stefanuebe/vaadin-fullcalendar

npm audit shows vulnerabilities in fullcalendar/moment

Closed this issue · 3 comments

When you run npm audit on a project that uses the latest version of fullcalendar, it outputs:

npm audit report

moment  <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - GHSA-8hfj-j24r-96c4
Moment.js vulnerable to Inefficient Regular Expression Complexity - GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix --force`
Will install moment-timezone@0.5.43, which is outside the stated dependency range
node_modules/moment
  @fullcalendar/moment
  Depends on vulnerable versions of moment
  node_modules/@fullcalendar/moment
  @fullcalendar/moment-timezone
  Depends on vulnerable versions of moment
  Depends on vulnerable versions of moment-timezone
  node_modules/@fullcalendar/moment-timezone
  moment-timezone  <=0.0.2 || 0.1.0 - 0.5.34
    Depends on vulnerable versions of moment
    node_modules/moment-timezone

4 high severity vulnerabilities
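The report above lists four findings, but only two packages carry a concrete vulnerable range (moment and moment-timezone); the two @fullcalendar packages are flagged with range "*", meaning every published version is affected purely through what they pull in, so no bump of those packages can clear the finding. A consumer who cannot wait for upstream to move its dependencies can pin the transitive packages with a package.json "overrides" block instead of accepting the `--force` resolution. The script below is an added example, not code from this issue or from the vaadin-fullcalendar or fullcalendar projects: it triages an `npm audit --json` (npm 7+ format) report and builds an overrides block, refusing any target version that still falls inside the reported range. The `auditReport` object is constructed to mirror the text report in the issue; the target versions 2.29.4 (first version outside "<=2.29.3") and 0.5.43 (the version npm offered) are assumptions for the example.

```javascript
// Added example (not from the issue or the vaadin-fullcalendar project): triage an
// `npm audit --json` report and produce a package.json "overrides" block.
// The report object is constructed to mirror the audit output in the issue and
// uses the field names of npm's JSON audit format (auditReportVersion 2).
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    moment: {
      name: "moment", severity: "high", isDirect: false,
      via: [
        { title: "Path Traversal: 'dir/../../filename' in moment.locale",
          url: "https://github.com/advisories/GHSA-8hfj-j24r-96c4", severity: "high" },
        { title: "Moment.js vulnerable to Inefficient Regular Expression Complexity",
          url: "https://github.com/advisories/GHSA-wc69-rhjr-hc9g", severity: "high" },
      ],
      effects: ["@fullcalendar/moment", "@fullcalendar/moment-timezone", "moment-timezone"],
      range: "<=2.29.3", nodes: ["node_modules/moment"],
      fixAvailable: { name: "moment-timezone", version: "0.5.43", isSemVerMajor: false },
    },
    "moment-timezone": {
      name: "moment-timezone", severity: "high", isDirect: false,
      via: ["moment"], effects: ["@fullcalendar/moment-timezone"],
      range: "<=0.0.2 || 0.1.0 - 0.5.34", nodes: ["node_modules/moment-timezone"],
      fixAvailable: true,
    },
    "@fullcalendar/moment": {
      name: "@fullcalendar/moment", severity: "high", isDirect: true,
      via: ["moment"], effects: [], range: "*",
      nodes: ["node_modules/@fullcalendar/moment"], fixAvailable: false,
    },
    "@fullcalendar/moment-timezone": {
      name: "@fullcalendar/moment-timezone", severity: "high", isDirect: true,
      via: ["moment", "moment-timezone"], effects: [], range: "*",
      nodes: ["node_modules/@fullcalendar/moment-timezone"], fixAvailable: false,
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal matcher for the range syntax npm audit prints: "*", comparator sets
// such as ">=1.0.0 <2.0.0", hyphen ranges "A - B", and "||" unions of those.
function satisfiesRange(version, range) {
  return range.split("||").some((alt) => {
    alt = alt.trim();
    if (alt === "*" || alt === "") return true;
    const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(alt);
    if (hyphen) {
      return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
    }
    return alt.split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case "<": return c < 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case ">=": return c >= 0;
        default: return c === 0;
      }
    });
  });
}

// Only packages with a concrete vulnerable range can be fixed by a pin; a range
// of "*" means every version is affected solely through its own dependencies.
function pinnable(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.range !== "*")
    .map((v) => v.name);
}

// Build the "overrides" block from caller-chosen target versions and report
// any package whose target is missing or still inside the vulnerable range.
function buildOverrides(report, targets) {
  const overrides = {};
  const unresolved = [];
  for (const name of pinnable(report)) {
    const vuln = report.vulnerabilities[name];
    const target = targets[name];
    if (target === undefined) {
      unresolved.push(`${name}: no target version given (vulnerable range: ${vuln.range})`);
    } else if (satisfiesRange(target, vuln.range)) {
      unresolved.push(`${name}: ${target} is still inside ${vuln.range}`);
    } else {
      overrides[name] = target;
    }
  }
  return { overrides, unresolved };
}

// Target versions are assumptions for this example: 2.29.4 is the first version
// outside the reported "<=2.29.3" range, 0.5.43 is the version the report offered.
const result = buildOverrides(auditReport, { moment: "2.29.4", "moment-timezone": "0.5.43" });
console.log(JSON.stringify({ overrides: result.overrides }, null, 2));
if (result.unresolved.length) console.error("unresolved:", result.unresolved);
```

Feed it a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of the constructed object; paste the printed `overrides` object into package.json (supported by npm 8.3 and later), reinstall, and confirm with `npm ls moment moment-timezone` that only the pinned versions are resolved. Note that an override forces a version the @fullcalendar packages were never tested against, so the range check here replaces the audit finding, not the functional testing.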

Hi,
I think if the problem is inside fullcalendar/moment this is an issue for the fc repo.

We also have moment at version 2.29.1 and moment-timezone at version 0.5.32, so we will update them soon. As for @fullcalendar/moment-timezone and @fullcalendar/moment, we can't update the deps they use; it is better to open an issue here: https://github.com/fullcalendar/fullcalendar/issues

The major version already includes the changes; when it is ready we will notify you.

Version 6.0.0 has been released, so we are closing this issue as it should be solved now.

If it still is an issue simply reopen this one please.