• We found a potential security vulnerability in one of your dependencies.
    The moment dependency defined in package-lock.json has a known moderate severity security vulnerability in version range < 2.19.3 and should be updated.

    These dependencies have been defined in the manifest files, such as /backupwordpress/package-lock.json

    https://nvd.nist.gov/vuln/detail/CVE-2017-18214

    CVE-2017-18214 Detail

    Description
    The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
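
As an added illustration (not part of the original thread or the plugin's code): a small Node.js check that finds every copy of `moment` in a parsed `package-lock.json`, including nested copies, and flags versions below 2.19.3. The sample lockfile and the package name `example-charts` are constructed.

```javascript
// Fixed release named in the advisory quoted above (CVE-2017-18214).
const FIXED = [2, 19, 3];

// True when `version` sorts below 2.19.3. Compares numerically, so "2.9.0"
// is correctly below "2.19.3". A pre-release of the fixed version
// (e.g. "2.19.3-rc.1") counts as below; unparseable versions are flagged.
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect every installed copy of moment from a parsed lockfile object.
function findMoment(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/moment' || path.endsWith('/node_modules/moment')) {
        hits.push({ where: path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" trees.
    (function walk(deps, trail) {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = trail.concat(name);
        if (name === 'moment') hits.push({ where: here.join(' > '), version: meta.version });
        walk(meta.dependencies, here);
      }
    })(lock.dependencies, []);
  }
  return hits.map((h) => ({ ...h, vulnerable: isBelowFixed(h.version) }));
}

// Constructed sample: one top-level copy and one nested copy of moment.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    moment: { version: '2.18.1' },
    'example-charts': { version: '1.0.0', dependencies: { moment: { version: '2.22.2' } } },
  },
};
console.log(findMoment(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findMoment`.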

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter forboding-angel

    (@forboding-angel)

    Forgot to mention that this was an auto-find thanks to GitHub.

    Plugin Contributor Katrina “Kat” Moody

    (@katmoody)

    Thanks for the heads-up – I’m pushing this through to our developers!
    Kat

    Plugin Contributor Katrina “Kat” Moody

    (@katmoody)

    Just a heads-up should anyone else run into this one – we will be packaging an update to these outdated libraries with a new update within the next week or two and that should address this potential security issue. Should anyone have further questions on this, please feel free to respond here and we will reply as soon as we can!

    Kat

    Thread Starter forboding-angel

    (@forboding-angel)

    You never released an update. It’s been a month.

    > The moment module before 2.19.3 for Node.js

    N.B. A browser environment is *not* Node.js.

  • The topic ‘[SECURITY VULNERABILITY] moment dependency’ is closed to new replies.