apostrophecms / apostrophe

A full-featured, open-source content management framework built with Node.js that empowers organizations by combining in-context editing and headless architecture in a full-stack JS environment.
https://apostrophecms.com

Moment.js version added on assets has vulnerabilities #4106

Open Jose96GIT opened 1 year ago

Jose96GIT commented 1 year ago

Details

Doing a security scan on a website made using the latest version of Apostrophe v2, I've noticed that the moment.js version which is being imported in the apostrophe-assets module is outdated and has some vulnerabilities, as indicated at this link.

https://security.snyk.io/package/npm/moment

Can this be updated to solve the security issue?

Thanks in advance!

BoDonkey commented 1 year ago

I just looked through a repo using the latest v2 and it is using Moment.js v2.29.4. That is the latest version and doesn't have the listed vulnerabilities.


Are you sure your Apostrophe is up to date? Cheers, Bob

Jose96GIT commented 1 year ago

I don't mean the one installed via npm, but the one that's included on apostrophe-assets.

https://github.com/apostrophecms/apostrophe/blob/2.227.0/lib/modules/apostrophe-assets/public/js/vendor/moment.js

BoDonkey commented 1 year ago

Ahh - missed that. Ticket submitted for the update. Thanks.