fix(deps): update dependency luxon to v1.28.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
luxon	1.26.0 → 1.28.1

GitHub Vulnerability Alerts

CVE-2023-22467

Impact

Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.

This is the same bug as Moment's GHSA-wc69-rhjr-hc9g

Workarounds

Limit the length of the input.

References

There is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973

Details

DateTime.fromRFC2822("(".repeat(500000)) takes a couple minutes to complete.

---

Release Notes

moment/luxon (luxon)

v1.28.1

Compare Source

v1.28.0

Compare Source

• Fix ISO parsing for offset specifiers in Year-Ordinal formats

v1.27.0

Compare Source

• Fix GMT zone parsing for older versions of Node
• Support multiple units in toRelative
• Various documentation updates

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed in 0s 715ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ Error [ERR_STREAM_PREMATURE_CLOSE]: luxon@npm:1.28.1: Premature close
    at PassThrough.onclose (node:internal/streams/end-of-stream:154:30)
    at PassThrough.emit (node:events:518:28)
    at emitCloseNT (node:internal/streams/destroy:147:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:81:21)
➤ YN0013: │ 783 packages were already cached, one had to be fetched
➤ YN0000: └ Completed in 1s 656ms
➤ YN0000: Failed with errors in 2s 375ms

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed in 0s 386ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ Error [ERR_STREAM_PREMATURE_CLOSE]: luxon@npm:1.28.1: Premature close
    at PassThrough.onclose (node:internal/streams/end-of-stream:166:30)
    at PassThrough.emit (node:events:508:28)
    at emitCloseNT (node:internal/streams/destroy:148:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:89:21)
➤ YN0013: │ 783 packages were already cached, one had to be fetched
➤ YN0000: └ Completed in 0s 952ms
➤ YN0000: Failed with errors in 1s 343ms