diff -Nru node-moment-2.29.1+ds/debian/changelog node-moment-2.29.1+ds/debian/changelog
--- node-moment-2.29.1+ds/debian/changelog	2021-09-04 22:32:46.000000000 +0100
+++ node-moment-2.29.1+ds/debian/changelog	2022-08-04 09:27:56.000000000 +0100
@@ -1,3 +1,21 @@
+node-moment (2.29.1+ds-3ubuntu0.1~ppa5) jammy-security; urgency=medium
+
+  * SECURITY UPDATE: Path traversal (LP: #1982617)
+    - debian/patches/CVE-2022-24785.patch: Avoid loading path-looking locales
+      from filesystem.
+    - CVE-2022-24785
+  * SECURITY UPDATE: Denial of service via very long date string (LP: #1982617)
+    - debian/patches/CVE-2022-31129.patch: Make a regular expression more
+      efficient.
+    - CVE-2022-31129
+  * debian/changelog: Add build dependency on libjs-qunit.
+  * debian/source/lintian-overrides: Remove, because all overrides are unused
+    or mismatched.
+  * debian/tests/control: Add dependency on libjs-qunit.
+  * debian/tests/pkg-js/test: Do a complete test.
+
+ -- Luís Infante da Câmara <luis.infante.da.camara@tecnico.ulisboa.pt>  Thu, 04 Aug 2022 09:27:56 +0100
+
 node-moment (2.29.1+ds-3) unstable; urgency=medium
 
   * Fix d/watch.
diff -Nru node-moment-2.29.1+ds/debian/control node-moment-2.29.1+ds/debian/control
--- node-moment-2.29.1+ds/debian/control	2021-09-04 22:32:46.000000000 +0100
+++ node-moment-2.29.1+ds/debian/control	2022-08-04 07:58:52.000000000 +0100
@@ -2,11 +2,13 @@
 Section: javascript
 Priority: optional
 Testsuite: autopkgtest-pkg-nodejs
-Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
 Uploaders: Julien Puydt <jpuydt@debian.org>
 Build-Depends: debhelper-compat (= 13)
  , uglifyjs
  , dh-sequence-nodejs
+ , libjs-qunit
 Standards-Version: 4.6.0
 Homepage: https://github.com/moment/moment
 Vcs-Git: https://salsa.debian.org/js-team/node-moment.git
diff -Nru node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch
--- node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch	1970-01-01 01:00:00.000000000 +0100
+++ node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch	2022-07-23 15:33:25.000000000 +0100
@@ -0,0 +1,38 @@
+From 4211bfc8f15746be4019bba557e29a7ba83d54c5 Mon Sep 17 00:00:00 2001
+From: Iskren Chernev <me@iskren.info>
+Date: Sun, 27 Mar 2022 14:46:47 +0300
+Subject: [PATCH] [bugfix] Avoid loading path-looking locales from fs
+
+---
+ src/lib/locale/locales.js | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/locale/locales.js b/src/lib/locale/locales.js
+index 0d082327..b329b83b 100644
+--- a/src/lib/locale/locales.js
++++ b/src/lib/locale/locales.js
+@@ -62,6 +62,11 @@ function chooseLocale(names) {
+     return globalLocale;
+ }
+ 
++function isLocaleNameSane(name) {
++    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
++    return name.match('^[^/\\\\]*$') != null;
++}
++
+ function loadLocale(name) {
+     var oldLocale = null,
+         aliasedRequire;
+@@ -70,7 +75,8 @@ function loadLocale(name) {
+         locales[name] === undefined &&
+         typeof module !== 'undefined' &&
+         module &&
+-        module.exports
++        module.exports &&
++        isLocaleNameSane(name)
+     ) {
+         try {
+             oldLocale = globalLocale._abbr;
+-- 
+2.34.1
+
diff -Nru node-moment-2.29.1+ds/debian/patches/CVE-2022-31129.patch node-moment-2.29.1+ds/debian/patches/CVE-2022-31129.patch
--- node-moment-2.29.1+ds/debian/patches/CVE-2022-31129.patch	1970-01-01 01:00:00.000000000 +0100
+++ node-moment-2.29.1+ds/debian/patches/CVE-2022-31129.patch	2022-07-23 15:33:11.000000000 +0100
@@ -0,0 +1,30 @@
+From 9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 Mon Sep 17 00:00:00 2001
+From: "Khang Vo (doublevkay)" <45411113+vovikhangcdv@users.noreply.github.com>
+Date: Wed, 6 Jul 2022 22:28:25 +0700
+Subject: [PATCH] [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
+
+* fix ReDoS in preprocessRFC2822 regex
+
+Fixes: [#2936](https://github.com/moment/moment/issues/6012)
+
+Disallow nested rfc2822 comments to prevent quadratic regex execution time (i.e each open bracket is considered at most twice).
+---
+ src/lib/create/from-string.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/create/from-string.js b/src/lib/create/from-string.js
+index 5c4d11f7..58739b9d 100644
+--- a/src/lib/create/from-string.js
++++ b/src/lib/create/from-string.js
+@@ -151,7 +151,7 @@ function untruncateYear(yearStr) {
+ function preprocessRFC2822(s) {
+     // Remove comments and folding whitespace and replace multiple-spaces with a single space
+     return s
+-        .replace(/\([^)]*\)|[\n\t]/g, ' ')
++        .replace(/\([^()]*\)|[\n\t]/g, ' ')
+         .replace(/(\s\s+)/g, ' ')
+         .replace(/^\s\s*/, '')
+         .replace(/\s\s*$/, '');
+-- 
+2.34.1
+
diff -Nru node-moment-2.29.1+ds/debian/patches/series node-moment-2.29.1+ds/debian/patches/series
--- node-moment-2.29.1+ds/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ node-moment-2.29.1+ds/debian/patches/series	2022-07-23 15:37:09.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2022-24785.patch
+CVE-2022-31129.patch
diff -Nru node-moment-2.29.1+ds/debian/source/lintian-overrides node-moment-2.29.1+ds/debian/source/lintian-overrides
--- node-moment-2.29.1+ds/debian/source/lintian-overrides	2021-09-04 22:32:46.000000000 +0100
+++ node-moment-2.29.1+ds/debian/source/lintian-overrides	2022-08-03 23:17:51.000000000 +0100
@@ -1,4 +1,2 @@
 # long test line: ok
-node-moment source: source-is-missing src/test/locale/bo.js line length is * characters (>512)
-node-moment source: source-contains-prebuilt-javascript-object src/test/locale/bo.js line length is 602 characters (>512)
-node-moment source: very-long-line-length-in-source-file src/test/locale/bo.js line length is 606 characters (>512)
+# node-moment source: very-long-line-length-in-source-file src/test/locale/bo.js line length is 606 characters (>512)
diff -Nru node-moment-2.29.1+ds/debian/tests/control node-moment-2.29.1+ds/debian/tests/control
--- node-moment-2.29.1+ds/debian/tests/control	1970-01-01 01:00:00.000000000 +0100
+++ node-moment-2.29.1+ds/debian/tests/control	2022-08-03 23:21:02.000000000 +0100
@@ -0,0 +1,2 @@
+Tests: pkg-js/test
+Depends: node-moment, libjs-qunit
diff -Nru node-moment-2.29.1+ds/debian/tests/pkg-js/test node-moment-2.29.1+ds/debian/tests/pkg-js/test
--- node-moment-2.29.1+ds/debian/tests/pkg-js/test	2021-09-04 22:32:46.000000000 +0100
+++ node-moment-2.29.1+ds/debian/tests/pkg-js/test	2022-08-04 09:25:12.000000000 +0100
@@ -1,9 +1,16 @@
 #!/bin/sh
 set -e
 
-# Useless at build-time
 if [ -f package.json ]; then
-  exit 0
+  tests=min/tests.js
+  moment=./moment
+else
+  tests=/usr/share/nodejs/moment/min/tests.js
+  moment=moment
 fi
+sed -E '1ivar QUnit = require("/usr/share/javascript/qunit/qunit.js");' "$tests" > tests.js
+sed -Ei 's@\.\./\.\./moment@'$moment@ tests.js
+node tests.js
+rm tests.js
 
-nodejs -e "require('moment');"
+nodejs -e "require('$moment');"