replace momentjs with date-fns

[cezaraugusto]

Initially, the plan was to reduce bundle cost given moment is enormous and we only use 2-3 methods from there:

What came to my attention regarding security was an issue created in moment's repo explaining that a given regular expression could be used to parse dates specified as strings being vulnerable to ReDoS. I first saw this in a Medium post from Node Security

This, in fact, didn't remove moment entirely as we still require Joi which has it as a dependency but may be a good starting point.

Fix #11061

Test plan:

This affected bookmarks exporter and ledger.

The general test plan is that you can still export a bookmark (with the same file name as before) and ledger/contribution statement should have their times as usual.

Ledger panel and ledger export util tests should pass too. npm run unittest should cover.

/cc @evq @darkdh

[NejcZdovc]

please don't merge this one until #11037 is done. Because any code change to ledger will impact delivery time for it

[codecov-io]

Codecov Report

Merging #11062 into master will decrease coverage by <.01%.
The diff coverage is 76.92%.

@@            Coverage Diff             @@
##           master   #11062      +/-   ##
==========================================
- Coverage   56.25%   56.25%   -0.01%     
==========================================
  Files         280      280              
  Lines       27516    27511       -5     
  Branches     4486     4486              
==========================================
- Hits        15479    15475       -4     
+ Misses      12037    12036       -1

Flag	Coverage Δ
#unittest	56.25% <76.92%> (-0.01%)	⬇️

Impacted Files	Coverage Δ
...renderer/components/preferences/payment/history.js	34.17% <ø> (-3.18%)	⬇️
app/common/lib/ledgerExportUtil.js	95.72% <100%> (ø)	⬆️
...r/components/preferences/payment/enabledContent.js	75.23% <100%> (ø)	⬆️
app/browser/api/ledger.js	56.52% <50%> (ø)	⬆️
app/browser/bookmarksExporter.js	80.3% <50%> (ø)	⬆️
app/common/lib/ledgerUtil.js	97.57% <80%> (+0.47%)	⬆️

[cezaraugusto]

blocked until 0.19.x is shipped

[bsclifton]

@cezaraugusto a node security alert came up today:
https://nodesecurity.io/advisories/532

I skipped this for now, per comment by @diracdeltas:
master 4e6c056
0.21.x c65f142
0.20.x ffe955e
0.19.x 648ce3b

Would you be able to rebase this please? 😄

[bsclifton]

This is a change in logic, right? Since February only has 28 days for example. Can you use the add months method instead?
https://date-fns.org/v1.29.0/docs/addMonths

[cezaraugusto]

ok updated

[bsclifton]

Comments left- otherwise looks good 😄 (month issue, needs rebase)

Once those issues are addressed I can manually test and confirm by removing the NSP alert skip for https://nodesecurity.io/advisories/532 (to make sure browser-laptop is clear)

[cezaraugusto]

this now adds 1 month starting from the current date cc @bsclifton

[cezaraugusto]

rebased, ready for review again

[bsclifton]

Most of the world uses DD/MM/YYYY format... does moment().format('L') always return the date in MM/DD/YYYY format? or does it respect the user's locale

[cezaraugusto]

yes, the 'L' parameter forces month numeral/day of month/year.

ref: https://momentjs.com/docs/#/manipulating/local/ and search for "Localized formats".

[bsclifton]

same concern as above- although, I know this is just a test 😄

[cezaraugusto]

yes same as above answer

[bsclifton]

Concern raised in comment- but otherwise, looks great! I think with our new process, we'll want to do a security review. I'll create one real quick and link it 😄

[bsclifton]

Security review created here:
https://github.com/brave/internal/issues/202

[bsclifton]

@cezaraugusto security review completed by @flamsmark 😄 See my comments above (regarding the ordering of MM DD). If no changes are needed, we're ready for a merge 😄 👍

[bsclifton]

++