trentm/node-bunyan

Update version of moment to fix GHSA-wc69-rhjr-hc9g (CVE-2022-31129)

otramony opened this issue · 8 comments

Please update the version of moment to 2.29.4 to fix security vulnerability and release a new tag.

https://nvd.nist.gov/vuln/detail/CVE-2022-31129
GHSA-wc69-rhjr-hc9g

@trentm How can we help to get a new Bunyan version out?
There is already a PR, which bumps moment #693

@otramony & @kirrg001 In the absence of @trentm approving PRs, you can override the version of momentjs bunyan depends upon by adding to your project's package.json:

"resolutions": { "moment": "2.29.4" }, "overrides": { "bunyan": { "moment": "2.29.4" } }

Ug, sorry^10 all. Looking now.

package-lock.json is not published to npm, so any npm install bunyan will get the newest 2.x version of moment.
Granted, there is a package-lock.json committed to the repo, so if a user clones the repo and then runs npm install from there, they'll get the too-old version of moment. Have I missed a use case that any of you are hitting?

So, I'll merge the PR to update the package-lock.json file. However, is there a need for a new release tag or published version to npm for anyone? Please let me know if so.

My next inclination is to remove the package-lock.json file from the repo. My tendency more recently is to not have a package-lock.json file for library repos. Opinions vary. Anyway, I'll open a separate PR for that on which there can be discussion. We could always re-add the package-lock if there are strong enough uses for it.
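The two mechanisms discussed above (overriding the transitive moment version from the consuming project's package.json, and the fact that a committed package-lock.json pins whatever version it last resolved) can be checked mechanically. The script below is an added example, not code from bunyan or from any commenter: it walks a lockfile's `packages` map for resolved copies of moment, reports any below the patched 2.29.4 release, and builds the `resolutions` (Yarn classic) and `overrides` (npm 8.3+) entries from the thread. The lock data is constructed for the example, the version comparison is a minimal x.y.z compare with no pre-release handling, and the function names are the example's own.

```javascript
// Added example (not from the bunyan project or the issue thread).
// Checks which moment version a project resolves to, and produces the
// package.json override entries suggested in the thread.
const FIXED_MOMENT = '2.29.4'; // release that addresses CVE-2022-31129 per the thread

// Minimal semver comparison for plain x.y.z strings (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// True when `installed` is at or above the fixed release.
function momentIsPatched(installed, fixed = FIXED_MOMENT) {
  return compareVersions(installed, fixed) >= 0;
}

// Given a parsed package-lock.json (lockfileVersion 2/3 "packages" map),
// return every resolved moment entry whose version predates the fix.
// Nested copies (e.g. node_modules/bunyan/node_modules/moment) are included.
function findVulnerableMoment(lock, fixed = FIXED_MOMENT) {
  const pkgs = lock.packages || {};
  const vulnerable = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path.endsWith('node_modules/moment') && meta.version) {
      if (!momentIsPatched(meta.version, fixed)) {
        vulnerable.push({ path, version: meta.version });
      }
    }
  }
  return vulnerable;
}

// Merge the override entries from the thread into an existing package.json
// object without discarding overrides the project already has.
function buildOverrides(pkg, fixed = FIXED_MOMENT) {
  const overrides = pkg.overrides || {};
  const bunyanOverrides = overrides.bunyan || {};
  return {
    ...pkg,
    resolutions: { ...(pkg.resolutions || {}), moment: fixed },
    overrides: { ...overrides, bunyan: { ...bunyanOverrides, moment: fixed } },
  };
}

// Constructed sample lockfile: a project pulling bunyan, whose optional
// moment dependency resolved to a pre-fix version. Versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', dependencies: { bunyan: '*' } },
    'node_modules/bunyan': { version: '1.0.0', optionalDependencies: { moment: '^2.0.0' } },
    'node_modules/moment': { version: '2.29.1' },
  },
};

const report = findVulnerableMoment(SAMPLE_LOCK);
console.log('vulnerable moment copies:', report);
console.log(JSON.stringify(buildOverrides({ name: 'sample-app', dependencies: { bunyan: '*' } }), null, 2));
```

Running it against a real package-lock.json (`JSON.parse(fs.readFileSync('package-lock.json'))`) shows whether a clone-and-install workflow would still pull the old moment, which is exactly the case distinguished in the discussion from a fresh `npm install bunyan`, where no lockfile is consulted.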

I would appreciate a bumped version published to npm. As long as we're talking about it, I'd like to throw this idea out there: substituting dayjs for momentjs would be super awesome.

I would appreciate a bumped version published to npm.

Why? It would be identical to the previous release (package-lock.json is not included in an npm published package).

substituting dayjs for momentjs would be super awesome.

Noted. I think there are issue(s) for that. #630 for one.

I would appreciate a bumped version published to npm.

Why? It would be identical to the previous release (package-lock.json is not included in an npm published package).

I'd appreciate it too. It would automatically be fixed for most people; as it is, I had to manually look at what exactly was wrong and run npm uninstall bunyan and npm install bunyan again so that moment is installed with a higher version number.

Updating the optional dependency and releasing a new version will propagate updates to dependents and transitive dependents. I made a PR #701