
Update dependency react to v0.14.0 [SECURITY] #49

Open · wants to merge 1 commit into base: master
Conversation

@renovate renovate[bot] commented Feb 10, 2023

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| react (source) | 0.13.3 -> 0.14.0 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

GHSA-hg79-j56m-fxgv

Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 0.14.0 or later.


Release Notes

facebook/react (react)

v0.14.0


Major changes
  • Split the main react package into two: react and react-dom. This paves the way to writing components that can be shared between the web version of React and React Native. This means you will need to include both files and some functions have been moved from React to ReactDOM.
  • Addons have been moved to separate packages (react-addons-clone-with-props, react-addons-create-fragment, react-addons-css-transition-group, react-addons-linked-state-mixin, react-addons-perf, react-addons-pure-render-mixin, react-addons-shallow-compare, react-addons-test-utils, react-addons-transition-group, react-addons-update, ReactDOM.unstable_batchedUpdates).
  • Stateless functional components - React components were previously created using React.createClass or using ES6 classes. This release adds a new syntax where a user defines a single stateless render function (with one parameter: props) which returns a JSX element, and this function may be used as a component.
  • Refs to DOM components as the DOM node itself. Previously the only useful thing you can do with a DOM component is call getDOMNode() to get the underlying DOM node. Starting with this release, a ref to a DOM component is the actual DOM node. Note that refs to custom (user-defined) components work exactly as before; only the built-in DOM components are affected by this change.
Breaking changes
  • React.initializeTouchEvents is no longer necessary and has been removed completely. Touch events now work automatically.
  • Add-Ons: Due to the DOM node refs change mentioned above, TestUtils.findAllInRenderedTree and related helpers are no longer able to take a DOM component, only a custom component.
  • The props object is now frozen, so mutating props after creating a component element is no longer supported. In most cases, React.cloneElement should be used instead. This change makes your components easier to reason about and enables the compiler optimizations mentioned above.
  • Plain objects are no longer supported as React children; arrays should be used instead. You can use the createFragment helper to migrate, which now returns an array.
  • Add-Ons: classSet has been removed. Use classnames instead.
  • Web components (custom elements) now use native property names. Eg: class instead of className.
Deprecations
  • this.getDOMNode() is now deprecated and ReactDOM.findDOMNode(this) can be used instead. Note that in the common case, findDOMNode is now unnecessary since a ref to the DOM component is now the actual DOM node.
  • setProps and replaceProps are now deprecated. Instead, call ReactDOM.render again at the top level with the new props.
  • ES6 component classes must now extend React.Component in order to enable stateless function components. The ES3 module pattern will continue to work.
  • Reusing and mutating a style object between renders has been deprecated. This mirrors our change to freeze the props object.
  • Add-Ons: cloneWithProps is now deprecated. Use React.cloneElement instead (unlike cloneWithProps, cloneElement does not merge className or style automatically; you can merge them manually if needed).
  • Add-Ons: To improve reliability, CSSTransitionGroup will no longer listen to transition events. Instead, you should specify transition durations manually using props such as transitionEnterTimeout={500}.
Notable enhancements
  • Added React.Children.toArray which takes a nested children object and returns a flat array with keys assigned to each child. This helper makes it easier to manipulate collections of children in your render methods, especially if you want to reorder or slice this.props.children before passing it down. In addition, React.Children.map now returns plain arrays too.
  • React uses console.error instead of console.warn for warnings so that browsers show a full stack trace in the console. (Our warnings appear when you use patterns that will break in future releases and for code that is likely to behave unexpectedly, so we do consider our warnings to be “must-fix” errors.)
  • Previously, including untrusted objects as React children could result in an XSS security vulnerability. This problem should be avoided by properly validating input at the application layer and by never passing untrusted objects around your application code. As an additional layer of protection, React now tags elements with a specific ES2015 (ES6) Symbol in browsers that support it, in order to ensure that React never considers untrusted JSON to be a valid element. If this extra security protection is important to you, you should add a Symbol polyfill for older browsers, such as the one included by Babel’s polyfill.
  • When possible, React DOM now generates XHTML-compatible markup.
  • React DOM now supports these standard HTML attributes: capture, challenge, inputMode, is, keyParams, keyType, minLength, summary, wrap. It also now supports these non-standard attributes: autoSave, results, security.
  • React DOM now supports these SVG attributes, which render into namespaced attributes: xlinkActuate, xlinkArcrole, xlinkHref, xlinkRole, xlinkShow, xlinkTitle, xlinkType, xmlBase, xmlLang, xmlSpace.
  • The image SVG tag is now supported by React DOM.
  • In React DOM, arbitrary attributes are supported on custom elements (those with a hyphen in the tag name or an is="..." attribute).
  • React DOM now supports these media events on audio and video tags: onAbort, onCanPlay, onCanPlayThrough, onDurationChange, onEmptied, onEncrypted, onEnded, onError, onLoadedData, onLoadedMetadata, onLoadStart, onPause, onPlay, onPlaying, onProgress, onRateChange, onSeeked, onSeeking, onStalled, onSuspend, onTimeUpdate, onVolumeChange, onWaiting.
  • Many small performance improvements have been made.
  • Many warnings show more context than before.
  • Add-Ons: A shallowCompare add-on has been added as a migration path for PureRenderMixin in ES6 classes.
  • Add-Ons: CSSTransitionGroup can now use custom class names instead of appending -enter-active or similar to the transition name.
New helpful warnings
  • React DOM now warns you when nesting HTML elements invalidly, which helps you avoid surprising errors during updates.
  • Passing document.body directly as the container to ReactDOM.render now gives a warning as doing so can cause problems with browser extensions that modify the DOM.
  • Using multiple instances of React together is not supported, so we now warn when we detect this case to help you avoid running into the resulting problems.
Notable bug fixes
  • Click events are handled by React DOM more reliably in mobile browsers, particularly in Mobile Safari.
  • SVG elements are created with the correct namespace in more cases.
  • React DOM now renders <option> elements with multiple text children properly and renders <select> elements on the server with the correct option selected.
  • When two separate copies of React add nodes to the same document (including when a browser extension uses React), React DOM tries harder not to throw exceptions during event handling.
  • Using non-lowercase HTML tag names in React DOM (e.g., React.createElement('DIV')) no longer causes problems, though we continue to recommend lowercase for consistency with the JSX tag name convention (lowercase names refer to built-in components, capitalized names refer to custom components).
  • React DOM understands that these CSS properties are unitless and does not append “px” to their values: animationIterationCount, boxOrdinalGroup, flexOrder, tabSize, stopOpacity.
  • Add-Ons: When using the test utils, Simulate.mouseEnter and Simulate.mouseLeave now work.
  • Add-Ons: ReactTransitionGroup now correctly handles multiple nodes being removed simultaneously.
React Tools / Babel
Breaking Changes
  • The react-tools package and JSXTransformer.js browser file have been deprecated. You can continue using version 0.13.3 of both, but we no longer support them and recommend migrating to Babel, which has built-in support for React and JSX.
New Features
  • Babel 5.8.24 introduces Inlining React elements: The optimisation.react.inlineElements transform converts JSX elements to object literals like {type: 'div', props: ...} instead of calls to React.createElement. This should only be enabled in production, since it disables some development warnings/checks.
  • Babel 5.8.24 introduces Constant hoisting for React elements: The optimisation.react.constantElements transform hoists element creation to the top level for subtrees that are fully static, which reduces calls to React.createElement and the resulting allocations. More importantly, it tells React that the subtree hasn’t changed so React can completely skip it when reconciling. This should only be enabled in production, since it disables some development warnings/checks.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
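The advisory above says pre-0.14 `createElement` did not validate its input object, and the release notes describe the mitigation: elements created in the page are tagged with the ES2015 Symbol `Symbol.for('react.element')` so that untrusted JSON is never mistaken for a valid element. The following is an added example, not code from this PR or from React's own code base, that reproduces that mechanism in miniature so the behaviour can be observed. `createElement`, `isValidElement`, `renderToString` and `classifyChild` are simplified stand-ins written for this example and assume only the element shape (`$$typeof`, `type`, `props`), not React's reconciliation; the JSON input is constructed.

```javascript
// Added example, not code from the Renovate PR or from React itself. It mirrors
// the mitigation the 0.14.0 release notes describe: elements created in-page are
// tagged with the ES2015 Symbol `Symbol.for('react.element')` under `$$typeof`,
// and anything that lacks the tag (for instance an object that arrived as JSON)
// is refused as a child instead of being interpreted as an element.
// createElement, isValidElement, renderToString and classifyChild are simplified
// stand-ins for the React APIs of the same name (assumption: shape only).

const REACT_ELEMENT_TYPE = Symbol.for('react.element');

// Toy createElement: builds a frozen element object carrying the Symbol tag.
// Freezing matches the 0.14 change that makes `props` immutable after creation.
function createElement(type, props, ...children) {
  const mergedProps = Object.freeze({ ...(props || {}), children });
  return Object.freeze({ $$typeof: REACT_ELEMENT_TYPE, type, props: mergedProps });
}

// Toy isValidElement: only a value whose `$$typeof` is the Symbol itself passes.
// JSON cannot encode Symbols, so a deserialized object can never satisfy this,
// even if it spells out "$$typeof": "Symbol(react.element)" as a string.
function isValidElement(value) {
  return typeof value === 'object' && value !== null && value.$$typeof === REACT_ELEMENT_TYPE;
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Toy server renderer. Strings and numbers become escaped text; arrays are
// rendered in order; tagged elements become markup; any other object is
// rejected, which is the post-0.14 behaviour ("Objects are not valid as a
// React child"). Only string-valued props are emitted as attributes.
function renderToString(node) {
  if (node == null || typeof node === 'boolean') return '';
  if (typeof node === 'string' || typeof node === 'number') return escapeHtml(String(node));
  if (Array.isArray(node)) return node.map(renderToString).join('');
  if (!isValidElement(node)) {
    throw new TypeError('Objects are not valid as a React child: ' + JSON.stringify(node));
  }
  const { type, props } = node;
  const attrs = Object.entries(props)
    .filter(([name, value]) => name !== 'children' && typeof value === 'string')
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join('');
  return `<${type}${attrs}>${renderToString(props.children)}</${type}>`;
}

// Classifies a would-be child the way the renderer will treat it; useful for
// checking data at the application boundary before it reaches render().
function classifyChild(value) {
  if (isValidElement(value)) return 'element';
  if (typeof value === 'object' && value !== null && !Array.isArray(value)) return 'rejected-object';
  return 'text-or-list';
}

// Constructed sample input: an object shaped like an element that arrived over
// the wire as JSON (e.g. an API response), plus a genuine element that was
// serialized and parsed back. Neither carries the Symbol after JSON.parse,
// because JSON.stringify drops Symbol-valued properties.
const untrustedJson = '{"type":"div","props":{"children":"looks like an element"}}';
const parsedObject = JSON.parse(untrustedJson);
const roundTripped = JSON.parse(JSON.stringify(createElement('p', { id: 'greeting' }, 'hi')));

function demo() {
  return {
    genuine: classifyChild(createElement('span', null, 'ok')), // 'element'
    fromJson: classifyChild(parsedObject), // 'rejected-object'
    afterRoundTrip: classifyChild(roundTripped), // 'rejected-object'
    markup: renderToString(createElement('p', { id: 'greeting' }, 'a < b')), // '<p id="greeting">a &lt; b</p>'
  };
}

console.log(demo());
```

Run it with `node`. The point to take away is that the tag is minted only by code running in the page, and a Symbol cannot cross a JSON boundary in either direction, so data that merely has the right shape is never walked as an element. This is also why the release notes recommend a Symbol polyfill for older browsers: where `Symbol` is unavailable, React 0.14 falls back to a plain numeric tag (`0xeac7`), which JSON can express, so the check is only as strong as the environment's Symbol support.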
