[Snyk] Upgrade: react, react-dom #754
Conversation
Snyk has created this PR to upgrade:
- react from 17.0.2 to 18.3.1.
See this package in npm: https://www.npmjs.com/package/react
- react-dom from 17.0.2 to 18.3.1.
See this package in npm: https://www.npmjs.com/package/react-dom
See this project in Snyk:
https://app.snyk.io/org/q1blue-rxw/project/c899d8da-c199-4766-8d40-aa8d9a71141f?utm_source=github&utm_medium=referral&page=upgrade-pr
|
|
馃毃 Potential security issues detected. Learn more about Socket for GitHub 鈫楋笌 To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is an install script?Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts. Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. What is telemetry?This package contains telemetry which tracks how it is used. Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade multiple dependencies.
馃懐鈥嶁檪 The following dependencies are linked and will therefore be updated together.鈩癸笍 Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
react
鈿狅笍 This is a major version upgrade, and may be a breaking change | 2 months ago
鈿狅笍 This is a major version upgrade, and may be a breaking change | 2 months ago
from 17.0.2 to 18.3.1 | 626 versions ahead of your current version
on 2024-04-26
react-dom
from 17.0.2 to 18.3.1 | 626 versions ahead of your current version
on 2024-04-26
Release notes
Package name: react
actfromreactf1338fThis release is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19.
Read the React 19 Upgrade Guide for more info.
React
this.refsto support string ref codemod 909071findDOMNodeoutside StrictMode c3b283test-utilsmethods d4ea75defaultPropsfor function components #25699key#25697actfromtest-utilsd4ea75React DOM
unmountComponentAtNode8a015brenderToStaticNodeStream#28874React DOM
onRecoverableError. (@ gnoff in #24591)documentcausing a blank page on mismatch. (@ gnoff in #24523)setStatein Safari when adding an iframe. (@ gaearon in #24459)React DOM Server
<title>elements to match the browser constraints. (@ gnoff in #24679)highWaterMarkto0. (@ jplhomer in #24641)Server Components (Experimental)
useId()inside Server Components. (@ gnoff) in #24172React DOM
react-dom/clientwhen using UMD bundle. (@ alireza-molaee in #24274)suppressHydrationWarningto work in production too. (@ gaearon in #24271)componentWillUnmountfiring twice inside of Suspense. (@ acdlite in #24308)useDeferredValuecausing an infinite loop when passed an unmemoized value. (@ acdlite in #24247)setStateloop inuseEffect. (@ gaearon in #24298)setStateinuseInsertionEffect. (@ gaearon in #24295)React DOM Server
bootstrapScriptContentcontents. (@ gnoff in #24385)renderToPipeableStream. (@ gnoff in #24291)ESLint Plugin: React Hooks
Use Subscription
use-sync-external-storeshim. (@ gaearon in #24289)Below is a list of all new features, APIs, deprecations, and breaking changes.
Read React 18 release post and React 18 upgrade guide for more information.
New Features
React
useIdis a new hook for generating unique IDs on both the client and server, while avoiding hydration mismatches. It is primarily useful for component libraries integrating with accessibility APIs that require unique IDs. This solves an issue that already exists in React 17 and below, but it鈥檚 even more important in React 18 because of how the new streaming server renderer delivers HTML out-of-order.startTransitionanduseTransitionlet you mark some state updates as not urgent. Other state updates are considered urgent by default. React will allow urgent state updates (for example, updating a text input) to interrupt non-urgent state updates (for example, rendering a list of search results).useDeferredValuelets you defer re-rendering a non-urgent part of the tree. It is similar to debouncing, but has a few advantages compared to it. There is no fixed time delay, so React will attempt the deferred render right after the first render is reflected on the screen. The deferred render is interruptible and doesn't block user input.useSyncExternalStoreis a new hook that allows external stores to support concurrent reads by forcing updates to the store to be synchronous. It removes the need foruseEffectwhen implementing subscriptions to external data sources, and is recommended for any library that integrates with state external to React.useInsertionEffectis a new hook that allows CSS-in-JS libraries to address performance issues of injecting styles in render. Unless you鈥檝e already built a CSS-in-JS library we don鈥檛 expect you to ever use this. This hook will run after the DOM is mutated, but before layout effects read the new layout. This solves an issue that already exists in React 17 and below, but is even more important in React 18 because React yields to the browser during concurrent rendering, giving it a chance to recalculate layout.React DOM Client
These new APIs are now exported from
react-dom/client:createRoot: New method to create a root torenderorunmount. Use it instead ofReactDOM.render. New features in React 18 don't work without it.hydrateRoot: New method to hydrate a server rendered application. Use it instead ofReactDOM.hydratein conjunction with the new React DOM Server APIs. New features in React 18 don't work without it.Both
createRootandhydrateRootaccept a new option calledonRecoverableErrorin case you want to be notified when React recovers from errors during rendering or hydration for logging. By default, React will usereportError, orconsole.errorin the older browsers.React DOM Server
These new APIs are now exported from
react-dom/serverand have full support for streaming Suspense on the server:renderToPipeableStream: for streaming in Node environments.renderToReadableStream: for modern edge runtime environments, such as Deno and Cloudflare workers.The existing
renderToStringmethod keeps working but is discouraged.Deprecations
react-dom:ReactDOM.renderhas been deprecated. Using it will warn and run your app in React 17 mode.react-dom:ReactDOM.hydratehas been deprecated. Using it will warn and run your app in React 17 mode.react-dom:ReactDOM.unmountComponentAtNodehas been deprecated.react-dom:ReactDOM.renderSubtreeIntoContainerhas been deprecated.react-dom/server:ReactDOMServer.renderToNodeStreamhas been deprecated.Breaking Changes
React
flushSync.<Suspense>boundary in the tree. This ensures the hydrated tree is consistent and avoids potential privacy and security holes that can be caused by hydration mismatches.Promise,Symbol, andObject.assign. If you support older browsers and devices such as Internet Explorer which do not provide modern browser features natively or have non-compliant implementations, consider including a global polyfill in your bundled application.Scheduler (Experimental)
scheduler/tracingAPINotable Changes
React
undefined: React no longer throws if you returnundefinedfrom a component. This makes the allowed component return values consistent with values that are allowed in the middle of a component tree. We suggest to use a linter to prevent mistakes like forgetting areturnstatement before JSX.actwarnings are now opt-in: If you're running end-to-end tests, theactwarnings are unnecessary. We've introduced an opt-in mechanism so you can enable them only for unit tests where they are useful and beneficial.setStateon unmounted components: Previously, React warned about memory leaks when you callsetStateon an unmounted component. This warning was added for subscriptions, but people primarily run into it in scenarios where setting state is fine, and workarounds make the code worse. We've removed this warning.React DOM Server
renderToString: Will no longer error when suspending on the server. Instead, it will emit the fallback HTML for the closest<Suspense>boundary and then retry rendering the same content on the client. It is still recommended that you switch to a streaming API likerenderToPipeableStreamorrenderToReadableStreaminstead.renderToStaticMarkup: Will no longer error when suspending on the server. Instead, it will emit the fallback HTML for the closest<Suspense>boundary and retry rendering on the client.All Changes
React
useTransitionanduseDeferredValueto separate urgent updates from transitions. (#10426, #10715, #15593, #15272, #15578, #15769, #17058, #18796, #19121, #19703, #19719, #19724, #20672, #20976 by @ acdlite, @ lunaruan, @ rickhanlonii, and @ sebmarkbage)useIdfor generating unique IDs. (#17322, #18576, #22644, #22672, #21260 by @ acdlite, @ lunaruan, and @ sebmarkbage)useSyncExternalStoreto help external store libraries integrate with React. (#15022, #18000, #18771, #22211, #22292, #22239, #22347, #23150 by @ acdlite, @ bvaughn, and @ drarmstr)startTransitionas a version ofuseTransitionwithout pending feedback. (#19696 by @ rickhanlonii)useInsertionEffectfor CSS-in-JS libraries. (#21913 by @ rickhanlonii)