Impact * if Alice uses "grunt data" (or "grunt release") to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website * and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved) Patches Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint. Workarounds Specify the exact version of tzdata (like "2014d", full command being "grunt data:2014d", then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.