[Snyk] Upgrade react-redux from 7.2.0 to 7.2.4 #14
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade react-redux from 7.2.0 to 7.2.4.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version fixes:
SNYK-JS-Y18N-1021887
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-WEBSOCKETEXTENSIONS-570623
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SSRI-1085630
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SSRI-1085630
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SERIALIZEJAVASCRIPT-570062
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-OBJECTPATH-1017036
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-NORMALIZEURL-1296539
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-NORMALIZEURL-1296539
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-NODEFORGE-598677
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MERGEDEEP-1070277
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-608086
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-590103
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-1040724
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-INI-1048974
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ELLIPTIC-571484
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-DNSPACKET-1293563
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-AJV-584908
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ACORN-559469
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ACORN-559469
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-YARGSPARSER-560381
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-YARGSPARSER-560381
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-WS-1296835
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-WS-1296835
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-URLPARSE-1078283
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SOCKJS-575261
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-PATHPARSE-1077067
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-NODENOTIFIER-1035794
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MINIMIST-559764
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MINIMIST-559764
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-567746
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-1018905
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ISSVG-1243891
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ISSVG-1085627
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HTTPPROXY-569139
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HOSTEDGITINFO-1088355
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ELLIPTIC-1064899
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-COLORSTRING-1082939
Why? Proof of Concept exploit, CVSS 7.3
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: react-redux
This release drops our dependency on the core
redux
package by inliningbindActionCreators
, and tweaksuseSelector
to ensure that selectors aren't run an extra time while re-rendering.Changelog
Redux Dependency Removal
React-Redux has always imported the
bindActionCreators
utility from the coreredux
package for use inconnect
. However, that meant that we had to have a peer dependency onredux
, and this was the only reason we actually required thatredux
be installed. This became more annoying with the arrival of Redux Toolkit, which has its own dependency onredux
internally, and thus users typically saw peer dependency warnings saying that "redux
isn't listed as a dependency in your app".Code reuse across separate packages is a great thing, but sometimes the right thing to do is duplicate code. So, we've inlined
bindActionCreators
directly into React-Redux, and we've completely dropped the dependency on Redux. This means that React-Redux will no longer produce a peerDep warning when used with Redux Toolkit, and<Provider>
andconnect
really only need a Redux-store-compatible value to work right.useSelector
FixesUsers reported that
useSelector
was re-running selector functions again unnecessarily while rendering after a dispatch. We've tweaked the logic to ensure that doesn't happen.useSelector
also now has checks in development to ensure thatselector
andequalityFn
are functions.Changes
v7.2.3...v7.2.4
This release improves behavior in
useSelector
by returning the existing reference if the newly returned selector result passes the equality check, and adds a hard dependency on the@ types/react-redux
package to ensure TS users always have the typedefs installed.Changes
useSelector
Results ReuseIssue #1654 reported that
useSelector
was returning new references from a selector even if the equality comparison function returnedtrue
. This is because the equality check was only ever being performed during the action dispatch process.We now run the equality comparison against the value calculated by the selector while rendering, and return the existing reference for consistency if the old and new values are considered equal. This should improve some cases where further derived values where being recalculated unnecessarily.
TS Types Now Included
React-Redux has always been written in plain JS, and the typedefs maintained by the community in DefinitelyTyped. We plan on eventually rewriting the library in TypeScript in a future React-Redux v8 release, but until then the types can stay in DT.
However, having to always manually install
@ types/react-redux
is annoying, and some users have gotten confused by that. This release adds a hard dependency on@ types/react-redux
, so that if you installreact-redux
, you automatically get the types as well. This should simplify the process for TS users.Docs Updates
We've made several docs updates recently:
We are currently working on a new React-Redux tutorial that will teach the React-Redux hooks as the primary approach, based on the "UI and React" page in the Redux docs "Fundamentals" tutorial.
Changelog
v7.2.2...v7.2.3
This release allows you to use React Redux with React 17 without a warning when installing. That's about it.
Changes
This release improves
useSelector
value display in the React DevTools, fixes a potential race condition, and fixes a couple additional minor issues.useSelector
DevTools DisplayThe React DevTools normally show custom hooks with their inspected name (such as "Selector" for
useSelector
), and any calls to core hooks inside. This is not always informative, so React has theuseDebugValue
hook to allow custom hooks to specify what value should be shown instead.useSelector
now callsuseDebugValue
to specifically show the current selected value instead of its internal hooks usage.Bug Fixes
This release has a few different bug fixes:
reactReduxForwardedRef
to avoid a rare situation where someone else might be passing down a field namedforwardedRef
useSelector
error messageChanges
This release fixes two bugs, an algorithmic problem with unsubscribing components and a memory leak with
connect
. It also has optimizations for production bundle size, and adds a couple small improvements to developer readability while debugging.Bug Fixes
connect
in v7 is implemented using hooks, and the hooks usage captures numerous values from the surrounding scope. We received a PR informing us that the way we were capturing these values would likely result in a copy of the first version of its props being kept alive indefinitely.This memory leak has been fixed by extracting a custom hook that receives all the necessary values as arguments, so that they're not captured via closure.
We also received a PR letting us know that the unsubscribe logic had a quadratic algorithm in it, as removing a subscriber would use an
indexOf(listener)
check to remove that callback. If there were a large number of subscribers, that line's runtime would increase rapidly, causing slowdowns.This algorithm has been replaced with tracking subscribers via a linked list, which drastically improves the runtime of this section of the code even with large numbers of subscribers.
Thanks to @ larrylin28 and @ wurstbonbon for finding these bugs and submitting PRs to fix them!
Bundle Size Improvements
We've made a number of small tweaks to the codebase to improve the ability of bundlers to shake and minimize the final included size in a bundle. The net result is that
react-redux@7.2.0
is smaller than 7.1.3, dropping 1.3K min and 0.6K min+gzip. (In fact, it's even smaller than the pre-hooks 7.0.0 when gzipped!)Thanks to @ Andarist for doing most of the work on this!
Debugging Improvements
The
ReactReduxContext
instance now has adisplayName
set, so it should show up in the React DevTools asReactRedux.Provider
.Also, when an error is caught in
useSelector
and re-thrown, we now append the original stack trace.Thanks to @ pieplu and @ r3dm1ke for these!
Changes
UseEffect
(@ larrylin28 - #1506)Commit messages
Package name: react-redux
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs