node-cron
Vulnerability in a dependency found
Description
Solution: Upgrade the moment dependency to version 2.29.2 or later.
Impact: This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
Patches: This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
That could also be motivation for releasing the removal of Moment from this PR, as the package is basically deprecated.
I am wondering if the project is dead... I think I may take it, add default TypeScript support and update all the dependencies, as I came here with the same issue, but I can't see a fix being pushed anytime soon.
Last commit was over 2 years ago (approx.) and there are 100s of issues that have gone ignored.
The maintainer left contact info in the README. I reached out on Twitter to see what's up.
So it is dead or... I hit a problem too with "Something went wrong. cron reached maximum iterations."
I'm in contact with the maintainer. Since this issue is about fixing vulnerabilities in the dependencies, let's focus on that here. Over half the open issues look like they mention the "maximum iterations" issue, so I think I'll look at that next, but on the original thread for that issue.
I have started working on a TypeScript version of it that should be easier to maintain, so @intcreator, if the owner gets back to you, let me know; maybe we can update the project with it.
Either way I shall carry on, just give me a shout, as I would definitely be interested in helping out.
If you need someone to help with super simple tasks like an occasional "release to npm" let me know. On this one, the fix is already in and a publish of that seems likely to fix the issue.
Dependencies are now updated and pushed to NPM. @ncb000gt @felipemarts I think this issue can be closed.
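As an added example (not code from the node-cron project or from this thread), the script below checks an npm lockfile for any installed copy of moment in the affected range stated in the issue, 1.0.1 through 2.29.1 inclusive. The lockfile contents are constructed sample data and the function names are hypothetical.

```javascript
// Added example: flag moment releases in the affected range named in the issue
// (1.0.1 through 2.29.1 inclusive; fixed in 2.29.2) inside an npm lockfile.

const FIRST_AFFECTED = [1, 0, 1];
const FIRST_PATCHED = [2, 29, 2];

// Parse "major.minor.patch", ignoring any pre-release/build suffix.
function parseVersion(version) {
  const match = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!match) throw new Error(`unparseable version: ${version}`);
  return match.slice(1).map(Number);
}

// Three-way comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedMoment(version) {
  const v = parseVersion(version);
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIRST_PATCHED) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// every install path that ends in node_modules/moment with an affected version.
// Nested copies matter: a patched top-level moment does not fix a pinned nested one.
function findAffectedMoment(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path, meta]) => /(^|\/)node_modules\/moment$/.test(path) && meta.version)
    .filter(([, meta]) => isAffectedMoment(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile: one patched top-level copy, one nested affected copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/moment": { version: "2.29.4" },
    "node_modules/node-cron/node_modules/moment": { version: "2.29.1" },
    "node_modules/moment-timezone": { version: "0.5.43" },
  },
};

console.log(findAffectedMoment(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.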