Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Moment library update, adapt to the changes in Moment's parsing of dates #9381

Closed
dariapimenovaleanix opened this issue Apr 7, 2022 · 5 comments
Closed

Moment library update, adapt to the changes in Moment's parsing of dates #9381

dariapimenovaleanix opened this issue Apr 7, 2022 · 5 comments
Assignees
@jansiegel
Labels
Status: Released

Comments

@dariapimenovaleanix
Copy link

Description

handsontable is currently using moment library of the version 2.24.0.
Affected versions of this package are vulnerable to Directory Traversal when a user provides a locale string which is directly used to switch moment locale.
Link to the known vulnerability in Snyk: https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688

How to fix

Upgrade moment to version 2.29.2 or higher.

Your environment

  • Handsontable version: 11.1.0
@AMBudnik
Copy link
Contributor

AMBudnik commented Apr 7, 2022

Hi @dariapimenovaleanix, thank you for the notification. We also got the PR from SNYK #9376

I will notify you as soon as we update this topic.

@dariapimenovaleanix
Copy link
Author

@AMBudnik thank you!

@budnix budnix mentioned this issue Apr 7, 2022
Merged
4 tasks
@warpech
Copy link
Member

warpech commented Apr 7, 2022
edited

We will deal with upgrading the dependency shortly. Let me assure you that this vulnerability does not affect Handsontable when it is used, as intended, in a web browser. Anyway we should upgrade the dependency to silence the vulnerability alerts.

@warpech warpech changed the title moment library update Moment library update, adapt to the changes in Moment's parsing of dates Apr 8, 2022
@warpech
Copy link
Member

warpech commented Apr 8, 2022

We are tracking a solution in the PR #9382, but we need to take into account some changes in moment that resulted in changed behaviour when the data does not match dateFormat property.

@warpech warpech mentioned this issue Apr 13, 2022
Closed
@warpech warpech mentioned this issue Apr 26, 2022
Merged
@AMBudnik AMBudnik mentioned this issue Apr 28, 2022
Closed
@AMBudnik
Copy link
Contributor

Hi @dariapimenovaleanix we just released Handsontable v12 where we bumped the version of moment.js
Thank you again for sharing your feedback. I'm closing this issue as done.

@adrianszymanski89 adrianszymanski89 mentioned this issue Jul 18, 2022
Closed
@wszymanski wszymanski mentioned this issue Sep 8, 2022
Merged
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jansiegel jansiegel

Labels
Status: Released
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@warpech @jansiegel @AMBudnik @dariapimenovaleanix