Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 0.14.0 or later.
Release Notes
facebook/react
### [`v17.0.1`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#1701-October-22-2020)
[Compare Source](https://togithub.com/facebook/react/compare/v17.0.0...v17.0.1)
##### React DOM
- Fix a crash in IE11. ([@gaearon](https://togithub.com/gaearon) in [#20071](https://togithub.com/facebook/react/pull/20071))
### [`v17.0.0`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#1700-October-20-2020)
[Compare Source](https://togithub.com/facebook/react/compare/v16.14.0...v17.0.0)
Today, we are releasing React 17!
**[Learn more about React 17 and how to update to it on the official React blog.](https://reactjs.org/blog/2020/10/20/react-v17.html)**
##### React
- Add `react/jsx-runtime` and `react/jsx-dev-runtime` for the [new JSX transform](https://babeljs.io/blog/2020/03/16/7.9.0#a-new-jsx-transform-11154-https-githubcom-babel-babel-pull-11154). ([@lunaruan](https://togithub.com/lunaruan) in [#18299](https://togithub.com/facebook/react/pull/18299))
- Build component stacks from native error frames. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18561](https://togithub.com/facebook/react/pull/18561))
- Allow to specify `displayName` on context for improved stacks. ([@eps1lon](https://togithub.com/eps1lon) in [#18224](https://togithub.com/facebook/react/pull/18224))
- Prevent `'use strict'` from leaking in the UMD bundles. ([@koba04](https://togithub.com/koba04) in [#19614](https://togithub.com/facebook/react/pull/19614))
- Stop using `fb.me` for redirects. ([@cylim](https://togithub.com/cylim) in [#19598](https://togithub.com/facebook/react/pull/19598))
##### React DOM
- Delegate events to roots instead of `document`. ([@trueadm](https://togithub.com/trueadm) in [#18195](https://togithub.com/facebook/react/pull/18195) and [others](https://togithub.com/facebook/react/pulls?q=is%3Apr+author%3Atrueadm+modern+event+is%3Amerged))
- Clean up all effects before running any next effects. ([@bvaughn](https://togithub.com/bvaughn) in [#17947](https://togithub.com/facebook/react/pull/17947))
- Run `useEffect` cleanup functions asynchronously. ([@bvaughn](https://togithub.com/bvaughn) in [#17925](https://togithub.com/facebook/react/pull/17925))
- Use browser `focusin` and `focusout` for `onFocus` and `onBlur`. ([@trueadm](https://togithub.com/trueadm) in [#19186](https://togithub.com/facebook/react/pull/19186))
- Make all `Capture` events use the browser capture phase. ([@trueadm](https://togithub.com/trueadm) in [#19221](https://togithub.com/facebook/react/pull/19221))
- Don't emulate bubbling of the `onScroll` event. ([@gaearon](https://togithub.com/gaearon) in [#19464](https://togithub.com/facebook/react/pull/19464))
- Throw if `forwardRef` or `memo` component returns `undefined`. ([@gaearon](https://togithub.com/gaearon) in [#19550](https://togithub.com/facebook/react/pull/19550))
- Remove event pooling. ([@trueadm](https://togithub.com/trueadm) in [#18969](https://togithub.com/facebook/react/pull/18969))
- Stop exposing internals that won’t be needed by React Native Web. ([@necolas](https://togithub.com/necolas) in [#18483](https://togithub.com/facebook/react/pull/18483))
- Attach all known event listeners when the root mounts. ([@gaearon](https://togithub.com/gaearon) in [#19659](https://togithub.com/facebook/react/pull/19659))
- Disable `console` in the second render pass of DEV mode double render. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18547](https://togithub.com/facebook/react/pull/18547))
- Deprecate the undocumented and misleading `ReactTestUtils.SimulateNative` API. ([@gaearon](https://togithub.com/gaearon) in [#13407](https://togithub.com/facebook/react/pull/13407))
- Rename private field names used in the internals. ([@gaearon](https://togithub.com/gaearon) in [#18377](https://togithub.com/facebook/react/pull/18377))
- Don't call User Timing API in development. ([@gaearon](https://togithub.com/gaearon) in [#18417](https://togithub.com/facebook/react/pull/18417))
- Disable console during the repeated render in Strict Mode. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18547](https://togithub.com/facebook/react/pull/18547))
- In Strict Mode, double-render components without Hooks too. ([@eps1lon](https://togithub.com/eps1lon) in [#18430](https://togithub.com/facebook/react/pull/18430))
- Allow calling `ReactDOM.flushSync` during lifecycle methods (but warn). ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18759](https://togithub.com/facebook/react/pull/18759))
- Add the `code` property to the keyboard event objects. ([@bl00mber](https://togithub.com/bl00mber) in [#18287](https://togithub.com/facebook/react/pull/18287))
- Add the `disableRemotePlayback` property for `video` elements. ([@tombrowndev](https://togithub.com/tombrowndev) in [#18619](https://togithub.com/facebook/react/pull/18619))
- Add the `enterKeyHint` property for `input` elements. ([@eps1lon](https://togithub.com/eps1lon) in [#18634](https://togithub.com/facebook/react/pull/18634))
- Warn when no `value` is provided to ``. ([@charlie1404](https://togithub.com/charlie1404) in [#19054](https://togithub.com/facebook/react/pull/19054))
- Warn when `memo` or `forwardRef` components return `undefined`. ([@bvaughn](https://togithub.com/bvaughn) in [#19550](https://togithub.com/facebook/react/pull/19550))
- Improve the error message for invalid updates. ([@JoviDeCroock](https://togithub.com/JoviDeCroock) in [#18316](https://togithub.com/facebook/react/pull/18316))
- Exclude forwardRef and memo from stack frames. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18559](https://togithub.com/facebook/react/pull/18559))
- Improve the error message when switching between controlled and uncontrolled inputs. ([@vcarl](https://togithub.com/vcarl) in [#17070](https://togithub.com/facebook/react/pull/17070))
- Keep `onTouchStart`, `onTouchMove`, and `onWheel` passive. ([@gaearon](https://togithub.com/gaearon) in [#19654](https://togithub.com/facebook/react/pull/19654))
- Fix `setState` hanging in development inside a closed iframe. ([@gaearon](https://togithub.com/gaearon) in [#19220](https://togithub.com/facebook/react/pull/19220))
- Fix rendering bailout for lazy components with `defaultProps`. ([@jddxf](https://togithub.com/jddxf) in [#18539](https://togithub.com/facebook/react/pull/18539))
- Fix a false positive warning when `dangerouslySetInnerHTML` is `undefined`. ([@eps1lon](https://togithub.com/eps1lon) in [#18676](https://togithub.com/facebook/react/pull/18676))
- Fix Test Utils with non-standard `require` implementation. ([@just-boris](https://togithub.com/just-boris) in [#18632](https://togithub.com/facebook/react/pull/18632))
- Fix `onBeforeInput` reporting an incorrect `event.type`. ([@eps1lon](https://togithub.com/eps1lon) in [#19561](https://togithub.com/facebook/react/pull/19561))
- Fix `event.relatedTarget` reported as `undefined` in Firefox. ([@claytercek](https://togithub.com/claytercek) in [#19607](https://togithub.com/facebook/react/pull/19607))
- Fix "unspecified error" in IE11. ([@hemakshis](https://togithub.com/hemakshis) in [#19664](https://togithub.com/facebook/react/pull/19664))
- Fix rendering into a shadow root. ([@Jack-Works](https://togithub.com/Jack-Works) in [#15894](https://togithub.com/facebook/react/pull/15894))
- Fix `movementX/Y` polyfill with capture events. ([@gaearon](https://togithub.com/gaearon) in [#19672](https://togithub.com/facebook/react/pull/19672))
- Use delegation for `onSubmit` and `onReset` events. ([@gaearon](https://togithub.com/gaearon) in [#19333](https://togithub.com/facebook/react/pull/19333))
- Improve memory usage. ([@trueadm](https://togithub.com/trueadm) in [#18970](https://togithub.com/facebook/react/pull/18970))
##### React DOM Server
- Make `useCallback` behavior consistent with `useMemo` for the server renderer. ([@alexmckenley](https://togithub.com/alexmckenley) in [#18783](https://togithub.com/facebook/react/pull/18783))
- Fix state leaking when a function component throws. ([@pmaccart](https://togithub.com/pmaccart) in [#19212](https://togithub.com/facebook/react/pull/19212))
##### React Test Renderer
- Improve `findByType` error message. ([@henryqdineen](https://togithub.com/henryqdineen) in [#17439](https://togithub.com/facebook/react/pull/17439))
##### Concurrent Mode (Experimental)
- Revamp the priority batching heuristics. ([@acdlite](https://togithub.com/acdlite) in [#18796](https://togithub.com/facebook/react/pull/18796))
- Add the `unstable_` prefix before the experimental APIs. ([@acdlite](https://togithub.com/acdlite) in [#18825](https://togithub.com/facebook/react/pull/18825))
- Remove `unstable_discreteUpdates` and `unstable_flushDiscreteUpdates`. ([@trueadm](https://togithub.com/trueadm) in [#18825](https://togithub.com/facebook/react/pull/18825))
- Remove the `timeoutMs` argument. ([@acdlite](https://togithub.com/acdlite) in [#19703](https://togithub.com/facebook/react/pull/19703))
- Disable `` prerendering in favor of a different future API. ([@acdlite](https://togithub.com/acdlite) in [#18917](https://togithub.com/facebook/react/pull/18917))
- Add `unstable_expectedLoadTime` to Suspense for CPU-bound trees. ([@acdlite](https://togithub.com/acdlite) in [#19936](https://togithub.com/facebook/react/pull/19936))
- Add an experimental `unstable_useOpaqueIdentifier` Hook. ([@lunaruan](https://togithub.com/lunaruan) in [#17322](https://togithub.com/facebook/react/pull/17322))
- Add an experimental `unstable_startTransition` API. ([@rickhanlonii](https://togithub.com/rickhanlonii) in [#19696](https://togithub.com/facebook/react/pull/19696))
- Using `act` in the test renderer no longer flushes Suspense fallbacks. ([@acdlite](https://togithub.com/acdlite) in [#18596](https://togithub.com/facebook/react/pull/18596))
- Use global render timeout for CPU Suspense. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#19643](https://togithub.com/facebook/react/pull/19643))
- Clear the existing root content before mounting. ([@bvaughn](https://togithub.com/bvaughn) in [#18730](https://togithub.com/facebook/react/pull/18730))
- Fix a bug with error boundaries. ([@acdlite](https://togithub.com/acdlite) in [#18265](https://togithub.com/facebook/react/pull/18265))
- Fix a bug causing dropped updates in a suspended tree. ([@acdlite](https://togithub.com/acdlite) in [#18384](https://togithub.com/facebook/react/pull/18384) and [#18457](https://togithub.com/facebook/react/pull/18457))
- Fix a bug causing dropped render phase updates. ([@acdlite](https://togithub.com/acdlite) in [#18537](https://togithub.com/facebook/react/pull/18537))
- Fix a bug in SuspenseList. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18412](https://togithub.com/facebook/react/pull/18412))
- Fix a bug causing Suspense fallback to show too early. ([@acdlite](https://togithub.com/acdlite) in [#18411](https://togithub.com/facebook/react/pull/18411))
- Fix a bug with class components inside SuspenseList. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18448](https://togithub.com/facebook/react/pull/18448))
- Fix a bug with inputs that may cause updates to be dropped. ([@jddxf](https://togithub.com/jddxf) in [#18515](https://togithub.com/facebook/react/pull/18515) and [@acdlite](https://togithub.com/acdlite) in [#18535](https://togithub.com/facebook/react/pull/18535))
- Fix a bug causing Suspense fallback to get stuck. ([@acdlite](https://togithub.com/acdlite) in [#18663](https://togithub.com/facebook/react/pull/18663))
- Don't cut off the tail of a SuspenseList if hydrating. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18854](https://togithub.com/facebook/react/pull/18854))
- Fix a bug in `useMutableSource` that may happen when `getSnapshot` changes. ([@bvaughn](https://togithub.com/bvaughn) in [#18297](https://togithub.com/facebook/react/pull/18297))
- Fix a tearing bug in `useMutableSource`. ([@bvaughn](https://togithub.com/bvaughn) in [#18912](https://togithub.com/facebook/react/pull/18912))
- Warn if calling setState outside of render but before commit. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#18838](https://togithub.com/facebook/react/pull/18838))
### [`v16.14.0`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16140-October-14-2020)
[Compare Source](https://togithub.com/facebook/react/compare/v16.13.1...v16.14.0)
##### React
- Add support for the [new JSX transform](https://reactjs.org/blog/2020/09/22/introducing-the-new-jsx-transform.html). ([@lunaruan](https://togithub.com/lunaruan) in [#18299](https://togithub.com/facebook/react/pull/18299))
### [`v16.13.1`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16131-March-19-2020)
[Compare Source](https://togithub.com/facebook/react/compare/v16.13.0...v16.13.1)
##### React DOM
- Fix bug in legacy mode Suspense where effect clean-up functions are not fired. This only affects users who use Suspense for data fetching in legacy mode, which is not technically supported. ([@acdlite](https://togithub.com/acdlite) in [#18238](https://togithub.com/facebook/react/pull/18238))
- Revert warning for cross-component updates that happen inside class render lifecycles (`componentWillReceiveProps`, `shouldComponentUpdate`, and so on). ([@gaearon](https://togithub.com/gaearon) in [#18330](https://togithub.com/facebook/react/pull/18330))
### [`v16.13.0`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16130-February-26-2020)
[Compare Source](https://togithub.com/facebook/react/compare/v16.12.0...v16.13.0)
##### React
- Warn when a string ref is used in a manner that's not amenable to a future codemod ([@lunaruan](https://togithub.com/lunaruan) in [#17864](https://togithub.com/facebook/react/pull/17864))
- Deprecate `React.createFactory()` ([@trueadm](https://togithub.com/trueadm) in [#17878](https://togithub.com/facebook/react/pull/17878))
##### React DOM
- Warn when changes in `style` may cause an unexpected collision ([@sophiebits](https://togithub.com/sophiebits) in [#14181](https://togithub.com/facebook/react/pull/14181), [#18002](https://togithub.com/facebook/react/pull/18002))
- Warn when a function component is updated during another component's render phase ([@acdlite](https://togithub.com/acdlite) in [#17099](https://togithub.com/facebook/react/pull/17099))
- Deprecate `unstable_createPortal` ([@trueadm](https://togithub.com/trueadm) in [#17880](https://togithub.com/facebook/react/pull/17880))
- Fix `onMouseEnter` being fired on disabled buttons ([@AlfredoGJ](https://togithub.com/AlfredoGJ) in [#17675](https://togithub.com/facebook/react/pull/17675))
- Call `shouldComponentUpdate` twice when developing in `StrictMode` ([@bvaughn](https://togithub.com/bvaughn) in [#17942](https://togithub.com/facebook/react/pull/17942))
- Add `version` property to ReactDOM ([@ealush](https://togithub.com/ealush) in [#15780](https://togithub.com/facebook/react/pull/15780))
- Don't call `toString()` of `dangerouslySetInnerHTML` ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#17773](https://togithub.com/facebook/react/pull/17773))
- Show component stacks in more warnings ([@gaearon](https://togithub.com/gaearon) in [#17922](https://togithub.com/facebook/react/pull/17922), [#17586](https://togithub.com/facebook/react/pull/17586))
##### Concurrent Mode (Experimental)
- Warn for problematic usages of `ReactDOM.createRoot()` ([@trueadm](https://togithub.com/trueadm) in [#17937](https://togithub.com/facebook/react/pull/17937))
- Remove `ReactDOM.createRoot()` callback params and added warnings on usage ([@bvaughn](https://togithub.com/bvaughn) in [#17916](https://togithub.com/facebook/react/pull/17916))
- Don't group Idle/Offscreen work with other work ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#17456](https://togithub.com/facebook/react/pull/17456))
- Adjust `SuspenseList` CPU bound heuristic ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#17455](https://togithub.com/facebook/react/pull/17455))
- Add missing event plugin priorities ([@trueadm](https://togithub.com/trueadm) in [#17914](https://togithub.com/facebook/react/pull/17914))
- Fix `isPending` only being true when transitioning from inside an input event ([@acdlite](https://togithub.com/acdlite) in [#17382](https://togithub.com/facebook/react/pull/17382))
- Fix `React.memo` components dropping updates when interrupted by a higher priority update ([@acdlite](https://github.com/acdlite) in [#18091](https://togithub.com/facebook/react/pull/18091))
- Don't warn when suspending at the wrong priority ([@gaearon](https://togithub.com/gaearon) in [#17971](https://togithub.com/facebook/react/pull/17971))
- Fix a bug with rebasing updates ([@acdlite](https://togithub.com/acdlite) and [@sebmarkbage](https://togithub.com/sebmarkbage) in [#17560](https://togithub.com/facebook/react/pull/17560), [#17510](https://togithub.com/facebook/react/pull/17510), [#17483](https://togithub.com/facebook/react/pull/17483), [#17480](https://togithub.com/facebook/react/pull/17480))
### [`v16.12.0`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16120-November-14-2019)
[Compare Source](https://togithub.com/facebook/react/compare/v16.11.0...v16.12.0)
##### React DOM
- Fix passive effects (`useEffect`) not being fired in a multi-root app. ([@acdlite](https://togithub.com/acdlite) in [#17347](https://togithub.com/facebook/react/pull/17347))
##### React Is
- Fix `lazy` and `memo` types considered elements instead of components ([@bvaughn](https://togithub.com/bvaughn) in [#17278](https://togithub.com/facebook/react/pull/17278))
### [`v16.11.0`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16110-October-22-2019)
[Compare Source](https://togithub.com/facebook/react/compare/v16.10.2...v16.11.0)
##### React DOM
- Fix `mouseenter` handlers from firing twice inside nested React containers. ([@yuanoook](https://togithub.com/yuanoook) in [#16928](https://togithub.com/facebook/react/pull/16928))
- Remove `unstable_createRoot` and `unstable_createSyncRoot` experimental APIs. (These are available in the Experimental channel as `createRoot` and `createSyncRoot`.) ([@acdlite](http://github.com/acdlite) in [#17088](https://togithub.com/facebook/react/pull/17088))
### [`v16.10.2`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16102-October-3-2019)
[Compare Source](https://togithub.com/facebook/react/compare/v16.10.1...v16.10.2)
##### React DOM
- Fix regression in react-native-web by restoring order of arguments in event plugin extractors ([@necolas](https://togithub.com/necolas) in [#16978](https://togithub.com/facebook/react/pull/16978))
### [`v16.10.1`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16101-September-28-2019)
[Compare Source](https://togithub.com/facebook/react/compare/v16.10.0...v16.10.1)
##### React DOM
- Fix regression in Next.js apps by allowing Suspense mismatch during hydration to silently proceed ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#16943](https://togithub.com/facebook/react/pull/16943))
### [`v16.10.0`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#16100-September-27-2019)
[Compare Source](https://togithub.com/facebook/react/compare/v16.9.0...v16.10.0)
##### React DOM
- Fix edge case where a hook update wasn't being memoized. ([@sebmarkbage](http://github.com/sebmarkbage) in [#16359](https://togithub.com/facebook/react/pull/16359))
- Fix heuristic for determining when to hydrate, so we don't incorrectly hydrate during an update. ([@sebmarkbage](http://github.com/sebmarkbage) in [#16739](https://togithub.com/facebook/react/pull/16739))
- Clear additional fiber fields during unmount to save memory. ([@trueadm](http://github.com/trueadm) in [#16807](https://togithub.com/facebook/react/pull/16807))
- Fix bug with required text fields in Firefox. ([@halvves](http://github.com/halvves) in [#16578](https://togithub.com/facebook/react/pull/16578))
- Prefer `Object.is` instead of inline polyfill, when available. ([@ku8ar](http://github.com/ku8ar) in [#16212](https://togithub.com/facebook/react/pull/16212))
- Fix bug when mixing Suspense and error handling. ([@acdlite](http://github.com/acdlite) in [#16801](https://togithub.com/facebook/react/pull/16801))
##### Scheduler (Experimental)
- Improve queue performance by switching its internal data structure to a min binary heap. ([@acdlite](http://github.com/acdlite) in [#16245](https://togithub.com/facebook/react/pull/16245))
- Use `postMessage` loop with short intervals instead of attempting to align to frame boundaries with `requestAnimationFrame`. ([@acdlite](http://github.com/acdlite) in [#16214](https://togithub.com/facebook/react/pull/16214))
##### useSubscription
- Avoid tearing issue when a mutation happens and the previous update is still in progress. ([@bvaughn](http://github.com/bvaughn) in [#16623](https://togithub.com/facebook/react/pull/16623))
### [`v16.9.0`](https://togithub.com/facebook/react/blob/master/CHANGELOG.md#1690-August-8-2019)
[Compare Source](https://togithub.com/facebook/react/compare/v16.8.6...v16.9.0)
##### React
- Add `` API for gathering performance measurements programmatically. ([@bvaughn](https://togithub.com/bvaughn) in [#15172](https://togithub.com/facebook/react/pull/15172))
- Remove `unstable_ConcurrentMode` in favor of `unstable_createRoot`. ([@acdlite](https://togithub.com/acdlite) in [#15532](https://togithub.com/facebook/react/pull/15532))
##### React DOM
- Deprecate old names for the `UNSAFE_*` lifecycle methods. ([@bvaughn](https://togithub.com/bvaughn) in [#15186](https://togithub.com/facebook/react/pull/15186) and [@threepointone](https://togithub.com/threepointone) in [#16103](https://togithub.com/facebook/react/pull/16103))
- Deprecate `javascript:` URLs as a common attack surface. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#15047](https://togithub.com/facebook/react/pull/15047))
- Deprecate uncommon "module pattern" (factory) components. ([@sebmarkbage](https://togithub.com/sebmarkbage) in [#15145](https://togithub.com/facebook/react/pull/15145))
- Add support for the `disablePictureInPicture` attribute on `
Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:ghost: Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
- `^15.5.0` -> `^15.5.0 || ^17.0.0`
- `^16.2.0` -> `^17.0.0`
- `0.13.x || 0.14.x || ^15.0.0-0 || ^16.0.0-0` -> `0.13.x || 0.14.x || ^15.0.0-0 || ^16.0.0-0 || ^17.0.0`
- `0.13.x || 0.14.x || ^15.0.0-0 || ^16.0.0-0 || ^16.3.0-0 || ^16.4.0-0` -> `^17.0.0`
- `~16.3.0-0` -> `~16.3.0-0 || ~16.14.0`
- `~16.2` -> `~16.2 || ~16.14.0`
- `~16.0.0-0 || ~16.1` -> `~16.0.0-0 || ~16.1 || ~16.14.0`
- `15.0.0-0 - 15.4.x` -> `15.0.0-0 - 15.7.x`
- `^0.14.0` -> `^0.14.0 || ^17.0.0`
- `^0.13.0` -> `^0.13.0 || ^0.14.0`
GitHub Vulnerability Alerts
GHSA-hg79-j56m-fxgv
Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 0.14.0 or later.
This PR has been generated by WhiteSource Renovate. View repository job log here.