Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump immer from 8.0.4 to 9.0.6 #11364

Merged
merged 1 commit into from
Sep 22, 2021
Merged

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 3, 2021

Bumps immer from 8.0.4 to 9.0.6.

Release notes

Sourced from immer's releases.

v9.0.6

9.0.6 (2021-08-31)

Bug Fixes

  • security: Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype (fa671e5)

v9.0.5

9.0.5 (2021-07-05)

Bug Fixes

  • release missing dist/ folder (bfb8dec)

v9.0.4

9.0.4 (2021-07-05)

Bug Fixes

  • #791 return 'nothing' should produce undefined patch (5412c9f)
  • #807 new undefined properties should end up in result object (dc3f66c)
  • Better applyPatches type (#810) (09ac097), closes #809

v9.0.3

9.0.3 (2021-06-09)

Bug Fixes

  • isPlainObject: add quick comparison between input and Object to short-circuit taxing Function.toString invocations (#805) (07575f3)

v9.0.2

9.0.2 (2021-04-25)

Bug Fixes

  • #785 fix type inference for produce incorrectly inferring promise (#786) (6555173)

v9.0.1

9.0.1 (2021-03-20)

Bug Fixes

  • #768 immerable field being lost during patch value cloning (#771) (e0b7c01)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [immer](https://github.com/immerjs/immer) from 8.0.4 to 9.0.6.
- [Release notes](https://github.com/immerjs/immer/releases)
- [Commits](immerjs/immer@v8.0.4...v9.0.6)

---
updated-dependencies:
- dependency-name: immer
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 3, 2021
@raix raix added this to the 5.0 milestone Sep 3, 2021
@PatrickShaw
Copy link

This will fix #11443 :)

@KristjanRanna
Copy link

Could this be merged already, please? It is pretty straightforward change and it is making my build fail.

@mrmckeb mrmckeb merged commit 960b21e into main Sep 22, 2021
@mrmckeb mrmckeb deleted the dependabot/npm_and_yarn/immer-9.0.6 branch September 22, 2021 17:37
@Brycetastic
Copy link

Now this is merge how do I get the update? will react-dev-utils have a version update?

@r-wells
Copy link

r-wells commented Sep 23, 2021

Bumping @Brycetastic's comment, we're getting a high severity vulnerability alert for this (as I'm sure a lot are) and would like to get it resolved. We're on the latest version of react-scripts (4.0.3) and react-dev-utils (11.0.4) but immer is still 8.0.1

@KristjanRanna
Copy link

Any updates on this?

@keremciu
Copy link

how about having 4.0.4 with this one?

@erbunao
Copy link

erbunao commented Sep 28, 2021

Out of curiosity, is there anyone we need to tag from the admins to check this out?

@keremciu
Copy link

keremciu commented Oct 7, 2021

maybe @iansu @mrmckeb can help us out for release?

@DaisyyKM
Copy link

DaisyyKM commented Oct 7, 2021

Like everyone above mentioned, this code change is not helping us with the vulnerability issue with immer, I am still getting immer@8.0.1. @iansu @mrmckeb @PatrickShaw @ianschmitz @kentcdodds Please let us know what we need to do to resolve this and get the upgraded version of immer in our repo.

@fauzanriff
Copy link

PR already merged, but we haven't seen any new patch on npm, it still uses immer@8.0.1. Do we have a plan to publish this?

@KristjanRanna
Copy link

@mrmckeb Could you please give an update on this?

@ashvin777
Copy link

Facing the same issue, using the latest 11.0.4 but still seeing the immer being installed with version 8.0.1

@@ -65,7 +65,7 @@
"global-modules": "2.0.0",
"globby": "11.0.1",
"gzip-size": "5.1.1",
"immer": "8.0.4",
"immer": "9.0.6",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no change in package.json version that seems to be an issue.

@abahuja
Copy link

abahuja commented Nov 10, 2021

Any updates?

@Arunpandi04
Copy link

we are waiting on it please update this?

@felipeplets
Copy link

@iansu can we get a patch version released to address this vulnerability?

@adrespi-dev
Copy link

Any updates on this one?

GaryPWhite added a commit to GaryPWhite/gatsby that referenced this pull request Apr 21, 2022
downstream, [react-dev-utils v11.x.x](https://www.npmjs.com/package/react-dev-utils/v/11.0.4) is subject to a [vulnerability](GHSA-33f9-j839-rf8h). Since the release of 12.x.x, `immer` [has been bumped up](facebook/create-react-app#11364 (comment)) and should resolve the "critical" security alert if it's adopted into Gatsby.
abhiisheek pushed a commit to abhiisheek/create-react-app that referenced this pull request May 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CLA Signed dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.