MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhycHAtZjg0dy14aGZn

Moderate

Outdated Static Dependency in vue-moment

Affected package: npm:vue-moment
Affected versions: < 4.1.0
Fixed versions: 4.1.0
180 Dependent packages
5,653 Dependent repositories
289,712 Downloads last month

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0

All unaffected versions

4.1.0

Versions of vue-moment prior to 4.1.0 contain an Outdated Static Dependency. The package depends on moment but loads it statically, as a bundled copy, instead of declaring it as a dependency that can be updated. The bundled version of moment contains a Regular Expression Denial of Service vulnerability.

Recommendation

Upgrade to version 4.1.0 or later.
