Dependency should be updated to avoid CVE-2022-24785

[urispmts]

There is a vulnerability in moment prior to version 2.29.2
The dependency of moment should be updated to avoid vulnerable versions.

See: Path Traversal: 'dir/../../filename' in moment.locale

[gaurav-quasar]

@urispmts,

I think you should be able to resolve it by updating your lock file by doing npm/yarn uninstall/install moment-timezone again.

Dependency mentioned in https://github.com/moment/moment-timezone/blob/develop/package.json#L31:

 "dependencies": {
		"moment": ">= 2.9.0"
	}

It should be able to pick up minor upgrade of 2.9.2.

[juliangruber]

If you need to upgrade the sub dependency and are using yarn, remove the entry moment@... from your yarn.lock and run yarn again, that should give you the updated version.

[urispmts]

@gaurav-quasar @juliangruber Thanks. I already did this for my projects.
However, I suggested this as the new dependency to versions lower than 2.9.2, for instance, if you already had moment in your package.json and added moment-timezone (this should either upgrade it or fire an alert).

[sirgoofiguskid]

An automated pull request has it ready to go: #978

[ichernev]

This is a dupe of #997

But yeah, there is a >= relationship, nothing in moment-timezone is FORCING you in using an insecure moment version. Just update your moment version and you'll be fine.