Update dependency moment to v2.29.4 [SECURITY] #907
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-moment-vulnerability
branch
from
dfe0465
to
55de67a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.22.2->2.29.4GitHub Vulnerability Alerts
CVE-2022-24785
Impact
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg
fris directly used to switch moment locale.Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workarounds
Sanitize user-provided locale name before passing it to moment.js.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
CVE-2022-31129
Impact
Patches
The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.
Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.
References
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
Details
The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing.
moment("(".repeat(500000))will take a few minutes to process, which is unacceptable.Release Notes
moment/moment (moment)
v2.29.4Compare Source
v2.29.3Compare Source
v2.29.2Compare Source
Address GHSA-8hfj-j24r-96c4
v2.29.1Compare Source
Updated deprecation message, bugfix in hi locale
v2.29.0Compare Source
New locales (es-mx, bn-bd).
Minor bugfixes and locale improvements.
More tests.
Moment is in maintenance mode. Read more at this link:
https://momentjs.com/docs/#/-project-status/
v2.28.0Compare Source
Fix bug where .format() modifies original instance, and locale updates
v2.27.0Compare Source
Added Turkmen locale, other locale improvements, slight TypeScript fixes
v2.26.0Compare Source
TypeScript fixes and many locale improvements
v2.25.3Compare Source
Remove package.json module property. It looks like webpack behaves differently
for modules loaded via module vs jsnext:main.
v2.25.2Compare Source
This release includes ES Module bundled moment, separate from it's source code
under dist/ folder. This might alleviate issues with finding the `./locale
subfolder for loading locales. This might also mean now webpack will bundle all
locales automatically, unless told otherwise.
v2.25.1Compare Source
This is a quick patch release to address some of the issues raised after
releasing 2.25.0.
v2.25.0Compare Source
Release May 1, 2020
#4611 022dc038 [feature] Support for strict string parsing, fixes #2469
#4599 4b615b9d [feature] Add support for eras in en and jp
#4296 757d4ff8 [feature] Accept custom relative thresholds in duration.humanize
18 bigfixes
36 locale fixes
5 new locales (oc-lnc, zh-mo, en-in, gom-deva, fil)
v2.24.0Compare Source
Release Jan 21, 2019
#4338 [bugfix] Fix startOf/endOf DST issues while boosting performance
#4553 [feature] Add localeSort param to Locale weekday methods
#4887 [bugfix] Make Duration#as work with quarters
3 new locales (it-ch, ga, en-SG)
Lots of locale improvements
v2.23.0Compare Source
Release Dec 12, 2018
#4863 [new locale] added Kurdish language (ku)
#4417 [bugfix] isBetween should return false for invalid dates
#4700 [bugfix] Fix #4698: Use ISO WeekYear for HTML5_FMT.WEEK
#4563 [feature] Fix #4518: Add support to add/subtract ISO weeks
other locale changes, build process changes, typos
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.