
Bump date-and-time from 2.4.3 to 4.3.0#2864

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/date-and-time-4.3.0

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 5, 2026

Bumps date-and-time from 2.4.3 to 4.3.0.

Release notes

Sourced from date-and-time's releases.

v4.3.0

What's Changed

  • Add IANA timezone string support to all date manipulation functions (addDays, addMonths, addYears, parse, format, etc.)
  • Fix timezone offset range and month boundary handling in isValid
  • Update documentation to reflect v4.3.0 API changes

Full Changelog: knowledgecode/date-and-time@v4.2.0...v4.3.0

v4.2.0

What's Changed

Major Changes

  • Consolidated timezone imports: Added a new date-and-time/timezone entry point allowing import of multiple timezones from a single module
  • IANA timezone name string support: The format() function now accepts IANA timezone name strings (e.g., 'Asia/Tokyo') in addition to TimeZone objects

Full Changelog: knowledgecode/date-and-time@v4.1.2...v4.2.0

v4.1.2

What's Changed

Full Changelog: knowledgecode/date-and-time@v4.1.1...v4.1.2

v4.1.1

What's Changed

Full Changelog: knowledgecode/date-and-time@v4.1.0...v4.1.1

v4.1.0

What's Changed

Full Changelog: knowledgecode/date-and-time@v4.0.5...v4.1.0

v4.0.5

... (truncated)

Commits
  • f25d677 Merge pull request #117 from knowledgecode/develop
  • d93ec05 Bump version to 4.3.0 and update dependencies
  • 1556efa Update documentation for v4.3.0 IANA timezone string support
  • d50f51f Add IANA timezone string support to all date manipulation functions
  • def8b55 Fix timezone offset range and month boundary in isValid
  • c54dc6e Merge pull request #116 from knowledgecode/develop
  • 7b1c703 Chore: Bump version to 4.2.0 and update dependencies
  • 0c79694 Docs: Update documentation for new timezone features
  • ea5c6d7 Test: Add tests for new timezone features
  • 69b896e Feat: Add consolidated timezone imports and IANA timezone name string support
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Medium Risk
This is a major-version dependency upgrade that may introduce breaking API/formatting changes and now requires Node >=18 per the updated package metadata.

Overview
Bumps the date-and-time dev dependency from 2.4.3 to 4.3.1 at the repo root and in packages/gui, and updates package-lock.json accordingly.

The lockfile now records date-and-time’s updated tarball/integrity and its node >=18 engine requirement.

Written by Cursor Bugbot for commit 52a1658. This will update automatically on new commits. Configure here.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 5, 2026 20:44
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code Changed Required label for PR that categorizes merge commit message as "Changed" for changelog labels Mar 5, 2026

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread packages/gui/package.json Outdated
"cross-env": "7.0.3",
"css-loader": "6.11.0",
"date-and-time": "2.4.3",
"date-and-time": "4.3.0",
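Review bot: this is a semver-major bump (2.4.3 to 4.3.0) pinned exactly in packages/gui/package.json, so the pin itself is fine; what needs confirming before merge is that the one consumer named in this thread, the Playwright spec that imports date-and-time and calls format, still imports and calls it in the shape v4 exports, since the two bot reviews on this page disagree about whether the default import survived. Running that spec once against the bumped package settles it.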

Breaking API change: default import removed in v4

High Severity

The date-and-time library was bumped from v2.4.3 to v4.3.0, which is a major version change that switched from a default export to named exports. The test file still uses import date from 'date-and-time' and calls date.format(...), but v4.x no longer provides a default export. The import needs to be changed to import { format } from 'date-and-time' and calls updated to format(...) directly.


@socket-security

socket-security Bot commented Mar 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                      Supply Chain Security  Vulnerability  Quality   Maintenance  License
Updated  date-and-time@2.4.3 ⏵ 4.3.1  100                    100            90 (-10)  92 (+2)      100


@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/date-and-time-4.3.0 branch from 8c16872 to 6378971 March 8, 2026 00:32
Bumps [date-and-time](https://github.com/knowledgecode/date-and-time) from 2.4.3 to 4.3.0.
- [Release notes](https://github.com/knowledgecode/date-and-time/releases)
- [Commits](knowledgecode/date-and-time@v2.4.3...v4.3.0)

---
updated-dependencies:
- dependency-name: date-and-time
  dependency-version: 4.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/date-and-time-4.3.0 branch from 6378971 to 52a1658 April 1, 2026 22:29
@github-actions
Contributor

github-actions Bot commented Apr 1, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying the installed package metadata and how we use it to support the verdict.

Verdict: benign

Why this looks safe

  • Identity / source: The dependency is the real knowledgecode/date-and-time package on the public npm registry (registry.npmjs.org), not a typosquat. The lockfile pins 4.3.1 with a normal sha512 integrity string for that tarball.

  • Classic obfuscation / behavior: No evidence in the review context of eval/hidden payloads, unexpected lifecycle installs, or suspicious network targets. The scanner’s “shell_process_spawn” hits are false positives (e.g. exec from a regex/parser API in microsecond.ts, not OS execution).

  • Invisible Unicode / GlassWorm: The scanner’s unicode/confusable hits match expected locale content (e.g. Persian fa strings) and binary assets (logos), not Trojan Source or zero-width smuggling. IOC count is 0.

  • Integrity / version jump: The large jump (2.x → 4.x) aligns with documented upstream work (timezone/IANA support, API/docs). That is normal product evolution, not a red flag by itself. The resolved git range in the report is for comparing upstream tags, not proof of repo tampering.

  • Repo usage: In-tree use is minimal—a devDependency import in a Playwright spec (offer_created_via_nft.spec.ts), which is low blast radius.

Scanner vs. interpretation: The report is warn because of breadth of upstream file changes and noisy heuristics; it does not indicate compromise. Action: Safe to merge from a supply-chain malware perspective; separately confirm Node ≥ 18 (and your CI images) match the package engines field.

Compatibility Analysis

Searching the repo for date-and-time usage and inspecting the upstream package for API changes.

1) Where it’s used

Location                                                 Role
packages/gui/tests/offers/offer_created_via_nft.spec.ts  Only live import: default import + date.format(now, 'MMMM D, YYYY h:mm A') for Playwright row matching.
packages/gui/tests/tokens/send_fee_txch.spec.ts          Same date.format(...) pattern, only in commented-out lines.

date-and-time is listed as a devDependency in the root package.json and packages/gui/package.json. There are no imports in application/runtime GUI source from this search (only tests + lockfiles).

2) Overlap with v4.x changes

Release notes and commits focus on IANA timezone strings, date-and-time/timezone, isValid fixes, and broader timezone support on format / parse / add* when a timezone argument is used.

This repo only uses format(date, 'MMMM D, YYYY h:mm A') with no timezone argument and no parse / addDays / isValid / timezone subpath imports. That usage path is largely orthogonal to the advertised v4.2–v4.3 changes.

3) Risks / unknowns

  • Engines: Upstream declares node >= 18; packages/gui already requires >=20, so the engine constraint is satisfied for normal CI/dev.
  • Module shape: v4 uses modern exports and dual ESM/CJS; default import is still the usual pattern for this library, but any resolution oddity would show up when running the Playwright test, not at typecheck (this package is not in the typed workspace list from the root check:types script).
  • Test semantics (pre-existing): The spec asserts a row name that includes a formatted “now” string. If the app’s displayed time/locale differs from date-and-time’s output, the test can be fragile; upgrading the library could theoretically change formatted output slightly, but that risk is small for this token set and is secondary to app-vs-test alignment.

4) Recommendation

Merge (or merge-with-caveats: run offer_created_via_nft once in CI if you want extra confidence). Scope of real code usage is minimal; the bump does not map strongly onto the breaking-risk areas in the v4 release notes for this codebase.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 607
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 0355aef160f9101978fee67dde90fc4b3eca924b..f25d6773f39c2b9fdd9fae1d4cb02297232908d9
  • Resolved refs: from=0355aef160f9101978fee67dde90fc4b3eca924b to=f25d6773f39c2b9fdd9fae1d4cb02297232908d9
  • Unicode findings (post-allowlist): 14
  • Confusable findings (post-allowlist): 2
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 53

Top findings

  • tests/locales/fa.spec.ts:10 unicode :: dddd: ['یکشنبه', 'دوشنبه', 'سه‌شنبه', 'چهارشنبه', 'پنجشنبه', 'جمعه', 'شنبه'],
  • tests/locales/fa.spec.ts:11 unicode :: ddd: ['یکشنبه', 'دوشنبه', 'سه‌شنبه', 'چهارشنبه', 'پنجشنبه', 'جمعه', 'شنبه'],
  • tests/locales/fa.spec.ts:13 unicode :: A: ['قبل‌ازظهر', 'بعدازظهر'],
  • tests/locales/fa.spec.ts:14 unicode :: AA: ['قبل‌ازظهر', 'بعدازظهر'],
  • tests/locales/fa.spec.ts:15 unicode :: a: ['قبل‌ازظهر', 'بعدازظهر'],
  • tests/locales/fa.spec.ts:16 unicode :: aa: ['قبل‌ازظهر', 'بعدازظهر']
  • logo.png:0 unicode :: binary file matches (found "\0" byte around offset 8)
  • src/locales/fa.ts:10 unicode :: dddd: ['یکشنبه', 'دوشنبه', 'سه‌شنبه', 'چهارشنبه', 'پنجشنبه', 'جمعه', 'شنبه'],
  • src/locales/fa.ts:11 unicode :: ddd: ['یکشنبه', 'دوشنبه', 'سه‌شنبه', 'چهارشنبه', 'پنجشنبه', 'جمعه', 'شنبه'],
  • src/locales/fa.ts:13 unicode :: A: ['قبل‌ازظهر', 'بعدازظهر'],
  • src/locales/fa.ts:14 unicode :: AA: ['قبل‌ازظهر', 'بعدازظهر'],
  • src/locales/fa.ts:15 unicode :: a: ['قبل‌ازظهر', 'بعدازظهر'],
  • src/locales/fa.ts:16 unicode :: aa: ['قبل‌ازظهر', 'بعدازظهر']
  • docs/public/logo.png:0 unicode :: binary file matches (found "\0" byte around offset 8)
  • logo.png:0 confusable :: binary file matches (found "\0" byte around offset 8)
  • docs/public/logo.png:0 confusable :: binary file matches (found "\0" byte around offset 8)
  • tools/timezone.ts:37 shell_process_spawn :: name: re.exec(timezone.zone_name)?.[0] ?? ''
  • src/plugins/microsecond.ts:1 shell_process_spawn :: import { ParserPlugin, exec } from '@/plugin.ts';
  • src/plugins/microsecond.ts:5 shell_process_spawn :: const result = exec(/^\d{1,4}/, str, 'S');
  • src/plugins/microsecond.ts:12 shell_process_spawn :: const result = exec(/^\d{1,5}/, str, 'S');
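The scan summary above flags RegExp exec calls as shell_process_spawn and Persian locale strings as unicode findings, and the bot reads both as noise. As an added example that is not part of this PR or of the date-and-time project, here is a second-pass triage in JavaScript that applies the two distinctions the bot draws: whether exec is actually bound to child_process, and whether the non-ASCII characters include bidi controls or only the joiners Persian orthography uses. The sample lines are constructed, modelled on the findings quoted in the summary.

```javascript
// Added example (not from this PR or date-and-time): second-pass triage over
// scanner findings of the kinds listed in the scan summary. Samples are constructed.
const CHILD_PROCESS_IMPORT =
  /(?:require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"])/;
const BIDI_CONTROL = /[\u202A-\u202E\u2066-\u2069]/; // embedding/override/isolate controls
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;
const ARABIC_SCRIPT = /[\u0600-\u06FF]/;

// An exec() hit is only a process spawn if the file binds exec to child_process.
// RegExp#exec and a locally imported exec helper are not OS execution. A file that
// does import child_process is treated conservatively: all its exec hits stay flagged.
function classifyExecHit(codeLine, fileImports) {
  if (fileImports.some((l) => CHILD_PROCESS_IMPORT.test(l))) return 'process_spawn';
  if (/^\s*import\b.*\bexec\b/.test(codeLine)) return 'local_import';
  if (/\bexec\(\s*\//.test(codeLine) || /\w+\.exec\(/.test(codeLine)) return 'regex_exec';
  return 'review';
}

// A unicode hit is a Trojan Source candidate only if it carries bidi controls.
// ZWNJ/ZWJ (U+200C/U+200D) inside Arabic-script words is normal orthography,
// which is what the Persian (fa) locale lines in the summary contain.
function classifyUnicodeHit(text) {
  if (BIDI_CONTROL.test(text)) return 'bidi_control';
  const zw = text.match(ZERO_WIDTH) || [];
  if (zw.length === 0) return 'non_ascii_text';
  const joinersOnly = zw.every((c) => c === '\u200C' || c === '\u200D');
  return joinersOnly && ARABIC_SCRIPT.test(text) ? 'joiner_in_script' : 'zero_width';
}

// Constructed samples: the exec hits quoted in the summary plus a real spawn; two fa
// locale strings, a plain non-ASCII string and a constructed bidi-override payload.
const EXEC_HITS = [
  { line: "name: re.exec(timezone.zone_name)?.[0] ?? ''", imports: ["import { tz } from './tz';"] },
  { line: "const result = exec(/^\\d{1,4}/, str, 'S');", imports: ["import { ParserPlugin, exec } from '@/plugin.ts';"] },
  { line: "import { ParserPlugin, exec } from '@/plugin.ts';", imports: ["import { ParserPlugin, exec } from '@/plugin.ts';"] },
  { line: 'exec(cmd, callback);', imports: ["const { exec } = require('node:child_process');"] },
];
const UNICODE_HITS = [
  "dddd: ['یکشنبه', 'دوشنبه', 'سه\u200Cشنبه'],",
  "A: ['قبل\u200Cازظهر', 'بعدازظهر'],",
  "'جمعه'",
  "const role = 'user\u202E' + 'nimda';",
];
function triage() {
  return {
    exec: EXEC_HITS.map((h) => classifyExecHit(h.line, h.imports)),
    unicode: UNICODE_HITS.map(classifyUnicodeHit),
  };
}
console.log(triage());
```

Anything left as 'review' or 'zero_width' is still open; the pass only downgrades what it can explain from context.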
