Bump luxon to ^3.2.0 [SECURITY] #8347

renovate · 2023-03-22T19:58:01Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
luxon	`3.2.0` -> `3.2.1`

GitHub Vulnerability Alerts

CVE-2023-22467

Impact

Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.

This is the same bug as Moment's GHSA-wc69-rhjr-hc9g

Workarounds

Limit the length of the input.

References

There is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973

Details

DateTime.fromRFC2822("(".repeat(500000)) takes a couple minutes to complete.

Release Notes

moment/luxon

`v3.2.1`

Compare Source

Fix for RFC-2822 regex vulnerability
Better handling of BCP tags with -x- extensions

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

mui-bot · 2023-04-04T20:37:25Z

Netlify deploy preview

Netlify deploy preview: https://deploy-preview-8347--material-ui-x.netlify.app/

Updated pages

No updates.

These are the results for the performance tests:

Test case	Unit	Min	Max	Median	Mean	σ
Filter 100k rows	ms	807	1,259.2	1,259.2	1,018.96	176.686
Sort 100k rows	ms	934.5	1,618.1	1,618.1	1,193.32	252.198
Select 100k rows	ms	225.3	390	310.1	312.42	54.029
Deselect 100k rows	ms	208.2	296.4	224.1	241.04	33.619

Generated by 🚫 dangerJS against af4b9ae

oliviertassinari · 2023-04-09T11:30:32Z

This fixes the same issue as in #8046. In moment, the CVE is GHSA-wc69-rhjr-hc9g, and the fix in moment/moment#6015.

With Luxon, the CVE is GHSA-3xq5-wjfh-ppjc and the fix is moment/luxon@5ab3bf6.

The trigger for me to work on it is https://mui.zendesk.com/agent/tickets/7917.

renovate bot added the dependencies Update of dependencies label Mar 22, 2023

renovate bot force-pushed the renovate/npm-luxon-vulnerability branch 2 times, most recently from f22637b to 1b41ce6 Compare April 4, 2023 20:29

oliviertassinari added the security Pull requests that address a security vulnerability label Apr 9, 2023

renovate bot and others added 2 commits April 9, 2023 13:21

Bump luxon to ^3.2.0 [SECURITY]

6d0f45b

update package.json too

af4b9ae

oliviertassinari force-pushed the renovate/npm-luxon-vulnerability branch from f3bf315 to af4b9ae Compare April 9, 2023 11:21

oliviertassinari approved these changes Apr 9, 2023

View reviewed changes

mui deleted a comment from renovate bot Apr 9, 2023

oliviertassinari enabled auto-merge (squash) April 9, 2023 11:31

oliviertassinari merged commit cedb5fe into master Apr 9, 2023
15 checks passed

oliviertassinari deleted the renovate/npm-luxon-vulnerability branch April 9, 2023 11:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump luxon to ^3.2.0 [SECURITY] #8347

Bump luxon to ^3.2.0 [SECURITY] #8347

renovate bot commented Mar 22, 2023

mui-bot commented Apr 4, 2023 •

edited

oliviertassinari commented Apr 9, 2023

Bump luxon to ^3.2.0 [SECURITY] #8347

Bump luxon to ^3.2.0 [SECURITY] #8347

Conversation

renovate bot commented Mar 22, 2023

GitHub Vulnerability Alerts

CVE-2023-22467

Impact

Workarounds

References

Details

Release Notes

v3.2.1

Configuration

mui-bot commented Apr 4, 2023 • edited

Netlify deploy preview

Updated pages

oliviertassinari commented Apr 9, 2023

`v3.2.1`

mui-bot commented Apr 4, 2023 •

edited