Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade: react, react-dom, bootstrap, react-bootstrap, react-scripts, redux, redux-thunk, styled-components #108

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade: react, react-dom, bootstrap, react-bootstrap, react-scripts, redux, redux-thunk, styled-components #108

wants to merge 1 commit into from

Conversation

tiff-es
Copy link
Owner

@tiff-es tiff-es commented Sep 18, 2024

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

react
from 16.13.1 to 16.14.0 | 1 version ahead of your current version | 4 years ago
on 2020-10-14
react-dom
from 16.13.1 to 16.14.0 | 1 version ahead of your current version | 4 years ago
on 2020-10-14
bootstrap
from 4.5.0 to 4.6.2 | 6 versions ahead of your current version | 2 years ago
on 2022-07-19
react-bootstrap
from 1.0.1 to 1.6.8 | 23 versions ahead of your current version | 9 months ago
on 2023-12-22
react-scripts
from 3.4.1 to 3.4.4 | 3 versions ahead of your current version | 4 years ago
on 2020-10-20
redux
from 4.0.5 to 4.2.1 | 7 versions ahead of your current version | 2 years ago
on 2023-01-28
redux-thunk
from 2.3.0 to 2.4.2 | 3 versions ahead of your current version | 2 years ago
on 2022-11-04
styled-components
from 5.1.1 to 5.3.11 | 31 versions ahead of your current version | a year ago
on 2023-05-26

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Prototype Pollution
SNYK-JS-NODEFORGE-598677		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-OBJECTPATH-1017036		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-OBJECTPATH-1585658		 472 No Known Exploit
high severity Improper Input Validation
SNYK-JS-FOLLOWREDIRECTS-6141137		 472 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-ASYNC-2441827		 472 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-OBJECTPATH-1569453		 472 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610		 472 Proof of Concept
critical severity Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462		 472 Proof of Concept
critical severity Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462		 472 Proof of Concept
high severity Asymmetric Resource Consumption (Amplification)
SNYK-JS-BODYPARSER-7926860		 472 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ES5EXT-6095076		 472 Proof of Concept
high severity Code Injection
SNYK-JS-LODASH-1040724		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-567746		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-608086		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-6139239		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASHES-2434283		 472 Proof of Concept
high severity Code Injection
SNYK-JS-LODASHES-2434284		 472 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASHES-2434285		 472 Proof of Concept
high severity Remote Memory Exposure
SNYK-JS-DNSPACKET-1293563		 472 No Known Exploit
high severity Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062		 472 Proof of Concept
high severity Improper Input Validation
SNYK-JS-URLPARSE-2407770		 472 Proof of Concept
medium severity Information Exposure
SNYK-JS-EVENTSOURCE-2823375		 472 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509		 472 No Known Exploit
medium severity Cross-site Scripting
SNYK-JS-EXPRESS-7926867		 472 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905		 472 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASHES-2434289		 472 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2332181		 472 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JS-SOCKJS-575261		 472 Proof of Concept
medium severity Improper Input Validation
SNYK-JS-URLPARSE-1078283		 472 No Known Exploit
medium severity Open Redirect
SNYK-JS-URLPARSE-1533425		 472 Proof of Concept
medium severity Access Restriction Bypass
SNYK-JS-URLPARSE-2401205		 472 Proof of Concept
medium severity Authorization Bypass
SNYK-JS-URLPARSE-2407759		 472 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHTOREGEXP-7925106		 472 Proof of Concept
medium severity Authorization Bypass Through User-Controlled Key
SNYK-JS-URLPARSE-2412697		 472 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-YARGSPARSER-560381		 472 Proof of Concept
low severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2396346		 472 No Known Exploit
low severity Cross-site Scripting
SNYK-JS-SEND-7926862		 472 No Known Exploit
low severity Cross-site Scripting
SNYK-JS-SERVESTATIC-7926865		 472 No Known Exploit
Release notes
Package name: react from react GitHub release notes
Package name: react-dom from react-dom GitHub release notes
Package name: bootstrap from bootstrap GitHub release notes
Package name: react-bootstrap
  • 1.6.8 - 2023-12-22

    1.6.8 (2023-12-22)

    Bug Fixes

  • 1.6.7 - 2023-05-03

    1.6.7 (2023-05-03)

    Bug Fixes

  • 1.6.6 - 2022-08-25
  • 1.6.5 - 2022-05-11
  • 1.6.4 - 2021-09-24
  • 1.6.3 - 2021-09-08
  • 1.6.2 - 2021-09-07
  • 1.6.1 - 2021-06-04
  • 1.6.0 - 2021-05-11
  • 1.5.2 - 2021-03-11
  • 1.5.1 - 2021-03-02
  • 1.5.0 - 2021-02-16
  • 1.4.3 - 2021-01-07
  • 1.4.2 - 2021-01-07
  • 1.4.1 - 2021-01-07
  • 1.4.0 - 2020-10-21
  • 1.3.0 - 2020-07-23
  • 1.2.2 - 2020-07-12
  • 1.2.1 - 2020-07-10
  • 1.2.0 - 2020-07-10
  • 1.1.1 - 2020-07-07
  • 1.1.0 - 2020-07-06
  • 1.1.0-rc.0 - 2020-05-27
  • 1.0.1 - 2020-04-22
from react-bootstrap GitHub release notes
Package name: react-scripts
  • 3.4.4 - 2020-10-20
  • 3.4.3 - 2020-08-12
  • 3.4.2 - 2020-08-11
  • 3.4.1 - 2020-03-21
from react-scripts GitHub release notes
Package name: redux
  • 4.2.1 - 2023-01-28

    This bugfix release removes the isMinified internal check to fix a compat issue with Expo. That check has added in early 2016, soon after Redux 3.0 was released, at a time when it was still less common to use bundlers with proper production build settings. Today that check is irrelevant, so we've removed it.

    What's Changed

    Full Changelog: v4.2.0...v4.2.1

  • 4.2.0 - 2022-04-18

    This release marks the original createStore API as @ deprecated to encourage users to migrate to Redux Toolkit, and adds a new legacy_createStore API as an alias without the deprecation warning.

    Goal

    Redux Toolkit (the @ reduxjs/toolkit package) is the right way for Redux users to write Redux code today:

    https://redux.js.org/introduction/why-rtk-is-redux-today

    Unfortunately, many tutorials are still showing legacy "hand-written" Redux patterns, which result in a much worse experience for users. New learners going through a bootcamp or an outdated Udemy course just follow the examples they're being shown, don't know that RTK is the better and recommended approach, and don't even think to look at our docs.

    Given that, the goal is to provide them with a visual indicator in their editor, like createStore . When users hover over the createStore import or function call, the doc tooltip recommends using configureStore from RTK instead, and points them to that docs page. We hope that new learners will see the strikethrough, read the tooltip, read the docs page, learn about RTK, and begin using it.

    To be extremely clear:

    WE ARE NOT GOING TO ACTUALLY REMOVE THE createStore API, AND ALL YOUR EXISTING CODE WILL STILL CONTINUE TO WORK AS-IS!

    We are just marking createStore as "deprecated":

    "the discouragement of use of some feature or practice, typically because it has been superseded or is no longer considered efficient or safe, without completely removing it or prohibiting its use"

    For additional details, see the extensive discussion in #4325 .

    Rationale

    • RTK provides a vastly improved Redux usage experience, with APIs that simplify standard usage patterns and eliminate common bugs like accidental mutations
    • We've had suggestions to merge all of RTK into the redux core package, or fully deprecate the entire redux package and rename it to @ reduxjs/core. Unfortunately, those bring up too many complexities:
      • We already had a package rename from redux-starter-kit to @ reduxjs/toolkit, and all of our docs and tutorials have pointed to it for the last three years. I don't want to put users through another whiplash package transition for no real benefit
      • Merging or rearranging our packages would effectively require merging all of the Redux repos into a single monorepo. That would require hundreds of hours of effort from us maintainers, including needing to somehow merge all of our docs sites together. We don't have the time to do that.
    • I don't want to add runtime warnings that would be really annoying

    So, this is the minimum possible approach we can take to reach out to users who otherwise would never know that they are following outdated patterns, while avoiding breaking running user code or having to completely rewrite our package and repo structure.

    Results

    When a user imports createStore in their editor, they will see a visual strikethrough. Hovering over it will show a doc tooltip that encourages them to use configureStore from RTK, and points to an explanatory docs page:

    image

    Again, no broken code, and no runtime warnings.

    If users do not want to see that strikethrough, they have three options:

    • Follow our suggestion to switch over to Redux Toolkit and configureStore
    • Do nothing. It's just a visual strikethrough, and it doesn't affect how your code behaves. Ignore it.
    • Switch to using the legacy_createStore API that is now exported, which is the exact same function but with no @ deprecation tag. The simplest option is to do an aliased import rename:

    image

    What's Changed

    • Mark createStore as deprecated, and add legacy_createStore alias by @ markerikson in #4336

    Full Changelog: v4.1.2...v4.2.0

  • 4.2.0-alpha.0 - 2021-10-30

    4.2.0-alpha.0

  • 4.1.2 - 2021-10-28

    This release fixes a small specific TS types issue where state types that had a nested unknown field inside would cause compilation failures when used as the preloadedState argument.

    What's Changed

@snyk-bot
fix: upgrade multiple dependencies with Snyk
d77477d 
Snyk has created this PR to upgrade:
  - react from 16.13.1 to 16.14.0.
    See this package in npm: https://www.npmjs.com/package/react
  - react-dom from 16.13.1 to 16.14.0.
    See this package in npm: https://www.npmjs.com/package/react-dom
  - bootstrap from 4.5.0 to 4.6.2.
    See this package in npm: https://www.npmjs.com/package/bootstrap
  - react-bootstrap from 1.0.1 to 1.6.8.
    See this package in npm: https://www.npmjs.com/package/react-bootstrap
  - react-scripts from 3.4.1 to 3.4.4.
    See this package in npm: https://www.npmjs.com/package/react-scripts
  - redux from 4.0.5 to 4.2.1.
    See this package in npm: https://www.npmjs.com/package/redux
  - redux-thunk from 2.3.0 to 2.4.2.
    See this package in npm: https://www.npmjs.com/package/redux-thunk
  - styled-components from 5.1.1 to 5.3.11.
    See this package in npm: https://www.npmjs.com/package/styled-components

See this project in Snyk:
https://app.snyk.io/org/boostinwrx/project/dac12562-aff7-4c95-9b97-f86a082fe9ea?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tiff-es @snyk-bot