Update version of moment to fix GHSA-wc69-rhjr-hc9g (CVE-2022-31129)
otramony opened this issue · 8 comments
Please update the version of moment to 2.29.4 to fix security vulnerability and release a new tag.
https://nvd.nist.gov/vuln/detail/CVE-2022-31129
GHSA-wc69-rhjr-hc9g
Ug, sorry^10 all. Looking now.
package-lock.json is not published to npm, so any npm install bunyan will get the newest 2.x version of moment.
Granted, there is a package-lock.json committed to the repo, so if a user is cloning the repo and then npm install-ing from there, then they'll get the too-old version of moment. Have I missed a use case that any of you are hitting?
So, I'll merge the PR to update the package-lock.json file. However, is there a need for a new release tag or published version to npm for anyone? Please let me know if so.
My next inclination is to remove the package-lock.json file from the repo. My tendency more recently is to not have a package-lock.json file for library repos. Opinions vary. Anyway, I'll open a separate PR for that on which there can be discussion. We could always re-add the package-lock if there are strong enough uses for it.
I would appreciate a bumped version published to npm. As long as we're talking about it, I'd like to throw this idea out there: substituting dayjs for momentjs would be super awesome.
I would appreciate a bumped version published to npm.
Why? It would be identical to the previous release (package-lock.json is not included in an npm published package).
substituting dayjs for momentjs would be super awesome.
Noted. I think there are issue(s) for that. #630 for one.
I would appreciate a bumped version published to npm.
Why? It would be identical to the previous release (package-lock.json is not included in an npm published package).
I'd appreciate it too. It would automatically be fixed for most people; now I had to manually look at what exactly is wrong and do npm uninstall bunyan and npm install bunyan again so that moment is installed with a higher version number.
Updating the optional dependency and releasing a new version will propagate updates to dependents and transitive dependents. I made a PR #701
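The thread's point is that the risk lives in a committed package-lock.json, not in the published package. As an added example (not bunyan project code), this script reads a lockfile object and reports every pinned moment version below the fixed release 2.29.4; the sample lockfile and its bunyan version and range are constructed, not taken from the repo.

```javascript
// Added example: flag a committed package-lock.json that still pins moment
// below the version that fixes CVE-2022-31129 (2.29.4). Handles both the
// v1 layout ("dependencies", nested) and the v2/v3 layout ("packages", flat).
const FIXED_MOMENT = '2.29.4';

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every pinned version of `name` in the lockfile, including nested copies.
function pinnedVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name) && entry.version) found.push(entry.version);
    }
  }
  if (lock.dependencies) {
    const walk = (deps) => {
      for (const [dep, entry] of Object.entries(deps)) {
        if (dep === name && entry.version) found.push(entry.version);
        if (entry.dependencies) walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return found;
}

// Pinned moment versions strictly below the fix; empty means the lockfile is clean.
function vulnerableMomentPins(lock) {
  return pinnedVersions(lock, 'moment').filter((v) => compareSemver(v, FIXED_MOMENT) < 0);
}

// Constructed sample lockfile (v2 layout); bunyan's version and range are placeholders.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { bunyan: '^1.0.0' } },
    'node_modules/bunyan': { version: '1.0.0', optionalDependencies: { moment: '^2.0.0' } },
    'node_modules/moment': { version: '2.29.1' }, // too-old pin, as in the cloned-repo case
  },
};
```

Run it against a real lockfile with `vulnerableMomentPins(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; a fresh `npm install bunyan` without a lockfile resolves the `^2.x` range to the newest 2.x moment, which is why the published package itself was not affected.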