Dependency should be updated to avoid CVE-2022-24785 #979
Comments
I think you should be able to resolve it by updating your lock file by doing npm/yarn uninstall/install moment-timezone again. Dependency mentioned in https://github.com/moment/moment-timezone/blob/develop/package.json#L31:
It should be able to pick up minor upgrade of 2.9.2.
If you need to upgrade the sub dependency and are using yarn, remove the entry
@gaurav-quasar @juliangruber Thanks. I already did this for my projects.
An automated pull request has it ready to go: #978
This is a dupe of #997. But yeah, there is a
There is a vulnerability in `moment` prior to version 2.29.2. The dependency of moment should be updated to avoid vulnerable versions.
See: Path Traversal: 'dir/../../filename' in moment.locale