Moment JS vulnerability
Hey there.
Block Developer ships with a [vulnerable version of moment.js](https://security.snyk.io/package/npm/moment).
The latest version without vulnerabilities is [v2.29.4](https://momentjs.com/downloads/moment.js).
Does registering an asset in the application directory override your package's asset registry of moment?
Would it be possible to update your package to this version?
Thank you.
Type: | Ticket |
---|---|
Status: | Resolved |
Hi there,
As promised, here is version 1.4.3 without this vulnerable Moment JS included. As a matter of fact, since the core uses Moment and this package could use the same - I removed it completely. It's just shipping extras we don't actually need. And once a version stops working, I will update it to make it work again. So let's hope the core version will work for a long time! :D
Thanks for noticing this one; at some point you're too blind to see these kinds of things.
Have a good weekend!
Kind regards
Ramon
This asset does not overrule any of the others, so I will be updating this later this week. Thanks for notifying me about this. I will let you know in this topic when the new version is live.
Kind regards
Ramon