
Security vulnerability due to obsolete moment version

Open VB-at-Bis opened this issue 2 years ago • 3 comments

Moment-timezone version which you use:

Version: 0.5.34

Issue description:

Security vulnerability reported in our private repository due to moment-timezone. Please see advisory https://github.com/advisories/GHSA-wc69-rhjr-hc9g "Inefficient Regular Expression Complexity in moment". Current version of moment-timezone uses moment 2.9.0. Please update dependency to at least 2.29.4 to fix the vulnerability.

VB-at-Bis avatar Aug 21 '22 14:08 VB-at-Bis

It can work with any version above 2.9.0. As long as you update moment you're good. If we place 2.29.4, all people who want to use an older version of moment won't be able to do it. Aren't tools smart enough to know what is == and what is >= (or, for that matter, people...)?

ichernev avatar Aug 25 '22 11:08 ichernev

yarn audit also complains about this which is a compliance issue. Can't we just release a version that has the proper requirement? This is on 0.5.37.

Edit: Yes, I know it doesn't matter, but compliance people don't understand this. They see "high risk vulnerability = bad".

nickdnk avatar Sep 01 '22 14:09 nickdnk

If you've upgraded moment to 2.29.4 elsewhere in your project, you can use npx yarn-deduplicate --packages moment to make sure moment-timezone also uses the same version. https://github.com/moment/moment-timezone/issues/982#issuecomment-1119540905 contains a lot more detail (it's for a slightly different problem, but the underlying cause is the same).

Ideally we'd make moment a peer dependency instead of a core dependency, but that's a breaking change.

gilmoreorless avatar Sep 16 '22 06:09 gilmoreorless
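The deduplication workaround in the comment above only matters if the lockfile actually pins two copies of moment, one of them old. The script below is an added illustration for this thread, not code from the thread or from the moment-timezone project: it reads a yarn v1 lockfile, lists every version of a package that was resolved, and flags the case where the lowest one is still below the patched release (2.29.4 for moment, per the advisory linked in the issue). The lockfile fragments are constructed samples; the ">= 2.9.0" range they show for moment-timezone's moment dependency is an assumption based on the "any version above 2.9.0" remark above, not something quoted from the package.

```shell
#!/bin/sh
# Constructed yarn v1 lockfile fragment (not a real project's lockfile):
# moment-timezone's open range resolved to an old moment, while the
# application itself pulled in the patched release. Both copies get installed.
SAMPLE_LOCK='
"moment@>= 2.9.0":
  version "2.9.0"
  resolved "https://registry.yarnpkg.com/moment/-/moment-2.9.0.tgz"

moment@^2.29.4:
  version "2.29.4"
  resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz"

moment-timezone@^0.5.34:
  version "0.5.34"
  resolved "https://registry.yarnpkg.com/moment-timezone/-/moment-timezone-0.5.34.tgz"
  dependencies:
    moment ">= 2.9.0"
'

# Constructed fragment after "yarn-deduplicate --packages moment": both range
# keys now share the single patched resolution.
SAMPLE_LOCK_FIXED='
"moment@>= 2.9.0", moment@^2.29.4:
  version "2.29.4"
  resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz"
'

# Print every version of package $1 resolved in the yarn v1 lockfile read from
# stdin, one per line. Entry headers sit at column 0 and look like
#   moment@^2.29.4:      or      "moment@>= 2.9.0", moment@^2.29.4:
# (quoted when the range contains spaces); the resolution is the indented
# "version" line that follows. Package names are matched literally.
resolved_versions() {
  awk -v pkg="$1" '
    /^[^ ]/ {
      sub(/:$/, "", $0); gsub(/"/, "", $0)
      n = split($0, keys, /, */); inpkg = 0
      for (i = 1; i <= n; i++) if (index(keys[i], pkg "@") == 1) inpkg = 1
    }
    inpkg && /^  version / { gsub(/"/, "", $2); print $2 }
  '
}

# Return 0 when version $1 is lower than version $2. Compares the numeric
# major.minor.patch fields only; prerelease suffixes are ignored.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Print the lowest version of package $1 resolved in the lockfile on stdin
# (empty output if the package is absent).
lowest_version() {
  lowest=""
  for v in $(resolved_versions "$1"); do
    if [ -z "$lowest" ] || version_lt "$v" "$lowest"; then lowest="$v"; fi
  done
  printf '%s\n' "$lowest"
}

# Exit 0 when every resolved copy of package $1 in the lockfile on stdin is at
# or above version $2; otherwise report the offending version and exit 1.
# A package that is not in the lockfile at all passes.
check_patched() {
  low=$(lowest_version "$1")
  [ -n "$low" ] || return 0
  if version_lt "$low" "$2"; then
    echo "$1: lockfile resolves $low, below patched $2" >&2
    echo "hint: npx yarn-deduplicate --packages $1, then reinstall" >&2
    return 1
  fi
  return 0
}

# Usage: sh check-moment-lock.sh path/to/yarn.lock
# (with no argument the script only defines the functions above)
if [ $# -gt 0 ]; then
  check_patched moment 2.29.4 < "$1"
fi
```

Running it against the first sample reports the stale 2.9.0 resolution; against the deduplicated sample it passes. This is the condition yarn audit is reacting to in the comments above: the advisory is matched against what the lockfile resolved, not against the range moment-timezone declares, so fixing the resolution is what makes the finding go away.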

Any possible solutions or updates on this?

sergei-lobanov avatar Dec 30 '22 17:12 sergei-lobanov

Fixed in version 0.5.41

gilmoreorless avatar Mar 01 '23 02:03 gilmoreorless