Moment-timezone - 0.5.34 vulnerability

Hi,
I hope I am at the right place to raise this item.
I'm running Node-Red V3.0.2 and our vulnerability scan has detected a critical vulnerability for moment-timezone - 0.5.34.
Is there any plan to upgrade to version moment-timezone - 0.5.35 for Node-Red V3 or maybe with Node-Red V4 ?
Thanks in advance for your answer.
Alain.

Yes, it will be picked up in the next release which is coming soon.

In mitigation, the actual vulnerability only applies if someone creates a custom build of moment-timezone using the 0.5.34 version. We do not do that; we use the published version and do not create our own build. It is a good example of a CVE that causes lots of churn in projects even if our use of the module goes nowhere near the issue. Still, that type of subtlety isn't well catered for in most vulnerability scanners.

Thanks for your quick reply, I greatly appreciate it.
We will wait for the next release.
Have a good day.
Alain

Hi Nick, I am looking at node-red-util here and see that it says "moment-timezone": "0.5.34".
Is there a reason for the version to be fixed to 0.5.34 or was this simply forgotten?

The beta is released from the dev branch and has moment-timezone set to the latest 0.5.43 release:

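The question above is really "which version is actually installed, and is it an exact pin?". The following is an added example, not code from the thread or from the Node-RED project: it reads a package.json and a package-lock.json (npm v6 or v7+ layout), reports how a dependency is declared and which version is resolved, and flags it if the resolved version is below a minimum you supply. The sample inputs are constructed here, modelled on the `"moment-timezone": "0.5.34"` pin quoted above; the minimum version `0.5.35` is the one the original poster asked for. Pre-release tags are not handled, so this is a check for plain numeric versions only.

```javascript
// Added example (not Node-RED project code). Inspects how a dependency is
// declared in package.json and which version package-lock.json resolved it to.

// Numeric-only semver comparison: returns -1, 0 or 1. Pre-release tags are
// deliberately not handled (assumption: plain x.y.z versions as in the thread).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An exact pin is a bare x.y.z with no range operator such as ^ or ~.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// Resolve the installed version from either lockfile layout:
// npm v7+ uses packages["node_modules/<name>"], npm v6 uses dependencies[<name>].
function installedVersion(lock, name) {
  const pkgs = lock.packages || {};
  const modern = pkgs[`node_modules/${name}`];
  if (modern && modern.version) return modern.version;
  const legacy = (lock.dependencies || {})[name];
  return legacy && legacy.version ? legacy.version : null;
}

// Summarise one dependency: declared spec, whether it is pinned, what is
// installed, and whether the installed version is below the given minimum.
function checkDependency(pkgJson, lockJson, name, minVersion) {
  const spec = (pkgJson.dependencies || {})[name] || null;
  const installed = installedVersion(lockJson, name);
  return {
    name,
    spec,
    pinned: spec !== null && isExactPin(spec),
    installed,
    belowMinimum: installed !== null && compareVersions(installed, minVersion) < 0,
  };
}

// Constructed sample inputs (not real files from the project), shaped like the
// exact pin quoted in the thread and an npm v7+ lockfile entry.
const samplePackageJson = {
  name: 'sample-package',
  dependencies: { 'moment-timezone': '0.5.34' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: { 'node_modules/moment-timezone': { version: '0.5.34' } },
};

// Stand-alone usage: print the report for the sample inputs.
console.log(checkDependency(samplePackageJson, sampleLock, 'moment-timezone', '0.5.35'));
```

To run this against a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and `JSON.parse(fs.readFileSync('package-lock.json'))`. A `pinned: true` result with `belowMinimum: true` is exactly what the scanner in the first post is reacting to; as the reply explains, whether that version is actually reachable in your deployment is a separate question the lockfile alone cannot answer.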
