chore: upgrade luxon (#3152)

* chore: upgrade luxon Mitigation for CVE-2023-22467 (see moment/moment#6015 (comment)) * chore: update `@types/luxon` and fix usage
votingworks · Mar 21, 2023 · f11f07b · f11f07b
1 parent 932351e
commit f11f07b
Show file tree

Hide file tree

Showing 12 changed files with 118 additions and 128 deletions.
diff --git a/apps/central-scan/backend/package.json b/apps/central-scan/backend/package.json
@@ -65,7 +65,7 @@
     "jest-diff": "^26.6.2",
     "js-sha256": "^0.9.0",
     "jszip": "^3.9.1",
-    "luxon": "^1.27.0",
+    "luxon": "^3.0.0",
     "memory-streams": "^0.1.3",
     "multer": "^1.4.2",
     "ora": "^5.2.0",
@@ -82,7 +82,7 @@
     "@types/express": "^4.17.14",
     "@types/fs-extra": "^9.0.6",
     "@types/jest": "^26.0.6",
-    "@types/luxon": "^1.26.5",
+    "@types/luxon": "^3.0.0",
     "@types/multer": "^1.4.7",
     "@types/node": "16.11.29",
     "@types/supertest": "^2.0.10",

diff --git a/apps/mark/frontend/package.json b/apps/mark/frontend/package.json
@@ -93,7 +93,7 @@
     "history": "^4.10.1",
     "http-proxy-middleware": "1.0.6",
     "lodash.camelcase": "^4.3.0",
-    "luxon": "^1.26.0",
+    "luxon": "^3.0.0",
     "mini-css-extract-plugin": "0.11.3",
     "mockdate": "^3.0.2",
     "normalize.css": "^8.0.1",
@@ -132,7 +132,7 @@
     "@types/debug": "^4.1.6",
     "@types/history": "^4.7.8",
     "@types/kiosk-browser": "workspace:*",
-    "@types/luxon": "^1.26.2",
+    "@types/luxon": "^3.0.0",
     "@types/react-gamepad": "^1.0.0",
     "@types/setimmediate": "^1.0.2",
     "@types/testing-library__jest-dom": "^5.14.3",

diff --git a/apps/scan/backend/package.json b/apps/scan/backend/package.json
@@ -63,7 +63,7 @@
     "got": "^11.8.2",
     "js-sha256": "^0.9.0",
     "jszip": "^3.9.1",
-    "luxon": "^1.27.0",
+    "luxon": "^3.0.0",
     "memory-streams": "^0.1.3",
     "rxjs": "^7.5.5",
     "tmp": "^0.2.1",
@@ -79,7 +79,7 @@
     "@types/express": "^4.17.13",
     "@types/fs-extra": "^9.0.6",
     "@types/jest": "^26.0.6",
-    "@types/luxon": "^1.26.5",
+    "@types/luxon": "^3.0.0",
     "@types/multer": "^1.4.7",
     "@types/node": "16.11.29",
     "@types/supertest": "^2.0.10",

diff --git a/libs/ballot-interpreter-nh/package.json b/libs/ballot-interpreter-nh/package.json
@@ -33,7 +33,7 @@
     "he": "^1.2.0",
     "js-sha256": "^0.9.0",
     "jsdom": "^20.0.1",
-    "luxon": "^2.3.0",
+    "luxon": "^3.0.0",
     "tmp": "^0.2.1",
     "zod": "3.14.4"
   },
@@ -43,7 +43,7 @@
     "@types/he": "^1.1.2",
     "@types/jest": "^27.4.0",
     "@types/jsdom": "^20.0.0",
-    "@types/luxon": "^2.0.9",
+    "@types/luxon": "^3.0.0",
     "@types/tmp": "^0.2.3",
     "@typescript-eslint/eslint-plugin": "^5.37.0",
     "@typescript-eslint/parser": "^5.37.0",

diff --git a/libs/test-utils/package.json b/libs/test-utils/package.json
@@ -43,13 +43,13 @@
     "fast-check": "^2.18.0",
     "jest-diff": "^27.3.1",
     "js-sha256": "^0.9.0",
-    "luxon": "1.26.0",
+    "luxon": "^3.0.0",
     "zip-stream": "^4.1.0"
   },
   "devDependencies": {
     "@types/jest": "^27.0.3",
     "@types/kiosk-browser": "workspace:*",
-    "@types/luxon": "^1.26.5",
+    "@types/luxon": "^3.0.0",
     "@types/react": "17.0.39",
     "@types/zip-stream": "workspace:*",
     "@typescript-eslint/eslint-plugin": "^5.37.0",

diff --git a/libs/test-utils/src/arbitraries.ts b/libs/test-utils/src/arbitraries.ts
@@ -178,7 +178,7 @@ export function arbitraryDateTime({
     })
     .map((parts) => {
       try {
-        const result = DateTime.fromObject({ ...parts, zone: zoneName });
+        const result = DateTime.fromObject(parts, { zone: zoneName });
         if (
           result.year === parts.year &&
           result.month === parts.month &&

diff --git a/libs/types/package.json b/libs/types/package.json
@@ -40,14 +40,14 @@
     "@antongolub/iso8601": "^1.2.1",
     "@votingworks/basics": "workspace:*",
     "js-sha256": "^0.9.0",
-    "luxon": "^2.4.0",
+    "luxon": "^3.0.0",
     "util": "^0.12.4",
     "zod": "3.14.4"
   },
   "devDependencies": {
     "@types/jest": "^27.0.3",
     "@types/kiosk-browser": "workspace:*",
-    "@types/luxon": "^2.3.2",
+    "@types/luxon": "^3.0.0",
     "@types/node": "16.11.29",
     "@types/react": "17.0.39",
     "@typescript-eslint/eslint-plugin": "^5.37.0",

diff --git a/libs/ui/package.json b/libs/ui/package.json
@@ -54,7 +54,7 @@
     "debug": "^4.3.2",
     "deep-eql": "^4.0.0",
     "dompurify": "^2.0.12",
-    "luxon": "1.26.0",
+    "luxon": "^3.0.0",
     "normalize.css": "^8.0.1",
     "pluralize": "^8.0.0",
     "polished": "^4.2.2",
@@ -80,7 +80,7 @@
     "@types/history": "4",
     "@types/jest": "^27.0.3",
     "@types/kiosk-browser": "workspace:*",
-    "@types/luxon": "^1.26.5",
+    "@types/luxon": "^3.0.0",
     "@types/node": "16.11.29",
     "@types/pluralize": "^0.0.29",
     "@types/react": "17.0.39",

diff --git a/libs/ui/src/set_clock.test.tsx b/libs/ui/src/set_clock.test.tsx
@@ -23,15 +23,17 @@ function getSelect(testId: string): HTMLSelectElement {
   return screen.getByTestId(testId);
 }
 
-const aDate = DateTime.fromObject({
-  year: 2021,
-  month: 3,
-  day: 31,
-  hour: 19,
-  minute: 34,
-  second: 56,
-  zone: 'America/Los_Angeles',
-});
+const aDate = DateTime.fromObject(
+  {
+    year: 2021,
+    month: 3,
+    day: 31,
+    hour: 19,
+    minute: 34,
+    second: 56,
+  },
+  { zone: 'America/Los_Angeles' }
+);
 
 describe('PickDateTimeModal', () => {
   test('shows pickers for the datetime parts of the given time', () => {
@@ -141,15 +143,17 @@ describe('PickDateTimeModal', () => {
     // Expect a changed timezone
     expect(onSave).toHaveBeenNthCalledWith(
       3,
-      DateTime.fromObject({
-        year: aDate.year,
-        month: aDate.month,
-        day: changedDay,
-        hour: aDate.hour,
-        minute: aDate.minute,
-        second: 0,
-        zone: 'America/Chicago',
-      })
+      DateTime.fromObject(
+        {
+          year: aDate.year,
+          month: aDate.month,
+          day: changedDay,
+          hour: aDate.hour,
+          minute: aDate.minute,
+          second: 0,
+        },
+        { zone: 'America/Chicago' }
+      )
     );
   });
 

diff --git a/libs/ui/src/set_clock.tsx b/libs/ui/src/set_clock.tsx
@@ -1,4 +1,4 @@
-import { DateTime } from 'luxon';
+import { DateTime, HourNumbers } from 'luxon';
 import React, { useCallback, useState } from 'react';
 
 import {
@@ -28,6 +28,15 @@ export interface PickDateAndTimeProps {
   value: DateTime;
 }
 
+function asHour(hour: number): HourNumbers {
+  /* istanbul ignore next */
+  if (hour < 0 || hour > 23) {
+    throw new Error(`Invalid hour: ${hour}`);
+  }
+
+  return hour as HourNumbers;
+}
+
 export function PickDateTimeModal({
   disabled = false,
   onCancel,
@@ -42,20 +51,20 @@ export function PickDateTimeModal({
     const { name, value: stringValue } = event.currentTarget;
     // eslint-disable-next-line vx/gts-safe-number-parse
     const partValue = parseInt(stringValue, 10);
-    let { hour } = newValue;
+    let hour = asHour(newValue.hour);
     if (name === 'hour') {
       if (systemMeridian === 'AM') {
-        hour = partValue % 12;
+        hour = asHour(partValue % 12);
       } else {
-        hour = (partValue % 12) + 12;
+        hour = asHour((partValue % 12) + 12);
       }
     }
     if (name === 'meridian') {
       if (stringValue === 'AM' && newValue.hour >= 12) {
-        hour = newValue.hour - 12;
+        hour = asHour(newValue.hour - 12);
       }
       if (stringValue === 'PM' && newValue.hour < 12) {
-        hour = newValue.hour + 12;
+        hour = asHour(newValue.hour + 12);
       }
     }
     const year = name === 'year' ? partValue : newValue.year;
@@ -64,28 +73,32 @@ export function PickDateTimeModal({
     const lastDayOfMonth = daysInMonth[daysInMonth.length - 1].day;
     const day = name === 'day' ? partValue : newValue.day;
     setNewValue(
-      DateTime.fromObject({
-        year,
-        month,
-        day: lastDayOfMonth && day > lastDayOfMonth ? lastDayOfMonth : day,
-        hour,
-        minute: name === 'minute' ? partValue : newValue.minute,
-        zone: newValue.zone,
-      })
+      DateTime.fromObject(
+        {
+          year,
+          month,
+          day: lastDayOfMonth && day > lastDayOfMonth ? lastDayOfMonth : day,
+          hour,
+          minute: name === 'minute' ? partValue : newValue.minute,
+        },
+        { zone: newValue.zone }
+      )
     );
   };
   const updateTimeZone: SelectChangeEventFunction = useCallback(
     (event) => {
       setNewValue(
-        DateTime.fromObject({
-          year: newValue.year,
-          month: newValue.month,
-          day: newValue.day,
-          hour: newValue.hour,
-          minute: newValue.minute,
-          second: newValue.second,
-          zone: event.currentTarget.value,
-        })
+        DateTime.fromObject(
+          {
+            year: newValue.year,
+            month: newValue.month,
+            day: newValue.day,
+            hour: newValue.hour,
+            minute: newValue.minute,
+            second: newValue.second,
+          },
+          { zone: event.currentTarget.value }
+        )
       );
     },
     [newValue, setNewValue]

diff --git a/libs/utils/package.json b/libs/utils/package.json
@@ -44,7 +44,7 @@
     "fetch-mock": "^9.11.0",
     "jest-fetch-mock": "^3.0.3",
     "jszip": "^3.9.1",
-    "luxon": "^1.27.0",
+    "luxon": "^3.0.0",
     "moment": "^2.29.1",
     "randombytes": "^2.1.0",
     "readline": "^1.3.0",
@@ -56,7 +56,7 @@
     "@types/fast-text-encoding": "^1.0.1",
     "@types/jest": "^27.0.3",
     "@types/kiosk-browser": "workspace:*",
-    "@types/luxon": "^1.26.5",
+    "@types/luxon": "^3.0.0",
     "@types/randombytes": "^2.0.0",
     "@types/yargs": "^17.0.12",
     "@typescript-eslint/eslint-plugin": "^5.37.0",