BuddyPress.org

Opened 2 years ago

Closed 2 years ago

#8766 closed task (fixed)

moment.js is outdated and has CVEs

Reported by: thomaslhotta
Owned by: imath
Milestone: 11.0.0
Priority: high
Severity: normal
Version: 10.6.0
Component: Core
Keywords: has-patch 2nd-opinion
Cc:

Description

Hi

BuddyPress uses moment.js 2.15.1, which is quite a few years old (2016) and has two CVEs (CVE-2017-18214, CVE-2022-24785). Both are node.js related, so I do not think this is a security issue. But it might be good to upgrade to at least 2.29.2 anyway, just to be safe.

Change History (8)

#1 @imath
2 years ago

  • Milestone changed from Awaiting Review to 11.0.0
  • Owner set to imath
  • Status changed from new to assigned
  • Type changed from enhancement to task

I agree, thanks a lot for your ticket. I even think WordPress is now including moment.js, so we might be able to completely remove it! I'll look at it asap.

#2 @imath
2 years ago

  • Priority changed from normal to high

I confirm WordPress uses v2.29.4 of moment.js. I don't think we've made custom changes to this library, I just need to check it was already bundled in version 5.4 of WordPress. If so we should use this one and stop including moment.js into the plugin.

This ticket was mentioned in PR #39 on buddypress/buddypress by @imath.
2 years ago

#4

  • Keywords has-patch added

This PR simply & softly deprecates the bp-moment JS dependency. That being said, as bp-moment is only used by bp-livestamp to live update human dates/time diffs on the website, we could simply remove this dependency and save ~ 740 KB (see https://github.com/buddypress/buddypress/tree/master/src/bp-core/js/vendor/moment-js). The consequence would be that people using a WordPress version < 5.0 (a very limited population, see https://wordpress.org/about/stats/) would not enjoy this live updating feature anymore.

Trac ticket: https://buddypress.trac.wordpress.org/ticket/8766
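As an added illustration (not the BuddyPress patch itself, nor code from the project), here is the shape of such a soft deprecation: hand the dependency over to WordPress core's `moment` script handle when core registers it (it has since 5.0), keep `bp-moment` resolvable as an alias so third-party code does not break, and fall back to a bundled copy only on older installs. The handles `bp-moment` and `bp-livestamp` come from the ticket; the function name, file paths and version strings are assumed placeholders.

```php
<?php
/**
 * Register bp-livestamp so it uses WordPress core's moment.js when available.
 * Added illustration, not BuddyPress code; paths and versions are placeholders.
 */
function example_bp_register_moment_scripts() {
    // WordPress 5.0+ registers the 'moment' handle itself (v2.29.4 per the ticket).
    // Core scripts are registered before 'wp_enqueue_scripts' fires, so this check is safe here.
    $core_has_moment = wp_script_is( 'moment', 'registered' );

    if ( $core_has_moment ) {
        // Keep the legacy handle, but as an alias of core's copy (src = false means
        // "no file of its own, just resolve to the dependencies"). Only one, fresher
        // moment.js is ever loaded, and the stale vendored file is never served.
        wp_register_script( 'bp-moment', false, array( 'moment' ), null, true );
        $livestamp_deps = array( 'jquery', 'moment' );
    } else {
        // Fallback for WordPress < 5.0: load the plugin's own vendored copy.
        wp_register_script(
            'bp-moment',
            plugins_url( 'js/vendor/moment-js/moment.min.js', __FILE__ ), // placeholder path
            array(),
            '2.29.4', // placeholder: version of the vendored file
            true
        );
        $livestamp_deps = array( 'jquery', 'bp-moment' );
    }

    // bp-livestamp is the only consumer of moment in the plugin (per the PR description).
    wp_register_script(
        'bp-livestamp',
        plugins_url( 'js/bp-livestamp.js', __FILE__ ), // placeholder path
        $livestamp_deps,
        '11.0.0', // placeholder
        true
    );
}
add_action( 'wp_enqueue_scripts', 'example_bp_register_moment_scripts' );
```

Once every supported WordPress version ships `moment`, the `else` branch and the vendored directory can be deleted outright, which is the removal step discussed for 12.0.0.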

#5 @imath
2 years ago

  • Keywords 2nd-opinion added

@dcavins what's your opinion about this ^^. Should we simply deprecate and remove in 12.0.0, or can we completely remove this dependency right away?

Last edited 2 years ago by imath

#6 @dcavins
2 years ago

Let's deprecate and remove in 12, as we normally would. The issues with the old moment.js don't seem worthy of creating an emergency. :)

I'm 100% in favor of letting WP provide the moment library though, as it, like at.js, is no longer actively maintained and will require manual care.

Thanks for the good-looking patch! I'll try it today.

This ticket was mentioned in Slack in #buddypress by imath.
2 years ago

#8 @imath
2 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 13373:

Deprecate bp-moment JS dependency in favor of WP's moment one

Doing so is taking care of using a fresher version of moment.js (v2.29.4).

Props thomaslhotta, dcavins

Closes https://github.com/buddypress/buddypress/pull/39
Fixes #8766
