Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade react-redux from 7.2.0 to 7.2.4 #14

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link

Snyk has created this PR to upgrade react-redux from 7.2.0 to 7.2.4.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 4 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2021-04-24.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Prototype Pollution
SNYK-JS-Y18N-1021887
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WEBSOCKETEXTENSIONS-570623
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1085630
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1085630
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-OBJECTPATH-1017036
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-NORMALIZEURL-1296539
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-NORMALIZEURL-1296539
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-NODEFORGE-598677
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-MERGEDEEP-1070277
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-LODASH-608086
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-LODASH-590103
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Command Injection
SNYK-JS-LODASH-1040724
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-INI-1048974
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Cryptographic Issues
SNYK-JS-ELLIPTIC-571484
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Remote Memory Exposure
SNYK-JS-DNSPACKET-1293563
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-AJV-584908
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ACORN-559469
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ACORN-559469
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-YARGSPARSER-560381
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-YARGSPARSER-560381
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Improper Input Validation
SNYK-JS-URLPARSE-1078283
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Denial of Service (DoS)
SNYK-JS-SOCKJS-575261
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHPARSE-1077067
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Command Injection
SNYK-JS-NODENOTIFIER-1035794
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-MINIMIST-559764
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-MINIMIST-559764
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-LODASH-567746
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1243891
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1085627
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Denial of Service (DoS)
SNYK-JS-HTTPPROXY-569139
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Cryptographic Issues
SNYK-JS-ELLIPTIC-1064899
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-COLORSTRING-1082939
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: react-redux
  • 7.2.4 - 2021-04-24

    This release drops our dependency on the core redux package by inlining bindActionCreators, and tweaks useSelector to ensure that selectors aren't run an extra time while re-rendering.

    Changelog

    Redux Dependency Removal

    React-Redux has always imported the bindActionCreators utility from the core redux package for use in connect. However, that meant that we had to have a peer dependency on redux, and this was the only reason we actually required that redux be installed. This became more annoying with the arrival of Redux Toolkit, which has its own dependency on redux internally, and thus users typically saw peer dependency warnings saying that "redux isn't listed as a dependency in your app".

    Code reuse across separate packages is a great thing, but sometimes the right thing to do is duplicate code. So, we've inlined bindActionCreators directly into React-Redux, and we've completely dropped the dependency on Redux. This means that React-Redux will no longer produce a peerDep warning when used with Redux Toolkit, and <Provider> and connect really only need a Redux-store-compatible value to work right.

    useSelector Fixes

    Users reported that useSelector was re-running selector functions again unnecessarily while rendering after a dispatch. We've tweaked the logic to ensure that doesn't happen.

    useSelector also now has checks in development to ensure that selector and equalityFn are functions.

    Changes

    v7.2.3...v7.2.4

  • 7.2.3 - 2021-03-23

    This release improves behavior in useSelector by returning the existing reference if the newly returned selector result passes the equality check, and adds a hard dependency on the @ types/react-redux package to ensure TS users always have the typedefs installed.

    Changes

    useSelector Results Reuse

    Issue #1654 reported that useSelector was returning new references from a selector even if the equality comparison function returned true. This is because the equality check was only ever being performed during the action dispatch process.

    We now run the equality comparison against the value calculated by the selector while rendering, and return the existing reference for consistency if the old and new values are considered equal. This should improve some cases where further derived values where being recalculated unnecessarily.

    TS Types Now Included

    React-Redux has always been written in plain JS, and the typedefs maintained by the community in DefinitelyTyped. We plan on eventually rewriting the library in TypeScript in a future React-Redux v8 release, but until then the types can stay in DT.

    However, having to always manually install @ types/react-redux is annoying, and some users have gotten confused by that. This release adds a hard dependency on @ types/react-redux, so that if you install react-redux, you automatically get the types as well. This should simplify the process for TS users.

    Docs Updates

    We've made several docs updates recently:

    • Renamed "Quick Start" to "Getting Started" and "Static Typing" to "Usage with TypeScript"
    • Dropped the docs API versioning setup, as the legacy API version docs pages were rarely viewed and the versioning setup confused docs contributors
    • Moved the old "Intro > Basic Tutorial" to "Tutorials > Connect" and marked it as semi-obsolete

    We are currently working on a new React-Redux tutorial that will teach the React-Redux hooks as the primary approach, based on the "UI and React" page in the Redux docs "Fundamentals" tutorial.

    Changelog

    v7.2.2...v7.2.3

  • 7.2.2 - 2020-10-26

    This release allows you to use React Redux with React 17 without a warning when installing. That's about it.

    Changes

  • 7.2.1 - 2020-07-25

    This release improves useSelector value display in the React DevTools, fixes a potential race condition, and fixes a couple additional minor issues.

    useSelector DevTools Display

    The React DevTools normally show custom hooks with their inspected name (such as "Selector" for useSelector), and any calls to core hooks inside. This is not always informative, so React has the useDebugValue hook to allow custom hooks to specify what value should be shown instead.

    useSelector now calls useDebugValue to specifically show the current selected value instead of its internal hooks usage.

    Bug Fixes

    This release has a few different bug fixes:

    • A potential race condition when dispatching actions from child components in the commit phase vs selecting data in a parent
    • Removed an excess new object creation when forcing a re-render
    • Our internal prop name for a forwarded ref is now reactReduxForwardedRef to avoid a rare situation where someone else might be passing down a field named forwardedRef
    • Fixed a typo in a useSelector error message

    Changes

    • Fix error message typo in useSelector ('You must pass a selector...). (@ Pixelwelder - #1581)
    • fix useSelector race condition with memoized selector when dispatching in child components useLayoutEffect as well as cDM/cDU (@ dai-shi - #1536)
    • removed a redundant object creation when using forceUpdate (@ vzaidman - #1567)
    • Rename internal forwardedRef usage (@ dtschust - #1553)
    • Show useSelector result in React DevTools (@ Finesse - #1530)
  • 7.2.0 - 2020-02-18

    This release fixes two bugs, an algorithmic problem with unsubscribing components and a memory leak with connect. It also has optimizations for production bundle size, and adds a couple small improvements to developer readability while debugging.

    Bug Fixes

    connect in v7 is implemented using hooks, and the hooks usage captures numerous values from the surrounding scope. We received a PR informing us that the way we were capturing these values would likely result in a copy of the first version of its props being kept alive indefinitely.

    This memory leak has been fixed by extracting a custom hook that receives all the necessary values as arguments, so that they're not captured via closure.

    We also received a PR letting us know that the unsubscribe logic had a quadratic algorithm in it, as removing a subscriber would use an indexOf(listener) check to remove that callback. If there were a large number of subscribers, that line's runtime would increase rapidly, causing slowdowns.

    This algorithm has been replaced with tracking subscribers via a linked list, which drastically improves the runtime of this section of the code even with large numbers of subscribers.

    Thanks to @ larrylin28 and @ wurstbonbon for finding these bugs and submitting PRs to fix them!

    Bundle Size Improvements

    We've made a number of small tweaks to the codebase to improve the ability of bundlers to shake and minimize the final included size in a bundle. The net result is that react-redux@7.2.0 is smaller than 7.1.3, dropping 1.3K min and 0.6K min+gzip. (In fact, it's even smaller than the pre-hooks 7.0.0 when gzipped!)

    Thanks to @ Andarist for doing most of the work on this!

    Debugging Improvements

    The ReactReduxContext instance now has a displayName set, so it should show up in the React DevTools as ReactRedux.Provider.

    Also, when an error is caught in useSelector and re-thrown, we now append the original stack trace.

    Thanks to @ pieplu and @ r3dm1ke for these!

    Changes

from react-redux GitHub release notes
Commit messages
Package name: react-redux

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant