Update dependency react-dom to v16 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
react-dom (source)	^15.6.1 -> ^16.0.0

GitHub Vulnerability Alerts

CVE-2018-6341

Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to:

• be a server-side React app
• be rendered to HTML using ReactDOMServer
• include an attribute name from user input in an HTML tag

Recommendation

If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.

---

Release Notes

facebook/react (react-dom)

v16.4.2

Compare Source

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

• Fix a crash in the server renderer when an attribute is called hasOwnProperty. This fix is only available in react-dom@16.4.2. (@​gaearon in #​13303)

v16.4.1

Compare Source

React

• You can now assign propTypes to components returned by React.ForwardRef. (@​bvaughn in #​12911)

React DOM

• Fix a crash when the input type changes from some other types to text. (@​spirosikmd in #​12135)
• Fix a crash in IE11 when restoring focus to an SVG element. (@​ThaddeusJiang in #​12996)
• Fix a range input not updating in some cases. (@​Illu in #​12939)
• Fix input validation triggering unnecessarily in Firefox. (@​nhunzaker in #​12925)
• Fix an incorrect event.target value for the onChange event in IE9. (@​nhunzaker in #​12976)
• Fix a false positive error when returning an empty <React.Fragment /> from a component. (@​philipp-spiess in #​12966)

React DOM Server

• Fix an incorrect value being provided by new context API. (@​ericsoderberghp in #​12985, @​gaearon in #​13019)

React Test Renderer

• Allow multiple root children in test renderer traversal API. (@​gaearon in #​13017)
• Fix getDerivedStateFromProps() in the shallow renderer to not discard the pending state. (@​fatfisz in #​13030)

v16.4.0

React

• Add a new experimental React.unstable_Profiler component for measuring performance. (@​bvaughn in #​12745)

React DOM

• Add support for the Pointer Events specification. (@​philipp-spiess in #​12507)
• Properly call getDerivedStateFromProps() regardless of the reason for re-rendering. (@​acdlite in #​12600 and #​12802)
• Fix a bug that prevented context propagation in some cases. (@​gaearon in #​12708)
• Fix re-rendering of components using forwardRef() on a deeper setState(). (@​gaearon in #​12690)
• Fix some attributes incorrectly getting removed from custom element nodes. (@​airamrguez in #​12702)
• Fix context providers to not bail out on children if there's a legacy context provider above. (@​gaearon in #​12586)
• Add the ability to specify propTypes on a context provider component. (@​nicolevy in #​12658)
• Fix a false positive warning when using react-lifecycles-compat in <StrictMode>. (@​bvaughn in #​12644)
• Warn when the forwardRef() render function has propTypes or defaultProps. (@​bvaughn in #​12644)
• Improve how forwardRef() and context consumers are displayed in the component stack. (@​sophiebits in #​12777)
• Change internal event names. This can break third-party packages that rely on React internals in unsupported ways. (@​philipp-spiess in #​12629)

React Test Renderer

• Fix the getDerivedStateFromProps() support to match the new React DOM behavior. (@​koba04 in #​12676)
• Fix a testInstance.parent crash when the parent is a fragment or another special node. (@​gaearon in #​12813)
• forwardRef() components are now discoverable by the test renderer traversal methods. (@​gaearon in #​12725)
• Shallow renderer now ignores setState() updaters that return null or undefined. (@​koba04 in #​12756)

React ART

• Fix reading context provided from the tree managed by React DOM. (@​acdlite in #​12779)

React Call Return (Experimental)

• This experiment was deleted because it was affecting the bundle size and the API wasn't good enough. It's likely to come back in the future in some other form. (@​gaearon in #​12820)

React Reconciler (Experimental)

• The new host config shape is flat and doesn't use nested objects. (@​gaearon in #​12792)

v16.3.3

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

v16.3.2

Compare Source

React

• Improve the error message when passing null or undefined to React.cloneElement. (@​nicolevy in #​12534)

React DOM

• Fix an IE crash in development when using <StrictMode>. (@​bvaughn in #​12546)
• Fix labels in User Timing measurements for new component types. (@​bvaughn in #​12609)
• Improve the warning about wrong component type casing. (@​nicolevy in #​12533)
• Improve general performance in development mode. (@​gaearon in #​12537)
• Improve performance of the experimental unstable_observedBits API with nesting. (@​gaearon in #​12543)

React Test Renderer

• Add a UMD build. (@​bvaughn in #​12594)

v16.3.1

Compare Source

React

• Fix a false positive warning in IE11 when using Fragment. (@​heikkilamarko in #​12504)
• Prefix a private API. (@​Andarist in #​12501)
• Improve the warning when calling setState() in constructor. (@​gaearon in #​12532)

React DOM

• Fix getDerivedStateFromProps() not getting applied in some cases. (@​acdlite in #​12528)
• Fix a performance regression in development mode. (@​gaearon in #​12510)
• Fix error handling bugs in development mode. (@​gaearon and @​acdlite in #​12508)
• Improve user timing API messages for profiling. (@​flarnie in #​12384)

Create Subscription

• Set the package version to be in sync with React releases. (@​bvaughn in #​12526)
• Add a peer dependency on React 16.3+. (@​NMinhNguyen in #​12496)

v16.3.0

React

• Add a new officially supported context API. (@​acdlite in #​11818)
• Add a new React.createRef() API as an ergonomic alternative to callback refs. (@​trueadm in #​12162)
• Add a new React.forwardRef() API to let components forward their refs to a child. (@​bvaughn in #​12346)
• Fix a false positive warning in IE11 when using React.Fragment. (@​XaveScor in #​11823)
• Replace React.unstable_AsyncComponent with React.unstable_AsyncMode. (@​acdlite in #​12117)
• Improve the error message when calling setState() on an unmounted component. (@​sophiebits in #​12347)

React DOM

• Add a new getDerivedStateFromProps() lifecycle and UNSAFE_ aliases for the legacy lifecycles. (@​bvaughn in #​12028)
• Add a new getSnapshotBeforeUpdate() lifecycle. (@​bvaughn in #​12404)
• Add a new <React.StrictMode> wrapper to help prepare apps for async rendering. (@​bvaughn in #​12083)
• Add support for onLoad and onError events on the <link> tag. (@​roderickhsiao in #​11825)
• Add support for noModule boolean attribute on the <script> tag. (@​aweary in #​11900)
• Fix minor DOM input bugs in IE and Safari. (@​nhunzaker in #​11534)
• Correctly detect Ctrl + Enter in onKeyPress in more browsers. (@​nstraub in #​10514)
• Fix containing elements getting focused on SSR markup mismatch. (@​koba04 in #​11737)
• Fix value and defaultValue to ignore Symbol values. (@​nhunzaker in #​11741)
• Fix refs to class components not getting cleaned up when the attribute is removed. (@​bvaughn in #​12178)
• Fix an IE/Edge issue when rendering inputs into a different window. (@​M-ZubairAhmed in #​11870)
• Throw with a meaningful message if the component runs after jsdom has been destroyed. (@​gaearon in #​11677)
• Don't crash if there is a global variable called opera with a null value. @​alisherdavronov in #​11854)
• Don't check for old versions of Opera. (@​skiritsis in #​11921)
• Deduplicate warning messages about <option selected>. (@​watadarkstar in #​11821)
• Deduplicate warning messages about invalid callback. (@​yenshih in #​11833)
• Deprecate ReactDOM.unstable_createPortal() in favor of ReactDOM.createPortal(). (@​prometheansacrifice in #​11747)
• Don't emit User Timing entries for context types. (@​abhaynikam in #​12250)
• Improve the error message when context consumer child isn't a function. (@​raunofreiberg in #​12267)
• Improve the error message when adding a ref to a functional component. (@​skiritsis in #​11782)

React DOM Server

• Prevent an infinite loop when attempting to render portals with SSR. (@​gaearon in #​11709)
• Warn if a class doesn't extend React.Component. (@​wyze in #​11993)
• Fix an issue with this.state of different components getting mixed up. (@​sophiebits in #​12323)
• Provide a better message when component type is undefined. (@​HeroProtagonist in #​11966)

React Test Renderer

• Fix handling of fragments in toTree(). (@​maciej-ka in #​12107 and @​gaearon in #​12154)
• Shallow renderer should assign state to null for components that don't set it. (@​jwbay in #​11965)
• Shallow renderer should filter legacy context according to contextTypes. (@​koba04 in #​11922)
• Add an unstable API for testing asynchronous rendering. (@​acdlite in #​12478)

React Is (New)

• First release of the new package that libraries can use to detect different React node types. (@​bvaughn in #​12199)
• Add ReactIs.isValidElementType() to help higher-order components validate their inputs. (@​jamesreggio in #​12483)

React Lifecycles Compat (New)

• First release of the new package to help library developers target multiple versions of React. (@​bvaughn in #​12105)

Create Subscription (New)

• First release of the new package to subscribe to external data sources safely for async rendering. (@​bvaughn in #​12325)

React Reconciler (Experimental)

• Expose react-reconciler/persistent for building renderers that use persistent data structures. (@​gaearon in #​12156)
• Pass host context to finalizeInitialChildren(). (@​jquense in #​11970)
• Remove useSyncScheduling from the host config. (@​acdlite in #​11771)

React Call Return (Experimental)

• Fix a crash on updates. (@​rmhartog in #​11955)

v16.2.1

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

v16.2.0

React

• Add Fragment as named export to React. (@​clemmy in #​10783)
• Support experimental Call/Return types in React.Children utilities. (@​MatteoVH in #​11422)

React DOM

• Fix radio buttons not getting checked when using multiple lists of radios. (@​landvibe in #​11227)
• Fix radio buttons not receiving the onChange event in some cases. (@​jquense in #​11028)

React Test Renderer

• Fix setState() callback firing too early when called from componentWillMount. (@​accordeiro in #​11507)

React Reconciler

• Expose react-reconciler/reflection with utilities useful to custom renderers. (@​rivenhk in #​11683)

Internal Changes

• Many tests were rewritten against the public API. Big thanks to everyone who contributed!

v16.1.2

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

v16.1.1

Compare Source

React

• Improve the warning about undefined component type. (@​selbekk in #​11505)

React DOM

• Support string values for the capture attribute. (@​maxschmeling in #​11424)

React DOM Server

• Don't freeze the ReactDOMServer public API. (@​travi in #​11531)
• Don't emit autoFocus={false} attribute on the server. (@​gaearon in #​11543)

React Reconciler

• Change the hydration API for better Flow typing. (@​sebmarkbage in #​11493)

v16.1.0

Discontinuing Bower Releases

Starting with 16.1.0, we will no longer be publishing new releases on Bower. You can continue using Bower for old releases, or point your Bower configs to the React UMD builds hosted on unpkg that mirror npm releases and will continue to be updated.

All Packages

• Fix an accidental extra global variable in the UMD builds. (@​gaearon in #​10935)

React

• Add support for portals in React.Children utilities. (@​MatteoVH in #​11378)
• Warn when a class has a render method but doesn't extend a known base class. (@​sw-yx in #​11168)
• Improve the warning when accidentally returning an object from constructor. (@​deanbrophy in #​11395)

React DOM

• Allow on as a custom attribute for AMP. (@​nuc in #​11153)
• Fix onMouseEnter and onMouseLeave firing on wrong elements. (@​gaearon in #​11164)
• Fix null showing up in a warning instead of the component stack. (@​gaearon in #​10915)
• Fix IE11 crash in development mode. (@​leidegre in #​10921)
• Fix tabIndex not getting applied to SVG elements. (@​gaearon in #​11034)
• Fix SVG children not getting cleaned up on dangerouslySetInnerHTML in IE. (@​OriR in #​11108)
• Fix false positive text mismatch warning caused by newline normalization. (@​gaearon in #​11119)
• Fix form.reset() to respect defaultValue on uncontrolled <select>. (@​aweary in #​11057)
• Fix <textarea> placeholder not rendering on IE11. (@​gaearon in #​11177)
• Fix a crash rendering into shadow root. (@​gaearon in #​11037)
• Fix false positive warning about hydrating mixed case SVG tags. (@​gaearon in #​11174)
• Suppress the new unknown tag warning for <dialog> element. (@​gaearon in #​11035)
• Warn when defining a non-existent componentDidReceiveProps method. (@​iamtommcc in #​11479)
• Warn about function child no more than once. (@​andreysaleba in #​11120)
• Warn about nested updates no more than once. (@​anushreesubramani in #​11113)
• Deduplicate other warnings about updates. (@​anushreesubramani in #​11216)
• Include component stack into the warning about contentEditable and children. (@​Ethan-Arrowood in #​11208)
• Improve the warning about booleans passed to event handlers. (@​NicBonetto in #​11308)
• Improve the warning when a multiple select gets null value. (@​Hendeca in #​11141)
• Move link in the warning message to avoid redirect. (@​marciovicente in #​11400)
• Add a way to suppress the React DevTools installation prompt. (@​gaearon in #​11448)
• Remove unused code. (@​gaearon in #​10802, #​10803)

React DOM Server

• Add a new suppressHydrationWarning attribute for intentional client/server text mismatches. (@​sebmarkbage in #​11126)
• Fix markup generation when components return strings. (@​gaearon in #​11109)
• Fix obscure error message when passing an invalid style value. (@​iamdustan in #​11173)
• Include the autoFocus attribute into SSR markup. (@​gaearon in #​11192)
• Include the component stack into more warnings. (@​gaearon in #​11284)

React Test Renderer and Test Utils

• Fix multiple setState() calls in componentWillMount() in shallow renderer. (@​Hypnosphi in #​11167)
• Fix shallow renderer to ignore shouldComponentUpdate() after forceUpdate(). (@​d4rky-pl in #​11239 and #​11439)
• Handle forceUpdate() and React.PureComponent correctly. (@​koba04 in #​11440)
• Add back support for running in production mode. (@​gaearon in #​11112)
• Add a missing package.json dependency. (@​gaearon in #​11340)

React ART

• Add a missing package.json dependency. (@​gaearon in #​11341)
• Expose react-art/Circle, react-art/Rectangle, and react-art/Wedge. (@​gaearon in #​11343)

React Reconciler (Experimental)

• First release of the new experimental package for creating custom renderers. (@​iamdustan in #​10758)
• Add support for React DevTools. (@​gaearon in #​11463)

React Call Return (Experimental)

• First release of the new experimental package for parent-child communication. (@​gaearon in #​11364)

v16.0.1

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

v16.0.0

Compare Source

New JS Environment Requirements

• React 16 depends on the collection types Map and Set, as well as requestAnimationFrame. If you support older browsers and devices which may not yet provide these natively (e.g. <IE11), you may want to include a polyfill.

New Features

• Components can now return arrays and strings from render. (Docs coming soon!)
• Improved error handling with introduction of "error boundaries". Error boundaries are React components that catch JavaScript errors anywhere in their child component tree, log those errors, and display a fallback UI instead of the component tree that crashed.
• First-class support for declaratively rendering a subtree into another DOM node with ReactDOM.createPortal(). (Docs coming soon!)
• Streaming mode for server side rendering is enabled with ReactDOMServer.renderToNodeStream() and ReactDOMServer.renderToStaticNodeStream(). (@​aickin in #​10425, #​10044, #​10039, #​10024, #​9264, and others.)
• React DOM now allows passing non-standard attributes. (@​nhunzaker in #​10385, 10564, #​10495 and others)

Breaking Changes

• There are several changes to the behavior of scheduling and lifecycle methods:
  • ReactDOM.render() and ReactDOM.unstable_renderIntoContainer() now return null if called from inside a lifecycle method.
    • To work around this, you can either use the new portal API or refs.
  • Minor changes to setState behavior:
    • Calling setState with null no longer triggers an update. This allows you to decide in an updater function if you want to re-render.
    • Calling setState directly in render always causes an update. This was not previously the case. Regardless, you should not be calling setState from render.
    • setState callback (second argument) now fires immediately after componentDidMount / componentDidUpdate instead of after all components have rendered.
  • When replacing <A /> with <B />, B.componentWillMount now always happens before A.componentWillUnmount. Previously, A.componentWillUnmount could fire first in some cases.
  • Previously, changing the ref to a component would always detach the ref before that component's render is called. Now, we change the ref later, when applying the changes to the DOM.
  • It is not safe to re-render into a container that was modified by something other than React. This worked previously in some cases but was never supported. We now emit a warning in this case. Instead you should clean up your component trees using ReactDOM.unmountComponentAtNode. See this example.
  • componentDidUpdate lifecycle no longer receives prevContext param. (@​bvaughn in #​8631)
  • Non-unique keys may now cause children to be duplicated and/or omitted. Using non-unique keys is not (and has never been) supported, but previously it was a hard error.
  • Shallow renderer no longer calls componentDidUpdate() because DOM refs are not available. This also makes it consistent with componentDidMount() (which does not get called in previous versions either).
  • Shallow renderer does not implement unstable_batchedUpdates() anymore.
  • ReactDOM.unstable_batchedUpdates now only takes one extra argument after the callback.
• The names and paths to the single-file browser builds have changed to emphasize the difference between development and production builds. For example:
  • react/dist/react.js → react/umd/react.development.js
  • react/dist/react.min.js → react/umd/react.production.min.js
  • react-dom/dist/react-dom.js → react-dom/umd/react-dom.development.js
  • react-dom/dist/react-dom.min.js → react-dom/umd/react-dom.production.min.js

• The server renderer has been completely rewritten, with some improvements:
  • Server rendering does not use markup validation anymore, and instead tries its best to attach to existing DOM, warning about inconsistencies. It also doesn't use comments for empty components and data-reactid attributes on each node anymore.
  • Hydrating a server rendered container now has an explicit API. Use ReactDOM.hydrate instead of ReactDOM.render if you're reviving server rendered HTML. Keep using ReactDOM.render if you're just doing client-side rendering.
• When "unknown" props are passed to DOM components, for valid values, React will now render them in the DOM. See this post for more details. (@​nhunzaker in #​10385, 10564, #​10495 and others)
• Errors in the render and lifecycle methods now unmount the component tree by default. To prevent this, add error boundaries to the appropriate places in the UI.

Removed Deprecations

• There is no react-with-addons.js build anymore. All compatible addons are published separately on npm, and have single-file browser versions if you need them.
• The deprecations introduced in 15.x have been removed from the core package. React.createClass is now available as create-react-class, React.PropTypes as prop-types, React.DOM as react-dom-factories, react-addons-test-utils as react-dom/test-utils, and shallow renderer as react-test-renderer/shallow. See 15.5.0 and 15.6.0 blog posts for instructions on migrating code and automated codemods.

v15.7.0

Compare Source

React

• Backport support for the new JSX transform to 15.x. (@​lunaruan in #​18299 and @​gaearon in #​20024)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.