Parsing of localized month names in moment.js involves a regex that has no length limit and does some amount of backtracking. See moment/moment#4163. MediaWiki core is also affected.
From the upstream report:
The slowdown is moderately low: for 50.000 characters around 2 seconds matching time.
so not too much of a deal (at worst a maliciously crafted wiki page can lock up browsers for a few seconds) - it only came up because some of our node.js services are using moment and the node dependency security checks are breaking the build. Nevertheless, no reason not to fix it in the frontend as well, once upstream has a patch.
Side note: there are various vulnerability trackers for JS dependencies (even Github itself sends warnigns these days), but we don't formally track the stuff in resources/lib as dependencies so we don't get them. Should that be improved?