Remove dependency on moment.js

[wojtekmaj]

No description provided.

[wbt]

Thanks for the contribution; could you share some of the motivating rationale?
It appears that the moment.js data format is used in the datePattern option, though this is only and directly passed to the date_format option of file_stream_rotator's getStream function. Has that been updated to remove the dependency? If so, do we need to update documentation here which refers to moment.js?

[wojtekmaj]

I think we don't really need 4 MB of dependencies just to format one date as string.

moment creators themselves discourage using it, advising for, among others, date-fns and leveraging Intl.

file_stream_rotator is indeed using moment at the (nomen omen) moment, but I can see how, given the above, its creator(s) could drop it as well at some point.

[wbt]

At present, this is only a dev dependency so the weight should only affect those developing on and building winston-daily-rotate-file directly, which is a pretty minor difference for a pretty small set of folks, and actually a zero difference while the dependency is still using moment. Therefore, I'm not going to prioritize this for an in-depth review at present (on quick review, it looks good as it stands), but I will definitely leave the PR open, and any other maintainers who want to do a review are welcome to merge if desired.
Thanks for the contribution and for adding the explanation!

[kyle-zimmerman-manulife]

For what it's worth, moment.js@2.29.1 has a High severity CVE (CVE-2022-24785) that has been fixed in 2.29.2.

The dependency should be updated so that the CVE isn't introduced through winston-daily-rotate-file, but it shows that there might be some value in removing it as a dependency that increases the attack surface for relatively little value given it's only used once.