@lucasbordeau
Contributor

@lucasbordeau lucasbordeau commented Oct 20, 2025

This PR fixes a bug with date filters that behave differently when the timezone of the server changes.

Fixes #14689

Comment on lines 46 to +60
setInternalDate(newDate);

const newFilterValue = newDate?.toISOString() ?? '';

const formattedDateTime = formatDateTimeString({
value: newDate?.toISOString(),
timeZone,
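
Review bot: `newDate?.toISOString()` is evaluated twice in this hunk with different null handling: `newFilterValue` falls back to `''`, while the `value:` passed to `formatDateTimeString` becomes `undefined` when `newDate` is null. Compute the ISO string once and pass the same variable to both, or guard the null case before formatting. The stored filter value is also a UTC instant while the displayed string is rendered with `timeZone`, so the two can name different calendar days; a short comment or a test pinning the intended day would help here.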

Bug: The date filter value is created with newDate.toISOString(), which can cause the date to shift by a day for users in non-UTC timezones, leading to incorrect filtering.
(Severity: High 0.70 | Confidence: 0.95)

🔍 Detailed Analysis

When a user in a non-UTC timezone selects a date for a filter, the value is generated using newDate.toISOString(). This converts the locally constructed Date object to a UTC string, which can shift the date by one day (e.g., January 1st becomes December 31st). This leads to incorrect filter results, as the backend receives a different date than the one selected by the user. Other parts of the application correctly handle this by constructing the date with new Date(Date.UTC(...)) to prevent such timezone-related mismatches.

💡 Suggested Fix

To ensure the date is not affected by the user's local timezone, construct the date value using Date.UTC. Replace newDate?.toISOString() with newDate ? new Date(Date.UTC(newDate.getFullYear(), newDate.getMonth(), newDate.getDate())).toISOString() : ''.

🤖 Prompt for AI Agent
Fix this bug. In
packages/twenty-front/src/modules/object-record/object-filter-dropdown/components/ObjectFilterDropdownDateInput.tsx
at lines 54-60: When a user in a non-UTC timezone selects a date for a filter, the value
is generated using `newDate.toISOString()`. This converts the locally constructed `Date`
object to a UTC string, which can shift the date by one day (e.g., January 1st becomes
December 31st). This leads to incorrect filter results, as the backend receives a
different date than the one selected by the user. Other parts of the application
correctly handle this by constructing the date with `new Date(Date.UTC(...))` to prevent
such timezone-related mismatches.

@greptile-apps
Contributor

greptile-apps bot commented Oct 20, 2025

Greptile encountered an error while reviewing this PR. Please reach out to [email protected] for assistance.

@github-actions
Contributor

github-actions bot commented Oct 20, 2025

🚀 Preview Environment Ready!

Your preview environment is available at: http://bore.pub:9510

This environment will automatically shut down when the PR is closed or after 5 hours.

@charlesBochet
Member

@lucasbordeau, I have tested and the behavior on DATE_TIME is correct!

Regarding DATE, it does not seem right:

  1. I'm trying to make a filter on a date field and the gql queries I see for IS and IS_TODAY are doing lte + gte, which seems not intended by your code
  2. For DATE, we should not take timezone into account at all, we are storing the intention of the user to be on a specific date whatever the timezone is (usually it's business related, if it's a rental start date, it will be in the rental location timezone for instance), so in this case we should always store / display in UTC (never applying a timezone at any level). I think we can use this PR to fix this behavior
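
The day shift described in the review comment and the zone-free DATE handling requested above, as an added example that is not code from this PR. The function names, the Europe/Paris user and the sample records are constructed assumptions.

```javascript
// Added example, not code from the PR. All function names are hypothetical.

// Calendar day (yyyy-MM-dd) of an instant as seen in a given IANA time zone.
function calendarDateInZone(instant, timeZone) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone,
    year: 'numeric',
    month: '2-digit',
    day: '2-digit',
  }).formatToParts(instant);
  const get = (type) => parts.find((p) => p.type === type).value;
  return `${get('year')}-${get('month')}-${get('day')}`;
}

// The pattern flagged in the review: take the day from the UTC ISO string.
function calendarDateFromIso(instant) {
  return instant.toISOString().slice(0, 10);
}

// DATE "IS" filter: plain string equality on yyyy-MM-dd, no zone applied.
function filterDateIs(records, field, day) {
  return records.filter((r) => r[field] === day).map((r) => r.id);
}

// Constructed input: a user in Europe/Paris (UTC+1 in January) picks
// 1 January 2025 and the picker hands back local midnight as an instant.
const picked = new Date('2025-01-01T00:00:00+01:00');

// Constructed records with a DATE field stored as yyyy-MM-dd strings.
const records = [
  { id: 'rental-a', startDate: '2024-12-31' },
  { id: 'rental-b', startDate: '2025-01-01' },
];

// Day derived from the UTC instant versus the day the user actually picked.
const shiftedDay = calendarDateFromIso(picked);
const intendedDay = calendarDateInZone(picked, 'Europe/Paris');

console.log(shiftedDay, filterDateIs(records, 'startDate', shiftedDay));
console.log(intendedDay, filterDateIs(records, 'startDate', intendedDay));
```

The first line of output shows the filter matching the record from the day before; the second shows the record for the day the user selected.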

@github-actions
Contributor

github-actions bot commented Oct 22, 2025

TODOs/FIXMEs:

  • // FIXME: Escape key is not handled properly by the underlying DateInput component. We need to solve that.: packages/twenty-front/src/modules/object-record/record-field/ui/form-types/components/FormDateFieldInput.tsx

Generated by 🚫 dangerJS against d25a4ac

@socket-security

socket-security bot commented Oct 22, 2025

@github-actions
Contributor

github-actions bot commented Oct 22, 2025

📊 API Changes Report

GraphQL Schema Changes

[log]
Detected the following changes (5) between schemas:

[log] ✖ Input field ObjectRecordFilterInput.createdAt changed type from DateFilter to DateTimeFilter
[log] ✖ Input field ObjectRecordFilterInput.deletedAt changed type from DateFilter to DateTimeFilter
[log] ✖ Input field ObjectRecordFilterInput.updatedAt changed type from DateFilter to DateTimeFilter
[log] ✔ Description Date custom scalar type on type Date has changed to Date custom scalar type, as a string in format yyyy-MM-dd (ex: 2025-12-31), we dont signify time nor timezone for DATE.'
[log] ✔ Type DateTimeFilter was added
[error] Detected 3 breaking changes
⚠️ Breaking changes or errors detected in GraphQL schema

Error generating diff

GraphQL Metadata Schema Changes

[log]
Detected the following changes (6) between schemas:

[log] ✖ Type Date was removed
[log] ✖ Type DateFilter was removed
[log] ✖ Input field ObjectRecordFilterInput.createdAt changed type from DateFilter to DateTimeFilter
[log] ✖ Input field ObjectRecordFilterInput.deletedAt changed type from DateFilter to DateTimeFilter
[log] ✖ Input field ObjectRecordFilterInput.updatedAt changed type from DateFilter to DateTimeFilter
[log] ✔ Type DateTimeFilter was added
[error] Detected 5 breaking changes
⚠️ Breaking changes or errors detected in GraphQL metadata schema

Error generating diff

⚠️ Please review these API changes carefully before merging.

⚠️ Breaking Change Protocol

Breaking changes detected but PR title does not contain "breaking" - CI will pass but action needed.

🔄 Options:

  1. If this IS a breaking change: Add "breaking" to your PR title and add BREAKING CHANGE: to your commit message
  2. If this is NOT a breaking change: The API diff tool may have false positives - please review carefully

For breaking changes, add to commit message:

feat: add new API endpoint

BREAKING CHANGE: removed deprecated field from User schema

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn Critical
[email protected] has a Critical CVE.

CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL)

Affected versions: < 6.6.1

Patched version: 6.6.1

From: ?npm/[email protected]

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
[email protected] is Protestware or potentially unwanted behavior.

Note: This package prints a protestware console message on install regarding Ukraine for users with Russian language locale

From: ?npm/[email protected]

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Warn High
[email protected] is Protestware or potentially unwanted behavior.

Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.

From: ?npm/[email protected]

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Development

Successfully merging this pull request may close these issues.

Filtering on a date is not reliable - records from the day before or after can be shown
