atom-ide-base
fix(deps): update dependency moment to v2.29.4 [security]
This PR contains the following updates:
Package | Change |
---|---|
moment (source) | 2.29.1 -> 2.29.4 |
GitHub Vulnerability Alerts
CVE-2022-24785
Impact
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is used directly to switch the moment locale.
Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workarounds
Sanitize user-provided locale name before passing it to moment.js.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
- Open an issue in moment repo
CVE-2022-31129
Impact
- using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
- noticeable slowdown is observed with inputs above 10k characters
- users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks
Patches
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.
Workarounds
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this but also with most future ReDoS vulnerabilities.
References
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
Details
The issue is rooted in the code that removes legacy comments (text inside parentheses) from strings during rfc2822 parsing. `moment("(".repeat(500000))` will take a few minutes to process, which is unacceptable.
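The two workarounds above (sanitize the locale name for CVE-2022-24785, cap input length for CVE-2022-31129) as one input guard placed in front of the parser. This is an added example, not code from moment or from this PR; the 200-character cap follows the advisory, while `LOCALE_RE`, the `SUPPORTED` allowlist and the injected `parse` callback (standing in for the real moment call so the example runs without the dependency) are this example's own assumptions.

```javascript
// Added example (not from moment or this PR): pre-validation applied before any
// user-originated value reaches moment.js.
// Assumptions: MAX_DATE_INPUT follows the advisory's suggested 200-character cap;
// LOCALE_RE, SUPPORTED and the injected parse callback are this example's choices.
const MAX_DATE_INPUT = 200;
// Language-tag shape only: letters plus optional dash-separated subtags. Path
// characters, spaces or an empty string are rejected before the allowlist lookup.
const LOCALE_RE = /^[a-z]{2,3}(-[a-z0-9]{1,8})*$/i;
const SUPPORTED = ['en', 'fr'];

// Workaround for CVE-2022-31129: bound the length of user-originated date strings.
function guardDateInput(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > MAX_DATE_INPUT) return { ok: false, reason: 'too long' };
  return { ok: true, value };
}

// Workaround for CVE-2022-24785: only forward locale names that look like a
// language tag and that the application explicitly supports.
function guardLocale(name, supported) {
  if (typeof name !== 'string' || !LOCALE_RE.test(name)) {
    return { ok: false, reason: 'malformed locale' };
  }
  const normalized = name.toLowerCase();
  if (!supported.includes(normalized)) return { ok: false, reason: 'unsupported locale' };
  return { ok: true, value: normalized };
}

// Both guards in front of the parser. `parse(value, locale)` stands in for the
// real moment(value).locale(locale) call; it is only reached with clean input.
function parseUserDate(input, localeName, supported, parse) {
  const locale = guardLocale(localeName, supported);
  if (!locale.ok) return { ok: false, reason: locale.reason };
  const date = guardDateInput(input);
  if (!date.ok) return { ok: false, reason: date.reason };
  return { ok: true, result: parse(date.value, locale.value) };
}

// Constructed sample inputs; the first is the advisory's own pathological case.
const SAMPLES = [
  ['('.repeat(500000), 'fr'],
  ['Tue, 06 Jul 2022 12:00:00 +0000', 'fr'],
  ['Tue, 06 Jul 2022 12:00:00 +0000', '../../evil'],
];

function runSamples(parse) {
  return SAMPLES.map(([input, loc]) => parseUserDate(input, loc, SUPPORTED, parse));
}
```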
Release Notes
moment/moment (moment)
v2.29.4
- Release Jul 6, 2022
- #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex
v2.29.3
v2.29.2
- Release Apr 3 2022
Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: pnpm-lock.yaml
ERR_PNPM_PEER_DEP_ISSUES Unmet peer dependencies
.
├─┬ @jest-runner/nuclide-e2e
│ └── ✕ missing peer electron@"*"
├─┬ eslint-config-atomic
│ └─┬ eslint-plugin-coffee
│ ├─┬ eslint-config-airbnb
│ │ └── ✕ missing peer eslint-plugin-react-hooks@"^4 || ^3 || ^2.3.0 || ^1.7.0"
│ └─┬ eslint-plugin-react-native
│ └── ✕ unmet peer eslint@"^3.17.0 || ^4 || ^5 || ^6": found 7.28.0 in eslint-config-atomic
└─┬ rollup-plugin-atomic
├─┬ rollup-plugin-assemblyscript
│ └── ✕ missing peer as-bind@"*"
└─┬ rollup-plugin-coffee-script
└── ✕ unmet peer [email protected]: found 1.12.7
Peer dependencies that should be installed:
as-bind@"*"
electron@"*"
eslint-plugin-react-hooks@"^4 || ^3 || ^2.3.0 || ^1.7.0"
nuclide/nuclide-commons-ui
└─┬ react-virtualized
├── ✕ unmet peer react@"^15.3.0 || ^16.0.0-alpha": found 17.0.1
└── ✕ unmet peer react-dom@"^15.3.0 || ^16.0.0-alpha": found 17.0.1
hint: If you want peer dependencies to be automatically installed, add "auto-install-peers=true" to an .npmrc file at the root of your project.
hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.