Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade redux from 4.0.5 to 4.1.0 #16

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link

Snyk has created this PR to upgrade redux from 4.0.5 to 4.1.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2021-04-24.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Prototype Pollution
SNYK-JS-Y18N-1021887
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WEBSOCKETEXTENSIONS-570623
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1085630
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1085630
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-OBJECTPATH-1017036
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-NORMALIZEURL-1296539
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-NORMALIZEURL-1296539
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-NODEFORGE-598677
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-MERGEDEEP-1070277
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-LODASH-608086
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-LODASH-590103
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Command Injection
SNYK-JS-LODASH-1040724
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-INI-1048974
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Cryptographic Issues
SNYK-JS-ELLIPTIC-571484
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Remote Memory Exposure
SNYK-JS-DNSPACKET-1293563
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-AJV-584908
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ACORN-559469
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ACORN-559469
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-YARGSPARSER-560381
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-YARGSPARSER-560381
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Improper Input Validation
SNYK-JS-URLPARSE-1078283
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Denial of Service (DoS)
SNYK-JS-SOCKJS-575261
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHPARSE-1077067
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Command Injection
SNYK-JS-NODENOTIFIER-1035794
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Prototype Pollution
SNYK-JS-MINIMIST-559764
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-MINIMIST-559764
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Prototype Pollution
SNYK-JS-LODASH-567746
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1243891
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1085627
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Denial of Service (DoS)
SNYK-JS-HTTPPROXY-569139
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355
472/1000
Why? Proof of Concept exploit, CVSS 7.3
Proof of Concept
Cryptographic Issues
SNYK-JS-ELLIPTIC-1064899
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit
Regular Expression Denial of Service (ReDoS)
SNYK-JS-COLORSTRING-1082939
472/1000
Why? Proof of Concept exploit, CVSS 7.3
No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: redux
  • 4.1.0 - 2021-04-24

    This release shrinks our bundle size via error message extraction, updates several error messages for clarity, and optimizes our list of runtime dependencies.

    Overall, version 4.1 shrinks from 2.6K min+gz to 1.6K min+gz thanks to these changes.

    Be sure to check out the Redux Toolkit 1.6 alpha containing our new "RTK Query" data fetching APIs! It also includes Redux 4.1 as a dependency.

    Changelog

    Error Message Extraction and Improvements

    We now extract all of our error messages from production builds in order to save on bundle size, using a technique inspired from React's error code extraction. The error messages will still show as normal in development, but in production they will reference a specific numeric error code and provide a link to a Redux docs page that has the full error message.

    An example of this is: https://redux.js.org/errors?code=5 , which shows the "can't subscribe while reducers are executing" error.

    The error code extraction saves about 800 bytes out of a production build.

    Thanks to @ andrewmcgivery for doing all the hard work on implementing the error extraction!

    We've also updated many of our error messages to provide additional details at runtime about what happened, especially runtime type checks such as "actions must be plain objects". They now provide a more specific type for the unexpected value, such as indicating promise or function:

    expect(() => store.dispatch(() => {})).toThrow(
    /the actual type was: 'function'/
    )

    <span class="pl-en">expect</span><span class="pl-kos">(</span><span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-c1">=&gt;</span> <span class="pl-s1">store</span><span class="pl-kos">.</span><span class="pl-en">dispatch</span><span class="pl-kos">(</span><span class="pl-k">new</span> <span class="pl-v">Date</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">)</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">toThrow</span><span class="pl-kos">(</span>
      <span class="pl-pds"><span class="pl-c1">/</span>the actual type was: 'date'<span class="pl-c1">/</span></span>
    <span class="pl-kos">)</span></pre></div>
    

    Dependency Updates

    We've updated the list of runtime dependencies for Redux:

    • We inlined the symbol-observable polyfill. This shrinks bundle size by a few bytes,
    • We've removed the legacy loose-envify dependency, which was only ever needed by Browserify users. If you still happen to be using Browserify, please review your build settings and see if you need to make any updates.
    • We now explicitly depend on @ babel/runtime to extract some additional helpers out of our bundle. It's likely that your app already is pulling in those helpers anyway, so that removes some potential duplication.

    Typing Tweaks

    We've merged fixes for a couple edge cases in the 4.x TS typings related to state types.

    Changes

    v4.0.5...v4.1.0

  • 4.1.0-alpha.0 - 2021-04-04

    This pre-release for 4.1.0 shrinks our bundle size via tooling updates, and updates several error messages for clarity. This is all the changes we plan to have for 4.1, so if feedback looks good, we'll release 4.1.0 shortly.

    Changelog Summary

    The 4.1.0 release will have a more complete changelog, but summarizing:

    • Shrinks our bundle sizes by extracting error messages from production builds and replacing them with error codes (similar to React). Thanks to @ andrewmcgivery for implementing this!
    • Inlines the symbol-observable polyfill
    • Drops the legacy loose-envify dependency
    • Externalizes the @ babel/runtime helpers
    • Fixed a TS typedef to work better with TS 4.3

    We've also updated the error messages to clarify what's happening, provide more details when runtime type checks fail, and link to relevant documentation.

    Changes

    • Merge pull request #4058 from reduxjs/feature/4x-remove-legacy-deps 9a1d065
    • Inline the symbol-observable polyfill 0d7d94d
    • Remove symbol-observable and loose-envify deps b882d9a
    • Merge pull request #4057 from reduxjs/feature/4x-error-messages f3680b5
    • Port error message updates from master 46f5c94
    • Port error extraction setup from master 05d5505
    • Merge pull request #4056 from reduxjs/feature/4x-update-build-tooling 82ad636
    • fix: Declare "EmptyObject" interface to wrap $CombinedState (#4031) c3cbe2e
    • Only apply mapped types to un-branded types (#3805) e23aa59

    v4.0.5...v4.1.0-alpha.0

  • 4.0.5 - 2019-12-24

    This release includes a memory leak fix, and a fix for removing reducers with replaceReducer and combineReducers.

    There are also some TypeScript changes, which require version 3.5 or higher. This also removes our DeepPartial type, which wasn't intended to be a public API. If you need this type, you can find an equivalent of likely higher quality in the utility-types package.

    Speaking of TypeScript, we are done with converting the code to TypeScript on master and are looking to get some TS improvements in before launching 5.0. If you're interested in helping, feel free to submit a PR with anything you'd like to contribute.

    Changes

from redux GitHub release notes
Commit messages
Package name: redux

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant