fix(deps): update dependency immer to v9 [security] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
immer	^5.0.0 -> ^9.0.0

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2020-28477

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

CVE-2021-23436

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

CVE-2021-3757

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

---

Release Notes

immerjs/immer

v9.0.19

Compare Source

Bug Fixes

• don't freeze drafts returned from produce if they were passed in as draft (#​917) (46867f8)
• produce results should never be frozen when returned from nested produces, to prevent 'hiding' drafts. Fixes #​935 (a810960)
• release and publish from 'main' rather than 'master' branch (82acc40)
• revert earlier fix (#​990) for recursive types (#​1014) (3eeb331)
• Upgrade Github actions to Node 16 attempt 1 (9d4ea93)
• Upgrade Github actions to Node 16 attempt 2 (082eecd)

v9.0.18

Compare Source

Bug Fixes

• Preserve insertion order of Sets, fixes #​819 (#​976) (b3eeb69)
• unnecessarily recursive Draft type (#​990) (b9eae1d)

v9.0.17

Compare Source

Bug Fixes

• special case NaN in setter (#​912) (5721bb7)

v9.0.16

Compare Source

Bug Fixes

• protect isDraftable against undefined constructor (#​969) (ced4563)

v9.0.15

Compare Source

Bug Fixes

• Add "types" to exports for TypeScript 4.7 (#​946) (85ce6b7)

v9.0.14

Compare Source

Bug Fixes

• Use .esm.js module for backwards compatibility with old build tools (#​939) (d30d219)

v9.0.13

Compare Source

Bug Fixes

• consistent recipe return type in produceWithPatches (#​934) (220d61d)
• incorrect return type for async produceWithPatches (#​933) (9f7623d)

v9.0.12

Compare Source

Bug Fixes

• produceWithPatches should not wrap result in Immutable, fixes #​850, #​881 (d8f2636)

v9.0.11

Compare Source

Bug Fixes

• incorrect patches for delete on arrays. Fixes #​879 (d91a659)

v9.0.10

Compare Source

Bug Fixes

• No patches being generated for root primitive replacements. Fixes #​888 (0f96270)

v9.0.9

Compare Source

Bug Fixes

• make sure produceWithPatches accepts promises (d80e823)

v9.0.8

Compare Source

Bug Fixes

• immerjs#​876 Ensure empty patch set for atomic set+delete on Map (#​878) (e140918)

v9.0.7

Compare Source

Bug Fixes

• Append to array when key is "-" (#​872) (2afdb1b)

v9.0.6

Compare Source

Bug Fixes

• security: Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype (fa671e5)

v9.0.5

Compare Source

Bug Fixes

• release missing dist/ folder (bfb8dec)

v9.0.4

Compare Source

Bug Fixes

• #​791 return 'nothing' should produce undefined patch (5412c9f)
• #​807 new undefined properties should end up in result object (dc3f66c)
• Better applyPatches type (#​810) (09ac097), closes #​809

v9.0.3

Compare Source

Bug Fixes

• isPlainObject: add quick comparison between input and Object to short-circuit taxing Function.toString invocations (#​805) (07575f3)

v9.0.2

Compare Source

Bug Fixes

• #​785 fix type inference for produce incorrectly inferring promise (#​786) (6555173)

v9.0.1

Compare Source

Bug Fixes

• #​768 immerable field being lost during patch value cloning (#​771) (e0b7c01)

v9.0.0

Compare Source

feature

• Improved typescript types (2c2f30e), closes #​720

BREAKING CHANGES

• It is no longer allowed to return nothing from a recipe if the target state doesn't accept undefined.
• It is no longer allowed to return arbitrary things from a recipe. Recipes should either return nothing, or something that is assignable to the original state type. This will catch mistakes with accidental returns earlier.

v8.0.4

Compare Source

Bug Fixes

• make sure isPlainObject checks support objects send accross frames. Fixes #​766 / #​405 (5ae3547)

v8.0.3

Compare Source

Bug Fixes

• new Immer().produce now has the same type as produce. Fixes #​749 (f8b77d1)

v8.0.2

Compare Source

Bug Fixes

• Add a type-checking fast path for primitive types (#​755) (d395efe)
• Ignore equal reference assignments. Fixes #​648 (3b4286d)

v8.0.1

Compare Source

Bug Fixes

• Fixed security issue #​738: prototype pollution possible when applying patches CVE-2020-28477 (da2bd4f)

v8.0.0

Compare Source

feature

• Always freeze by default (#​702) (a406c8f)

BREAKING CHANGES

• always freeze by default, even in production mode. Use setAutoFreeze(process.env.NODE_ENV !== 'production') for the old behavior. See https://github.com/immerjs/immer/issues/687#issuecomment-728881754 for the rationale. Fixes #​649, #​681, #​687

v7.0.15

Compare Source

Bug Fixes

• make plugin loading idempotent, fixes #​692 (754331b)

v7.0.14

Compare Source

Bug Fixes

• build issue. Fixes #​685 (?) (9007be0)

v7.0.13

Compare Source

Bug Fixes

• reconcile if the original value is assigned after creating a draft. Fixes #​659 (c0e6749)

v7.0.12

Compare Source

Bug Fixes

• undraftable values should not be cloned for patches, fixes #​676 (1b70ad5)

v7.0.11

Compare Source

Bug Fixes

• skip ReadonlyMap and ReadonlySet types when not available (#​653). Fixes #​624 (12f4cf8)

v7.0.10

Compare Source

Bug Fixes

• Clearing empty Set&Map should be noop (#​682). Fixes #​680 (33a305b)

v7.0.9

Compare Source

Bug Fixes

• clear map creates invalid patches, fixes #​663 (bacc1e0)

v7.0.8

Compare Source

Bug Fixes

• Use a named type for Draft object for smaller type declaration files (a1a0da0)
• use Array.prototype.slice() for copying arrays. Fixes #​650 (bf90358)
• use Array.prototype.slice() for copying arrays. Fixes #​650 (bb40c36)

v7.0.7

Compare Source

Bug Fixes

• made NOTHING and IMMERABLE shared symbols. Fixes #​632 (b1c6a8e)
• make sure changing an undefined value to undefined is not picked up as change. Fixes #​646 (5521527)
• out of range assignments were broken in ES5 mode. Fixes #​638 (0fe9132)
• Set finalization can get stuck in a loop, fixes #​628 (b12e5c9)
• Trigger setters with the correct context, fixes #​604 (2697430)

v7.0.6

Compare Source

Bug Fixes

• flow: added types for produceWithPatches (b355838)

v7.0.5

Compare Source

Bug Fixes

• Fixed regression in Object.frozen for IE11. Fixes #​600 (6371d05)

v7.0.4

Compare Source

Bug Fixes

• Flow: Add tests for Map and Set and fix base type (9022672)
• new map keys were not added if value is undefined (4a1bd65)

v7.0.3

Compare Source

Bug Fixes

• getOwnPropertyDescriptors is not available in Internet Explorer and Hermes. Fixes #​626 (c7a47e2)

v7.0.2

Compare Source

Bug Fixes

• Fixed #​620: Symbolic properties were not drafted or finalized correctly (91915cf)

v7.0.1

Compare Source

Bug Fixes

• Add missing type current for pre-TS 3.7 types (7d6b57b)

v7.0.0

Compare Source

• Introduced current, which takes a snapshot of the current state of a draft and finalizes it (but without freezing). Current is a great utility to print the current state during debugging (no Proxies in the way), and the output of current can also be safely leaked outside the producer. Implements #​441, #​591

• [BREAKING CHANGE] getters and setters are now handled consistently: own getters and setters will always by copied into fields (like Object.assign does), inherited getters and setters will be left as-is. This should allow using Immer directly on objects that trap their fields, like done in Vue or MobX. Fixes #​584, #​439, #​593, #​558

• [BREAKING CHANGE] produce no longer accepts non-draftable objects as first argument

• [BREAKING CHANGE] original can only be called on drafts and will throw otherwise (fixes #​605)

• [BREAKING CHANGE] non-enumerable and symbolic fields will never be frozen

• [BREAKING CHANGE] the patches for arrays are now computed differently to fix some scenarios in which they were incorrect. In some cases they will be more optimal now, in other cases less. Especially splicing / unshifting items into an existing array might result in a lot of patches. Fixes #​468

• Improved documentation in several areas, there is now a page for typical update patterns and a separate page on how to work with classes. And additional performance tips have been included. Fixes #​457, #​115, #​462

• Fixed #​462: All branches of the produced state should be frozen

• Fixed #​588: Inconsistent behavior with nested produce

• Fixed #​577: Immer might not work with polyfilled symbols

• Fixed #​514, #​609: Explicitly calling useProxies(false) shouldn’t check for the presence of Proxy.

v6.0.9

Compare Source

Bug Fixes

• typo in feature.md (sovled > solved) (3445168)

v6.0.8

Compare Source

Bug Fixes

• Make sure Immer works correctly when Symbol is polyfilled, fixes #​577 (2b40aec)

v6.0.7

Compare Source

Bug Fixes

• fixed issue where new items in Set where not recorded after iterating. Fixes #​586 (169db77)

v6.0.6

Compare Source

Bug Fixes

• Object.isFrozen dies on non objects in Internet Explorer. Fixes #​600 (974bd70)

v6.0.5

Compare Source

Bug Fixes

• Don't recurse into non-enumerable members when freezing tree. Fixes #​590 (497d1a0)
• Don't recurse into non-enumerable members when freezing tree. Fixes #​590 (d64c2bd)

v6.0.4

Compare Source

Bug Fixes

• added flow typings for new API's introduced in v6. Fixes #​570 (0ddddfc)
• Ensure values in patches are never a draft, fixes #​559 (33ecbd6)
• improve flow types (427040c)

v6.0.3

Compare Source

Bug Fixes

• copy flow types to where flow can find them (6247c03)
• Flow failed to find the Immer typings (c2ae050)

v6.0.2

Compare Source

Bug Fixes

• change Full error url (2778ce8)
• fixed broken minimized error url (issue#​550) (949960f)

v6.0.1

Compare Source

Bug Fixes

• rename compat index.d.ts to immer.d.ts (ed6ba6d)

v6.0.0

Compare Source

• Merge pull request #​536 from immerjs/multi-bundle (0d87fc8), closes #​536
• Adding large data sets to a draft has been optimized (in case autofreeze is disabled)
• Added compatibility typing support for TypeScript versions pre 3.7

BREAKING CHANGES

• Support for ES5, patches and Map/Set collections has to be explicitly enable now: https://immerjs.github.io/immer/docs/installation
• Custom serialization hooks are no longer supported

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.