[Snyk] Upgrade react-redux from 7.0.2 to 7.2.6 #39
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade react-redux from 7.0.2 to 7.2.6.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version fixes:
SNYK-JS-Y18N-1021887
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-WEBSOCKETEXTENSIONS-570623
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-TMPL-1583443
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-TAR-1579155
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-TAR-1579152
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-TAR-1579147
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-TAR-1536531
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-TAR-1536528
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SSRI-1246392
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SETVALUE-450213
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SETVALUE-1540541
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SETVALUE-450213
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SETVALUE-1540541
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SERIALIZEJAVASCRIPT-570062
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SERIALIZEJAVASCRIPT-536840
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-NODEFORGE-598677
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MIXINDEEP-450212
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MERGEDEEP-1070277
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-608086
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-450202
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-1040724
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-INI-1048974
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HANDLEBARS-534478
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HANDLEBARS-480388
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HANDLEBARS-469063
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HANDLEBARS-1056767
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ESLINTUTILS-460220
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ELLIPTIC-571484
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-DNSPACKET-1293563
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-AJV-584908
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ACORN-559469
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ACORN-559469
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-YARGSPARSER-560381
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-YARGSPARSER-560381
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-WS-1296835
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-WS-1296835
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-URLPARSE-1533425
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-URLPARSE-1078283
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-UGLIFYJS-1727251
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-SOCKJS-575261
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-PROMPTS-1729737
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-PATHPARSE-1077067
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-NODENOTIFIER-1035794
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MINIMIST-559764
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MINIMIST-559764
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-MINIMIST-559764
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-567746
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-1018905
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HTTPPROXY-569139
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HOSTEDGITINFO-1088355
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HANDLEBARS-567742
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HANDLEBARS-1279029
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ELLIPTIC-511941
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-DOTPROP-543489
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-COLORSTRING-1082939
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-TAR-1536758
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-LODASH-590103
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ISSVG-1243891
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ISSVG-1085627
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-KINDOF-537849
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-HANDLEBARS-534988
Why? Proof of Concept exploit, CVSS 7.3
SNYK-JS-ELLIPTIC-1064899
Why? Proof of Concept exploit, CVSS 7.3
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: react-redux
Shameless plug: I'm working on a new company called Spaceship 🚀 It's a tool to launch your code anywhere in one click. Check it out!
Just a quick fix for a Yarn install warning. Sorry about the noise!
Changes
workspaces
from our package.json to silence a Yarn warning (@ timdorr)This release shrinks the size of our internal
Subscription
class, and updatesuseSelector
to avoid an unnecessary selector call on mount.Changes
Subscription Size Refactor
Our internal
Subscription
implementation has been written as a class ever since it was added in v5. By rewriting it as a closure factory, we were able to shave a few bytes off the final bundle size.useSelector
Mount OptimizationA user noticed that
useSelector
had never been given an early "bail out if the root state is the same" check to match howconnect
works. This resulted in a usually-unnecessary second call to the provided selector on mount. We've added that check.Entry Point Consolidation
We've consolidated the list of exported public APIs into a single file, and both the
index.js
andalternate-renderers.js
entry points now re-export everything from that file. No meaningful change here, just shuffling lines of code around for consistency.Other Updates
React-Redux v8 and React 18 Development
With the announcement of React 18, we've been working with the React team to plan our migration path to keep React-Redux fully compatible with React's upcoming features.
We've already migrated the React-Redux main development branch to TypeScript, and are prototyping compatibility implementation updates. We'd appreciate any assistance from the community in testing out these changes so that we can ensure React-Redux works great for everyone when React 18 is ready!
Internal Tooling Updates
Our
master
branch now uses Yarn v2 for package management, is built with TypeScript, and we've made CI updates to test against multiple TS versions.The
7.x
branch has also been updated to use Yarn v2 for consistency.These only affect contributors to the React-Redux package itself.
Changelog
v7.2.4...v7.2.5
This release drops our dependency on the core
redux
package by inliningbindActionCreators
, and tweaksuseSelector
to ensure that selectors aren't run an extra time while re-rendering.Changelog
Redux Dependency Removal
React-Redux has always imported the
bindActionCreators
utility from the coreredux
package for use inconnect
. However, that meant that we had to have a peer dependency onredux
, and this was the only reason we actually required thatredux
be installed. This became more annoying with the arrival of Redux Toolkit, which has its own dependency onredux
internally, and thus users typically saw peer dependency warnings saying that "redux
isn't listed as a dependency in your app".Code reuse across separate packages is a great thing, but sometimes the right thing to do is duplicate code. So, we've inlined
bindActionCreators
directly into React-Redux, and we've completely dropped the dependency on Redux. This means that React-Redux will no longer produce a peerDep warning when used with Redux Toolkit, and<Provider>
andconnect
really only need a Redux-store-compatible value to work right.useSelector
FixesUsers reported that
useSelector
was re-running selector functions again unnecessarily while rendering after a dispatch. We've tweaked the logic to ensure that doesn't happen.useSelector
also now has checks in development to ensure thatselector
andequalityFn
are functions.Changes
v7.2.3...v7.2.4
This release improves behavior in
useSelector
by returning the existing reference if the newly returned selector result passes the equality check, and adds a hard dependency on the@ types/react-redux
package to ensure TS users always have the typedefs installed.Changes
useSelector
Results ReuseIssue #1654 reported that
useSelector
was returning new references from a selector even if the equality comparison function returnedtrue
. This is because the equality check was only ever being performed during the action dispatch process.We now run the equality comparison against the value calculated by the selector while rendering, and return the existing reference for consistency if the old and new values are considered equal. This should improve some cases where further derived values where being recalculated unnecessarily.
TS Types Now Included
React-Redux has always been written in plain JS, and the typedefs maintained by the community in DefinitelyTyped. We plan on eventually rewriting the library in TypeScript in a future React-Redux v8 release, but until then the types can stay in DT.
However, having to always manually install
@ types/react-redux
is annoying, and some users have gotten confused by that. This release adds a hard dependency on@ types/react-redux
, so that if you installreact-redux
, you automatically get the types as well. This should simplify the process for TS users.Docs Updates
We've made several docs updates recently:
We are currently working on a new React-Redux tutorial that will teach the React-Redux hooks as the primary approach, based on the "UI and React" page in the Redux docs "Fundamentals" tutorial.
Changelog
v7.2.2...v7.2.3
This release allows you to use React Redux with React 17 without a warning when installing. That's about it.
Changes
This release improves
useSelector
value display in the React DevTools, fixes a potential race condition, and fixes a couple additional minor issues.useSelector
DevTools DisplayThe React DevTools normally show custom hooks with their inspected name (such as "Selector" for
useSelector
), and any calls to core hooks inside. This is not always informative, so React has theuseDebugValue
hook to allow custom hooks to specify what value should be shown instead.useSelector
now callsuseDebugValue
to specifically show the current selected value instead of its internal hooks usage.Bug Fixes
This release has a few different bug fixes:
reactReduxForwardedRef
to avoid a rare situation where someone else might be passing down a field namedforwardedRef
useSelector
error messageChanges
Read more
Forgot to remove a
console
statement before I published 7.1.2. Oops!Lint your source code before publishing, folks.
Changes
Read more
Commit messages
Package name: react-redux
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs