Moment is used in MediaViewer, the VisualEditor media upload dialog, in the OOUI calendar widget; not sure if there's anything else. (See also T146798: Replace Moment.js in core with something smaller (what?).)

the VisualEditor media upload dialog,

That's part of MediaWiki core, not VisualEditor: https://github.com/wikimedia/mediawiki/blob/master/resources/src/mediawiki/mediawiki.Upload.BookletLayout.js

in the OOUI calendar widget;

That's part of MediaWiki core, not OOUI: https://github.com/wikimedia/mediawiki/blob/master/resources/src/mediawiki.widgets/mw.widgets.DateInputWidget.js

not sure if there's anything else. (See also T146798: Replace Moment.js in core with something smaller (what?).)

Used by Notifications (ext.echo.ui dependency), StructuredDiscussions (ext.flow.templating dependency), ContentTranslation (ext.cx.translationlist dependency), and it looks like a bunch of other places, though possibly not exposed: https://github.com/search?l=JSON&q=moment+%40wikimedia&type=Code&utf8=%E2%9C%93

Side note: there are various vulnerability trackers for JS dependencies (even Github itself sends warnigns these days), but we don't formally track the stuff in resources/lib as dependencies so we don't get them. Should that be improved?

Yeah, good idea, let's spin that off to a new task.

A fix for the issue was released in moment v2.19.3.

We're on 2.15.0 in core....

Is there only a 2.19 point release to fix it?

There's a lot of changes between these https://github.com/moment/moment/compare/2.15.2...2.19.3 - I'm guessing this isn't a trivial version bump?

https://github.com/moment/moment/blob/develop/CHANGELOG.md suggests no obvious breaking changes, but some new features, various bugfixes and alike

2.19 has another bug that looks useful to fix

#4213 [critical] Rename dynamic require to avoid React Native crash

@Reedy I've been following the issue and haven't heard any plans to backport the fix to earlier minor versions. :/

https://gerrit.wikimedia.org/r/394103 has the upgrade. Looks clean enough to me.

https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb is the commit if we just wanted to backport it

We should probably backport to REL1_27, REL1_29 and the upcoming REL1_30 (even though we've just had an rc)

Shouldn't be too bad..

https://gerrit.wikimedia.org/r/#/c/310367/ is in 29 and 30... So just a cherry pick will do of the master commit, fix RELEASE-NOTES

For REL1_27.. We're on an even older 2.8.4 - https://github.com/wikimedia/mediawiki/blob/REL1_27/resources/lib/moment/moment.js

So we should just cherry pick https://gerrit.wikimedia.org/r/#/c/310367/ first, then do the newer bump ontop, and add release-notes

remote:   https://gerrit.wikimedia.org/r/394112 momentjs: Hack around bug in node/browser compat wrapper in locale files        
remote:   https://gerrit.wikimedia.org/r/394113 Override momentjs's digit transform logic with MW's        
remote:   https://gerrit.wikimedia.org/r/394114 Don't override all Moment locales to English        
remote:   https://gerrit.wikimedia.org/r/394115 resources: Bump moment.js from 2.8.4 to 2.15.0

Brings REL1_27 into line

Wait a week until the train's gone everywhere?

In T181547#3793922, @Jdforrester-WMF wrote:

Yeah, good idea, let's spin that off to a new task.

Filed T181690: Track external JS libraries in MediaWiki in a way that allows vulnerability detection.

In T181547#3798277, @Reedy wrote:

Make this public now?

In T181547#3798410, @Jdforrester-WMF wrote:

Wait a week until the train's gone everywhere?

That week is over now

Change 407694 had a related patch set uploaded (by Ejegg; owner: Jforrester):
[mediawiki/core@fundraising/REL1_27] resources: Bump moment.js from 2.15.0 to 2.19.3

https://gerrit.wikimedia.org/r/407694

Change 407694 merged by jenkins-bot:
[mediawiki/core@fundraising/REL1_27] resources: Bump moment.js from 2.15.0 to 2.19.3

https://gerrit.wikimedia.org/r/407694