BuddyPress.org

#8766 closed task (fixed)

moment.js is outdated and has CVEs

Reported by: thomaslhotta
Owned by: imath
Milestone: 11.0.0
Priority: high
Severity: normal
Version: 10.6.0
Component: Core
Keywords: has-patch 2nd-opinion
Cc:

Description

Hi

BuddyPress uses moment.js 2.15.1, which is quite a few years old (2016) and has two CVEs (CVE-2017-18214, CVE-2022-24785). Both are node.js related, so I do not think this is a security issue. But it might be good to upgrade to at least 2.29.2 anyway, just to be safe.

Change History (8)

#1 @ imath
3 years ago

  • Milestone changed from Awaiting Review to 11.0.0
  • Owner set to imath
  • Status changed from new to assigned
  • Type changed from enhancement to task

I agree, thanks a lot for your ticket. I even think WordPress is now including moment.js, so we might be able to completely remove it! I'll look at it asap.

#2 @ imath
3 years ago

  • Priority changed from normal to high

I confirm WordPress uses v2.29.4 of moment.js. I don't think we've made custom changes to this library, I just need to check it was already bundled in version 5.4 of WordPress. If so we should use this one and stop including moment.js into the plugin.

#3
3 years ago

This ticket was mentioned in PR #39 on buddypress/buddypress by @imath.

#4
3 years ago

  • Keywords has-patch added

This PR simply & softly deprecates the bp-moment JS dependency. That being said, as bp-moment is only used by bp-livestamp to live update human dates/time diffs on the website, we could simply remove this dependency and save ~740 KB (see https://github.com/buddypress/buddypress/tree/master/src/bp-core/js/vendor/moment-js ). The consequence would be that people using a WordPress version < 5.0 (a very limited population, see https://wordpress.org/about/stats/ ) would not enjoy this live updating feature anymore.

Trac ticket: https://buddypress.trac.wordpress.org/ticket/8766
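The approach the PR comment above describes (keep a plugin handle, but let WordPress core supply moment.js, with the bundled copy only as a fallback for old installs) can be expressed with standard WordPress script-registration calls. The block below is an added example written for this page, not BuddyPress's own code or the PR's diff: the `example-` handle names, the `js/vendor/moment.min.js` and `js/livestamp.js` paths and the cutoff check are assumptions for illustration. Core registering a `moment` handle on WordPress >= 5.0 is taken from comment #4 above.

```php
<?php
/**
 * Added example (not BuddyPress code): depend on WordPress core's 'moment'
 * handle when it is registered, and only fall back to a plugin-bundled copy
 * on installs that predate it. Handle names, paths and the "example_"
 * prefix are assumptions made for this illustration.
 */

// Hypothetical location and version of the plugin's vendored copy. This is
// the outdated 2.15.1 build the ticket is about, so the fallback branch is
// the only place it can still be served from.
define( 'EXAMPLE_VENDOR_MOMENT_URL', plugins_url( 'js/vendor/moment.min.js', __FILE__ ) );
define( 'EXAMPLE_VENDOR_MOMENT_VERSION', '2.15.1' );

/**
 * Register the handle that the plugin's own scripts depend on.
 *
 * By the time 'wp_enqueue_scripts' fires, core's default scripts are
 * registered, so wp_script_is( 'moment', 'registered' ) tells us whether
 * this WordPress ships its own moment.js (5.0 and later per comment #4).
 */
function example_register_moment() {
	if ( wp_script_is( 'moment', 'registered' ) ) {
		// Alias handle with no source of its own: it resolves to core's
		// copy, so no second moment.js is loaded on the page.
		wp_register_script( 'example-moment', false, array( 'moment' ), null, true );
		return;
	}

	// Older WordPress: serve the bundled fallback, keeping its real version
	// string on the handle so an audit of enqueued scripts shows which copy
	// is actually in use.
	wp_register_script(
		'example-moment',
		EXAMPLE_VENDOR_MOMENT_URL,
		array(),
		EXAMPLE_VENDOR_MOMENT_VERSION,
		true
	);
}
add_action( 'wp_enqueue_scripts', 'example_register_moment', 5 );

/**
 * A consuming script (the live-updating timestamps mentioned in the thread)
 * declares the alias as a dependency and never references moment.js by path.
 */
function example_enqueue_livestamp() {
	wp_enqueue_script(
		'example-livestamp',
		plugins_url( 'js/livestamp.js', __FILE__ ),
		array( 'jquery', 'example-moment' ),
		'1.0.0',
		true
	);
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_livestamp' );
```

The check a practitioner wants after a change like this is which handle actually ends up in the page: on a WordPress >= 5.0 install the rendered `<script>` tag for moment.js should come from `wp-includes/js/dist/vendor/` with core's version string, and the plugin's `js/vendor/` path should not appear at all. If the plugin path still shows up, the fallback branch (and the old 2.15.1 copy) is being used, which is exactly the state the ticket set out to remove.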

#5 @ imath
3 years ago

  • Keywords 2nd-opinion added

@dcavins what's your opinion about this ^^. Should we simply deprecate and remove in 12.0.0, or can we completely remove this dependency right away?

Last edited 3 years ago by imath

#6 @ dcavins
3 years ago

Let's deprecate and remove in 12, as we normally would. The issues with the old moment.js don't seem worthy of creating an emergency. :)

I'm 100% in favor of letting WP provide the moment library though, as it, like at.js, is no longer actively maintained and will require manual care.

Thanks for the good-looking patch! I'll try it today.

#7
3 years ago

This ticket was mentioned in Slack in #buddypress by imath.
#8 @ imath
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 13373:

Deprecate bp-moment JS dependency in favor of WP's moment one

Doing so is taking care of using a fresher version of moment.js (v2.29.4).

Props thomaslhotta, dcavins

Closes https://github.com/buddypress/buddypress/pull/39
Fixes #8766
