New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency react-dom to v16.8.6 [SECURITY] #12

Merged

10xjs merged 1 commit into master from renovate/npm-react-dom-vulnerability

Apr 7, 2019

renovate bot commented Mar 11, 2019 •

edited

This PR contains the following updates:

Package	Type	Update	Change	References
react-dom	devDependencies	minor	`16.3.2` -> `16.8.6`	homepage, source

GitHub Vulnerability Alerts

CVE-2018-6341

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected.

This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Release Notes

facebook/react

`v16.8.6`

React DOM

Fix an incorrect bailout in useReducer(). (@acdlite in #15124)
Fix iframe warnings in Safari DevTools. (@renanvalentin in #15099)
Warn if contextType is set to Context.Consumer instead of Context. (@aweary in #14831)
Warn if contextType is set to invalid values. (@gaearon in #15142)

`v16.8.5`

React DOM

Don't set the first option as selected in select tag with size attribute. (@kulek1 in #14242)
Improve the useEffect(async () => ...) warning message. (@gaearon in #15118)
Improve the error message sometimes caused by duplicate React. (@jaredpalmer in #15139)

React DOM Server

Improve the useLayoutEffect warning message when server rendering. (@gaearon in #15158)

React Shallow Renderer

Fix setState in shallow renderer to work with Hooks. (@gaearon in #15120)
Fix shallow renderer to support React.memo. (@aweary in #14816)
Fix shallow renderer to support Hooks inside forwardRef. (@eps1lon in #15100)

`v16.8.4`

React DOM and other renderers

Fix a bug where DevTools caused a runtime error when inspecting a component that used a useContext hook. (@bvaughn in #14940)

`v16.8.3`

React DOM

Fix a bug that caused inputs to behave incorrectly in UMD builds. (@gaearon in #14914)
Fix a bug that caused render phase updates to be discarded. (@gaearon in #14852)

React DOM Server

Unwind the context stack when a stream is destroyed without completing, to prevent incorrect values during a subsequent render. (@overlookmotel in #14706)

ESLint Plugin for React Hooks

Add a new recommended exhaustive-deps rule. (@gaearon in #14636)

`v16.8.2`

React DOM

Fix ReactDOM.render being ignored inside useEffect. (@gaearon in #14799)
Fix a crash when unmounting empty portals. (@gaearon in #14820)
Fix useImperativeHandle to work correctly when no deps are specified. (@gaearon in #14801)
Fix crossOrigin attribute to work in SVG image elements. (@aweary in #14832)
Fix a false positive warning when using Suspense with Hooks. (@gaearon in #14821)

React Test Utils and React Test Renderer

Include component stack into the act() warning. (@threepointone in #14855)

`v16.8.1`

React DOM and React Test Renderer

Fix a crash when used together with an older version of React. (@bvaughn in #14770)

React Test Utils

Fix a crash in Node environment. (@threepointone in #14768)

`v16.8.0`

React

Add Hooks — a way to use state and other React features without writing a class. (@acdlite et al. in #13968)
Improve the useReducer Hook lazy initialization API. (@acdlite in #14723)

React DOM

Bail out of rendering on identical values for useState and useReducer Hooks. (@acdlite in #14569)
Use Object.is algorithm for comparing useState and useReducer values. (@Jessidhia in #14752)
Don’t compare the first argument passed to useEffect/useMemo/useCallback Hooks. (@acdlite in #14594)
Support synchronous thenables passed to React.lazy(). (@gaearon in #14626)
Render components with Hooks twice in Strict Mode (DEV-only) to match class behavior. (@gaearon in #14654)
Warn about mismatching Hook order in development. (@threepointone in #14585 and @acdlite in #14591)
Effect clean-up functions must return either undefined or a function. All other values, including null, are not allowed. @acdlite in #14119

React Test Renderer and Test Utils

Support Hooks in the shallow renderer. (@trueadm in #14567)
Fix wrong state in shouldComponentUpdate in the presence of getDerivedStateFromProps for Shallow Renderer. (@chenesan in #14613)
Add ReactTestRenderer.act() and ReactTestUtils.act() for batching updates so that tests more closely match real behavior. (@threepointone in #14744)

ESLint Plugin: React Hooks

Initial release. (@calebmer in #13968)
Fix reporting after encountering a loop. (@calebmer and @Yurickh in #14661)
Don't consider throwing to be a rule violation. (@sophiebits in #14040)

`v16.7.0`

React DOM

Fix performance of React.lazy for large numbers of lazily-loaded components. (@acdlite in #14429)
Clear fields on unmount to avoid memory leaks. (@trueadm in #14276)
Fix bug with SSR and context when mixing react-dom/server@16.6 and react@<16.6. (@gaearon in #14291)
Fix a performance regression in profiling mode. (@bvaughn in #14383)

Scheduler (Experimental)

Post to MessageChannel instead of window. (@acdlite in #14234)
Reduce serialization overhead. (@developit in #14249)
Fix fallback to setTimeout in testing environments. (@bvaughn in #14358)
Add methods for debugging. (@mrkev in #14053)

`v16.6.3`

React DOM

Fix bugs in Suspense and lazy. (@acdlite in #14133, #14157, and #14164)
Fix highlighting of React.memo updates in React DevTools. (@bvaughn in #14141)
Fix interaction of Suspense with the React Profiler. (@bvaughn in #14065)
Fix a false positive warning when using Suspense. (@acdlite in #14158)

React DOM Server

Fix incorrect sharing of context state between renderToNodeStream() calls. (@sebmarkbage in #14182)
Add a warning about incorrect usage of the context API. (@trueadm in #14033)

`v16.6.2`

This release was published in a broken state and should be skipped.

`v16.6.1`

React DOM

Fallback should not remount every time a promise resolves. (@acdlite in #14083)
Fix bug where Suspense keeps showing fallback even after everything finishes loading. (@acdlite in #14083)
Fix a crash when Suspense finishes loading in IE11. (@sophiebits in #14126)
Fix unresolved default props in lifecycle methods of a lazy component. (@gaearon in #14112)
Fix bug when recovering from an error thrown during complete phase. (@gaearon in #14104)

Scheduler (Experimental)

Switch from deadline object to shouldYield API. (@acdlite in #14025)

`v16.6.0`

React

Add React.memo() as an alternative to PureComponent for functions. (@acdlite in #13748)
Add React.lazy() for code splitting components. (@acdlite in #13885)
React.StrictMode now warns about legacy context API. (@bvaughn in #13760)
React.StrictMode now warns about findDOMNode. (@sebmarkbage in #13841)
Rename unstable_AsyncMode to unstable_ConcurrentMode. (@trueadm in #13732)
Rename unstable_Placeholder to Suspense, and delayMs to maxDuration. (@gaearon in #13799 and @sebmarkbage in #13922)

React DOM

Add contextType as a more ergonomic way to subscribe to context from a class. (@bvaughn in #13728)
Add getDerivedStateFromError lifecycle method for catching errors in a future asynchronous server-side renderer. (@bvaughn in #13746)
Warn when <Context> is used instead of <Context.Consumer>. (@trueadm in #13829)
Fix gray overlay on iOS Safari. (@philipp-spiess in #13778)
Fix a bug caused by overwriting window.event in development. (@sergei-startsev in #13697)

React DOM Server

Add support for React.memo(). (@alexmckenley in #13855)
Add support for contextType. (@alexmckenley and @sebmarkbage in #13889)

Scheduler (Experimental)

Rename the package to scheduler. (@gaearon in #13683)
Support priority levels, continuations, and wrapped callbacks. (@acdlite in #13720 and #13842)
Improve the fallback mechanism in non-DOM environments. (@acdlite in #13740)
Schedule requestAnimationFrame earlier. (@acdlite in #13785)
Fix the DOM detection to be more thorough. (@trueadm in #13731)
Fix bugs with interaction tracing. (@bvaughn in #13590)
Add the envify transform to the package. (@mridgway in #13766)

`v16.5.2`

React DOM

Fixed a recent <iframe> regression (@JSteunou in #13650)
Fix updateWrapper so that <textarea>s no longer re-render when data is unchanged (@joelbarbosa in #13643)

Schedule (Experimental)

Renaming "tracking" API to "tracing" (@bvaughn in #13641)
Add UMD production+profiling entry points (@bvaughn in #13642)
Refactored schedule to remove some React-isms and improve performance for when deferred updates time out (@acdlite in #13582)

`v16.5.1`

React

Improve the warning when React.forwardRef receives an unexpected number of arguments. (@andresroberto in #13636)

React DOM

Fix a regression in unstable exports used by React Native Web. (@aweary in #13598)
Fix a crash when component defines a method called isReactComponent. (@gaearon in #13608)
Fix a crash in development mode in IE9 when printing a warning. (@link-alex in #13620)
Provide a better error message when running react-dom/profiling with schedule/tracking. (@bvaughn in #13605)
If a ForwardRef component defines a displayName, use it in warnings. (@probablyup in #13615)

Schedule (Experimental)

Add a separate profiling entry point at schedule/tracking-profiling. (@bvaughn in #13605)

`v16.5.0`

React

Add a warning if React.forwardRef render function doesn't take exactly two arguments (@bvaughn in #13168)
Improve the error message when passing an element to createElement by mistake (@DCtheTall in #13131)
Don't call profiler onRender until after mutations (@bvaughn in #13572)

React DOM

Add support for React DevTools Profiler (@bvaughn in #13058)
Add react-dom/profiling entry point alias for profiling in production (@bvaughn in #13570)
Add onAuxClick event for browsers that support it (@jquense in #11571)
Add movementX and movementY fields to mouse events (@jasonwilliams in #9018)
Add tangentialPressure and twist fields to pointer events (@motiz88 in #13374)
Minimally support iframes (nested browsing contexts) in selection event handling (@acusti in #12037)
Support passing booleans to the focusable SVG attribute (@gaearon in #13339)
Ignore <noscript> on the client when hydrating (@Ephem in #13537)
Fix gridArea to be treated as a unitless CSS property (@mgol in #13550)
Fix incorrect data in compositionend event when typing Korean on IE11 (@crux153 in #12563)
Fix a crash when using dynamic children in the <option> tag (@Slowyn in #13261, @gaearon in #13465)
Fix the checked attribute not getting initially set on the input (@dilidili in #13114)
Fix hydration of dangerouslySetInnerHTML when __html is not a string (@gaearon in #13353)
Fix a warning about missing controlled onChange to fire on falsy values too (@nicolevy in #12628)
Fix submit and reset buttons getting an empty label (@ellsclytn in #12780)
Fix the onSelect event not being triggered after drag and drop (@gaearon in #13422)
Fix the onClick event not working inside a portal on iOS (@aweary in #11927)
Fix a performance issue when thousands of roots are re-rendered (@gaearon in #13335)
Fix a performance regression that also caused onChange to not fire in some cases (@gaearon in #13423)
Handle errors in more edge cases gracefully (@gaearon in #13237 and @acdlite in #13269)
Don't use proxies for synthetic events in development (@gaearon in #12171)
Warn when "false" or "true" is the value of a boolean DOM prop (@motiz88 in #13372)
Warn when this.state is initialized to props (@veekas in #11658)
Don't compare style on hydration in IE due to noisy false positives (@mgol in #13534)
Include StrictMode in the component stack (@gaearon in #13240)
Don't overwrite window.event in IE (@ConradIrwin in #11696)
Improve component stack for the folder/index.js naming convention (@gaearon in #12059)
Improve a warning when using getDerivedStateFromProps without initialized state (@flxwu in #13317)
Improve a warning about invalid textarea usage (@raunofreiberg in #13361)
Treat invalid Symbol and function values more consistently (@raunofreiberg in #13362 and #13389)
Allow Electron <webview> tag without warnings (@philipp-spiess in #13301)
Don't show the uncaught error addendum if e.preventDefault() was called (@gaearon in #13384)
Warn about rendering Generators (@gaearon in #13312)
Remove irrelevant suggestion of a legacy method from a warning (@zx6658 in #13169)
Remove unstable_deferredUpdates in favor of unstable_scheduleWork from schedule (@gaearon in #13488)
Fix unstable asynchronous mode from doing unnecessary work when an update takes too long (@acdlite in #13503)

React DOM Server

Fix crash with nullish children when using dangerouslySetInnerHtml in a selected <option> (@mridgway in #13078)
Fix crash when setTimeout is missing (@dustinsoftware in #13088)

React Test Renderer and Test Utils

Fix this in a functional component for shallow renderer to be undefined (@koba04 in #13144)
Deprecate a Jest-specific ReactTestUtils.mockComponent() helper (@bvaughn in #13193)
Warn about ReactDOM.createPortal usage within the test renderer (@bvaughn in #12895)
Improve a confusing error message (@gaearon in #13351)

React ART

Add support for DevTools (@yunchancho in #13173)

Schedule (Experimental)

New package for cooperatively scheduling work in a browser environment. It's used by React internally, but its public API is not finalized yet. (@flarnie in #12624)

`v16.4.2`

React DOM Server

Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)
Fix a crash in the server renderer when an attribute is called hasOwnProperty. This fix is only available in react-dom@16.4.2. (@gaearon in #13303)

`v16.4.1`

React

You can now assign propTypes to components returned by React.ForwardRef. (@bvaughn in #12911)

React DOM

Fix a crash when the input type changes from some other types to text. (@spirosikmd in #12135)
Fix a crash in IE11 when restoring focus to an SVG element. (@ThaddeusJiang in #12996)
Fix a range input not updating in some cases. (@Illu in #12939)
Fix input validation triggering unnecessarily in Firefox. (@nhunzaker in #12925)
Fix an incorrect event.target value for the onChange event in IE9. (@nhunzaker in #12976)
Fix a false positive error when returning an empty <React.Fragment /> from a component. (@philipp-spiess in #12966)

React DOM Server

Fix an incorrect value being provided by new context API. (@ericsoderberghp in #12985, @gaearon in #13019)

React Test Renderer

Allow multiple root children in test renderer traversal API. (@gaearon in #13017)
Fix getDerivedStateFromProps() in the shallow renderer to not discard the pending state. (@fatfisz in #13030)

`v16.4.0`

React

Add a new experimental React.unstable_Profiler component for measuring performance. (@bvaughn in #12745)

React DOM

Add support for the Pointer Events specification. (@philipp-spiess in #12507)
Properly call getDerivedStateFromProps() regardless of the reason for re-rendering. (@acdlite in #12600 and #12802)
Fix a bug that prevented context propagation in some cases. (@gaearon in #12708)
Fix re-rendering of components using forwardRef() on a deeper setState(). (@gaearon in #12690)
Fix some attributes incorrectly getting removed from custom element nodes. (@airamrguez in #12702)
Fix context providers to not bail out on children if there's a legacy context provider above. (@gaearon in #12586)
Add the ability to specify propTypes on a context provider component. (@nicolevy in #12658)
Fix a false positive warning when using react-lifecycles-compat in <StrictMode>. (@bvaughn in #12644)
Warn when the forwardRef() render function has propTypes or defaultProps. (@bvaughn in #12644)
Improve how forwardRef() and context consumers are displayed in the component stack. (@sophiebits in #12777)
Change internal event names. This can break third-party packages that rely on React internals in unsupported ways. (@philipp-spiess in #12629)

React Test Renderer

Fix the getDerivedStateFromProps() support to match the new React DOM behavior. (@koba04 in #12676)
Fix a testInstance.parent crash when the parent is a fragment or another special node. (@gaearon in #12813)
forwardRef() components are now discoverable by the test renderer traversal methods. (@gaearon in #12725)
Shallow renderer now ignores setState() updaters that return null or undefined. (@koba04 in #12756)

React ART

Fix reading context provided from the tree managed by React DOM. (@acdlite in #12779)

React Call Return (Experimental)

This experiment was deleted because it was affecting the bundle size and the API wasn't good enough. It's likely to come back in the future in some other form. (@gaearon in #12820)

React Reconciler (Experimental)

The new host config shape is flat and doesn't use nested objects. (@gaearon in #12792)

`v16.3.3`

React DOM Server

Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@gaearon in #13302)

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot. View repository job log here.

coveralls commented Mar 11, 2019 •

edited

Pull Request Test Coverage Report for Build 75

0 of 0 changed or added relevant lines in 0 files are covered.
No unchanged relevant lines lost coverage.
Overall coverage remained the same at 100.0%

Totals
Change from base Build 59:	0.0%
Covered Lines:	321
Relevant Lines:	321

💛 - Coveralls

renovate bot force-pushed the renovate/npm-react-dom-vulnerability branch from 649f425 to 21f2bf4 Compare

March 22, 2019 16:55

renovate bot changed the title ~~Update dependency react-dom to v16.8.4 [SECURITY]~~ Update dependency react-dom to v16.8.5 [SECURITY]

renovate bot force-pushed the renovate/npm-react-dom-vulnerability branch 4 times, most recently from 89eae0d to a4f039e Compare

March 24, 2019 05:49


          Update dependency react-dom to v16.8.6 [SECURITY]

f72f01c

renovate bot force-pushed the renovate/npm-react-dom-vulnerability branch from a4f039e to f72f01c Compare

March 28, 2019 09:53

renovate bot changed the title ~~Update dependency react-dom to v16.8.5 [SECURITY]~~ Update dependency react-dom to v16.8.6 [SECURITY]

10xjs merged commit c0b1cd3 into master

10xjs deleted the renovate/npm-react-dom-vulnerability branch

April 7, 2019 20:56

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment