@contrast/agent 4.15.0 → 4.16.1

package/README.md

@@ -108,4 +108,4 @@ api:
 | api.service_key | Contrast user account service key                                           |
 | api.url         | Address of the Contrast installation you would like your agent to report to |
 
-For detailed installation and configuration instructions, see the [Node.js Agent documentation](https://docs.contrastsecurity.com/installation-nodeconfig.html).
+For detailed installation and configuration instructions, see the [Node.js Agent documentation](https://docs.contrastsecurity.com/en/install-node-js.html).

package/lib/assess/sinks/dynamo.js

@@ -26,34 +26,38 @@ const disallowedTags = [
   'string-type-checked',
 ];
 const requiredTags = ['untrusted'];
-const moduleName = 'aws-sdk';
-const moduleNameV3 = '@aws-sdk/client-dynamodb';
-const relevantKeys = {
-  v2: ['ExpressionAttributeValues', 'ExclusiveStartKey', 'ScanFilter'],
-  v3: [
-    'ComparisonOperator',
-    'FilterExpression',
-    'ProjectionExpression',
-    'ScanFilter',
-  ],
-};
-const requests = new WeakSet();
 
-// map data types to methods for extracting
-// values
-const dataTypes = {
-  S: 'value',
-  N: 'value',
-  B: 'value',
-  SS: 'array',
-  NS: 'array',
-  BS: 'array',
-  M: 'object',
-  L: 'collection',
-  NULL: 'value',
-  BOOL: 'value',
+/*
+*  Schema of attributes the Node Agent is looking for user-controlled data
+*  The only exception to the rule so far is the ScanFilter in ScanCommand.
+*  It has nested schema too. So far we are only reporting a NoSQL Injection
+*  if ComparisonOperator within the ScanFilter is user-controlled.
+*  ScanFilter is handled individually in extractValues function
+* */
+const trackSchemaCommands = {
+  'scan': {
+    attributes: [
+      'ExpressionAttributeValues',
+      'ExclusiveStartKey',
+      'ScanFilter'
+    ]
+  },
+  'executeStatement': { attributes: ['Statement'] },
+  'ScanCommand': {
+    attributes: [
+      'ComparisonOperator',
+      'FilterExpression',
+      'ProjectionExpression',
+      'ScanFilter',
+    ]
+  },
+  'ExecuteStatementCommand': {
+    attributes: ['Statement']
+  }
 };
 
+const requests = new WeakSet();
+
 /**
  * Extracts all values from either a dynamo document client or client
  *
@@ -62,44 +66,25 @@ const dataTypes = {
  * @param {string} version DynamoDB SDK version
  * @return {Array} all string values from payload
  */
-function extractValues(payload = {}, mode = null, version = 'v2') {
+function extractValues(command, payload = {}) {
   return _.flatten(
-    relevantKeys[version].map((key) => {
-      if (payload[key] === undefined) return;
+    trackSchemaCommands[command].attributes.map((key) => {
+      if (payload[key] == undefined) return;
       if (typeof payload[key] === 'string') return payload[key];
+
+      // ScanFilter is an exception. It is almost safe for any nested attribute
+      if (key === 'ScanFilter') {
+        // collect the values from ComparisonOperator attributes ONLY
+        return getComparisonValues(payload[key]);
+      }
+
       const values = _.values(payload[key]);
-      const extractionMethod =
-        mode === 'client' ? findTypedValues.bind(this) : findValues.bind(this);
+      const extractionMethod = findValues.bind(this);
       return _.flattenDeep(extractionMethod(values));
     }),
   );
 }
 
-/**
- * Extracts all strings from a dynamo client payload
- * Note: Each key is typed so we need to properly extract keys based on AttributeValue types
- *
- * @param {Object} values for all keys in ExpressionAttributeValues, ExclusiveStartKey or ScanFilter
- * @return {Array} all values
- */
-function findTypedValues(values) {
-  return _.map(values, (value) => {
-    const [type] = Object.keys(value);
-    switch (dataTypes[type]) {
-      case 'value':
-        return value[type];
-      case 'array':
-        return _.values(value[type]);
-      case 'object': {
-        const values = _.values(value[type]);
-        return findTypedValues(values);
-      }
-      case 'collection':
-        return findTypedValues(value[type]);
-    }
-  });
-}
-
 /**
  * We only track strings. some data types
  * can contain strings as keys or values but
@@ -139,6 +124,27 @@ function findValues(values) {
   });
 }
 
+/**
+ * Check if key exists in ScanFilter bject and return the value if so
+ * Each element of ScanFilter is an object with predictable structure
+ * "Genre": {
+ *   "AttributeValueList":[ {"S":"Rock"} ],
+ *   "ComparisonOperator": "EQ"
+ * }
+ *
+ * @param {Object} values for all keys in a given payload
+ * @param {String} key name we are looking the value of
+ * @return {Any} if value is found for a given key
+ */
+const getComparisonValues = (obj) => Object.keys(obj).map(field => {
+  if (typeof obj[field] === 'object' && Object.prototype.hasOwnProperty.call(
+    obj[field],
+    'ComparisonOperator'
+  )) {
+    return obj[field].ComparisonOperator;
+  }
+});
+
 module.exports = ({ common }) => {
   const { isVulnerable, report } = common;
 
@@ -147,11 +153,11 @@ module.exports = ({ common }) => {
    * Registers the hooks for client and document client scan
    */
   dynamoSink.handle = function () {
-    moduleHook.resolve({ name: moduleName }, (aws) => {
+    moduleHook.resolve({ name: 'aws-sdk' }, (aws) => {
       const client = aws.DynamoDB.prototype;
 
       patcher.patch(client, 'makeRequest', {
-        name: `${moduleName}.DynamoDB.prototype`,
+        name: 'aws-sdk.DynamoDB.prototype',
         patchType: PATCH_TYPES.ASSESS_SINK,
         alwaysRun: true,
         post(data) {
@@ -163,7 +169,8 @@ module.exports = ({ common }) => {
           if (!AsyncStorage.getContext()) {
             return;
           }
-          if (data.args[0] === 'scan') {
+
+          if (Object.keys(trackSchemaCommands).includes(data.args[0]) && data.args[1]) {
             if (requests.has(data.args[1])) {
               return;
             }
@@ -176,10 +183,10 @@ module.exports = ({ common }) => {
               result: data.result,
             };
 
-            const values = extractValues(data.args[1], 'client', 'v2');
+            const values = extractValues(data.args[0], data.args[1]);
             dynamoSink.check({
               values,
-              methodName: 'DynamoDB.prototype.scan',
+              methodName: `DynamoDB.prototype.${data.args[0]}`,
               data: ctxtData,
             });
           }
@@ -198,7 +205,7 @@ module.exports = ({ common }) => {
           name: 'aws-sdk.DynamoDB.DocumentClient.prototype',
           patchType: PATCH_TYPES.ASSESS_SINK,
           pre(data) {
-            if (data.args[0] === 'scan') {
+            if (data.args[0] === 'scan' && data.args[1]) {
               requests.add(data.args[1]);
             }
           },
@@ -208,7 +215,7 @@ module.exports = ({ common }) => {
           name: 'aws-sdk.DynamoDB.DocumentClient.prototype',
           patchType: PATCH_TYPES.ASSESS_SINK,
           post(data) {
-            const values = extractValues(data.args[0], 'docClient', 'v2');
+            const values = extractValues('scan', data.args[0]);
             dynamoSink.check({
               values,
               methodName: 'DynamoDB.DocumentClient.prototype.scan',
@@ -219,27 +226,31 @@ module.exports = ({ common }) => {
       }
     });
 
-    moduleHook.resolve({ name: moduleNameV3 }, (aws) => {
+    moduleHook.resolve({ name: '@aws-sdk/client-dynamodb' }, (aws) => {
       const client = aws.DynamoDBClient.prototype;
 
       patcher.patch(client, 'send', {
-        name: `${moduleNameV3}.ScanCommand.prototype`,
+        name: '@aws-sdk/client-dynamodb.ScanCommand.prototype',
         patchType: PATCH_TYPES.ASSESS_SINK,
         alwaysRun: true,
         post(data) {
           if (!AsyncStorage.getContext()) return;
 
-          if (data.args[0] instanceof aws.ScanCommand) {
-            const values = extractValues(
-              data.args[0].input,
-              'docClient',
-              'v3',
-            ).filter(Boolean);
-            dynamoSink.check({
-              data,
-              values,
-              methodName: 'DynamoDBClient.ScanCommand',
-            });
+          if (data.args[0] && data.args[0].constructor && data.args[0].input) {
+            const sendCommand = data.args[0].constructor.name;
+
+            if (Object.keys(trackSchemaCommands).includes(sendCommand)) {
+              const values = extractValues(
+                sendCommand,
+                data.args[0].input
+              ).filter(Boolean);
+
+              dynamoSink.check({
+                data,
+                values,
+                methodName: `DynamoDBClient.${sendCommand}`,
+              });
+            }
           }
         },
       });
@@ -257,7 +268,7 @@ module.exports = ({ common }) => {
 
     if (vulnerableString.length) {
       const ctxt = new CallContext(data);
-      const signature = new Signature({ moduleName, methodName });
+      const signature = new Signature({ moduleName: 'aws-sdk', methodName });
       report({ ruleId, signature, input: vulnerableString[0], ctxt });
     }
   };

package/lib/libraries.js

@@ -124,7 +124,7 @@ const getLibInfo = async (agent, eluEnabled) =>
 
       if (!nodeModsPath) {
         logger.error(
-          `unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location`,
+          'unable to read installed dependencies because a node_modules directory could not be detected given a package.json located at %s - use the agent.node.app_root configuration variable if installed in non-standard location',
           agent.appInfo.path
         );
         return AppUpdate.libraries;

package/lib/protect/errors/handler-async-errors.js

@@ -57,7 +57,7 @@ module.exports.install = function() {
       handledErrors.add(error);
     } else {
       console.warn(
-        `An Unhandled Rejection has been caught by the Contrast Security node-agent instrumentation. Error: ${error}`,
+        'An Unhandled Rejection has been found in the instrumented code:\n%s', error
       );
     }
   }

package/lib/protect/service.js

@@ -198,7 +198,6 @@ class ProtectService {
     }
 
     const arg = {
-      rules,
       // header names must be lowercase. should this be done in agent-lib?
       headers: req.rawHeaders.map((h, ix) => (ix & 1 ? h : h.toLowerCase()))
     };
@@ -208,7 +207,7 @@ class ProtectService {
       arg.queries = req.url.slice(questionMark + 1);
     }
 
-    const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
+    const findings = this.agentLib.scoreRequestConnect(rules, arg, evalOptions);
 
     return findings;
   }
@@ -813,9 +812,9 @@ class ProtectService {
     // for each key, check out the value. the key is set in the code so
     // is not vulnerable.
     for (const key in params) {
-      // items from scoreAtom() are only [{ruleId, score}, ...] because the key
+      // items from scoreAtom() return only [{ruleId, score}, ...] because the key
       // and inputType are already known and there is no path.
-      const items = this.agentLib.scoreAtom(params[key], type, libRules);
+      const items = this.agentLib.scoreAtom(libRules, params[key], type);
       if (!items) {
         continue;
       }
@@ -865,7 +864,7 @@ class ProtectService {
     const filenames = Object.keys(event.data);
 
     for (const filename of filenames) {
-      const items = this.agentLib.scoreAtom(filename, type, libRules);
+      const items = this.agentLib.scoreAtom(libRules, filename, type);
       if (!items) {
         continue;
       }
@@ -899,12 +898,9 @@ class ProtectService {
         queries.unshift(...q); return queries;
       }, []);
 
-    const arg = {
-      rules: rulesMask,
-      queries,
-    };
+    const arg = { queries };
 
-    const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
+    const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
 
     this.handleAgentLibAnalysis({
       asyncStorageContext: event._ctxt,
@@ -920,8 +916,9 @@ class ProtectService {
       acc.unshift(key, value);
       return acc;
     }, []);
-    const arg = { rules: this.getRulesMask(rules), cookies };
-    const findings = this.agentLib.scoreRequestConnect(arg, evalOptions);
+    const rulesMask = this.getRulesMask(rules);
+    const arg = { cookies };
+    const findings = this.agentLib.scoreRequestConnect(rulesMask, arg, evalOptions);
     this.handleAgentLibAnalysis({
       asyncStorageContext: event._ctxt,
       appContext: {},
@@ -1136,7 +1133,7 @@ class ProtectService {
    * @param   {Rule[]} rules Rules from which to build findings
    * @returns {Object[]}     The findings from the rules
    */
-  createFindings(rules, samples) {
+  createFindings(rules = [], samples) {
     const findings = [];
     const speedracer = this.reporter.speedracer &&
       this.config.agent.node.speedracer_input_analysis;
@@ -1167,7 +1164,7 @@ class ProtectService {
     const { _type, _value: input } = finding.sample.input;
     const type = this.agentLib.InputType[_type];
 
-    const alFinding = this.agentLib.scoreAtom(input, type, agentLibBit);
+    const alFinding = this.agentLib.scoreAtom(agentLibBit, input, type);
     if (!alFinding) {
       return false;
     }

package/lib/reporter/models/app-update/library.js

@@ -13,9 +13,10 @@ Copyright: 2022 Contrast Security, Inc
   way not consistent with the End User License Agreement.
 */
 'use strict';
-const readdir = require('recursive-readdir');
 const LibraryManifest = require('./library-manifest');
 const logger = require('../../../core/logger')('contrast:libraries');
+const fs = require('fs');
+const pathModule = require('path');
 
 module.exports = class Library {
   /**
@@ -53,7 +54,7 @@ module.exports = class Library {
       manifest: this.manifest.toSerializable(),
       usedClassCount: 0,
       classCount: this.fileCount,
-      tags: this.tags
+      tags: this.tags,
     };
   }
 
@@ -88,15 +89,68 @@ module.exports = class Library {
     );
   }
 
+  readdir(path, callback) {
+    if (!callback) {
+      return new Promise((resolve, reject) => {
+        this.readdir(path, (err, data) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve(data);
+          }
+        });
+      });
+    }
+
+    let list = [];
+
+    fs.readdir(path, (err, files) => {
+      if (err) {
+        return callback(err);
+      }
+
+      let pending = files.length;
+      if (!pending) {
+        return callback(null, list);
+      }
+
+      files.forEach((file) => {
+        const filePath = pathModule.join(path, file);
+        fs.stat(filePath, (_err, stats) => {
+          if (_err) {
+            return callback(_err);
+          }
+
+          if (stats.isDirectory() && !filePath.endsWith('/node_modules')) {
+            this.readdir(filePath, (__err, res) => {
+              if (__err) {
+                return callback(__err);
+              }
+
+              list = list.concat(res);
+              pending -= 1;
+              if (!pending) {
+                return callback(null, list);
+              }
+            });
+          } else {
+            list.push(filePath);
+            pending -= 1;
+            if (!pending) {
+              return callback(null, list);
+            }
+          }
+        });
+      });
+    });
+  }
+
   /**
    * Counts all the valid files in a module directory
    */
   getComposition() {
     // ignore nested node_modules
-    return readdir(this._path, [
-      `${this._path}/node_modules/*`,
-      `${this._path}/*/node_modules/*`
-    ])
+    return this.readdir(this._path)
       .then((files) => {
         this.fileCount = files.filter((file) =>
           Library.applicableFile(file)

package/node_modules/moment/CHANGELOG.md

@@ -1,6 +1,12 @@
 Changelog
 =========
 
+### 2.29.2 [See full changelog](https://gist.github.com/ichernev/1904b564f6679d9aac1ae08ce13bc45c)
+
+* Release Apr 3 2022
+
+Address https://github.com/advisories/GHSA-8hfj-j24r-96c4
+
 ### 2.29.1 [See full changelog](https://gist.github.com/marwahaha/cc478ba01a1292ab4bd4e861d164d99b)
 
 * Release Oct 6, 2020

package/node_modules/moment/dist/locale/ar-kw.js

@@ -8,9 +8,10 @@ export default moment.defineLocale('ar-kw', {
     months: 'يناير_فبراير_مارس_أبريل_ماي_يونيو_يوليوز_غشت_شتنبر_أكتوبر_نونبر_دجنبر'.split(
         '_'
     ),
-    monthsShort: 'يناير_فبراير_مارس_أبريل_ماي_يونيو_يوليوز_غشت_شتنبر_أكتوبر_نونبر_دجنبر'.split(
-        '_'
-    ),
+    monthsShort:
+        'يناير_فبراير_مارس_أبريل_ماي_يونيو_يوليوز_غشت_شتنبر_أكتوبر_نونبر_دجنبر'.split(
+            '_'
+        ),
     weekdays: 'الأحد_الإتنين_الثلاثاء_الأربعاء_الخميس_الجمعة_السبت'.split('_'),
     weekdaysShort: 'احد_اتنين_ثلاثاء_اربعاء_خميس_جمعة_سبت'.split('_'),
     weekdaysMin: 'ح_ن_ث_ر_خ_ج_س'.split('_'),

package/node_modules/moment/dist/locale/ar-ly.js

@@ -1,5 +1,5 @@
 //! moment.js locale configuration
-//! locale : Arabic (Lybia) [ar-ly]
+//! locale : Arabic (Libya) [ar-ly]
 //! author : Ali Hmer: https://github.com/kikoanis
 
 import moment from '../moment';

package/node_modules/moment/dist/locale/ar-ma.js

@@ -9,9 +9,10 @@ export default moment.defineLocale('ar-ma', {
     months: 'يناير_فبراير_مارس_أبريل_ماي_يونيو_يوليوز_غشت_شتنبر_أكتوبر_نونبر_دجنبر'.split(
         '_'
     ),
-    monthsShort: 'يناير_فبراير_مارس_أبريل_ماي_يونيو_يوليوز_غشت_شتنبر_أكتوبر_نونبر_دجنبر'.split(
-        '_'
-    ),
+    monthsShort:
+        'يناير_فبراير_مارس_أبريل_ماي_يونيو_يوليوز_غشت_شتنبر_أكتوبر_نونبر_دجنبر'.split(
+            '_'
+        ),
     weekdays: 'الأحد_الإثنين_الثلاثاء_الأربعاء_الخميس_الجمعة_السبت'.split('_'),
     weekdaysShort: 'احد_اثنين_ثلاثاء_اربعاء_خميس_جمعة_سبت'.split('_'),
     weekdaysMin: 'ح_ن_ث_ر_خ_ج_س'.split('_'),

package/node_modules/moment/dist/locale/ar-sa.js

@@ -33,9 +33,10 @@ export default moment.defineLocale('ar-sa', {
     months: 'يناير_فبراير_مارس_أبريل_مايو_يونيو_يوليو_أغسطس_سبتمبر_أكتوبر_نوفمبر_ديسمبر'.split(
         '_'
     ),
-    monthsShort: 'يناير_فبراير_مارس_أبريل_مايو_يونيو_يوليو_أغسطس_سبتمبر_أكتوبر_نوفمبر_ديسمبر'.split(
-        '_'
-    ),
+    monthsShort:
+        'يناير_فبراير_مارس_أبريل_مايو_يونيو_يوليو_أغسطس_سبتمبر_أكتوبر_نوفمبر_ديسمبر'.split(
+            '_'
+        ),
     weekdays: 'الأحد_الإثنين_الثلاثاء_الأربعاء_الخميس_الجمعة_السبت'.split('_'),
     weekdaysShort: 'أحد_إثنين_ثلاثاء_أربعاء_خميس_جمعة_سبت'.split('_'),
     weekdaysMin: 'ح_ن_ث_ر_خ_ج_س'.split('_'),

package/node_modules/moment/dist/locale/ar-tn.js

@@ -8,9 +8,10 @@ export default moment.defineLocale('ar-tn', {
     months: 'جانفي_فيفري_مارس_أفريل_ماي_جوان_جويلية_أوت_سبتمبر_أكتوبر_نوفمبر_ديسمبر'.split(
         '_'
     ),
-    monthsShort: 'جانفي_فيفري_مارس_أفريل_ماي_جوان_جويلية_أوت_سبتمبر_أكتوبر_نوفمبر_ديسمبر'.split(
-        '_'
-    ),
+    monthsShort:
+        'جانفي_فيفري_مارس_أفريل_ماي_جوان_جويلية_أوت_سبتمبر_أكتوبر_نوفمبر_ديسمبر'.split(
+            '_'
+        ),
     weekdays: 'الأحد_الإثنين_الثلاثاء_الأربعاء_الخميس_الجمعة_السبت'.split('_'),
     weekdaysShort: 'أحد_إثنين_ثلاثاء_أربعاء_خميس_جمعة_سبت'.split('_'),
     weekdaysMin: 'ح_ن_ث_ر_خ_ج_س'.split('_'),

package/node_modules/moment/dist/locale/az.js

@@ -30,9 +30,10 @@ export default moment.defineLocale('az', {
         '_'
     ),
     monthsShort: 'yan_fev_mar_apr_may_iyn_iyl_avq_sen_okt_noy_dek'.split('_'),
-    weekdays: 'Bazar_Bazar ertəsi_Çərşənbə axşamı_Çərşənbə_Cümə axşamı_Cümə_Şənbə'.split(
-        '_'
-    ),
+    weekdays:
+        'Bazar_Bazar ertəsi_Çərşənbə axşamı_Çərşənbə_Cümə axşamı_Cümə_Şənbə'.split(
+            '_'
+        ),
     weekdaysShort: 'Baz_BzE_ÇAx_Çər_CAx_Cüm_Şən'.split('_'),
     weekdaysMin: 'Bz_BE_ÇA_Çə_CA_Cü_Şə'.split('_'),
     weekdaysParseExact: true,

package/node_modules/moment/dist/locale/be.js

@@ -37,20 +37,21 @@ export default moment.defineLocale('be', {
         format: 'студзеня_лютага_сакавіка_красавіка_траўня_чэрвеня_ліпеня_жніўня_верасня_кастрычніка_лістапада_снежня'.split(
             '_'
         ),
-        standalone: 'студзень_люты_сакавік_красавік_травень_чэрвень_ліпень_жнівень_верасень_кастрычнік_лістапад_снежань'.split(
-            '_'
-        ),
+        standalone:
+            'студзень_люты_сакавік_красавік_травень_чэрвень_ліпень_жнівень_верасень_кастрычнік_лістапад_снежань'.split(
+                '_'
+            ),
     },
-    monthsShort: 'студ_лют_сак_крас_трав_чэрв_ліп_жнів_вер_каст_ліст_снеж'.split(
-        '_'
-    ),
+    monthsShort:
+        'студ_лют_сак_крас_трав_чэрв_ліп_жнів_вер_каст_ліст_снеж'.split('_'),
     weekdays: {
         format: 'нядзелю_панядзелак_аўторак_сераду_чацвер_пятніцу_суботу'.split(
             '_'
         ),
-        standalone: 'нядзеля_панядзелак_аўторак_серада_чацвер_пятніца_субота'.split(
-            '_'
-        ),
+        standalone:
+            'нядзеля_панядзелак_аўторак_серада_чацвер_пятніца_субота'.split(
+                '_'
+            ),
         isFormat: /\[ ?[Ууў] ?(?:мінулую|наступную)? ?\] ?dddd/,
     },
     weekdaysShort: 'нд_пн_ат_ср_чц_пт_сб'.split('_'),

package/node_modules/moment/dist/locale/bn-bd.js

@@ -33,9 +33,10 @@ export default moment.defineLocale('bn-bd', {
     months: 'জানুয়ারি_ফেব্রুয়ারি_মার্চ_এপ্রিল_মে_জুন_জুলাই_আগস্ট_সেপ্টেম্বর_অক্টোবর_নভেম্বর_ডিসেম্বর'.split(
         '_'
     ),
-    monthsShort: 'জানু_ফেব্রু_মার্চ_এপ্রিল_মে_জুন_জুলাই_আগস্ট_সেপ্ট_অক্টো_নভে_ডিসে'.split(
-        '_'
-    ),
+    monthsShort:
+        'জানু_ফেব্রু_মার্চ_এপ্রিল_মে_জুন_জুলাই_আগস্ট_সেপ্ট_অক্টো_নভে_ডিসে'.split(
+            '_'
+        ),
     weekdays: 'রবিবার_সোমবার_মঙ্গলবার_বুধবার_বৃহস্পতিবার_শুক্রবার_শনিবার'.split(
         '_'
     ),

package/node_modules/moment/dist/locale/bn.js

@@ -33,9 +33,10 @@ export default moment.defineLocale('bn', {
     months: 'জানুয়ারি_ফেব্রুয়ারি_মার্চ_এপ্রিল_মে_জুন_জুলাই_আগস্ট_সেপ্টেম্বর_অক্টোবর_নভেম্বর_ডিসেম্বর'.split(
         '_'
     ),
-    monthsShort: 'জানু_ফেব্রু_মার্চ_এপ্রিল_মে_জুন_জুলাই_আগস্ট_সেপ্ট_অক্টো_নভে_ডিসে'.split(
-        '_'
-    ),
+    monthsShort:
+        'জানু_ফেব্রু_মার্চ_এপ্রিল_মে_জুন_জুলাই_আগস্ট_সেপ্ট_অক্টো_নভে_ডিসে'.split(
+            '_'
+        ),
     weekdays: 'রবিবার_সোমবার_মঙ্গলবার_বুধবার_বৃহস্পতিবার_শুক্রবার_শনিবার'.split(
         '_'
     ),

package/node_modules/moment/dist/locale/bo.js

@@ -33,14 +33,16 @@ export default moment.defineLocale('bo', {
     months: 'ཟླ་བ་དང་པོ_ཟླ་བ་གཉིས་པ_ཟླ་བ་གསུམ་པ_ཟླ་བ་བཞི་པ_ཟླ་བ་ལྔ་པ_ཟླ་བ་དྲུག་པ_ཟླ་བ་བདུན་པ_ཟླ་བ་བརྒྱད་པ_ཟླ་བ་དགུ་པ_ཟླ་བ་བཅུ་པ_ཟླ་བ་བཅུ་གཅིག་པ_ཟླ་བ་བཅུ་གཉིས་པ'.split(
         '_'
     ),
-    monthsShort: 'ཟླ་1_ཟླ་2_ཟླ་3_ཟླ་4_ཟླ་5_ཟླ་6_ཟླ་7_ཟླ་8_ཟླ་9_ཟླ་10_ཟླ་11_ཟླ་12'.split(
-        '_'
-    ),
+    monthsShort:
+        'ཟླ་1_ཟླ་2_ཟླ་3_ཟླ་4_ཟླ་5_ཟླ་6_ཟླ་7_ཟླ་8_ཟླ་9_ཟླ་10_ཟླ་11_ཟླ་12'.split(
+            '_'
+        ),
     monthsShortRegex: /^(ཟླ་\d{1,2})/,
     monthsParseExact: true,
-    weekdays: 'གཟའ་ཉི་མ་_གཟའ་ཟླ་བ་_གཟའ་མིག་དམར་_གཟའ་ལྷག་པ་_གཟའ་ཕུར་བུ_གཟའ་པ་སངས་_གཟའ་སྤེན་པ་'.split(
-        '_'
-    ),
+    weekdays:
+        'གཟའ་ཉི་མ་_གཟའ་ཟླ་བ་_གཟའ་མིག་དམར་_གཟའ་ལྷག་པ་_གཟའ་ཕུར་བུ_གཟའ་པ་སངས་_གཟའ་སྤེན་པ་'.split(
+            '_'
+        ),
     weekdaysShort: 'ཉི་མ་_ཟླ་བ་_མིག་དམར་_ལྷག་པ་_ཕུར་བུ_པ་སངས་_སྤེན་པ་'.split(
         '_'
     ),

package/node_modules/moment/dist/locale/br.js

@@ -62,9 +62,12 @@ var monthsParse = [
         /^du/i,
         /^ker/i,
     ],
-    monthsRegex = /^(genver|c[ʼ\']hwevrer|meurzh|ebrel|mae|mezheven|gouere|eost|gwengolo|here|du|kerzu|gen|c[ʼ\']hwe|meu|ebr|mae|eve|gou|eos|gwe|her|du|ker)/i,
-    monthsStrictRegex = /^(genver|c[ʼ\']hwevrer|meurzh|ebrel|mae|mezheven|gouere|eost|gwengolo|here|du|kerzu)/i,
-    monthsShortStrictRegex = /^(gen|c[ʼ\']hwe|meu|ebr|mae|eve|gou|eos|gwe|her|du|ker)/i,
+    monthsRegex =
+        /^(genver|c[ʼ\']hwevrer|meurzh|ebrel|mae|mezheven|gouere|eost|gwengolo|here|du|kerzu|gen|c[ʼ\']hwe|meu|ebr|mae|eve|gou|eos|gwe|her|du|ker)/i,
+    monthsStrictRegex =
+        /^(genver|c[ʼ\']hwevrer|meurzh|ebrel|mae|mezheven|gouere|eost|gwengolo|here|du|kerzu)/i,
+    monthsShortStrictRegex =
+        /^(gen|c[ʼ\']hwe|meu|ebr|mae|eve|gou|eos|gwe|her|du|ker)/i,
     fullWeekdaysParse = [
         /^sul/i,
         /^lun/i,