Enhancement
Major
Detail
Bugfix
Detail
Currently, the Javascript library ChartJS is used in version 2.9.4.
ChartJS has moment.js as a dependency and thus introduces a security vulnerability:
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
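The advisory's fallback mitigation (limit the length of date strings accepted from user input) as an added example; this is not code from the ticket, from TopLogic, from ChartJS or from moment. MAX_DATE_LENGTH, ISO_DATE_RE and the injected parser are our own choices; the parser is injected so the example runs without moment installed. With moment you would inject moment's strict three-argument form, which parses against a fixed format and never falls back to the rfc2822 path.

```javascript
// Added example (not the ticket's or the project's code): bound the length of
// any user-provided date string, and pin its format, before a date parser sees it.
// Assumptions: MAX_DATE_LENGTH and ISO_DATE_RE are our own choices; the parser is
// injected. With moment installed you would pass
//   (s) => moment(s, 'YYYY-MM-DD', true)   // strict mode, no rfc2822 fallback
// instead of the built-in Date constructor used here.

// Far above any legitimate date string, far below the 10k+ characters the advisory names.
const MAX_DATE_LENGTH = 64;

// Constructed ISO-8601 date / date-time pattern: anchored, no nested quantifiers,
// so the regex itself cannot be driven into backtracking.
const ISO_DATE_RE =
  /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}(?::\d{2}(?:\.\d{1,3})?)?(?:Z|[+-]\d{2}:\d{2})?)?$/;

// Default parser, used only so the example runs stand-alone.
function defaultParse(s) {
  return new Date(s);
}

// Returns { ok: true, date } or { ok: false, reason }.
// The length check runs first, so oversized input is rejected in O(1)
// before either the regex or the parser touches it.
function parseUserDate(input, parse = defaultParse) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > MAX_DATE_LENGTH) return { ok: false, reason: 'too-long' };
  if (!ISO_DATE_RE.test(input)) return { ok: false, reason: 'bad-format' };
  const date = parse(input);
  if (!(date instanceof Date) || Number.isNaN(date.getTime())) {
    return { ok: false, reason: 'invalid' };
  }
  return { ok: true, date };
}

// Constructed inputs: a legitimate value, an rfc2822-style value (rejected by
// format, so it never reaches the rfc2822 parser) and an oversized value shaped
// like the advisory's worst case (well over 10k characters).
const SAMPLE_INPUTS = {
  good: '2024-05-17T10:30:00Z',
  rfc2822: 'Tue, 17 May 2024 10:30:00 +0000',
  oversized: '2024-05-17' + ' '.repeat(20000),
};

// Summarises the verdict for each sample input: 'accepted' or the rejection reason.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLE_INPUTS).map(([name, value]) => {
      const result = parseUserDate(value);
      return [name, result.ok ? 'accepted' : result.reason];
    })
  );
}

console.log(demo());
```

The order of the checks is the point: a length bound costs nothing and removes the whole class of over-long inputs, and the strict format means the parser is only ever asked to handle strings that look like the one shape the application actually expects.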
Migration
Due to the upgrade of the library from major version 2 to 3, the diagram configuration has changed slightly.
Attention: Charts configured in the application must be adjusted according to the migration guide of chart.js. Details can be found here.
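An added example of what "the diagram configuration has changed slightly" means in practice; this is not code from the ticket, from TopLogic or from Chart.js. It mechanically applies a subset of the option moves documented in the Chart.js v2 to v3 migration guide to a constructed v2 options object: the scales.xAxes / scales.yAxes arrays become scale objects keyed by id, scaleLabel becomes title (labelString becomes text), ticks.beginAtZero moves to the scale root, and title / legend / tooltips move under plugins (tooltips is renamed tooltip). Anything it does not know about is copied through unchanged, and the 'x' / 'y' ids assigned to unnamed axes are an assumption.

```javascript
// Added example (not the ticket's or Chart.js's code): migrate the subset of a
// Chart.js 2 options object that the v3 migration guide moves or renames.
// Assumptions: unnamed axes receive the ids 'x' / 'y' (extra unnamed axes get
// 'x1', 'y1', ...); keys not listed here are copied through unchanged.

// Convert one v2 axis object to a [scaleId, v3Scale] pair.
function migrateAxis(axis, index, defaultId) {
  const { id, scaleLabel, ticks, ...rest } = axis;
  const key = id || (index === 0 ? defaultId : `${defaultId}${index}`);
  const scale = { ...rest };
  if (scaleLabel) {
    // scaleLabel -> title, scaleLabel.labelString -> title.text
    const { labelString, ...labelRest } = scaleLabel;
    scale.title = { ...labelRest };
    if (labelString !== undefined) scale.title.text = labelString;
  }
  if (ticks) {
    // ticks.beginAtZero -> beginAtZero on the scale itself; other tick options stay
    const { beginAtZero, ...ticksRest } = ticks;
    if (beginAtZero !== undefined) scale.beginAtZero = beginAtZero;
    scale.ticks = ticksRest;
  }
  return [key, scale];
}

// Convert a v2 options object to its v3 shape.
function migrateChartOptionsV2ToV3(v2) {
  const { scales, title, legend, tooltips, plugins, ...rest } = v2;
  const v3 = { ...rest, plugins: { ...(plugins || {}) } };
  if (title) v3.plugins.title = title;       // options.title    -> options.plugins.title
  if (legend) v3.plugins.legend = legend;    // options.legend   -> options.plugins.legend
  if (tooltips) v3.plugins.tooltip = tooltips; // options.tooltips -> options.plugins.tooltip
  if (scales) {
    const out = {};
    (scales.xAxes || []).forEach((axis, i) => {
      const [key, scale] = migrateAxis(axis, i, 'x');
      out[key] = scale;
    });
    (scales.yAxes || []).forEach((axis, i) => {
      const [key, scale] = migrateAxis(axis, i, 'y');
      out[key] = scale;
    });
    v3.scales = out;
  }
  return v3;
}

// Constructed v2 options, the kind of object a chart in the application might carry.
const SAMPLE_V2_OPTIONS = {
  responsive: true,
  title: { display: true, text: 'Demo data' },
  legend: { position: 'bottom' },
  tooltips: { mode: 'index', intersect: false },
  scales: {
    xAxes: [{ scaleLabel: { display: true, labelString: 'Day' } }],
    yAxes: [{ id: 'count', ticks: { beginAtZero: true, stepSize: 10 } }],
  },
};

const MIGRATED_V3_OPTIONS = migrateChartOptionsV2ToV3(SAMPLE_V2_OPTIONS);

console.log(JSON.stringify(MIGRATED_V3_OPTIONS, null, 2));
```

A helper like this is useful for finding the charts that still need attention: run it over each configured chart's options and diff the result against the original, and any chart whose output differs from its input still carries v2-only keys. The migration guide lists further renames beyond the ones handled here, so treat the helper as a checklist aid, not a complete converter.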
Test
- Start demo. Then, after generating demo data, check if the chart is displayed in the ChartJS tab.
- There should be no build error of the type com.top-logic:tl-parent-all.pkg:javascript/moment.js@2.24.0 in the build task CheckDependencies.