Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade redux from 4.0.5 to 4.2.1 #4

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

TooX12
Copy link
Owner

@TooX12 TooX12 commented Jun 29, 2024

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade redux from 4.0.5 to 4.2.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 7 versions ahead of your current version.

  • The recommended version was released on a year ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Prototype Poisoning
SNYK-JS-QS-3153490
372 Proof of Concept
high severity Prototype Pollution
SNYK-JS-MERGEDEEP-1070277
372 No Known Exploit
high severity Prototype Pollution
SNYK-JS-INI-1048974
372 Proof of Concept
high severity Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864
372 Proof of Concept
high severity Prototype Poisoning
SNYK-JS-QS-3153490
372 Proof of Concept
high severity Prototype Pollution
SNYK-JS-AJV-584908
372 No Known Exploit
high severity Prototype Pollution
SNYK-JS-ASYNC-2441827
372 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1246392
372 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SSRI-1246392
372 Proof of Concept
high severity Arbitrary File Overwrite
SNYK-JS-TAR-1536528
372 No Known Exploit
high severity Arbitrary File Overwrite
SNYK-JS-TAR-1536531
372 No Known Exploit
high severity Arbitrary File Write
SNYK-JS-TAR-1579147
372 No Known Exploit
high severity Arbitrary File Write
SNYK-JS-TAR-1579152
372 No Known Exploit
high severity Arbitrary File Write
SNYK-JS-TAR-1579155
372 No Known Exploit
high severity Prototype Pollution
SNYK-JS-NODEFORGE-598677
372 Proof of Concept
high severity Improper Verification of Cryptographic Signature
SNYK-JS-BROWSERIFYSIGN-6037026
372 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHPARSE-1077067
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PROMPTS-1729737
372 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-MINIMIST-559764
372 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-MINIMIST-559764
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-HOSTEDGITINFO-1088355
372 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JS-HTTPPROXY-569139
372 Proof of Concept
medium severity Command Injection
SNYK-JS-NODENOTIFIER-1035794
372 No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JS-NWSAPI-2841516
372 No Known Exploit
medium severity Uncontrolled Resource Consumption ('Resource Exhaustion')
SNYK-JS-TAR-6476909
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-TERSER-2806366
372 No Known Exploit
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1085627
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-COLORSTRING-1082939
372 Proof of Concept
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795
372 Proof of Concept
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795
372 Proof of Concept
low severity Prototype Pollution
SNYK-JS-MINIMIST-2429795
372 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-TAR-1536758
372 No Known Exploit
critical severity Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462
372 Proof of Concept
high severity Prototype Pollution
SNYK-JS-JSONSCHEMA-1920922
372 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JS-DECODEURICOMPONENT-3149970
372 Proof of Concept
high severity Remote Memory Exposure
SNYK-JS-DNSPACKET-1293563
372 No Known Exploit
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WEBSOCKETEXTENSIONS-570623
372 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574
372 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-WS-7266574
372 Proof of Concept
high severity Prototype Pollution
SNYK-JS-Y18N-1021887
372 Proof of Concept
high severity Cryptographic Issues
SNYK-JS-ELLIPTIC-571484
372 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ES5EXT-6095076
372 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-TMPL-1583443
372 Proof of Concept
high severity Improper Input Validation
SNYK-JS-URLPARSE-2407770
372 Proof of Concept
high severity Code Injection
SNYK-JS-LODASH-1040724
372 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-567746
372 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-608086
372 Proof of Concept
high severity Prototype Pollution
SNYK-JS-LODASH-6139239
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ISSVG-1243891
372 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-JSON5-3182856
372 Proof of Concept
medium severity Prototype Pollution
SNYK-JS-JSON5-3182856
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WS-1296835
372 Proof of Concept
medium severity Cryptographic Issues
SNYK-JS-ELLIPTIC-1064899
372 No Known Exploit
medium severity Information Exposure
SNYK-JS-EVENTSOURCE-2823375
372 Proof of Concept
medium severity Open Redirect
SNYK-JS-EXPRESS-6474509
372 No Known Exploit
medium severity Improper Input Validation
SNYK-JS-URLPARSE-1078283
372 No Known Exploit
medium severity Open Redirect
SNYK-JS-URLPARSE-1533425
372 Proof of Concept
medium severity Access Restriction Bypass
SNYK-JS-URLPARSE-2401205
372 Proof of Concept
medium severity Authorization Bypass
SNYK-JS-URLPARSE-2407759
372 Proof of Concept
medium severity Authorization Bypass Through User-Controlled Key
SNYK-JS-URLPARSE-2412697
372 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-LODASH-1018905
372 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-WORDWRAP-3149973
372 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
372 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
372 Proof of Concept
Release notes
Package name: redux
  • 4.2.1 - 2023-01-28

    This bugfix release removes the isMinified internal check to fix a compat issue with Expo. That check has added in early 2016, soon after Redux 3.0 was released, at a time when it was still less common to use bundlers with proper production build settings. Today that check is irrelevant, so we've removed it.

    What's Changed

    Full Changelog: v4.2.0...v4.2.1

  • 4.2.0 - 2022-04-18

    This release marks the original createStore API as @ deprecated to encourage users to migrate to Redux Toolkit, and adds a new legacy_createStore API as an alias without the deprecation warning.

    Goal

    Redux Toolkit (the @ reduxjs/toolkit package) is the right way for Redux users to write Redux code today:

    https://redux.js.org/introduction/why-rtk-is-redux-today

    Unfortunately, many tutorials are still showing legacy "hand-written" Redux patterns, which result in a much worse experience for users. New learners going through a bootcamp or an outdated Udemy course just follow the examples they're being shown, don't know that RTK is the better and recommended approach, and don't even think to look at our docs.

    Given that, the goal is to provide them with a visual indicator in their editor, like createStore . When users hover over the createStore import or function call, the doc tooltip recommends using configureStore from RTK instead, and points them to that docs page. We hope that new learners will see the strikethrough, read the tooltip, read the docs page, learn about RTK, and begin using it.

    To be extremely clear:

    WE ARE NOT GOING TO ACTUALLY REMOVE THE createStore API, AND ALL YOUR EXISTING CODE WILL STILL CONTINUE TO WORK AS-IS!

    We are just marking createStore as "deprecated":

    "the discouragement of use of some feature or practice, typically because it has been superseded or is no longer considered efficient or safe, without completely removing it or prohibiting its use"

    For additional details, see the extensive discussion in #4325 .

    Rationale

    • RTK provides a vastly improved Redux usage experience, with APIs that simplify standard usage patterns and eliminate common bugs like accidental mutations
    • We've had suggestions to merge all of RTK into the redux core package, or fully deprecate the entire redux package and rename it to @ reduxjs/core. Unfortunately, those bring up too many complexities:
      • We already had a package rename from redux-starter-kit to @ reduxjs/toolkit, and all of our docs and tutorials have pointed to it for the last three years. I don't want to put users through another whiplash package transition for no real benefit
      • Merging or rearranging our packages would effectively require merging all of the Redux repos into a single monorepo. That would require hundreds of hours of effort from us maintainers, including needing to somehow merge all of our docs sites together. We don't have the time to do that.
    • I don't want to add runtime warnings that would be really annoying

    So, this is the minimum possible approach we can take to reach out to users who otherwise would never know that they are following outdated patterns, while avoiding breaking running user code or having to completely rewrite our package and repo structure.

    Results

    When a user imports createStore in their editor, they will see a visual strikethrough. Hovering over it will show a doc tooltip that encourages them to use configureStore from RTK, and points to an explanatory docs page:

    image

    Again, no broken code, and no runtime warnings.

    If users do not want to see that strikethrough, they have three options:

    • Follow our suggestion to switch over to Redux Toolkit and configureStore
    • Do nothing. It's just a visual strikethrough, and it doesn't affect how your code behaves. Ignore it.
    • Switch to using the legacy_createStore API that is now exported, which is the exact same function but with no @ deprecation tag. The simplest option is to do an aliased import rename:

    image

    What's Changed

    • Mark createStore as deprecated, and add legacy_createStore alias by @ markerikson in #4336

    Full Changelog: v4.1.2...v4.2.0

  • 4.2.0-alpha.0 - 2021-10-30

    4.2.0-alpha.0

  • 4.1.2 - 2021-10-28

    This release fixes a small specific TS types issue where state types that had a nested unknown field inside would cause compilation failures when used as the preloadedState argument.

    What's Changed

    Full Changelog: v4.1.1...v4.1.2

  • 4.1.1 - 2021-08-03

    Just a small fix for Safari users in development mode.

    Changes

    • Move miniKindOf out of if scope to fix ES5 compatibility issue (#4090 by @ embeddedt)
  • 4.1.0 - 2021-04-24

    This release shrinks our bundle size via error message extraction, updates several error messages for clarity, and optimizes our list of runtime dependencies.

    Overall, version 4.1 shrinks from 2.6K min+gz to 1.6K min+gz thanks to these changes.

    Be sure to check out the Redux Toolkit 1.6 alpha containing our new "RTK Query" data fetching APIs! It also includes Redux 4.1 as a dependency.

    Changelog

    Error Message Extraction and Improvements

    We now extract all of our error messages from production builds in order to save on bundle size, using a technique inspired from React's error code extraction. The error messages will still show as normal in development, but in production they will reference a specific numeric error code and provide a link to a Redux docs page that has the full error message.

    An example of this is: https://redux.js.org/errors?code=5 , which shows the "can't subscribe while reducers are executing" error.

    The error code extraction saves about 800 bytes out of a production build.

    Thanks to @ andrewmcgivery for doing all the hard work on implementing the error extraction!

    We've also updated many of our error messages to provide additional details at runtime about what happened, especially runtime type checks such as "actions must be plain objects". They now provide a more specific type for the unexpected value, such as indicating promise or function:

    Changes
  • 4.1.0-alpha.0 - 2021-04-04

    This pre-release for 4.1.0 shrinks our bundle size via tooling updates, and updates several error messages for clarity. This is all the changes we plan to have for 4.1, so if feedback looks good, we'll release 4.1.0 shortly.

    Changelog Summary

    The 4.1.0 release will have a more complete changelog, but summarizing:

    • Shrinks our bundle sizes by extracting error messages from production builds and replacing them with error codes (similar to React). Thanks to @ andrewmcgivery for implementing this!
    • Inlines the symbol-observable polyfill
    • Drops the legacy loose-envify dependency
    • Externalizes the @ babel/runtime helpers
    • Fixed a TS typedef to work better with TS 4.3

    We've also updated the error messages to clarify what's happening, provide more details when runtime type checks fail, and link to relevant documentation.

    Changes

    • Merge pull request #4058 from reduxjs/feature/4x-remove-legacy-deps 9a1d065
    • Inline the symbol-observable polyfill 0d7d94d
    • Remove symbol-observable and loose-envify deps b882d9a
    • Merge pull request #4057 from reduxjs/feature/4x-error-messages f3680b5
    • Port error message updates from master 46f5c94
    • Port error extraction setup from master 05d5505
    • Merge pull request #4056 from reduxjs/feature/4x-update-build-tooling 82ad636
    • fix: Declare "EmptyObject" interface to wrap $CombinedState (#4031) c3cbe2e
    • Only apply mapped types to un-branded types (#3805) e23aa59

    v4.0.5...v4.1.0-alpha.0

  • 4.0.5 - 2019-12-24

    This release includes a memory leak fix, and a fix for removing reducers with replaceReducer and combineReducers.

    There are also some TypeScript changes, which require version 3.5 or higher. This also removes our DeepPartial type, which wasn't intended to be a public API. If you need this type, you can find an equivalent of likely higher quality in the utility-types package.

    Speaking of TypeScript, we are done with converting the code to TypeScript on master and are looking to get some TS improvements in before launching 5.0. If you're interested in helping, feel free to submit a PR with anything you'd like to contribute.

    Changes

from redux GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade redux from 4.0.5 to 4.2.1.

See this package in npm:
redux

See this project in Snyk:
https://app.snyk.io/org/toox12/project/3886b582-3513-45d3-bbb6-28c9d6edc821?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link
Contributor

deepsource-io bot commented Jun 29, 2024

Here's the code health analysis summary for commits 605f16a..bd5f9d9. View details on DeepSource ↗.

Analysis Summary

AnalyzerStatusSummaryLink
DeepSource JavaScript LogoJavaScript✅ SuccessView Check ↗
DeepSource PHP LogoPHP✅ SuccessView Check ↗

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants