Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability in the moment module before 2.19.3 #126

Closed
ale4ko69 opened this issue Dec 17, 2019 · 7 comments
Closed

Vulnerability in the moment module before 2.19.3 #126

ale4ko69 opened this issue Dec 17, 2019 · 7 comments

Comments

@ale4ko69
Copy link

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
https://www.cvedetails.com/cve/CVE-2017-18214/
@BrockReece
Copy link
Collaborator

Is this in reference to the change proposed in #125?
I can bump the package version on again?

@ale4ko69
Copy link
Author

Perhaps this is the same problem.
I just updated the library to version 4.0.0 and saw that the last update on npm was a year ago.
Therefore, I am not sure that the latest version of moments 2.24.0 is used there

@BrockReece
Copy link
Collaborator

That PR updates the yarn.lock to v2.24.0

https://github.com/brockpetrie/vue-moment/pull/125/files#diff-8ee2343978836a779dc9f8d6b794c3b2

@ale4ko69
Copy link
Author

image
This is what I see after the update via the npm update vue-moment command

@BrockReece
Copy link
Collaborator

We haven't released the new version yet

@ale4ko69
Copy link
Author

ok, thanks

@BrockReece
Copy link
Collaborator

v4.1.0 is out now and should include the latest version of vue-moment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@BrockReece @ale4ko69