Steps to reproduce
Two vulnerabilities are reported for moment.js 2.24.0, which ZK 9.6.2 includes.
Upgrade to 2.29.4 to eliminate those vulnerabilities.
if a user-provided locale string is directly used to switch moment locale.
ZK depends on moment.js to handle time zones, not to switch locales. When using ZK components, end users cannot enter a locale string into moment.js to switch locales. Hence, this vulnerability doesn't affect ZK.
Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks.
Hence, this vulnerability doesn't affect ZK.
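
For application code that does hand user input to moment.js, both conditions quoted above can be closed off before the library is called. The following is an added example, not ZK or moment.js code; the function names, the locale allowlist and the 200-character cap are assumptions, and the sample inputs are constructed.

```javascript
// Hypothetical guards for the two input paths described above.
// SUPPORTED_LOCALES and MAX_DATE_INPUT_LENGTH are assumed application settings.
const SUPPORTED_LOCALES = new Set(["en", "en-gb", "de", "fr", "zh-tw"]);
const MAX_DATE_INPUT_LENGTH = 200;

// Map a user-provided locale to a known-good name. The raw string is only
// compared against the allowlist and is never forwarded to the library.
function pickLocale(userValue, fallback = "en") {
  if (typeof userValue !== "string") return fallback;
  const normalized = userValue.trim().toLowerCase().replace(/_/g, "-");
  return SUPPORTED_LOCALES.has(normalized) ? normalized : fallback;
}

// Reject non-string or over-long input before any date parser sees it.
// `parse` is whatever parser the application uses, e.g. (s) => moment(s).
function parseUserDate(userValue, parse) {
  if (typeof userValue !== "string") {
    return { ok: false, reason: "not-a-string" };
  }
  if (userValue.length > MAX_DATE_INPUT_LENGTH) {
    return { ok: false, reason: "too-long" };
  }
  return { ok: true, value: parse(userValue) };
}

// Constructed sample inputs; Date stands in for the real parser so the
// example runs without moment.js installed.
function demo() {
  const standInParser = (s) => new Date(s).getTime();
  return {
    knownLocale: pickLocale("en_GB"),
    unknownLocale: pickLocale("../../x"),
    shortDate: parseUserDate("2022-07-06T00:00:00Z", standInParser),
    longDate: parseUserDate("1".repeat(50000), standInParser),
  };
}

console.log(demo());
```

The length check runs before the parser is invoked, so an over-long string never reaches the parsing code regardless of which moment.js version is bundled.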