[Security] Bump luxon from 1.28.0 to 1.28.1

Dependabot requested to merge dependabot-npm_and_yarn-luxon-1.28.1 into master

Bumps luxon from 1.28.0 to 1.28.1. This update includes a security fix.

Vulnerabilities fixed

Luxon Inefficient Regular Expression Complexity vulnerability

Impact

Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.

This is the same bug as Moment's https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g

Workarounds

Limit the length of the input.

References

There is an excellent writeup of the same issue in Moment: moment/moment#6015

Details

`DateTime.fromRFC2822("(".repeat(500000))` takes a couple of minutes to complete.

Patched versions: 1.28.1
Affected versions: >= 1.0.0, < 1.28.1
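The advisory's only workaround is to bound the length of the input before it reaches the parser. The following is an added example (not luxon's code and not part of this merge request) of that guard as a wrapper around any RFC 2822 parser. With luxon installed you would pass `(s) => DateTime.fromRFC2822(s)` as `parseFn`; so that the file runs offline, a constructed stand-in parser based on the built-in `Date` is used instead. The 256-character cap is an assumption chosen here, not a value from the advisory; a legitimate RFC 2822 date-time is far shorter.

```javascript
// Added example: length-bounded wrapper implementing the advisory's
// workaround ("limit the length of the input") in front of an RFC 2822 parser.
// Not luxon's code. With luxon available: makeBoundedRFC2822Parser(s => DateTime.fromRFC2822(s)).

// Assumed cap. "Tue, 01 Nov 2016 13:23:12 +0630" is 31 characters; even with an
// RFC 2822 comment attached, real inputs stay well below 256.
const MAX_RFC2822_LENGTH = 256;

// Constructed stand-in for DateTime.fromRFC2822 so the example runs without luxon.
// Returns a Date, or null when the string does not parse.
function standInRFC2822(s) {
  const d = new Date(s);
  return Number.isNaN(d.getTime()) ? null : d;
}

// Wraps `parseFn` so the expensive regex path is only ever reached by inputs
// whose length is bounded. Tracks how often the parser was bypassed, which is
// the signal you would want to log or alert on when untrusted callers hit the cap.
function makeBoundedRFC2822Parser(parseFn, maxLength = MAX_RFC2822_LENGTH) {
  let rejected = 0;
  let parsed = 0;

  function parseBounded(input) {
    if (typeof input !== 'string') {
      rejected += 1;
      return { ok: false, reason: 'not-a-string' };
    }
    // The length check runs in O(1) and happens BEFORE parseFn, so the quadratic
    // regex described in the advisory never sees an oversized string.
    if (input.length > maxLength) {
      rejected += 1;
      return { ok: false, reason: 'too-long', length: input.length };
    }
    parsed += 1;
    const value = parseFn(input);
    return value === null ? { ok: false, reason: 'unparseable' } : { ok: true, value };
  }

  parseBounded.stats = () => ({ rejected, parsed });
  return parseBounded;
}

// Worked run over constructed inputs: one ordinary RFC 2822 date, one garbage
// string of normal length, and the hostile input quoted in the advisory.
function demo() {
  const parse = makeBoundedRFC2822Parser(standInRFC2822);
  const good = parse('Tue, 01 Nov 2016 13:23:12 GMT');
  const garbage = parse('not a date at all');
  const hostile = parse('('.repeat(500000)); // the advisory's (Re)DoS payload
  return { good, garbage, hostile, stats: parse.stats() };
}

module.exports = { MAX_RFC2822_LENGTH, standInRFC2822, makeBoundedRFC2822Parser, demo };
```

The guard is defence in depth rather than a substitute for the bump: once this merge request lands, `npm ls luxon` should report 1.28.1, and the wrapper remains useful for any other parser that is handed untrusted date strings.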

Changelog

Sourced from luxon's changelog.

Changelog

3.2.0 (2022-12-29)

  • Allow timeZone to be specified as an intl option
  • Fix for diff's handling of end-of-month when crossing leap years (#1340)
  • Add Interval.toLocaleString() (#1320)

3.1.1 (2022-11-28)

  • Add Settings.twoDigitCutoffYear

3.1.0 (2022-10-31)

  • Add Duration.rescale

3.0.4 (2022-09-24)

  • Fix quarters in diffs (#1279)
  • Export package.json in package (#1239)

3.0.2 (2022-08-28)

  • Lots of doc changes
  • Added DateTime.expandFormat
  • Added support for custom conversion matrices in Durations

3.0.1 (2022-07-09)

  • Add DateTime.parseFormatForOpts

3.0.0 (2022-07-09)

  • Add "default" as an option for specifying a zone, and change "system" to really mean the system zone (breaking change)

2.5.0 (2022-07-09)

  • Support for ESM-style node imports
  • Fix Wednesday parsing for RFC 850 strings
  • Increase number of digits allowed in ISO durations

2.4.0 (2022-05-08)

  • Add support for parsing the ISO zone extension, like 2022-05-08T20:42:00.000-04:00[America/New_York]
  • Add an extendedZone option to toISO() and toISOTime
  • Improvements to DateTime.isInDST()
  • Fix for parsing in Vietnamese (and probably other languages)

2.3.2 (2022-04-17)

... (truncated)

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts