chore(deps): update dependency moment to v2.29.2 [security]#2593
chore(deps): update dependency moment to v2.29.2 [security]#2593trevor-scheer merged 1 commit intomasterfrom
Conversation
|
Ping @trevor-scheer |
|
Even better would be to just do #2323 and replace the usages of moment that don't seem to be needed. I'm more than happy to contribute a change if that would help. |
|
Thanks for the ping! @nickpith I'd love a PR for that if you've got the availability for it. And yes - my hope is to find the time to get this repo healthy (graphql /node versions current at the least) and cut new major versions for these packages. We do intend to EOL the packages in this repo at some point but there's still no clarity around when that will be nor do we have viable alternatives for all of the functionality here - so in the meantime I hope to keep the lights on. My main focus is on AS 4 right now, but I hope to dedicate some actual focus time to this project soon enough. |
|
That's amazing to hear! Thank you very much Trevor 🙏 |
|
Created #2595 to remove |
renovate
Bot
force-pushed
the
renovate/npm-moment-vulnerability
branch
from
4c4ea18 to
a43c582
Compare
Co-authored-by: Renovate Bot <bot@renovateapp.com>
4 participants
This PR contains the following updates:
2.29.1->2.29.22.29.1->2.29.2GitHub Vulnerability Alerts
CVE-2022-24785
Impact
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg
fris directly used to switch moment locale.Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workarounds
Sanitize user-provided locale name before passing it to moment.js.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Release Notes
moment/moment
v2.29.2Compare Source
Address GHSA-8hfj-j24r-96c4
Configuration
📅 Schedule: "" in timezone America/Los_Angeles.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by WhiteSource Renovate. View repository job log here.