[Snyk] Upgrade: , , , react, react-dom, , algoliasearch, isomorphic-unfetch, koa, koa-session, next, snyk, webpack #891
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade:
- @babel/polyfill from 7.4.4 to 7.12.1.
See this package in npm: https://www.npmjs.com/package/@babel/polyfill
- @material-ui/core from 4.3.1 to 4.12.4.
See this package in npm: https://www.npmjs.com/package/@material-ui/core
- @material-ui/icons from 4.2.1 to 4.11.3.
See this package in npm: https://www.npmjs.com/package/@material-ui/icons
- react from 16.8.6 to 16.14.0.
See this package in npm: https://www.npmjs.com/package/react
- react-dom from 16.8.6 to 16.14.0.
See this package in npm: https://www.npmjs.com/package/react-dom
- @material-ui/styles from 4.3.0 to 4.11.5.
See this package in npm: https://www.npmjs.com/package/@material-ui/styles
- algoliasearch from 3.33.0 to 3.35.1.
See this package in npm: https://www.npmjs.com/package/algoliasearch
- isomorphic-unfetch from 3.0.0 to 3.1.0.
See this package in npm: https://www.npmjs.com/package/isomorphic-unfetch
- koa from 2.7.0 to 2.15.2.
See this package in npm: https://www.npmjs.com/package/koa
- koa-session from 5.12.2 to 5.13.1.
See this package in npm: https://www.npmjs.com/package/koa-session
- next from 9.2.1 to 9.5.5.
See this package in npm: https://www.npmjs.com/package/next
- snyk from 1.278.0 to 1.1292.4.
See this package in npm: https://www.npmjs.com/package/snyk
- webpack from 4.39.1 to 4.47.0.
See this package in npm: https://www.npmjs.com/package/webpack
See this project in Snyk:
https://app.snyk.io/org/aubrey-y/project/7731ed6d-b58c-4a96-8361-c8336c6a2781?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯♂ The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
@babel/polyfill
from 7.4.4 to 7.12.1 | 9 versions ahead of your current version | 4 years ago
on 2020-10-15
@material-ui/core
from 4.3.1 to 4.12.4 | 48 versions ahead of your current version | 2 years ago
on 2022-04-03
@material-ui/icons
from 4.2.1 to 4.11.3 | 6 versions ahead of your current version | 2 years ago
on 2022-04-03
react
from 16.8.6 to 16.14.0 | 11 versions ahead of your current version | 4 years ago
on 2020-10-14
react-dom
from 16.8.6 to 16.14.0 | 11 versions ahead of your current version | 4 years ago
on 2020-10-14
@material-ui/styles
from 4.3.0 to 4.11.5 | 21 versions ahead of your current version | 2 years ago
on 2022-04-03
algoliasearch
from 3.33.0 to 3.35.1 | 3 versions ahead of your current version | 5 years ago
on 2019-10-08
isomorphic-unfetch
from 3.0.0 to 3.1.0 | 1 version ahead of your current version | 4 years ago
on 2020-09-29
koa
from 2.7.0 to 2.15.2 | 19 versions ahead of your current version | 6 months ago
on 2024-03-21
koa-session
from 5.12.2 to 5.13.1 | 3 versions ahead of your current version | 5 years ago
on 2020-02-01
next
from 9.2.1 to 9.5.5 | 284 versions ahead of your current version | 4 years ago
on 2020-10-10
snyk
from 1.278.0 to 1.1292.4 | 1174 versions ahead of your current version | a month ago
on 2024-08-12
webpack
from 4.39.1 to 4.47.0 | 22 versions ahead of your current version | a year ago
on 2023-09-06
Issues fixed by the recommended upgrade:
SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555
SNYK-JS-IP-6240864
SNYK-JS-ACORN-559469
SNYK-JS-ACORN-559469
SNYK-JS-AJV-584908
SNYK-JS-AJV-584908
SNYK-JS-LODASHTEMPLATE-1088054
SNYK-JS-LODASH-1040724
SNYK-JS-LODASH-608086
SNYK-JS-PACRESOLVER-1564857
SNYK-JS-NCONF-2395478
SNYK-JS-NETMASK-6056519
SNYK-JS-SERIALIZEJAVASCRIPT-570062
SNYK-JS-SSRI-1246392
SNYK-JS-LODASH-6139239
SNYK-JS-LODASHSET-1320032
SNYK-JS-SNYKDOCKERPLUGIN-3039679
SNYK-JS-SNYKGOPLUGIN-3037316
SNYK-JS-SNYKGRADLEPLUGIN-3038624
SNYK-JS-SNYKMVNPLUGIN-3038623
SNYK-JS-SNYKPYTHONPLUGIN-3039677
SNYK-JS-PARSEURL-2935944
SNYK-JS-PARSEURL-2935947
SNYK-JS-PARSEURL-2936249
SNYK-JS-PARSEURL-2942134
SNYK-JS-PARSEURL-3023021
SNYK-JS-PARSEURL-3024398
SNYK-JS-GOT-2932019
SNYK-JS-BABELTRAVERSE-5962462
SNYK-JS-BABELTRAVERSE-5962462
SNYK-JS-BL-608877
SNYK-JS-AJV-584908
SNYK-JS-ANSIHTML-1296849
SNYK-JS-LODASH-567746
SNYK-JS-PARSEPATH-2936439
SNYK-JS-NETMASK-1089716
SNYK-JS-SERIALIZEJAVASCRIPT-536840
SNYK-JS-SERIALIZEJAVASCRIPT-6056521
SNYK-JS-DOTPROP-543489
SNYK-JS-HOSTEDGITINFO-1088355
SNYK-JS-IP-7148531
SNYK-JS-JSZIP-1251497
SNYK-JS-JSZIP-3188562
SNYK-JS-LODASH-1018905
SNYK-JS-NEXT-561584
SNYK-JS-SNYK-3037342
SNYK-JS-SNYK-3038622
SNYK-JS-SNYK-3111871
SNYK-JS-XML2JS-5414874
SNYK-JS-XML2JS-5414874
SNYK-JS-SNYKSBTPLUGIN-3038626
SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625
Release notes
Package name: @babel/polyfill
-
7.12.1 - 2020-10-15
-
7.11.5 - 2020-08-31
-
7.10.4 - 2020-06-30
-
7.10.1 - 2020-05-27
-
7.8.7 - 2020-03-05
-
7.8.3 - 2020-01-13
-
7.8.0 - 2020-01-12
-
7.7.0 - 2019-11-05
-
7.6.0 - 2019-09-06
-
7.4.4 - 2019-04-26
from @babel/polyfill GitHub release notesPackage name: @material-ui/core
-
4.12.4 - 2022-04-03
-
4.12.3 - 2021-07-30
-
4.12.2 - 2021-07-19
-
4.12.1 - 2021-07-07
-
4.12.0 - 2021-07-06
-
4.11.4 - 2021-04-27
-
4.11.3 - 2021-01-24
-
4.11.3-deprecations.1 - 2021-01-25
-
4.11.3-deprecations.0 - 2021-01-24
-
4.11.2 - 2020-12-02
-
4.11.1 - 2020-11-24
-
4.11.0 - 2020-06-30
-
4.10.2 - 2020-06-11
-
4.10.1 - 2020-06-01
-
4.10.0 - 2020-05-23
-
4.9.14 - 2020-05-11
-
4.9.13 - 2020-05-04
-
4.9.12 - 2020-04-26
-
4.9.11 - 2020-04-18
-
4.9.10 - 2020-04-11
-
4.9.9 - 2020-04-04
-
4.9.8 - 2020-03-28
-
4.9.7 - 2020-03-18
-
4.9.6 - 2020-03-18
-
4.9.5 - 2020-02-29
-
4.9.4 - 2020-02-23
-
4.9.3 - 2020-02-16
-
4.9.2 - 2020-02-09
-
4.9.1 - 2020-02-02
-
4.9.0 - 2020-01-22
-
4.8.3 - 2020-01-06
-
4.8.2 - 2019-12-30
-
4.8.1 - 2019-12-24
-
4.8.0 - 2019-12-14
-
4.7.2 - 2019-12-07
-
4.7.1 - 2019-12-01
-
4.7.0 - 2019-11-22
-
4.6.1 - 2019-11-12
-
4.6.0 - 2019-11-05
-
4.5.2 - 2019-10-28
-
4.5.1 - 2019-10-12
-
4.5.0 - 2019-10-02
-
4.4.3 - 2019-09-22
-
4.4.2 - 2019-09-11
-
4.4.1 - 2019-09-08
-
4.4.0 - 2019-08-31
-
4.3.3 - 2019-08-21
-
4.3.2 - 2019-08-10
-
4.3.1 - 2019-08-03
from @material-ui/core GitHub release notesPackage name: @material-ui/icons
-
4.11.3 - 2022-04-03
-
4.11.2 - 2020-12-02
-
4.9.1 - 2020-02-02
-
4.5.1 - 2019-10-12
-
4.4.3 - 2019-09-22
-
4.4.1 - 2019-09-08
-
4.2.1 - 2019-06-23
from @material-ui/icons GitHub release notesPackage name: react
-
16.14.0 - 2020-10-14
- Add support for the new JSX transform. (@ lunaruan in #18299)
-
16.13.1 - 2020-03-19
- Fix bug in legacy mode Suspense where effect clean-up functions are not fired. This only affects users who use Suspense for data fetching in legacy mode, which is not technically supported. (@ acdlite in #18238)
- Revert warning for cross-component updates that happen inside class render lifecycles (
- react: https://unpkg.com/react@16.13.1/umd/
- react-art: https://unpkg.com/react-art@16.13.1/umd/
- react-dom: https://unpkg.com/react-dom@16.13.1/umd/
- react-is: https://unpkg.com/react-is@16.13.1/umd/
- react-test-renderer: https://unpkg.com/react-test-renderer@16.13.1/umd/
- scheduler: https://unpkg.com/scheduler@0.19.1/umd/
-
16.13.0 - 2020-02-26
- Warn when a string ref is used in a manner that's not amenable to a future codemod (@ lunaruan in #17864)
- Deprecate
- Warn when changes in
- Warn when a function component is updated during another component's render phase (@ acdlite in #17099)
- Deprecate
- Fix
- Call
- Add
- Don't call
- Show component stacks in more warnings (@ gaearon in #17922, #17586)
- Warn for problematic usages of
- Remove
- Don't group Idle/Offscreen work with other work (@ sebmarkbage in #17456)
- Adjust
- Add missing event plugin priorities (@ trueadm in #17914)
- Fix
- Fix
- Don't warn when suspending at the wrong priority (@ gaearon in #17971)
- Fix a bug with rebasing updates (@ acdlite and @ sebmarkbage in #17560, #17510, #17483, #17480)
- react: https://unpkg.com/react@16.13.0/umd/
- react-art: https://unpkg.com/react-art@16.13.0/umd/
- react-dom: https://unpkg.com/react-dom@16.13.0/umd/
- react-is: https://unpkg.com/react-is@16.13.0/umd/
- react-test-renderer: https://unpkg.com/react-test-renderer@16.13.0/umd/
- scheduler: https://unpkg.com/scheduler@0.19.0/umd/
-
16.12.0 - 2019-11-14
- Fix passive effects (
- Fix
-
16.11.0 - 2019-10-22
-
16.10.2 - 2019-10-03
-
16.10.1 - 2019-09-28
-
16.10.0 - 2019-09-27
-
16.9.0 - 2019-08-08
-
16.9.0-rc.0 - 2019-08-05
-
16.9.0-alpha.0 - 2019-04-03
-
16.8.6 - 2019-03-28
from react GitHub release notesReact
React DOM
componentWillReceiveProps,shouldComponentUpdate, and so on). (@ gaearon in #18330)Artifacts
React
React.createFactory()(@ trueadm in #17878)React DOM
stylemay cause an unexpected collision (@ sophiebits in #14181, #18002)unstable_createPortal(@ trueadm in #17880)onMouseEnterbeing fired on disabled buttons (@ AlfredoGJ in #17675)shouldComponentUpdatetwice when developing inStrictMode(@ bvaughn in #17942)versionproperty to ReactDOM (@ ealush in #15780)toString()ofdangerouslySetInnerHTML(@ sebmarkbage in #17773)Concurrent Mode (Experimental)
ReactDOM.createRoot()(@ trueadm in #17937)ReactDOM.createRoot()callback params and added warnings on usage (@ bvaughn in #17916)SuspenseListCPU bound heuristic (@ sebmarkbage in #17455)isPendingonly being true when transitioning from inside an input event (@ acdlite in #17382)React.memocomponents dropping updates when interrupted by a higher priority update (@ acdlite in #18091)Artifacts
React DOM
useEffect) not being fired in a multi-root app. (@ acdlite in #17347)React Is
lazyandmemotypes considered elements instead of components (@ bvaughn in #17278)Artifacts
• react: https://unpkg.com/react@16.12.0/umd/
• react-art: https://unpkg.com/react-art@16.12.0/umd/
• react-dom: https://unpkg.com/react-dom@16.12.0/umd/
• react-is: https://unpkg.com/react-is@16.12.0/umd/
• react-test-renderer: https://unpkg.com/react-test-renderer@16.12.0/umd/
• scheduler: https://unpkg.com/scheduler@0.18.0/umd/
Package name: react-dom
-
16.14.0 - 2020-10-14
- Add support for the new JSX transform. (@ lunaruan in #18299)
-
16.13.1 - 2020-03-19
- Fix bug in legacy mode Suspense where effect clean-up functions are not fired. This only affects users who use Suspense for data fetching in legacy mode, which is not technically supported. (@ acdlite in #18238)
- Revert warning for cross-component updates that happen inside class render lifecycles (
- react: https://unpkg.com/react@16.13.1/umd/
- react-art: https://unpkg.com/react-art@16.13.1/umd/
- react-dom: https://unpkg.com/react-dom@16.13.1/umd/
- react-is: https://unpkg.com/react-is@16.13.1/umd/
- react-test-renderer: https://unpkg.com/react-test-renderer@16.13.1/umd/
- scheduler: https://unpkg.com/scheduler@0.19.1/umd/
-
16.13.0 - 2020-02-26
- Warn when a string ref is used in a manner that's not amenable to a future codemod (@ lunaruan in #17864)
- Deprecate
- Warn when changes in
- Warn when a function component is updated during another component's render phase (@ acdlite in #17099)
- Deprecate
- Fix
- Call
- Add
- Don't call
- Show component stacks in more warnings (@ gaearon in #17922, #17586)
- Warn for problematic usages of
- Remove
- Don't group Idle/Offscreen work with other work (@ sebmarkbage in #17456)
- Adjust
- Add missing event plugin priorities (@ trueadm in #17914)
- Fix
- Fix
- Don't warn when suspending at the wrong priority (@ gaearon in #17971)
- Fix a bug with rebasing updates (@ acdlite and @ sebmarkbage in #17560, #17510, #17483, #17480)
- react: https://unpkg.com/react@16.13.0/umd/
- react-art: https://unpkg.com/react-art@16.13.0/umd/
- react-dom: https://unpkg.com/react-dom@16.13.0/umd/
- react-is: https://unpkg.com/react-is@16.13.0/umd/
- react-test-renderer: https://unpkg.com/react-test-renderer@16.13.0/umd/
- scheduler: https://unpkg.com/scheduler@0.19.0/umd/
-
16.12.0 - 2019-11-14
- Fix passive effects (
- Fix
-
16.11.0 - 2019-10-22
-
16.10.2 - 2019-10-03
-
16.10.1 - 2019-09-28
-
16.10.0 - 2019-09-27
-
16.9.0 - 2019-08-08
-
16.9.0-rc.0 - 2019-08-05
-
16.9.0-alpha.0 - 2019-04-03
-
16.8.6 - 2019-03-28
from react-dom GitHub release notesReact
React DOM
componentWillReceiveProps,shouldComponentUpdate, and so on). (@ gaearon in #18330)Artifacts
React
React.createFactory()(@ trueadm in #17878)React DOM
stylemay cause an unexpected collision (@ sophiebits in #14181, #18002)unstable_createPortal(@ trueadm in #17880)onMouseEnterbeing fired on disabled buttons (@ AlfredoGJ in #17675)shouldComponentUpdatetwice when developing inStrictMode(@ bvaughn in #17942)versionproperty to ReactDOM (@ ealush in #15780)toString()ofdangerouslySetInnerHTML(@ sebmarkbage in #17773)Concurrent Mode (Experimental)
ReactDOM.createRoot()(@ trueadm in #17937)ReactDOM.createRoot()callback params and added warnings on usage (@ bvaughn in #17916)SuspenseListCPU bound heuristic (@ sebmarkbage in #17455)isPendingonly being true when transitioning from inside an input event (@ acdlite in #17382)React.memocomponents dropping updates when interrupted by a higher priority update (@ acdlite in #18091)Artifacts
React DOM
useEffect) not being fired in a multi-root app. (@ acdlite in #17347)React Is
lazyandmemotypes considered elements instead of components (@ bvaughn in #17278)Artifacts
• react: https://unpkg.com/react@16.12.0/umd/
• react-art: https://unpkg.com/react-art@16.12.0/umd/
• react-dom: https://unpkg.com/react-dom@16.12.0/umd/
• react-is: https://unpkg.com/react-is@16.12.0/umd/
• react-test-renderer: https://unpkg.com/react-test-renderer@16.12.0/umd/
• scheduler: https://unpkg.com/scheduler@0.18.0/umd/
Package name: @material-ui/styles
-
4.11.5 - 2022-04-03
-
4.11.4 - 2021-04-27
-
4.11.3 - 2021-01-24
-
4.11.3-deprecations.1 - 2021-01-25
-
4.11.3-deprecations.0 - 2021-01-24
-
4.11.2 - 2020-12-02
-
4.11.1 - 2020-11-24
-
4.10.0 - 2020-05-23
-
4.9.14 - 2020-05-11
-
4.9.13 - 2020-05-04
-
4.9.10 - 2020-04-11
-
4.9.6 - 2020-03-18
-
4.9.0 - 2020-01-22
-
4.8.2 - 2019-12-30
-
4.7.1 - 2019-12-01
-
4.6.0 - 2019-11-05
-
4.5.2 - 2019-10-28
-
4.5.0 - 2019-10-02
-
4.4.3 - 2019-09-22
-
4.4.1 - 2019-09-08
-
4.3.3 - 2019-08-21
-
4.3.0 - 2019-07-28
from @material-ui/styles GitHub release notesPackage name: algoliasearch
-
3.35.1 - 2019-10-08
-
3.35.0 - 2019-09-26
-
3.34.0 - 2019-08-29
-
3.33.0 - 2019-05-09
from algoliasearch GitHub release notesPackage name: isomorphic-unfetch
-
3.1.0 - 2020-09-29
-
3.0.0 - 2018-09-17
from isomorphic-unfetch GitHub release notesisomorphic-unfetch@3.1.0
Package name: koa
-
2.15.2 - 2024-03-21
-
2.15.1 - 2024-03-15
-
2.15.0 - 2023-12-29
-
2.14.2 - 2023-04-12
-
2.14.1 - 2022-12-07
-
2.14.0 - 2022-12-06
-
2.13.4 - 2021-10-19
-
2.13.3 - 2021-09-24
-
2.13.2 - 2021-09-24
-
2.13.1 - 2021-01-04
-
2.13.0 - 2020-06-21
-
2.12.1 - 2020-06-13
-
2.12.0 - 2020-05-17
-
2.11.0 - 2019-10-28
-
2.10.0 - 2019-10-12
-
2.9.0 - 2019-10-12
-
2.8.2 - 2019-09-28
-
2.8.1 - 2019-08-19
-
2.8.0 - 2019-08-19
-
2.7.0 - 2019-01-28
from koa GitHub release notesRelease 2.15.2
Release 2.15.1
Release 2.15.0
Release 2.14.2
Release 2.14.1
Release 2.14.0
Release 2.13.4
Package name: koa-session
-
5.13.1 - 2020-02-01
-
5.13.0 - 2020-02-01
-
5.12.3 - 2019-08-23
-
5.12.2 - 2019-07-09
from koa-session GitHub release notesRelease 5.13.1
Release 5.13.0
Release 5.12.3
Release 5.12.2
Package name: next
Core Changes
Example Changes
Credits
Huge thanks to @ HaNdTriX, and @ jensmeindertsma for helping!
Core Changes
Core Changes
Example Changes
Credits
Huge thanks to @ HaNdTriX and @ jensmeindertsma for helping!
This upgrade is completely backwards compatible and recommended for all users on versions below 9.5.4. For future security related communications of our OSS projects, please join this mailing list.
A security team from one of our partners noticed an issue in Next.js that allowed for open redirects to occur.
Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site.
In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
How to Upgrade
npm install next@latest --saveImpact
next exportWe recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If you think users could have been affected, you can filter logs of affected sites by
%2Fwith a 308 response.What is Being Done
As Next.js has grown in popularity, it has received the attention of security teams and auditors. We are thankful to those that reached out for their investigation and discovery of the original bug and subsequent responsible disclosure.
We've landed a patch that ensures encoding is handled properly for these types of redirects so the open redirect can no longer occur.
Regression tests for this attack were added to the security integration test suite.
Core Changes
next-head-count: #16758