Security Vulnerabilities (CVE-2017-18214)

[zhonglin94]

I observed that chartjs' dependency (moment-2.10.0.min.js) has critical security vulnerabilities.

The WhiteSource said that "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055."

The latter version moment.2.19.3.min.js does not have this issue. So, could we upgrade the moment version officially? Or is there any workaround to fix this?

[benmccann]

Our package-lock.json uses moment 2.24.0, so I'm not sure this is really an issue?

Chart.js/package-lock.json

Line 6844 in 5a99dff

"version": "2.24.0",

[bmtestcode]

Whitesource scan still giving same security error as 2.10.0 mentioned in package-lock.json as a dependency. If that can be changed to 2.19.0 or above version for moment that issue will go away.

[benmccann]

It's currently 2.26.0:

Chart.js/package-lock.json

Line 4863 in 69c8cc7

"version": "2.26.0",