Closed greglittlefield-wf closed 10 months ago
Motivation
The existing nullability/typings for ReactDom.findDomNode and ReactDom.render exported from package:react/react_client/react_interop.dart are incorrect.

findDOMNode returns null in many cases, but its return type is incorrectly non-nullable.

render returns null for some cases (function components, null), Element for DOM components, and CharacterData for strings and numbers, but is incorrectly typed as non-nullable ReactComponent. The component argument also accepts null and other "ReactNode" arguments to rendered, but its type is incorrectly non-nullable and restricted to just ReactElement.

These bad typings cause runtime errors in some cases. Unfortunately, there wasn't good test coverage around these methods.

These typings also only affect these APIs under the ReactDom class in package:react/react_client/react_interop.dart, and not the top-level Function-typed findDOMNode and render APIs exported from package:react/react_dom.dart, which most consumers use.

Because these typings were incorrect and will lead to runtime errors in some cases, and the changes have a low likelihood of causing breakages, it feels appropriate to release these changes as a patch.
Solution
Fix bad typings: