Potential security vulnerability? #40
Comments
As we converted our own project to Vue, I did not touch this repo for a while. I am not sure if increasing the moment version might break anything. But if someone wants to try it out and create a PR, I'm happy to review it.
@dpoetzsch We use it with 2.24.0 with no problems. (The moment version in our own package.json overrides the one required by md-pickers), so right now, md-pickers just installs a version that is not used and throws this security notice in our case. I would appreciate it if you could merge #42.
Thanks for the input :)
Be careful, it means a breaking change for anyone that uses only md-pickers and not moment itself. If you have md-pickers in your package.json and not moment, right now it works perfectly. If you update md-pickers in this situation to a next version that would not require it, it will throw some moment not found error at runtime. So please consider respecting semver by releasing 1.2.0 with #42 merged and only release #41 on a next major release (2.0.0).
@kylekatarnls Good point. I will either find a way that keeps backwards compatibility or respect semver and make two releases. Thanks :)
Hi!
This error started popping up in my repository, warning me about a vulnerability in moment.
It recommends installing "2.19.3 or later", but the moment version declared is currently ~2.11.1, meaning all versions below 2.12.0.
Should we update moment to at least 2.19.3? thanks
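The range arithmetic behind this report, as an added example that is not code from md-pickers or from anyone in this thread: it checks whether a tilde range can ever resolve to the version the notice recommends. The function names are hypothetical, the inputs are constructed from the versions quoted above, and only full `~X.Y.Z` ranges and plain `X.Y.Z` versions are handled.

```javascript
// Added example. Constructed inputs: "~2.11.1", "2.19.3", "2.24.0" as quoted in the thread.
// Assumption: only "~X.Y.Z" ranges and plain "X.Y.Z" versions; not a general semver parser.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1, comparing major, then minor, then patch.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "~X.Y.Z" means >=X.Y.Z and <X.(Y+1).0
function tildeBounds(range) {
  if (!range.startsWith("~")) throw new Error(`unsupported range: ${range}`);
  const [major, minor, patch] = parseVersion(range.slice(1));
  return { min: [major, minor, patch], maxExclusive: [major, minor + 1, 0] };
}

// Does one concrete version fall inside the declared range?
function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, maxExclusive } = tildeBounds(range);
  return compare(v, min) >= 0 && compare(v, maxExclusive) < 0;
}

// True when the range admits at least one version >= the recommended minimum.
// Since min < maxExclusive always holds, this reduces to: recommended < maxExclusive.
function rangeCanReachFix(range, recommendedMin) {
  const { maxExclusive } = tildeBounds(range);
  return compare(parseVersion(recommendedMin), maxExclusive) < 0;
}

console.log(rangeCanReachFix("~2.11.1", "2.19.3")); // declared range vs. recommended minimum
console.log(satisfies("2.24.0", "~2.11.1"));        // the version used via the app's own package.json
```

A `false` from `rangeCanReachFix` means no reinstall or lockfile refresh can clear the notice; the declared range itself has to change, or the consuming application has to supply its own moment version as described in the comments above.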