Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade @reduxjs/toolkit from 1.9.5 to 1.9.7 #329

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

psturc
Copy link
Member

@psturc psturc commented Jun 29, 2024

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade @reduxjs/toolkit from 1.9.5 to 1.9.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 2 versions ahead of your current version.

  • The recommended version was released on 9 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
432 Proof of Concept
high severity Path Traversal
SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555
432 Proof of Concept
high severity Uncontrolled resource consumption
SNYK-JS-BRACES-6838727
432 Proof of Concept
high severity Improper Input Validation
SNYK-JS-FOLLOWREDIRECTS-6141137
432 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
432 Proof of Concept
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
432 Proof of Concept
medium severity Cross-site Scripting (XSS)
SNYK-JS-SERIALIZEJAVASCRIPT-6147607
432 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
432 No Known Exploit
Release notes
Package name: @reduxjs/toolkit
  • 1.9.7 - 2023-10-04

    This bugfix release rewrites the RTKQ hook TS types to significantly improve TS perf.

    Changelog

    RTKQ TS Perf

    A number of users had reported that Intellisense for RTKQ API objects was extremely slow (multiple seconds) - see discussion in #3214 . We did some perf investigation on user-provided examples, and concluded that the biggest factor to slow RTKQ TS perf was the calculation of hook names like useGetPokemonQuery, which was generating a large TS union of types.

    We've rewritten that hook names type calculation to use mapped types and a couple of intersections. In a specific user-provided stress test repo, it dropped TS calculation time by 60% (2600ms to 1000ms).

    There's more potential work we can do to improve things, but this seems like a major perf improvement worth shipping now.

    What's Changed

    Full Changelog: v1.9.6...v1.9.7

  • 1.9.6 - 2023-09-24

    This bugfix release adds a new dev-mode middleware to catch accidentally dispatching an action creator, adds a new listener middleware option around waiting for forks, adds a new option to update provided tags when updateQueryData is used, reworks internal types to better handle uses with TS declaration output, and fixes a variety of small issues.

    Changelog

    Action Creator Dev Check Middleware

    RTK already includes dev-mode middleware that check for the common mistakes of accidentally mutating state and putting non-serializable values into state or actions.

    Over the years we've also seen a semi-frequent error where users accidentally pass an action creator reference to dispatch, instead of calling it and dispatching the action it returns.

    We've added another dev-mode middleware that specifically catches this error and warns about it.

    Additional Options

    The listener middleware's listenerApi.fork() method now has an optional autoJoin flag that can be used to keep the effect from finishing until all active forked tasks have completed.

    updateQueryData now has an updateProvidedTags option that will force a recalculation of that endpoint's provided tags. It currently defaults to false, and we'll likely turn that to true in the next major.

    Other Fixes

    The builder.addCase method now throws an error if a type string is empty.

    fetchBaseQuery now uses an alternate method to clone the original Request in order to work around an obscure Chrome bug.

    The immutability middleware logic was tweaked to avoid a potential stack overflow.

    Types Changes

    The internal type imports have been reworked to try to fix "type portability" issues when used in combination with TS declaration outputs.

    A couple additional types were exported to help with wrapping createAsyncThunk.

    What's Changed

    Full Changelog: v1.9.5...v1.9.6

  • 1.9.5 - 2023-04-18

    This bugfix release includes notable improvements to TS type inference when using the enhancers option in configureStore, and updates the listener middleware to only check predicates if the dispatched value is truly an action object.

    What's Changed

    • update to latest remark-typescript-tools by @ EskiMojo14 in #3311
    • add isAction helper function, and ensure listener middleware only runs for actions by @ EskiMojo14 in #3372
    • Allow inference of enhancer state extensions, and fix inference when using callback form by @ EskiMojo14 in #3207

    Full Changelog: v1.9.4...v1.9.5

from @reduxjs/toolkit GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants