Conversation
please don't merge this one until #11037 is done. Because any code change to ledger will impact delivery time for it |
Codecov Report
@@ Coverage Diff @@
## master #11062 +/- ##
==========================================
- Coverage 56.25% 56.25% -0.01%
==========================================
Files 280 280
Lines 27516 27511 -5
Branches 4486 4486
==========================================
- Hits 15479 15475 -4
+ Misses 12037 12036 -1
|
blocked until 0.19.x is shipped |
- browser-laptop has PR to remove dependency: #11062 - bat-* libraries should stop using moment Auditors: @diracdeltas, @evq
- browser-laptop has PR to remove dependency: #11062 - bat-* libraries should stop using moment Auditors: @diracdeltas, @evq
- browser-laptop has PR to remove dependency: #11062 - bat-* libraries should stop using moment Auditors: @diracdeltas, @evq
@cezaraugusto a node security alert came up today: I skipped this for now, per comment by @diracdeltas: Would you be able to rebase this please? 😄 |
@@ -141,7 +141,7 @@ class EnabledContent extends ImmutableComponent { | |||
let l10nDataId = 'statusNextReconcileDate' | |||
|
|||
if (!nextReconcileDateRelative) { | |||
nextReconcileDateRelative = formattedDateFromTimestamp(moment().add(1, 'months'), 'MMMM Do') | |||
nextReconcileDateRelative = formattedDateFromTimestamp(addDays(1, 30), 'MMMM Do') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a change in logic, right? Since February only has 28 days for example. Can you use the add months method instead?
https://date-fns.org/v1.29.0/docs/addMonths
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments left- otherwise looks good 😄 (month issue, needs rebase)
Once those issues are addressed I can manually test and confirm by removing the NSP alert skip for https://nodesecurity.io/advisories/532 (to make sure browser-laptop
is clear)
b29c9b8
to
44ce177
Compare
@@ -176,7 +176,7 @@ class EnabledContent extends ImmutableComponent { | |||
let l10nDataId = 'statusNextReconcileDate' | |||
|
|||
if (!nextReconcileDateRelative) { | |||
nextReconcileDateRelative = formattedDateFromTimestamp(moment().add(1, 'months'), 'MMMM Do') | |||
nextReconcileDateRelative = formattedDateFromTimestamp(addMonths(Date.now(), 1), 'MMMM Do') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this now adds 1 month starting from the current date cc @bsclifton
rebased, ready for review again |
Test Plan: npm run test -- --grep="ledger export utilities test"
44ce177
to
f6aad45
Compare
@@ -995,7 +995,7 @@ const pageDataChanged = (state, viewData = {}, keepInfo = false) => { | |||
} | |||
|
|||
const backupKeys = (state, backupAction) => { | |||
const date = moment().format('L') | |||
const date = format(new Date(), 'MM/DD/YYYY') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of the world uses DD/MM/YYYY
format... does moment().format('L')
always return the date in MM/DD/YYYY
format? or does it respect the user's locale
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, the 'L' parameter forces month numeral/day of month/year.
ref: https://momentjs.com/docs/#/manipulating/local/ and search for "Localized formats".
@@ -91,7 +91,7 @@ let generateAndSaveRecoveryFile = function (recoveryFilePath, passphrase) { | |||
let recoveryFileContents = '' | |||
|
|||
if (typeof passphrase === 'string') { | |||
const date = moment().format('L') | |||
const date = format(new Date(), 'MM/DD/YYYY') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same concern as above- although, I know this is just a test 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes same as above answer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Concern raised in comment- but otherwise, looks great! I think with our new process, we'll want to do a security review. I'll create one real quick and link it 😄
Security review created here: |
@cezaraugusto security review completed by @flamsmark 😄 See my comments above (regarding the ordering of MM DD). If no changes are needed, we're ready for a merge 😄 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
++
Initially, the plan was to reduce bundle cost given
moment
is enormous and we only use 2-3 methods from there:What came to my attention regarding security was an issue created in
moment
's repo explaining that a given regular expression could be used to parse dates specified as strings being vulnerable to ReDoS. I first saw this in a Medium post from Node SecurityThis, in fact, didn't remove
moment
entirely as we still requireJoi
which has it as a dependency but may be a good starting point.Fix #11061
Test plan:
This affected bookmarks exporter and ledger.
The general test plan is that you can still export a bookmark (with the same file name as before) and ledger/contribution statement should have their times as usual.
Ledger panel and ledger export util tests should pass too.
npm run unittest
should cover./cc @evq @darkdh