Change Details

Parsing of localized month names in moment.js involves a regex that has no length limit and does some amount of backtracking. See [[https://github.com/moment/moment/issues/4163|moment/moment#4163]]. From there: > The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. so not too much of a deal (at worst a maliciously crafted wiki page can lock up browsers for a few seconds) - it only came up because some of our node.js services are using moment and the node dependency security checks are breaking the build. Nevertheless, no reason not to fix it in the frontend as well, once upstream has a patch. Side note: there are various vulnerability trackers for JS dependencies (even Github itself sends warnigns these days), but we don't formally track the stuff in `resources/lib` as dependencies so we don't get them. Should that be improved?

Parsing of localized month names in moment.js involves a regex that has no length limit and does some amount of backtracking. See [[https://github.com/moment/moment/issues/4163|moment/moment#4163]]. MediaWiki core is [[https://github.com/wikimedia/mediawiki/blob/f13a0d952187d89e565c0551bd1bf147931ece38/resources/lib/moment/moment.js#L693|also affected]]. From the upstream tas: > The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. so not too much of a deal (at worst a maliciously crafted wiki page can lock up browsers for a few seconds) - it only came up because some of our node.js services are using moment and the node dependency security checks are breaking the build. Nevertheless, no reason not to fix it in the frontend as well, once upstream has a patch. Side note: there are various vulnerability trackers for JS dependencies (even Github itself sends warnigns these days), but we don't formally track the stuff in `resources/lib` as dependencies so we don't get them. Should that be improved?

Parsing of localized month names in moment.js involves a regex that has no length limit and does some amount of backtracking. See [[https://github.com/moment/moment/issues/4163|moment/moment#4163]]. From thereMediaWiki core is [[https://github.com/wikimedia/mediawiki/blob/f13a0d952187d89e565c0551bd1bf147931ece38/resources/lib/moment/moment.js#L693|also affected]]. From the upstream tas: > The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. so not too much of a deal (at worst a maliciously crafted wiki page can lock up browsers for a few seconds) - it only came up because some of our node.js services are using moment and the node dependency security checks are breaking the build. Nevertheless, no reason not to fix it in the frontend as well, once upstream has a patch. Side note: there are various vulnerability trackers for JS dependencies (even Github itself sends warnigns these days), but we don't formally track the stuff in `resources/lib` as dependencies so we don't get them. Should that be improved?