
Security vulnerability due to obsolete moment version #997

Closed
VB-at-Bis opened this issue Aug 21, 2022 · 5 comments

Comments

@VB-at-Bis

Moment-timezone version which you use:

Version: 0.5.34

Issue description:

Security vulnerability reported in our private repository due to moment-timezone.
Please see advisory GHSA-wc69-rhjr-hc9g "Inefficient Regular Expression Complexity in moment".
Current version of moment-timezone uses moment 2.9.0. Please update dependency to at least 2.29.4 to fix the vulnerability.

@ichernev
Contributor

It can work with any version above 2.9.0. As long as you update moment you're good. If we place 2.29.4, all people who want to use an older version of moment won't be able to do it. Aren't tools smart enough to know what is == and what is >= (or for that matter, people...)

@nickdnk

nickdnk commented Sep 1, 2022

yarn audit also complains about this which is a compliance issue. Can't we just release a version that has the proper requirement? This is on 0.5.37.

Edit: Yes, I know it doesn't matter, but compliance people don't understand this. They see "high risk vulnerability = bad".

@gilmoreorless
Member

If you've upgraded moment to 2.29.4 elsewhere in your project, you can use npx yarn-deduplicate --packages moment to make sure moment-timezone also uses the same version. #982 (comment) contains a lot more detail (it's for a slightly different problem, but the underlying cause is the same).

Ideally we'd make moment a peer dependency instead of a core dependency, but that's a breaking change.
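A small check for the situation the two comments above describe (a lockfile that still resolves an older moment even though the `>= 2.9.0` range permits the patched one), added here as an illustrative example and not code from the moment-timezone project; the yarn.lock text is constructed for the example.

```javascript
// Constructed yarn.lock v1 excerpt: two copies of moment are resolved, one of
// them below the version the advisory names as fixed (2.29.4).
const SAMPLE_LOCK = `
moment-timezone@^0.5.34:
  version "0.5.37"
  dependencies:
    moment ">= 2.9.0"

"moment@>= 2.9.0":
  version "2.29.1"

moment@^2.29.4:
  version "2.29.4"
`;

// Parse yarn.lock v1 into [{ spec, version }]. An entry header is an
// unindented line ending in ':' (possibly quoted); its "version" line follows.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.length && !/^\s/.test(line) && line.endsWith(':')) {
      current = { spec: line.slice(0, -1).replace(/^"|"$/g, ''), version: null };
      entries.push(current);
    } else if (current && /^\s+version "/.test(line)) {
      current.version = line.match(/version "([^"]+)"/)[1];
    }
  }
  return entries;
}

// Numeric dotted-version comparison (prerelease suffixes are ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of `pkg` whose version is below `fixed`; an empty
// result means the lockfile no longer pins a vulnerable copy.
function findVulnerableCopies(lockText, pkg, fixed) {
  return parseYarnLock(lockText)
    .filter(e => e.spec.startsWith(pkg + '@') && e.version)
    .filter(e => compareVersions(e.version, fixed) < 0)
    .map(e => ({ spec: e.spec, version: e.version }));
}
```

Running it against a real yarn.lock after `yarn-deduplicate` should return no entries for `moment`; a remaining entry shows which range is still being resolved to an old copy.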

@sergei-lobanov

any possible solutions or updates on this?

@gilmoreorless
Member

Fixed in version 0.5.41
