@freddycoder
Owner

Snyk has created this PR to upgrade @reduxjs/toolkit from 2.9.1 to 2.9.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 1 version ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: @reduxjs/toolkit
  • 2.9.2 - 2025-10-22

    This bugfix release fixes a potential internal data leak in SSR environments, improves handling of headers in fetchBaseQuery, improves retry handling for unexpected errors and request aborts, and fixes a longstanding issue with prefetch leaving an unused subscription. We've also shipped a new graphqlRequestBaseQuery release with updated dependencies and better error handling.

    Changelog

    Internal Subscription Handling

    We had a report that a Redux SSR app had internal subscription data showing up across different requests. After investigation, this was a bug introduced by the recent RTKQ perf optimizations, where the internal subscription fields were hoisted outside of the middleware setup and into createApi itself. This meant they existed outside of the per-store-instance lifecycle. We've reworked the logic to ensure the data is per-store again. We also fixed another issue that miscalculated when there was an active request while checking for cache entry cleanup.

    Note that no actual app data was leaked in this case, just the internal subscription IDs that RTKQ uses in its own middleware to track the existence of subscriptions per cache entry.

    fetchBaseQuery Headers

    We've updated fetchBaseQuery to avoid setting content-type in cases where a non-JSONifiable value like FormData is being passed as the request body, so that the browser can set that content type itself. It also now sets the accept header based on the selected responseHandler (JSON or text).

    retry Behavior and Cleanup

    The retry util now respects the maxRetries option when catching unknown errors in addition to the existing known errors logic. It also now checks the request's AbortSignal and will stop retrying if aborted.

    In conjunction with that, dispatching resetApiState will now abort all in-flight requests.

    The prefetch util and usePrefetch hook had a long-standing issue where they would create a subscription for a cache entry, but there was no way to clean up that subscription. This meant that the cache entry was effectively permanent. They now initiate the request without adding a subscription. This will fetch the cache entry and leave it in the store for the keepUnusedDataFor period as intended, giving your app time to actually subscribe to the value (such as prefetching the cache entry in a route handler, and then subscribing in a component).

    graphqlRequestBaseQuery

    We've published @rtk-query/graphql-request-base-query v2.3.2, which updates the graphql-request dep to ^7. We also fixed an issue where the error handling rethrew unknown errors - it now returns {error} as a base query is supposed to.

    What's Changed

    Full Changelog: v2.9.1...v2.9.2

  • 2.9.1 - 2025-10-17

    This bugfix release fixes how sorted entity adapters handle duplicate IDs, tweaks the TS types for RTKQ query state cache entries to improve how the data field is handled, and adds better cleanup for long-running listener middleware effects.

    What's Changed

    • fix(entityAdapter): ensure sorted addMany keeps first occurrence of duplicate ids by @demyanm in #5097
    • fix(entityAdapter): ensure sorted setMany keeps just unique IDs in state.ids by @demyanm in #5107
    • fix(types): ensure non-undefined data on isSuccess with exactOptionalPropertyTypes by @CO0Ki3 in #5088
    • Allow executing effects that have become unsubscribed to be canceled by listenerMiddleware.clearListeners by @chris-chambers in #5102

    Full Changelog: v2.9.0...v2.9.1

from @reduxjs/toolkit GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

See this package in npm:
@reduxjs/toolkit

See this project in Snyk:
https://app.snyk.io/org/freddycoder/project/54ba868f-15a9-410b-89d0-3cec6c18ecfa?utm_source=github&utm_medium=referral&page=upgrade-pr

@freddycoder deleted the snyk-upgrade-296f1278c8beb9e9180189160955f738 branch November 19, 2025 00:52
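
The "Internal Subscription Handling" note in the release notes above describes tracking state that ended up outside the per-store-instance lifecycle. As an added example (not part of this PR and not Redux Toolkit's code), here is a simplified JavaScript model of that bug class with a regression check for it; every function name and the sample cache key are hypothetical.

```javascript
// Simplified model of the bug class; NOT Redux Toolkit's implementation.
// createApiHoisted, createApiPerStore, makeTracker, leaksAcrossStores are hypothetical names.

// Tracks subscription ids per cache key, backed by whichever Map it is given.
function makeTracker(subscriptions) {
  return {
    subscribe(cacheKey, id) {
      if (!subscriptions.has(cacheKey)) subscriptions.set(cacheKey, new Set());
      subscriptions.get(cacheKey).add(id);
    },
    idsFor(cacheKey) {
      return [...(subscriptions.get(cacheKey) ?? [])].sort();
    },
  };
}

// Hoisted shape: one Map per API definition, shared by every store built from it.
function createApiHoisted() {
  const subscriptions = new Map();
  return { middleware: () => makeTracker(subscriptions) };
}

// Per-store shape: a fresh Map each time the middleware is set up for a store.
function createApiPerStore() {
  return { middleware: () => makeTracker(new Map()) };
}

// Regression check: build two stores (two SSR requests) from one api object
// and report whether ids registered in one are visible from the other.
function leaksAcrossStores(api) {
  const key = 'getUser("1")'; // constructed cache key
  const requestA = api.middleware();
  const requestB = api.middleware();
  requestA.subscribe(key, 'req-A-sub');
  requestB.subscribe(key, 'req-B-sub');
  return requestA.idsFor(key).includes('req-B-sub') ||
         requestB.idsFor(key).includes('req-A-sub');
}

console.log('hoisted leaks:  ', leaksAcrossStores(createApiHoisted()));
console.log('per-store leaks:', leaksAcrossStores(createApiPerStore()));
```

The same two-store isolation check can be kept as a unit test in any server-rendered app that builds a store per request from shared module-level objects.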