This is a security patch for a vulnerability in which maliciously crafted record IDs could
cause all or some of a user's data to be deleted. More information is available via the GitHub security advisory
0.16.1 - 2020-05-18
Changes
Database.unsafeResetDatabase() is now less unsafe — more application bugs are being caught
Fixes
[iOS] Fix build in apps using Flipper
[Typescript] Added type definition for setGenerator.
[Typescript] Fixed types of decorators.
[Typescript] Add Tests to test Types.
Fixed typo in learn-to-use docs.
[Typescript] Fixed types of changes.
Internal
[SQLite] Infrastructure for a future JSI adapter has been added
0.16 - 2020-03-06
⚠️ Breaking
experimentalUseIncrementalIndexedDB has been renamed to useIncrementalIndexedDB
Low breakage risk
[adapters] Adapter API has changed from returning Promise to taking callbacks as the last argument. This won't affect you unless you call on adapter methods directly. database.adapter returns a new DatabaseAdapterCompat which has the same shape as old adapter API. You can use database.adapter.underlyingAdapter to get back SQLiteAdapter / LokiJSAdapter
[Collection] Collection.fetchQuery and Collection.fetchCount are removed. Please use Query.fetch() and Query.fetchCount().
New features
[SQLiteAdapter] [iOS] Add new synchronous option to adapter: new SQLiteAdapter({ ..., synchronous: true }).
When enabled, database operations will block the JavaScript thread. Adapter actions will resolve in the
next microtask, which simplifies building flicker-free interfaces. The adapter will fall back to async
operation when the synchronous adapter is not available (e.g. when doing remote debugging)
[LokiJS] Added new onQuotaExceededError?: (error: Error) => void option to LokiJSAdapter constructor.
This is called when the underlying IndexedDB encounters a quota exceeded error (ran out of allotted disk space for the app)
This means that the app can't save more data or that it will fall back to using an in-memory database only
Note that this only works when useWebWorker: false
Changes
[Performance] Watermelon internals have been rewritten not to rely on Promises and allow some fetch/observe calls to resolve synchronously. Do not rely on this -- external API is still based on Rx and Promises and may resolve either asynchronously or synchronously depending on capabilities. This is meant as an internal performance optimization only for the time being.
[LokiJS] [Performance] Improved worker queue implementation for performance
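The 0.16.2 entry at the top of this changelog says crafted record IDs could delete a user's data, but not how. The routine below is an added example, not WatermelonDB's own code: a delete-by-ID builder that checks every ID against an assumed allowlist shape, fails closed on any malformed one, and hands the survivors to the store as bound parameters instead of splicing them into the statement. The ID pattern, the table-name pattern and the `?` placeholder convention are assumptions.

```javascript
// Added example (not WatermelonDB code). Assumptions: record IDs are opaque
// tokens of letters, digits, "_" and "-", and the storage layer accepts SQL
// text with "?" placeholders plus a separate array of bound parameters.
const RECORD_ID = /^[A-Za-z0-9_-]{1,64}$/;
const TABLE_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Split a list of IDs (e.g. the "deleted" set received from a sync pull)
// into the ones we will act on and the ones we refuse to touch.
function partitionRecordIds(ids) {
  const accepted = [];
  const rejected = [];
  for (const id of ids) {
    (typeof id === 'string' && RECORD_ID.test(id) ? accepted : rejected).push(id);
  }
  return { accepted, rejected };
}

// Build a DELETE limited to one table and an explicit ID set. The IDs never
// enter the SQL text; they travel as bound parameters, so a value containing
// quotes or SQL syntax cannot change the shape of the statement.
function buildDeleteByIds(table, ids) {
  if (!TABLE_NAME.test(table)) {
    throw new Error(`refusing to delete from unexpected table name: ${table}`);
  }
  const { accepted, rejected } = partitionRecordIds(ids);
  if (rejected.length > 0) {
    // Fail closed: one malformed ID aborts the whole batch, so nothing is
    // deleted on the strength of input we could not validate.
    throw new Error(`rejected ${rejected.length} malformed record id(s)`);
  }
  if (accepted.length === 0) {
    // Never emit a WHERE-less DELETE for an empty set.
    return null;
  }
  const placeholders = accepted.map(() => '?').join(', ');
  return {
    sql: `DELETE FROM "${table}" WHERE id IN (${placeholders})`,
    params: accepted,
  };
}

// Constructed sample: two well-formed IDs and one carrying a quote.
const sampleIds = ['abc123', 'def-456', "bad id'"];
console.log(partitionRecordIds(sampleIds));
console.log(buildDeleteByIds('posts', ['abc123', 'def-456']));
```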
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Nozbe/withObservables/network/alerts).
Bumps @nozbe/watermelondb from 0.16.0 to 0.16.2.
Changelog
Sourced from @nozbe/watermelondb's changelog.
... (truncated)
Commits
3aeea90 v0.16.2
a731027 Fix destroyDeletedRecords vulnerability
ef41f92 v0.16.1
c580c33 Update CHANGELOG
36221dd Disable JSLockPerfHack - will cause compilation errors without RN patch
213a977 Tweak the database error on reset
0fd6076 Update Sync.md
af439e7 Merge pull request #676 from fahrinh/patch-1
e9e549d Merge pull request #679 from Nozbe/dependabot/npm_and_yarn/handlebars-4.7.6
be8d2f2 [Security] Bump handlebars from 4.5.3 to 4.7.6