grahamjenson / ger

Good Enough Recommendation (GER) Engine

Mitigate CVE-2017-18214 by updating moment.js to v2.19.3 #56

Closed azhang66 closed 6 years ago

azhang66 commented 6 years ago

Before v2.19.3, the moment.js module is prone to a regular expression denial of service via a crafted date string. Although I'm not sure if GER is directly affected, its dependency on moment.js should be updated regardless as:

  1. There are no backwards-incompatible changes between v2.17.1 and v2.19.3

  2. Leaving moment.js@2.17.3 will break builds with NSP enabled.

grahamjenson commented 6 years ago

Cheers! :)

azhang66 commented 6 years ago

Thanks for merging! Is there any chance we could bump version and release the fix to NPM?