Update dependency react-dom to v16 [SECURITY] #65
This PR contains the following updates:

react-dom: ^15.6.1 -> ^16.0.0
GitHub Vulnerability Alerts
CVE-2018-6341
Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package does not validate attribute names when it serializes HTML tags, which may lead to Cross-Site Scripting in specific scenarios and allow an attacker to execute arbitrary JavaScript in the victim's browser. To be affected, an application needs to render with ReactDOMServer and let an attacker control an attribute name (the 16.4.2 release notes on this page describe the fix as closing "a potential XSS vulnerability when the attacker controls an attribute name"). Escaping attribute values does not help here, because the injection happens in the name, not the value.
Recommendation

- If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
- If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
- If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
- If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
- If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.
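One caveat before merging: this PR changes the package.json range to ^16.0.0, which only says which 16.x versions may be installed. A fresh install resolves to the newest 16.x, but a committed lockfile pinned at, say, 16.0.0 stays on an affected version until it is regenerated. The added example below (not Renovate's or React's code) turns the recommendation list into a classifier and applies it to the version a package-lock.json actually resolved. The lockfile content is a constructed sample, and the lockfile layouts handled are assumptions about the npm v1 and v2/v3 formats.

```javascript
// Added example (not Renovate's or React's code): classify a react-dom version
// against the recommendation above and apply it to a lockfile's resolved version.
'use strict';

// First fixed patch level per 16.x minor, taken from the recommendation above.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1, 3: 3, 4: 2 };

function parseVersion(version) {
  // Optional leading "v" and optional prerelease suffix (e.g. 16.4.2-alpha.0).
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: Boolean(m[4]),
  };
}

// Returns 'affected', 'fixed' or 'not-listed'.
// 'not-listed' covers majors below 16, which the recommendation does not
// mention; they are deliberately not reported as 'fixed'.
function classifyReactDom(version) {
  const { major, minor, patch, prerelease } = parseVersion(version);
  if (major < 16) return 'not-listed';
  if (major > 16) return 'fixed';                 // 17+ postdate react-dom@16.4.2
  const firstFixed = FIRST_FIXED_PATCH[minor];
  if (firstFixed === undefined) return 'fixed';   // 16.5+ postdate the fix
  if (patch < firstFixed) return 'affected';
  // A prerelease sorts before its release: 16.4.2-alpha.0 is not 16.4.2.
  if (patch === firstFixed && prerelease) return 'affected';
  return 'fixed';
}

// Resolved react-dom versions from a parsed package-lock.json. Assumed layouts:
// the lockfileVersion 2/3 "packages" map (including nested copies) and the
// top-level entry of the lockfileVersion 1 "dependencies" map.
function resolvedReactDomVersions(lock) {
  const versions = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/react-dom' || path.endsWith('/node_modules/react-dom')) {
      versions.push(entry.version);
    }
  }
  if (versions.length === 0 && lock.dependencies && lock.dependencies['react-dom']) {
    versions.push(lock.dependencies['react-dom'].version);
  }
  return versions;
}

function auditLockfile(lock) {
  return resolvedReactDomVersions(lock).map((version) => ({
    version,
    status: classifyReactDom(version),
  }));
}

// Constructed sample lockfile (lockfileVersion 2 shape), not from a real project:
// the range is the one this PR proposes, but the resolved version predates the fix.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'react-dom': '^16.0.0' } },
    'node_modules/react-dom': { version: '16.0.0' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Run against a real checkout with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the sample; any 'affected' entry means the merge alone did not remediate and the lockfile must be refreshed so that the resolved version is 16.4.2 or one of the patched minors listed above.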
Release Notes

facebook/react (react-dom)

v16.4.2

React DOM Server
- Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)
- Fix a crash in the server renderer when an attribute is called hasOwnProperty. This fix is only available in react-dom@16.4.2. (@gaearon in #13303)

v16.4.1

React
- propTypes to components returned by React.ForwardRef. (@bvaughn in #12911)

React DOM
- type changes from some other types to text. (@spirosikmd in #12135)
- event.target value for the onChange event in IE9. (@nhunzaker in #12976)
- <React.Fragment /> from a component. (@philipp-spiess in #12966)

React DOM Server

React Test Renderer
- getDerivedStateFromProps() in the shallow renderer to not discard the pending state. (@fatfisz in #13030)

v16.4.0

React
- React.unstable_Profiler component for measuring performance. (@bvaughn in #12745)

React DOM
- getDerivedStateFromProps() regardless of the reason for re-rendering. (@acdlite in #12600 and #12802)
- forwardRef() on a deeper setState(). (@gaearon in #12690)
- propTypes on a context provider component. (@nicolevy in #12658)
- react-lifecycles-compat in <StrictMode>. (@bvaughn in #12644)
- forwardRef() render function has propTypes or defaultProps. (@bvaughn in #12644)
- forwardRef() and context consumers are displayed in the component stack. (@sophiebits in #12777)

React Test Renderer
- getDerivedStateFromProps() support to match the new React DOM behavior. (@koba04 in #12676)
- testInstance.parent crash when the parent is a fragment or another special node. (@gaearon in #12813)
- forwardRef() components are now discoverable by the test renderer traversal methods. (@gaearon in #12725)
- setState() updaters that return null or undefined. (@koba04 in #12756)

React ART

React Call Return (Experimental)

React Reconciler (Experimental)

v16.3.3

React DOM Server
- Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)

v16.3.2

React
- null or undefined to React.cloneElement. (@nicolevy in #12534)

React DOM
- <StrictMode>. (@bvaughn in #12546)
- unstable_observedBits API with nesting. (@gaearon in #12543)

React Test Renderer

v16.3.1

React
- Fragment. (@heikkilamarko in #12504)
- setState() in constructor. (@gaearon in #12532)

React DOM
- getDerivedStateFromProps() not getting applied in some cases. (@acdlite in #12528)

Create Subscription

v16.3.0

React
- React.createRef() API as an ergonomic alternative to callback refs. (@trueadm in #12162)
- React.forwardRef() API to let components forward their refs to a child. (@bvaughn in #12346)
- React.Fragment. (@XaveScor in #11823)
- React.unstable_AsyncComponent with React.unstable_AsyncMode. (@acdlite in #12117)
- setState() on an unmounted component. (@sophiebits in #12347)

React DOM
- getDerivedStateFromProps() lifecycle and UNSAFE_ aliases for the legacy lifecycles. (@bvaughn in #12028)
- getSnapshotBeforeUpdate() lifecycle. (@bvaughn in #12404)
- <React.StrictMode> wrapper to help prepare apps for async rendering. (@bvaughn in #12083)
- onLoad and onError events on the <link> tag. (@roderickhsiao in #11825)
- noModule boolean attribute on the <script> tag. (@aweary in #11900)
- onKeyPress in more browsers. (@nstraub in #10514)
- value and defaultValue to ignore Symbol values. (@nhunzaker in #11741)
- opera with a null value. (@alisherdavronov in #11854)
- <option selected>. (@watadarkstar in #11821)
- ReactDOM.unstable_createPortal() in favor of ReactDOM.createPortal(). (@prometheansacrifice in #11747)

React DOM Server
- React.Component. (@wyze in #11993)
- this.state of different components getting mixed up. (@sophiebits in #12323)

React Test Renderer
- toTree(). (@maciej-ka in #12107 and @gaearon in #12154)
- null for components that don't set it. (@jwbay in #11965)
- contextTypes. (@koba04 in #11922)

React Is (New)
- ReactIs.isValidElementType() to help higher-order components validate their inputs. (@jamesreggio in #12483)

React Lifecycles Compat (New)

Create Subscription (New)

React Reconciler (Experimental)
- react-reconciler/persistent for building renderers that use persistent data structures. (@gaearon in #12156)
- finalizeInitialChildren(). (@jquense in #11970)
- useSyncScheduling from the host config. (@acdlite in #11771)

React Call Return (Experimental)

v16.2.1

React DOM Server
- Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)

v16.2.0

React
- Fragment as named export to React. (@clemmy in #10783)
- React.Children utilities. (@MatteoVH in #11422)

React DOM
- onChange event in some cases. (@jquense in #11028)

React Test Renderer
- setState() callback firing too early when called from componentWillMount. (@accordeiro in #11507)

React Reconciler
- react-reconciler/reflection with utilities useful to custom renderers. (@rivenhk in #11683)

Internal Changes

v16.1.2

React DOM Server
- Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)

v16.1.1

React

React DOM
- capture attribute. (@maxschmeling in #11424)

React DOM Server
- ReactDOMServer public API. (@travi in #11531)
- autoFocus={false} attribute on the server. (@gaearon in #11543)

React Reconciler

v16.1.0

Discontinuing Bower Releases

Starting with 16.1.0, we will no longer be publishing new releases on Bower. You can continue using Bower for old releases, or point your Bower configs to the React UMD builds hosted on unpkg that mirror npm releases and will continue to be updated.

All Packages

React
- React.Children utilities. (@MatteoVH in #11378)
- render method but doesn't extend a known base class. (@sw-yx in #11168)

React DOM
- on as a custom attribute for AMP. (@nuc in #11153)
- onMouseEnter and onMouseLeave firing on wrong elements. (@gaearon in #11164)
- null showing up in a warning instead of the component stack. (@gaearon in #10915)
- tabIndex not getting applied to SVG elements. (@gaearon in #11034)
- dangerouslySetInnerHTML in IE. (@OriR in #11108)
- form.reset() to respect defaultValue on uncontrolled <select>. (@aweary in #11057)
- <textarea> placeholder not rendering on IE11. (@gaearon in #11177)
- <dialog> element. (@gaearon in #11035)
- componentDidReceiveProps method. (@iamtommcc in #11479)
- contentEditable and children. (@Ethan-Arrowood in #11208)
- select gets null value. (@Hendeca in #11141)

React DOM Server
- suppressHydrationWarning attribute for intentional client/server text mismatches. (@sebmarkbage in #11126)
- autoFocus attribute into SSR markup. (@gaearon in #11192)

React Test Renderer and Test Utils
- setState() calls in componentWillMount() in shallow renderer. (@Hypnosphi in #11167)
- shouldComponentUpdate() after forceUpdate(). (@d4rky-pl in #11239 and #11439)
- forceUpdate() and React.PureComponent correctly. (@koba04 in #11440)
- package.json dependency. (@gaearon in #11340)

React ART
- package.json dependency. (@gaearon in #11341)
- react-art/Circle, react-art/Rectangle, and react-art/Wedge. (@gaearon in #11343)

React Reconciler (Experimental)

React Call Return (Experimental)

v16.0.1

React DOM Server
- Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)

v16.0.0

New JS Environment Requirements

New Features
- render. (Docs coming soon!)
- ReactDOM.createPortal(). (Docs coming soon!)
- ReactDOMServer.renderToNodeStream() and ReactDOMServer.renderToStaticNodeStream(). (@aickin in #10425, #10044, #10039, #10024, #9264, and others.)

Breaking Changes
- ReactDOM.render() and ReactDOM.unstable_renderIntoContainer() now return null if called from inside a lifecycle method.
- setState behavior:
  - setState with null no longer triggers an update. This allows you to decide in an updater function if you want to re-render.
  - setState directly in render always causes an update. This was not previously the case. Regardless, you should not be calling setState from render.
  - setState callback (second argument) now fires immediately after componentDidMount / componentDidUpdate instead of after all components have rendered.
- <A /> with <B />, B.componentWillMount now always happens before A.componentWillUnmount. Previously, A.componentWillUnmount could fire first in some cases.
- ref to a component would always detach the ref before that component's render is called. Now, we change the ref later, when applying the changes to the DOM.
- ReactDOM.unmountComponentAtNode. See this example.
- componentDidUpdate lifecycle no longer receives the prevContext param. (@bvaughn in #8631)
- componentDidUpdate() because DOM refs are not available. This also makes it consistent with componentDidMount() (which does not get called in previous versions either).
- unstable_batchedUpdates() anymore.
- ReactDOM.unstable_batchedUpdates now only takes one extra argument after the callback.
- UMD build paths have moved:
  - react/dist/react.js → react/umd/react.development.js
  - react/dist/react.min.js → react/umd/react.production.min.js
  - react-dom/dist/react-dom.js → react-dom/umd/react-dom.development.js
  - react-dom/dist/react-dom.min.js → react-dom/umd/react-dom.production.min.js
- ReactDOM.hydrate instead of ReactDOM.render if you're reviving server rendered HTML. Keep using ReactDOM.render if you're just doing client-side rendering.

Removed Deprecations
- react-with-addons.js build anymore. All compatible addons are published separately on npm, and have single-file browser versions if you need them.
- React.createClass is now available as create-react-class, React.PropTypes as prop-types, React.DOM as react-dom-factories, react-addons-test-utils as react-dom/test-utils, and shallow renderer as react-test-renderer/shallow. See the 15.5.0 and 15.6.0 blog posts for instructions on migrating code and automated codemods.

v15.7.0

React
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.