Update dependency react to v0.14.0 [SECURITY] #49
This PR contains the following updates:
0.13.3 -> 0.14.0
GitHub Vulnerability Alerts
GHSA-hg79-j56m-fxgv
Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 0.14.0 or later.
Release Notes
facebook/react (react)
v0.14.0
Major changes
react package into two: react and react-dom. This paves the way to writing components that can be shared between the web version of React and React Native. This means you will need to include both files and some functions have been moved from React to ReactDOM.
react-addons-clone-with-props, react-addons-create-fragment, react-addons-css-transition-group, react-addons-linked-state-mixin, react-addons-perf, react-addons-pure-render-mixin, react-addons-shallow-compare, react-addons-test-utils, react-addons-transition-group, react-addons-update, ReactDOM.unstable_batchedUpdates).
props) which returns a JSX element, and this function may be used as a component.
getDOMNode() to get the underlying DOM node. Starting with this release, a ref to a DOM component is the actual DOM node. Note that refs to custom (user-defined) components work exactly as before; only the built-in DOM components are affected by this change.
Breaking changes
React.initializeTouchEvents is no longer necessary and has been removed completely. Touch events now work automatically.
TestUtils.findAllInRenderedTree and related helpers are no longer able to take a DOM component, only a custom component.
props object is now frozen, so mutating props after creating a component element is no longer supported. In most cases, React.cloneElement should be used instead. This change makes your components easier to reason about and enables the compiler optimizations mentioned above.
createFragment helper to migrate, which now returns an array.
classSet has been removed. Use classnames instead.
class instead of className.
Deprecations
this.getDOMNode() is now deprecated and ReactDOM.findDOMNode(this) can be used instead. Note that in the common case, findDOMNode is now unnecessary since a ref to the DOM component is now the actual DOM node.
setProps and replaceProps are now deprecated. Instead, call ReactDOM.render again at the top level with the new props.
React.Component in order to enable stateless function components. The ES3 module pattern will continue to work.
style object between renders has been deprecated. This mirrors our change to freeze the props object.
cloneWithProps is now deprecated. Use React.cloneElement instead (unlike cloneWithProps, cloneElement does not merge className or style automatically; you can merge them manually if needed).
CSSTransitionGroup will no longer listen to transition events. Instead, you should specify transition durations manually using props such as transitionEnterTimeout={500}.
Notable enhancements
React.Children.toArray which takes a nested children object and returns a flat array with keys assigned to each child. This helper makes it easier to manipulate collections of children in your render methods, especially if you want to reorder or slice this.props.children before passing it down. In addition, React.Children.map now returns plain arrays too.
console.error instead of console.warn for warnings so that browsers show a full stack trace in the console. (Our warnings appear when you use patterns that will break in future releases and for code that is likely to behave unexpectedly, so we do consider our warnings to be “must-fix” errors.)
Symbol in browsers that support it, in order to ensure that React never considers untrusted JSON to be a valid element. If this extra security protection is important to you, you should add a Symbol polyfill for older browsers, such as the one included by Babel’s polyfill.
capture, challenge, inputMode, is, keyParams, keyType, minLength, summary, wrap. It also now supports these non-standard attributes: autoSave, results, security.
xlinkActuate, xlinkArcrole, xlinkHref, xlinkRole, xlinkShow, xlinkTitle, xlinkType, xmlBase, xmlLang, xmlSpace.
image SVG tag is now supported by React DOM.
is="..." attribute).
audio and video tags: onAbort, onCanPlay, onCanPlayThrough, onDurationChange, onEmptied, onEncrypted, onEnded, onError, onLoadedData, onLoadedMetadata, onLoadStart, onPause, onPlay, onPlaying, onProgress, onRateChange, onSeeked, onSeeking, onStalled, onSuspend, onTimeUpdate, onVolumeChange, onWaiting.
shallowCompare add-on has been added as a migration path for PureRenderMixin in ES6 classes.
CSSTransitionGroup can now use custom class names instead of appending -enter-active or similar to the transition name.
New helpful warnings
document.body directly as the container to ReactDOM.render now gives a warning as doing so can cause problems with browser extensions that modify the DOM.
Notable bug fixes
<option> elements with multiple text children properly and renders <select> elements on the server with the correct option selected.
React.createElement('DIV')) no longer causes problems, though we continue to recommend lowercase for consistency with the JSX tag name convention (lowercase names refer to built-in components, capitalized names refer to custom components).
animationIterationCount, boxOrdinalGroup, flexOrder, tabSize, stopOpacity.
Simulate.mouseEnter and Simulate.mouseLeave now work.
React Tools / Babel
Breaking Changes
react-tools package and JSXTransformer.js browser file have been deprecated. You can continue using version 0.13.3 of both, but we no longer support them and recommend migrating to Babel, which has built-in support for React and JSX.
New Features
optimisation.react.inlineElements transform converts JSX elements to object literals like {type: 'div', props: ...} instead of calls to React.createElement. This should only be enabled in production, since it disables some development warnings/checks.
optimisation.react.constantElements transform hoists element creation to the top level for subtrees that are fully static, which reduces calls to React.createElement and the resulting allocations. More importantly, it tells React that the subtree hasn’t changed so React can completely skip it when reconciling. This should only be enabled in production, since it disables some development warnings/checks.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
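The Symbol note in the release notes above, as an added example that is not part of this PR or React's own code: a simplified model of why a Symbol tag keeps parsed JSON from passing as an element, and why the notes recommend a Symbol polyfill. The helper names, the `$$typeof` field with its numeric stand-in, and the sample JSON strings are assumptions constructed for illustration.

```javascript
// Simplified model of element tagging; helper names are hypothetical.
const SYMBOL_TAG = Symbol.for('react.element');
const NUMERIC_TAG = 0xeac7; // stands in for a browser without Symbol (assumption)

// Build a tagged element; props are frozen, as the release notes describe.
function makeElement(tag, type, props) {
  return Object.freeze({ $$typeof: tag, type, props: Object.freeze(props) });
}

// Accept a value as an element only if it carries the expected tag.
function isValidElement(value, tag) {
  return typeof value === 'object' && value !== null && value.$$typeof === tag;
}

// Parse untrusted text and report how this model would treat the result.
function classify(rawJson, tag) {
  return isValidElement(JSON.parse(rawJson), tag) ? 'element' : 'plain-data';
}

// Constructed sample inputs: JSON shaped like an element (benign props).
const FORGED_NUMERIC =
  '{"$$typeof":60103,"type":"div","props":{"children":"from JSON"}}';
const FORGED_STRING =
  '{"$$typeof":"Symbol(react.element)","type":"div","props":{"children":"from JSON"}}';

function runDemo() {
  const genuine = makeElement(SYMBOL_TAG, 'div', { children: 'from code' });
  return {
    // An element created in code carries the real Symbol.
    genuine: isValidElement(genuine, SYMBOL_TAG),
    // JSON has no Symbol type, so neither a number nor a string can match.
    forgedNumericVsSymbol: classify(FORGED_NUMERIC, SYMBOL_TAG),
    forgedStringVsSymbol: classify(FORGED_STRING, SYMBOL_TAG),
    // With a plain numeric tag, JSON can reproduce the tag exactly.
    forgedNumericVsNumeric: classify(FORGED_NUMERIC, NUMERIC_TAG),
    // JSON.stringify drops Symbol-valued properties, so the tag never
    // survives serialisation either.
    roundTripped: classify(JSON.stringify(genuine), SYMBOL_TAG),
  };
}

console.log(runDemo());
```

The `forgedNumericVsNumeric` result is the case the polyfill recommendation addresses: without Symbol, the tag is a value that JSON can express.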