Rollup-plugin-license is a valuable tool for developers using Rollup to bundle their JavaScript projects, ensuring proper license attribution and compliance. Version 2.0.1 introduces some dependency updates that may impact your project's build process and overall security profile.
The most visible change is the update of the moment dependency from 2.24.0 to 2.25.1. The bump is small, and it is worth knowing that it does not reach the fixed moment releases named in the advisories further down this page (2.29.2 for the locale path traversal, 2.29.4 for the ReDoS), so a project that resolves moment through this plugin still carries both issues. On the Rollup side, @rollup/plugin-babel was updated from 5.0.0, @rollup/plugin-commonjs to 11.1.0 and @rollup/plugin-node-resolve to 7.1.3, keeping the plugin aligned with the current Rollup ecosystem; these updates improve handling of ES modules and CommonJS modules within your Rollup configuration and can resolve some build issues related to module resolution.
On the development side, @babel/core, @babel/preset-env and other devDependencies were bumped to newer versions; these only affect the plugin's own build and test tooling, not its runtime behaviour.
If you are on version 2.0.0, 2.0.1 is a low-risk upgrade that refreshes the dependency set, but it does not by itself close the advisories listed below: moment 2.25.1 is still older than the 2.29.2 and 2.29.4 releases that fix the moment issues, and the lodash advisories apply to whatever lodash version your lockfile resolves. Before updating, test the new version in a development environment to confirm compatibility with your Rollup configuration and dependencies.
All the vulnerabilities related to version 2.0.1 of the package
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition of a new property, or the modification of an existing one, that will then exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
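As an added example (not code from the page, from lodash or from rollup-plugin-license), here is a minimal path-setter in the style of lodash's set(), first without any key filtering, then with the guard that lodash adopted in 4.17.19 (refusing the `__proto__`, `constructor` and `prototype` segments; lodash silently skips them, this version throws so the rejection is visible). The attacker path, the marker property name and the pollutionOutcome helper are constructed for the example:

```javascript
// Added example, not code from the page, lodash or rollup-plugin-license.
// unsafeSet mimics the path-walking shape of lodash set() before 4.17.19;
// safeSet adds the guard the fix introduced (lodash silently skips the
// three identifiers; this version throws so the rejection is visible).

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept "a.b.c" or ["a", "b", "c"]; every segment is treated as a string key.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// Vulnerable: creates or descends into each intermediate object without
// inspecting the key, so "__proto__.x" descends into Object.prototype.
function unsafeSet(obj, path, value) {
  const keys = toPath(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse any segment that would walk into a prototype chain.
function safeSet(obj, path, value) {
  const keys = toPath(path);
  for (const key of keys) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error(`refusing to set through path segment "${key}"`);
    }
  }
  return unsafeSet(obj, keys, value);
}

// Constructed attacker input: a request body whose key is attacker chosen,
// e.g. parsed from JSON as {"path": "__proto__.exampleIsAdmin", "value": true}.
const MARKER = 'exampleIsAdmin';

// Runs one setter against an empty object and reports whether an unrelated,
// freshly created object now carries the attacker's property. Cleans up the
// prototype afterwards so the rest of the process is unaffected.
function pollutionOutcome(setter) {
  const target = {};
  try {
    setter(target, '__proto__.' + MARKER, true);
    return ({})[MARKER] === true ? 'polluted' : 'clean';
  } catch (err) {
    return 'rejected';
  } finally {
    delete Object.prototype[MARKER];
  }
}

console.log('unsafeSet:', pollutionOutcome(unsafeSet)); // polluted
console.log('safeSet:  ', pollutionOutcome(safeSet));   // rejected
```

The point of the demo is the check on a second, unrelated object: after the unsafe call, `({}).exampleIsAdmin` is true for every object in the process, which is how a single polluted key turns into authorization bypasses or crashes elsewhere in an application.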
Regular Expression Denial of Service (ReDoS) in lodash
All versions of the lodash package prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):

```javascript
var lo = require('lodash');

// Build "1" + n spaces + "1": the trailing "1" forces the trimming regex
// to backtrack over every space, so runtime grows quadratically with n.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var s = build_blank(50000);

var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
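One way to apply that workaround, as an added example that is not moment's code or the page's: a strict allowlist check on the locale name, plus a picker for an Accept-Language style header, both of which fall back to a default rather than forwarding anything containing path characters to moment.locale(). The SUPPORTED_LOCALES list, the LOCALE_NAME pattern and the header strings are constructed for the example:

```javascript
// Added example, not code from moment.js or from the page. Everything a
// client can influence (query parameter, cookie, Accept-Language header)
// goes through sanitizeLocale() before moment.locale() ever sees it.

// Locale names moment ships look like "fr", "en-gb", "zh-cn", "tzm-latn":
// lowercase letters and digits separated by single hyphens, nothing else.
// Anything containing "/", "\\", "." or NUL fails this test outright.
const LOCALE_NAME = /^[a-z]{1,3}(-[a-z0-9]{2,8})*$/;

// Constructed allowlist for the example; a real service would list the
// locale files it actually bundles.
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'zh-cn']);

// Returns a locale name safe to hand to moment.locale(), or `fallback`.
function sanitizeLocale(candidate, fallback = 'en') {
  if (typeof candidate !== 'string') return fallback;
  const name = candidate.trim().toLowerCase();   // moment lowercases too
  if (!LOCALE_NAME.test(name)) return fallback;  // "dir/../../filename" stops here
  if (!SUPPORTED_LOCALES.has(name)) return fallback;
  return name;
}

// Picks the best supported locale from an Accept-Language header, honouring
// q-weights and keeping header order for ties. Tags that fail validation are
// skipped rather than forwarded.
function pickLocale(acceptLanguage, fallback = 'en') {
  if (typeof acceptLanguage !== 'string') return fallback;
  const ranked = acceptLanguage
    .split(',')
    .map((entry, index) => {
      const [tag, ...params] = entry.trim().split(';');
      const qParam = params.map((p) => p.trim()).find((p) => p.startsWith('q='));
      const q = qParam ? parseFloat(qParam.slice(2)) : 1;
      return { tag: tag.trim(), q: Number.isFinite(q) ? q : 0, index };
    })
    .sort((a, b) => b.q - a.q || a.index - b.index);
  for (const { tag } of ranked) {
    const name = sanitizeLocale(tag, null);
    if (name !== null) return name;
  }
  return fallback;
}

// Intended call site (hypothetical Express-style handler, moment not loaded here):
//   moment.locale(pickLocale(req.headers['accept-language']));
console.log(sanitizeLocale('dir/../../filename'));     // en
console.log(pickLocale('fr-CH, fr;q=0.9, en;q=0.8'));  // fr
```

The allowlist is the part that matters: the pattern alone would still let an unknown but well-formed name through to moment's locale loader, while the set limits the loader to files you shipped on purpose.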
Moment.js vulnerable to Inefficient Regular Expression Complexity
The issue is rooted in the code that removes legacy comments (text inside parentheses) from strings during RFC 2822 parsing: moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter; that would help with this and also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
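The two ReDoS advisories on this page (the lodash trim/trimEnd/toNumber issue above and this moment parsing issue) call for the same two defences, so here is one added example that covers both; it is not code from the page, from lodash or from moment. regexTrim reproduces the whitespace-trimming regex form that lodash before 4.17.21 used, which is quadratic on the reporter's blank-padded input; linearTrim does the same job with a character scan; withMaxLength is the rudimentary length filter the moment advisory recommends, applied before any regex-backed parser sees untrusted text. The 200-character ceiling comes from the advisory; buildBlank, classify and the sample strings are constructed for the example.

```javascript
// Added example, not code from the page, lodash or moment.

// Same shape as lodash's reTrim before 4.17.21. On "1" + n spaces + "1"
// the \s+$ alternative is tried from each of the n space positions, runs to
// the final "1", fails, and backtracks, so total work is O(n^2).
function regexTrim(s) {
  return s.replace(/^\s+|\s+$/g, '');
}

const WHITESPACE = /\s/;

// Linear replacement: locate the first and last non-whitespace characters
// and slice once; no regex is ever run against the whole string.
function linearTrim(s) {
  let start = 0;
  let end = s.length;
  while (start < end && WHITESPACE.test(s[start])) start++;
  while (end > start && WHITESPACE.test(s[end - 1])) end--;
  return s.slice(start, end);
}

// Wraps any parser of untrusted text with a hard length ceiling. 200 is the
// figure the moment advisory suggests for date-time strings; other parsers
// choose their own.
function withMaxLength(fn, maxLen) {
  return function guarded(input) {
    if (typeof input !== 'string') throw new TypeError('expected a string');
    if (input.length > maxLen) {
      throw new RangeError(`input length ${input.length} exceeds limit ${maxLen}`);
    }
    return fn(input);
  };
}

// The reporter's input shape from the lodash advisory, constructed here.
function buildBlank(n) {
  return '1' + ' '.repeat(n) + '1';
}

const guardedTrim = withMaxLength(linearTrim, 200);

// Reports the result for one input; 'rejected' means the guard fired before
// any parsing happened, which is the outcome you want for the 50000-char case.
function classify(input) {
  try {
    return { value: guardedTrim(input), status: 'ok' };
  } catch (err) {
    return { value: null, status: err instanceof RangeError ? 'rejected' : 'error' };
  }
}

console.log(classify('  2022-06-10T12:00:00Z  ')); // { value: '2022-06-10T12:00:00Z', status: 'ok' }
console.log(classify(buildBlank(50000)));           // { value: null, status: 'rejected' }
```

The reporter's timing script above remains the right way to measure an engine; classify() shows the other side, that once the decision is made on length alone the outcome is deterministic and cheap no matter how the underlying regex behaves, and the linear scan removes the quadratic path for inputs that do pass the gate.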