New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency luxon to v1.28.1 [security] #107

Open

renovate wants to merge 1 commit into master from renovate/npm-luxon-vulnerability/VF-000

+3 −3

Contributor

renovate bot commented Jan 11, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
luxon	`1.21.3` -> `1.28.1`

GitHub Vulnerability Alerts

CVE-2023-22467

Impact

Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.

This is the same bug as Moment's GHSA-wc69-rhjr-hc9g

Workarounds

Limit the length of the input.

References

There is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973

Details

DateTime.fromRFC2822("(".repeat(500000)) takes a couple minutes to complete.

Release Notes

moment/luxon (luxon)

`v1.28.1`

`v1.28.0`

Fix ISO parsing for offset specifiers in Year-Ordinal formats

`v1.27.0`

Fix GMT zone parsing for older versions of Node
Support multiple units in toRelative
Various documentation updates

`v1.26.0`

Add fromISOTime, toISOTime and toMillis to Duration (#803)
Fix padding of negative years in IsoDate (#871)
Fix hasSame unit comparison (#798)
Export VERSION information (#794)
Durations are considered equal with extra zero units. Fixes #809 (#811)

`v1.25.0`

fix fromFormat with Intl formats containing non-breaking spaces
Support higher precision in ISO milliseconds
Some fixes for 00:30 timezones
Fix some throwOnInvalid for invalid Intervals
Various doc fixes
Fix Interval#isSame for empty intervals
Mark package as side effect-free
Add support for intervals with a large number of seconds

`v1.24.1`

Remove erroneous console.log call

`v1.24.0`

Update polyfills for pollyfilled build

`v1.23.0`

Allow minus sign prefix when creating Duration from ISO

`v1.22.2`

Added more details to error messages for type errors

`v1.22.0`

Fix setZone's handling of pre-1970 dates with millisecond components
Fix keepLocalTime for large jumps near the target zone's DST
Fix cache perf for toRelative()

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot added dependencies ready for review labels

renovate bot requested review from jonahsnider and trs

January 11, 2023 13:53

sonarcloud bot commented Jan 11, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

renovate bot force-pushed the renovate/npm-luxon-vulnerability/VF-000 branch from 548a473 to e8961be Compare

March 16, 2023 15:46

sonarcloud bot commented Mar 16, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

renovate bot force-pushed the renovate/npm-luxon-vulnerability/VF-000 branch from e8961be to 44b6fb6 Compare

June 19, 2023 17:37

sonarcloud bot commented Jun 19, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

renovate bot force-pushed the renovate/npm-luxon-vulnerability/VF-000 branch from 44b6fb6 to a4deba2 Compare

November 16, 2023 16:51

sonarcloud bot commented Nov 16, 2023

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

renovate bot force-pushed the renovate/npm-luxon-vulnerability/VF-000 branch from a4deba2 to cba73b5 Compare

February 5, 2024 12:04


          fix(deps): update dependency luxon to v1.28.1 [security]

bb4411e

renovate bot force-pushed the renovate/npm-luxon-vulnerability/VF-000 branch from cba73b5 to bb4411e Compare

February 5, 2024 18:47

sonarcloud bot commented Feb 5, 2024

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment