Original expression

/(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/

rvagg's fix

/^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?(?:\d*)?)?$/

There is essentially a duplicate 0 or more condition (* with a ?) at the end of this expression that can be optimised in the following two ways:

/^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?(?:\d+)?)?$/

/^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?(?:\d*))?$/

The last one can be simplified even more without loosing any functionality:

/^(\-)?(?:(\d*)[. ])?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?\d*)?$/

smarty pants

updated with @Starefossen's regex

what's that tool @Starefossen?

@rvagg Looks like Regexper

Either fix seems acceptable from a security perspective. Both remove the extreme blocking behavior and take upwards of around 2.5 million characters to take 1 second of cpu time. so 👍

Thank you @rvagg and @Starefossen

Thanks!

Staging for next release. @ichernev - Due to the security implications, it may make sense to release this separately as 2.11.2, unless you're ready to merge the other PRs I've marked for 2.12.0. Your call.

Since this seems to be breaking builds left and right (hurrah, popularity!) my vote is to release it ASAP as a patch version.

Merged in 52a807b

This is available now in 2.11.2. Thanks @ichernev for getting this out.

Thank you @rvagg and @Starefossen for working on this. @joeybaker thank you for reporting. Is there any way I can get my email for the moment security advisories?

@ichernev FWIW, you might try adding https://www.npmjs.com/package/nsp to the tests. It would then fail the build if moment or any of its deps had a security vulnerability.

@nlf, @daviddias, or @evilpacket might know more about an email list?