[Snyk] Upgrade react-redux from 7.0.2 to 7.2.5

[snyk-bot]

Snyk has created this PR to upgrade react-redux from 7.0.2 to 7.2.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 19 versions ahead of your current version.
• The recommended version was released 2 months ago, on 2021-09-04.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Prototype Pollution SNYK-JS-Y18N-1021887	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-Y18N-1021887	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WEBSOCKETEXTENSIONS-570623	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TMPL-1583443	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Arbitrary File Write SNYK-JS-TAR-1579155	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579152	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary File Write SNYK-JS-TAR-1579147	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536531	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-TAR-1536528	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SSRI-1246392	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-SETVALUE-450213	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-SETVALUE-1540541	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-SETVALUE-450213	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-SETVALUE-1540541	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-536840	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-NODEFORGE-598677	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-MIXINDEEP-450212	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-MERGEDEEP-1070277	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-608086	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-450202	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-YARGSPARSER-560381	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Open Redirect SNYK-JS-URLPARSE-1533425	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Improper Input Validation SNYK-JS-URLPARSE-1078283	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Denial of Service (DoS) SNYK-JS-SOCKJS-575261	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PROMPTS-1729737	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHPARSE-1077067	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Command Injection SNYK-JS-NODENOTIFIER-1035794	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Denial of Service SNYK-JS-NODEFETCH-674311	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-559764	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-559764	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-567746	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-590103	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Command Injection SNYK-JS-LODASH-1040724	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-73638	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-608086	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-450202	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Command Injection SNYK-JS-LODASH-1040724	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-INI-1048974	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Arbitrary Code Execution SNYK-JS-HANDLEBARS-534478	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Denial of Service (DoS) SNYK-JS-HANDLEBARS-480388	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-LODASH-590103	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-HANDLEBARS-469063	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Arbitrary Code Execution SNYK-JS-ESLINTUTILS-460220	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Remote Memory Exposure SNYK-JS-DNSPACKET-1293563	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-AJV-584908	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-AJV-584908	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ACORN-559469	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-567746	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1243891	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ISSVG-1085627	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Man-in-the-Middle (MitM) SNYK-JS-HTTPSPROXYAGENT-469131	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Denial of Service (DoS) SNYK-JS-HTTPPROXY-569139	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HOSTEDGITINFO-1088355	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-567742	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-1279029	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Timing Attack SNYK-JS-ELLIPTIC-511941	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Prototype Pollution SNYK-JS-DOTPROP-543489	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Validation Bypass SNYK-JS-KINDOF-537849	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Prototype Pollution SNYK-JS-HANDLEBARS-534988	472/1000 Why? Proof of Concept exploit, CVSS 7.3	No Known Exploit
	Remote Code Execution (RCE) SNYK-JS-HANDLEBARS-1056767	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	472/1000 Why? Proof of Concept exploit, CVSS 7.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: react-redux

• 7.2.5 - 2021-09-04
  

  This release shrinks the size of our internal Subscription class, and updates useSelector to avoid an unnecessary selector call on mount.

  Changes

  Subscription Size Refactor

  Our internal Subscription implementation has been written as a class ever since it was added in v5. By rewriting it as a closure factory, we were able to shave a few bytes off the final bundle size.

  useSelector Mount Optimization

  A user noticed that useSelector had never been given an early "bail out if the root state is the same" check to match how connect works. This resulted in a usually-unnecessary second call to the provided selector on mount. We've added that check.

  Entry Point Consolidation

  We've consolidated the list of exported public APIs into a single file, and both the index.js and alternate-renderers.js entry points now re-export everything from that file. No meaningful change here, just shuffling lines of code around for consistency.

  Other Updates

  React-Redux v8 and React 18 Development

  With the announcement of React 18, we've been working with the React team to plan our migration path to keep React-Redux fully compatible with React's upcoming features.

  We've already migrated the React-Redux main development branch to TypeScript, and are prototyping compatibility implementation updates. We'd appreciate any assistance from the community in testing out these changes so that we can ensure React-Redux works great for everyone when React 18 is ready!

  Internal Tooling Updates

  Our master branch now uses Yarn v2 for package management, is built with TypeScript, and we've made CI updates to test against multiple TS versions.

  The 7.x branch has also been updated to use Yarn v2 for consistency.

  These only affect contributors to the React-Redux package itself.

  Changelog

  • Port entry point consolidation from 8.x branch (#1811 - @ markerikson)
  • Update v7 branch to use Yarn v2 and improve CI process (#1810 - @ markerikson)
  • Reduce unnecessary calls to useSelector selector (#1803 - @ sufian-slack )
  • Port Subscription closure implementation from 8.x to 7.x (#1809 - @ mbelsky)

  v7.2.4...v7.2.5

• 7.2.4 - 2021-04-24
  

  This release drops our dependency on the core redux package by inlining bindActionCreators, and tweaks useSelector to ensure that selectors aren't run an extra time while re-rendering.

  Changelog

  Redux Dependency Removal

  React-Redux has always imported the bindActionCreators utility from the core redux package for use in connect. However, that meant that we had to have a peer dependency on redux, and this was the only reason we actually required that redux be installed. This became more annoying with the arrival of Redux Toolkit, which has its own dependency on redux internally, and thus users typically saw peer dependency warnings saying that "redux isn't listed as a dependency in your app".

  Code reuse across separate packages is a great thing, but sometimes the right thing to do is duplicate code. So, we've inlined bindActionCreators directly into React-Redux, and we've completely dropped the dependency on Redux. This means that React-Redux will no longer produce a peerDep warning when used with Redux Toolkit, and <Provider> and connect really only need a Redux-store-compatible value to work right.

  useSelector Fixes

  Users reported that useSelector was re-running selector functions again unnecessarily while rendering after a dispatch. We've tweaked the logic to ensure that doesn't happen.

  useSelector also now has checks in development to ensure that selector and equalityFn are functions.

  Changes

  • Remove wrapActionCreators (#1709 - @ xty)
  • Verify that selector and equalityF of useSelector are functions (#1706 - @ gshilin)
  • Import bindActionCreators from redux (#1705 - @ timdorr)
  • Don't re-run the selector after update (#1701 - @ timdorr)

  v7.2.3...v7.2.4

• 7.2.3 - 2021-03-23
  

  This release improves behavior in useSelector by returning the existing reference if the newly returned selector result passes the equality check, and adds a hard dependency on the @ types/react-redux package to ensure TS users always have the typedefs installed.

  Changes

  useSelector Results Reuse

  Issue #1654 reported that useSelector was returning new references from a selector even if the equality comparison function returned true. This is because the equality check was only ever being performed during the action dispatch process.

  We now run the equality comparison against the value calculated by the selector while rendering, and return the existing reference for consistency if the old and new values are considered equal. This should improve some cases where further derived values where being recalculated unnecessarily.

  TS Types Now Included

  React-Redux has always been written in plain JS, and the typedefs maintained by the community in DefinitelyTyped. We plan on eventually rewriting the library in TypeScript in a future React-Redux v8 release, but until then the types can stay in DT.

  However, having to always manually install @ types/react-redux is annoying, and some users have gotten confused by that. This release adds a hard dependency on @ types/react-redux, so that if you install react-redux, you automatically get the types as well. This should simplify the process for TS users.

  Docs Updates

  We've made several docs updates recently:

  • Renamed "Quick Start" to "Getting Started" and "Static Typing" to "Usage with TypeScript"
  • Dropped the docs API versioning setup, as the legacy API version docs pages were rarely viewed and the versioning setup confused docs contributors
  • Moved the old "Intro > Basic Tutorial" to "Tutorials > Connect" and marked it as semi-obsolete

  We are currently working on a new React-Redux tutorial that will teach the React-Redux hooks as the primary approach, based on the "UI and React" page in the Redux docs "Fundamentals" tutorial.

  Changelog

  • Automatically install @ types/react-redux as a dependency (#1699 - @ markerikson )
  • Reuse latest selected state on selector re-run (#1654) (#1660 - @ otakustay)
  • Use useIsomorphicLayoutEffect in Provider for consistency (#1683 - @ speakingcode )

  v7.2.2...v7.2.3

• 7.2.2 - 2020-10-26
  

  This release allows you to use React Redux with React 17 without a warning when installing. That's about it.

  Changes

  • Upgrade react peer dependency to v17 (#1647 by @ wachunei)
• 7.2.1 - 2020-07-25
  

  This release improves useSelector value display in the React DevTools, fixes a potential race condition, and fixes a couple additional minor issues.

  useSelector DevTools Display

  The React DevTools normally show custom hooks with their inspected name (such as "Selector" for useSelector), and any calls to core hooks inside. This is not always informative, so React has the useDebugValue hook to allow custom hooks to specify what value should be shown instead.

  useSelector now calls useDebugValue to specifically show the current selected value instead of its internal hooks usage.

  Bug Fixes

  This release has a few different bug fixes:

  • A potential race condition when dispatching actions from child components in the commit phase vs selecting data in a parent
  • Removed an excess new object creation when forcing a re-render
  • Our internal prop name for a forwarded ref is now reactReduxForwardedRef to avoid a rare situation where someone else might be passing down a field named forwardedRef
  • Fixed a typo in a useSelector error message

  Changes

  • Fix error message typo in useSelector ('You must pass a selector...). (@ Pixelwelder - #1581)
  • fix useSelector race condition with memoized selector when dispatching in child components useLayoutEffect as well as cDM/cDU (@ dai-shi - #1536)
  • removed a redundant object creation when using forceUpdate (@ vzaidman - #1567)
  • Rename internal forwardedRef usage (@ dtschust - #1553)
  • Show useSelector result in React DevTools (@ Finesse - #1530)
• 7.2.0 - 2020-02-18
  Read more
• 7.1.3 - 2019-11-06
  

  Forgot to remove a console statement before I published 7.1.2. Oops!

  Lint your source code before publishing, folks.

  Changes

  • Remove leftover console statement (@ markerikson - 30101bb)
• 7.1.2 - 2019-11-06
  Read more
• 7.1.2-alpha.0 - 2019-11-05
• 7.1.1 - 2019-08-26
• 7.1.0 - 2019-06-11
• 7.1.0-rc.1 - 2019-05-30
• 7.1.0-alpha.5 - 2019-05-20
• 7.1.0-alpha.4 - 2019-05-01
• 7.1.0-alpha.3 - 2019-04-28
• 7.1.0-alpha.2 - 2019-04-28
• 7.1.0-alpha.1 - 2019-04-22
• 7.1.0-alpha.0 - 2019-04-22
• 7.0.3 - 2019-04-28
• 7.0.2 - 2019-04-12

from react-redux GitHub release notes

Commit messages

Package name: react-redux

• 0691cca 7.2.5
• c8f5674 Port entry point consolidation from 8.x branch (complete example 'action' and 'filter'，separate component reduxjs/redux#1811)
• c16d3c1 Update v7 branch to use Yarn v2 and improve CI process (change "combineReducers" to "joinReducers" reduxjs/redux#1810)
• 099e104 Reduce unnecessary calls to useSelector selector (bug: webpack error reduxjs/redux#1803)
• e7807ef Port Subscription closure implementation from 8.x to 7.x (Correct first argument name into mapStateToProps reduxjs/redux#1807) (Could not access customized property of component after using connect() reduxjs/redux#1809)
• 2c7ef25 Bump react-native from 0.63.3 to 0.64.1 (Splitting logic between reducers and action creators. reduxjs/redux#1773)
• b226f76 Update config.yml
• 540f3a6 OK, blanks
• 82b604a Update and rename Feature_request.md to feature_request.yml
• aa6f768 YAML is dumb
• 332d5e3 Typo
• 270f9e1 Update and rename Bug_report.md to bug_report.yml
• c60ccc5 Add an edit button to the docs site.
• 756e681 Update docusaurus and lockfile version
• 143a217 Bump prismjs from 1.23.0 to 1.24.0 in /website (RFC: Simplify middleware signature reduxjs/redux#1744)
• a24b885 Bump @ testing-library/react to 12.0.0 (fix(index.js): Add check for process object which might not be defined reduxjs/redux#1741)
• 4c471b0 Update Docusaurus to 2.0-beta.1 (Add favicon to the website reduxjs/redux#1735)
• 7de6008 Bump @ testing-library/react to 11.2.7 (Saving API token in the application reduxjs/redux#1734)
• 94ca8a9 Adding style guide link to CONTRIBUTING.MD (bindActionCreators refactor for a more functional approach reduxjs/redux#1730)
• 4a65734 docs: Remove unnecessary semicolon in connect docs (Storing “global” object outside of Redux store in React/Redux app reduxjs/redux#1728)
• 2d3309d Update Docusaurus to beta.0 and add "Learn Modern Redux" embed (Logic within render for the container in redux-async example reduxjs/redux#1724)
• c136fb5 chore: Docusaurus with webpack 5 (Dispatch a redux action from an external javascript module reduxjs/redux#1714)
• 86e962e 7.2.4
• b3b4e8b docs: add link to source in getting-started.md (accessing a prop found in either reducer reduxjs/redux#1713)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs