Moment.js vulnerabilities question

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch Dashboards 1.2.0

Describe the issue: Recently, I noticed that OpenSearch Dashboards 1.2.0 uses the library moment.js version 2.28.0, which has the following vulnerabilities:

Could you please tell me if the 4.2. version has an updated version of this library?
It seems these vulnerabilities are fixed in the moment.js 2.92.2 version.

Please let me know if you need anything else from my end to help me.

Thank you very much in advance.

As of this moment, the latest release of OpenSearch Dashboards 1.x is v1.3.7 and it uses Moment v2.29.4 (ref). The latest release of OpenSearch Dashboards is v2.4.1 which also uses Moment v2.29.4 (ref). According to the details of those CVEs, Moment v2.29.4 does not include either of those vulnerabilities.

A quicker way to find this information for yourself would be to check the source of OpenSearch Dashboards tagged for the releases on GitHub.

  1. Visit https://github.com/opensearch-project/OpenSearch-Dashboards/blob/2.4.1/yarn.lock, replacing 2.4.1 in the URL with any release version number you would like to check.
  2. Use Ctrl+F or Cmd+F to search for the name of the package you are interested in, followed by @; for example, to find the version of moment, search for moment@. The very next line would contain version "2.29.4" which is the info you are looking for.
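
The lookup in the steps above can also be scripted. This is an added example, not part of the original thread or of OpenSearch Dashboards. It assumes the yarn v1 lockfile format; the sample lockfile text is constructed, the function names are hypothetical, and 2.29.4 is the release the answer names as unaffected.

```javascript
// Added example: list every version one package resolves to in a yarn.lock (v1 format).
// The lockfile text below is constructed sample data, not copied from the repository.
const SAMPLE_LOCK = `# yarn lockfile v1

moment-timezone@^0.5.27:
  version "0.5.34"
  dependencies:
    moment ">= 2.9.0"

"moment@>= 2.9.0", moment@^2.24.0:
  version "2.29.4"

moment@2.28.0:
  version "2.28.0"
`;

// Returns the sorted, de-duplicated versions that `name` resolves to.
function resolvedVersions(lockText, name) {
  const versions = new Set();
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (line.length > 0 && !/^\s/.test(line) && !line.startsWith("#")) {
      // Entry header: comma-separated "name@range" specifiers ending in ":".
      const specs = line.replace(/:$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      // lastIndexOf keeps scoped names such as @types/node@^16 intact.
      inEntry = specs.some((s) => s.slice(0, s.lastIndexOf("@")) === name);
    } else if (inEntry) {
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m) versions.add(m[1]);
    }
  }
  return [...versions].sort(compareVersions);
}

// Numeric comparison of plain x.y.z versions (pre-release tags are not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Resolved versions older than `minimum`; an empty array means none were found.
function olderThan(lockText, name, minimum) {
  return resolvedVersions(lockText, name).filter((v) => compareVersions(v, minimum) < 0);
}
console.log(resolvedVersions(SAMPLE_LOCK, "moment"), olderThan(SAMPLE_LOCK, "moment", "2.29.4"));
```

A lockfile can carry more than one entry for the same package, so the script reports every resolved version rather than stopping at the first match, and it matches the exact package name so that moment-timezone is not counted as moment.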