GroceriStar / react-only-intern-20


[Security] Bump react-dom from 16.4.1 to 16.8.2 #76

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps react-dom from 16.4.1 to 16.8.2. This update includes security fixes.

Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*

> **Low severity vulnerability that affects react-dom**
> React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected.
>
> This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
>
> Affected versions: >= 16.4.0 < 16.4.2
Release notes
*Sourced from [react-dom's releases](https://github.com/facebook/react/releases).*

> ## v16.8.2
>
> ## 16.8.2 (February 14, 2019)
>
> ### React DOM
>
> * Fix `ReactDOM.render` being ignored inside `useEffect`. ([@gaearon](https://github.com/gaearon) in [#14799](https://github-redirect.dependabot.com/facebook/react/pull/14799))
> * Fix a crash when unmounting empty portals. ([@gaearon](https://github.com/gaearon) in [#14820](https://github-redirect.dependabot.com/facebook/react/pull/14820))
> * Fix `useImperativeHandle` to work correctly when no deps are specified. ([@gaearon](https://github.com/gaearon) in [#14801](https://github-redirect.dependabot.com/facebook/react/pull/14801))
> * Fix `crossOrigin` attribute to work in SVG `image` elements. ([@aweary](https://github.com/aweary) in [#14832](https://github-redirect.dependabot.com/facebook/react/pull/14832))
> * Fix a false positive warning when using Suspense with Hooks. ([@gaearon](https://github.com/gaearon) in [#14821](https://github-redirect.dependabot.com/facebook/react/pull/14821))
>
> ### React Test Utils and React Test Renderer
>
> * Include component stack into the `act()` warning. ([@threepointone](https://github.com/threepointone) in [#14855](https://github-redirect.dependabot.com/facebook/react/pull/14855))
>
> ## v16.8.1
>
> ## 16.8.1 (February 6, 2019)
>
> ### React DOM and React Test Renderer
>
> * Fix a crash when used together with an older version of React. ([@bvaughn](https://github.com/bvaughn) in [#14770](https://github-redirect.dependabot.com/facebook/react/pull/14770))
>
> ### React Test Utils
>
> * Fix a crash in Node environment. ([@threepointone](https://github.com/threepointone) in [#14768](https://github-redirect.dependabot.com/facebook/react/pull/14768))
>
> ## v16.8.0
>
> ### React
>
> * Add [Hooks](https://reactjs.org/docs/hooks-intro.html) — a way to use state and other React features without writing a class. ([@acdlite](https://github.com/acdlite) et al. in [#13968](https://github-redirect.dependabot.com/facebook/react/pull/13968))
> * Improve the `useReducer` Hook lazy initialization API. ([@acdlite](https://github.com/acdlite) in [#14723](https://github-redirect.dependabot.com/facebook/react/pull/14723))
>
> ### React DOM
>
> * Bail out of rendering on identical values for `useState` and `useReducer` Hooks. ([@acdlite](https://github.com/acdlite) in [#14569](https://github-redirect.dependabot.com/facebook/react/pull/14569))
> * Use `Object.is` algorithm for comparing `useState` and `useReducer` values. ([@Jessidhia](https://github.com/Jessidhia) in [#14752](https://github-redirect.dependabot.com/facebook/react/pull/14752))
> * Don’t compare the first argument passed to `useEffect`/`useMemo`/`useCallback` Hooks. ([@acdlite](https://github.com/acdlite) in [#14594](https://github-redirect.dependabot.com/facebook/react/pull/14594))
> * Support synchronous thenables passed to `React.lazy()`. ([@gaearon](https://github.com/gaearon) in [#14626](https://github-redirect.dependabot.com/facebook/react/pull/14626))
> * Render components with Hooks twice in Strict Mode (DEV-only) to match class behavior. ([@gaearon](https://github.com/gaearon) in [#14654](https://github-redirect.dependabot.com/facebook/react/pull/14654))
> * Warn about mismatching Hook order in development. ([@threepointone](https://github.com/threepointone) in [#14585](https://github-redirect.dependabot.com/facebook/react/pull/14585) and [@acdlite](https://github.com/acdlite) in [#14591](https://github-redirect.dependabot.com/facebook/react/pull/14591))
> * Effect clean-up functions must return either `undefined` or a function. All other values, including `null`, are not allowed. [@acdlite](https://github.com/acdlite) in [#14119](https://github-redirect.dependabot.com/facebook/react/pull/14119)
>
> ### React Test Renderer and Test Utils
>
> * Support Hooks in the shallow renderer. ([@trueadm](https://github.com/trueadm) in [#14567](https://github-redirect.dependabot.com/facebook/react/pull/14567))
> * Fix wrong state in `shouldComponentUpdate` in the presence of `getDerivedStateFromProps` for Shallow Renderer. ([@chenesan](https://github.com/chenesan) in [#14613](https://github-redirect.dependabot.com/facebook/react/pull/14613))
> * Add `ReactTestRenderer.act()` and `ReactTestUtils.act()` for batching updates so that tests more closely match real behavior. ([@threepointone](https://github.com/threepointone) in [#14744](https://github-redirect.dependabot.com/facebook/react/pull/14744))
>
> ... (truncated)
Changelog
*Sourced from [react-dom's changelog](https://github.com/facebook/react/blob/master/CHANGELOG.md).*

> ## 16.8.2 (February 14, 2019)
>
> ### React DOM
>
> * Fix `ReactDOM.render` being ignored inside `useEffect`. ([@gaearon](https://github.com/gaearon) in [#14799](https://github-redirect.dependabot.com/facebook/react/pull/14799))
> * Fix a crash when unmounting empty portals. ([@gaearon](https://github.com/gaearon) in [#14820](https://github-redirect.dependabot.com/facebook/react/pull/14820))
> * Fix `useImperativeHandle` to work correctly when no deps are specified. ([@gaearon](https://github.com/gaearon) in [#14801](https://github-redirect.dependabot.com/facebook/react/pull/14801))
> * Fix `crossOrigin` attribute to work in SVG `image` elements. ([@aweary](https://github.com/aweary) in [#14832](https://github-redirect.dependabot.com/facebook/react/pull/14832))
> * Fix a false positive warning when using Suspense with Hooks. ([@gaearon](https://github.com/gaearon) in [#14821](https://github-redirect.dependabot.com/facebook/react/pull/14821))
>
> ### React Test Utils and React Test Renderer
>
> * Include component stack into the `act()` warning. ([@threepointone](https://github.com/threepointone) in [#14855](https://github-redirect.dependabot.com/facebook/react/pull/14855))
>
> ## 16.8.1 (February 6, 2019)
>
> ### React DOM and React Test Renderer
>
> * Fix a crash when used together with an older version of React. ([@bvaughn](https://github.com/bvaughn) in [#14770](https://github-redirect.dependabot.com/facebook/react/pull/14770))
>
> ### React Test Utils
>
> * Fix a crash in Node environment. ([@threepointone](https://github.com/threepointone) in [#14768](https://github-redirect.dependabot.com/facebook/react/pull/14768))
>
> ## 16.8.0 (February 6, 2019)
>
> ### React
>
> * Add [Hooks](https://reactjs.org/docs/hooks-intro.html) — a way to use state and other React features without writing a class. ([@acdlite](https://github.com/acdlite) et al. in [#13968](https://github-redirect.dependabot.com/facebook/react/pull/13968))
> * Improve the `useReducer` Hook lazy initialization API. ([@acdlite](https://github.com/acdlite) in [#14723](https://github-redirect.dependabot.com/facebook/react/pull/14723))
>
> ### React DOM
>
> * Bail out of rendering on identical values for `useState` and `useReducer` Hooks. ([@acdlite](https://github.com/acdlite) in [#14569](https://github-redirect.dependabot.com/facebook/react/pull/14569))
> * Use `Object.is` algorithm for comparing `useState` and `useReducer` values. ([@Jessidhia](https://github.com/Jessidhia) in [#14752](https://github-redirect.dependabot.com/facebook/react/pull/14752))
> * Don’t compare the first argument passed to `useEffect`/`useMemo`/`useCallback` Hooks. ([@acdlite](https://github.com/acdlite) in [#14594](https://github-redirect.dependabot.com/facebook/react/pull/14594))
> * Support synchronous thenables passed to `React.lazy()`. ([@gaearon](https://github.com/gaearon) in [#14626](https://github-redirect.dependabot.com/facebook/react/pull/14626))
> * Render components with Hooks twice in Strict Mode (DEV-only) to match class behavior. ([@gaearon](https://github.com/gaearon) in [#14654](https://github-redirect.dependabot.com/facebook/react/pull/14654))
> * Warn about mismatching Hook order in development. ([@threepointone](https://github.com/threepointone) in [#14585](https://github-redirect.dependabot.com/facebook/react/pull/14585) and [@acdlite](https://github.com/acdlite) in [#14591](https://github-redirect.dependabot.com/facebook/react/pull/14591))
> * Effect clean-up functions must return either `undefined` or a function. All other values, including `null`, are not allowed. [@acdlite](https://github.com/acdlite) in [#14119](https://github-redirect.dependabot.com/facebook/react/pull/14119)
>
> ### React Test Renderer and Test Utils
>
> * Support Hooks in the shallow renderer. ([@trueadm](https://github.com/trueadm) in [#14567](https://github-redirect.dependabot.com/facebook/react/pull/14567))
> * Fix wrong state in `shouldComponentUpdate` in the presence of `getDerivedStateFromProps` for Shallow Renderer. ([@chenesan](https://github.com/chenesan) in [#14613](https://github-redirect.dependabot.com/facebook/react/pull/14613))
> * Add `ReactTestRenderer.act()` and `ReactTestUtils.act()` for batching updates so that tests more closely match real behavior. ([@threepointone](https://github.com/threepointone) in [#14744](https://github-redirect.dependabot.com/facebook/react/pull/14744))
>
> ### ESLint Plugin: React Hooks
>
> ... (truncated)
Commits
- [`dfabb77`](https://github.com/facebook/react/commit/dfabb77a97141baf07cfdad620949874e36516d7) Include another change in 16.8.2
- [`c555c00`](https://github.com/facebook/react/commit/c555c008b6e13004c57784950eb325ed1d917575) Include component stack in 'act(...)' warning ([#14855](https://github-redirect.dependabot.com/facebook/react/issues/14855))
- [`ff188d6`](https://github.com/facebook/react/commit/ff188d666bcb4c7aad38009ee61ad292349244b0) Add React 16.8.2 changelog ([#14851](https://github-redirect.dependabot.com/facebook/react/issues/14851))
- [`c4d8ef6`](https://github.com/facebook/react/commit/c4d8ef643002a2b181029ffed22abd451fb326df) Fix typo in code comment ([#14836](https://github-redirect.dependabot.com/facebook/react/issues/14836))
- [`08e9554`](https://github.com/facebook/react/commit/08e95543571eacbe88a03382adc9399607d53425) Statically enable suspense/partial hydration flag in www ([#14842](https://github-redirect.dependabot.com/facebook/react/issues/14842))
- [`0e4135e`](https://github.com/facebook/react/commit/0e4135e8c2f1bc9cd14f439190aa28865395e4b1) Revert "[ShallowRenderer] Queue/rerender on dispatched action after render co...
- [`6d4038f`](https://github.com/facebook/react/commit/6d4038f0a638d82e9e528f02cc5a86afb410cf11) [ShallowRenderer] Queue/rerender on dispatched action after render component ...
- [`fa6205d`](https://github.com/facebook/react/commit/fa6205d522a9d3e3f228be18dd29f11f8930c394) Special case crossOrigin for SVG image elements ([#14832](https://github-redirect.dependabot.com/facebook/react/issues/14832))
- [`c6bee76`](https://github.com/facebook/react/commit/c6bee765ba865298c69acdea70e1ec2d79f69efe) Remove false positive warning and add TODOs about `current` being non-null (#...
- [`3ae94e1`](https://github.com/facebook/react/commit/3ae94e1885b673543a30a05906c4f9a0e4b682cb) Fix ignored sync work in passive effects ([#14799](https://github-redirect.dependabot.com/facebook/react/issues/14799))
- Additional commits viewable in [compare view](https://github.com/facebook/react/compare/v16.4.1...v16.8.2)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
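The advisory quoted in this PR concerns server-rendered output in which user-supplied attribute names reached the HTML unescaped. The block below is an added example, not code from Dependabot, React, or this repository; it shows two defender-side checks a project that spreads user-controlled objects into server-rendered element props can apply regardless of which react-dom build is installed: an allowlist on attribute names before they reach the renderer, and a comparison of the installed `react-dom` version against the advisory's affected range `>= 16.4.0 < 16.4.2`. The function names, the deliberately strict attribute-name pattern, and the sample props object are assumptions constructed for the example.

```javascript
// Added example (not from the PR, Dependabot, or React). Two checks for a
// server-rendered React app that spreads user-controlled objects into props.

// Attribute names are restricted to a letter followed by letters, digits,
// '-', '_', ':' or '.'. This is stricter than the HTML grammar on purpose:
// anything that could end the attribute position (quotes, '<', '>', '/',
// '=', whitespace) is rejected before a renderer ever sees it.
const SAFE_ATTR_NAME = /^[a-zA-Z][a-zA-Z0-9_:.-]*$/;

// Keep only props whose key is a plausible attribute name and whose value is
// a primitive. Returns the filtered props plus the rejected keys so the
// caller can log them as a detection signal.
function filterUserProps(userProps) {
  const safe = {};
  const rejected = [];
  for (const key of Object.keys(userProps)) {
    const value = userProps[key];
    const primitive =
      value === null || ['string', 'number', 'boolean'].includes(typeof value);
    if (SAFE_ATTR_NAME.test(key) && primitive) {
      safe[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { safe, rejected };
}

// Parse "MAJOR.MINOR.PATCH" (optional leading 'v', pre-release tag ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The advisory's affected range for this repository's dependency.
const AFFECTED_REACT_DOM = { from: '16.4.0', below: '16.4.2' };

// True when the installed react-dom falls inside the affected range.
function isAffectedReactDom(installedVersion) {
  return (
    compareVersions(installedVersion, AFFECTED_REACT_DOM.from) >= 0 &&
    compareVersions(installedVersion, AFFECTED_REACT_DOM.below) < 0
  );
}

// Constructed sample: a props object as an attacker-influenced request body
// might supply it. The last two keys are the kind the filter must drop.
const sampleUserProps = {
  'data-user-id': '42',
  title: 'profile',
  'bad key"': '1', // contains a quote and a space: not a valid attribute name
  onClick: () => {}, // function value: never forwarded from user input
};

// Combined report for a given installed version and user props.
function runChecks(installedVersion, userProps) {
  const { safe, rejected } = filterUserProps(userProps);
  return {
    reactDomAffected: isAffectedReactDom(installedVersion),
    forwardedKeys: Object.keys(safe),
    rejectedKeys: rejected,
  };
}

// Stand-alone run: 16.4.1 is the version this PR bumps from.
console.log(JSON.stringify(runChecks('16.4.1', sampleUserProps), null, 2));
```

The version check reproduces what Dependabot did for this PR (flagging 16.4.1 as inside the range) and is useful in CI for any lockfile; the prop filter is the control that stays relevant after the upgrade, since no renderer version makes forwarding arbitrary user-chosen attribute names a good idea.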
dependabot-preview[bot] commented 5 years ago

Superseded by #78.