Update dependency react-dom to v16.2.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-dom (source)	^15.3.1 → ^16.2.1
react-dom (source)	^15.3.2 → ^16.2.1
react-dom (source)	16.2.0 → 16.2.1
react-dom (source)	^15.6.1 → ^16.0.0
react-dom (source)	^15.5.4 → ^16.0.0

---

Cross-Site Scripting in react-dom

CVE-2018-6341 / GHSA-mvjj-gqq2-p4hw

More information

Details

Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to:

• be a server-side React app
• be rendered to HTML using ReactDOMServer
• include an attribute name from user input in an HTML tag

Recommendation

If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-6341
• https://github.com/advisories/GHSA-mvjj-gqq2-p4hw
• https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html
• https://snyk.io/vuln/npm:react-dom:20180802
• https://www.npmjs.com/advisories/1421
• https://twitter.com/reactjs/status/1024745321987887104

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

facebook/react (react-dom)

v16.2.1

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

v16.2.0

React

• Add Fragment as named export to React. (@​clemmy in #​10783)
• Support experimental Call/Return types in React.Children utilities. (@​MatteoVH in #​11422)

React DOM

• Fix radio buttons not getting checked when using multiple lists of radios. (@​landvibe in #​11227)
• Fix radio buttons not receiving the onChange event in some cases. (@​jquense in #​11028)

React Test Renderer

• Fix setState() callback firing too early when called from componentWillMount. (@​accordeiro in #​11507)

React Reconciler

• Expose react-reconciler/reflection with utilities useful to custom renderers. (@​rivenhk in #​11683)

Internal Changes

• Many tests were rewritten against the public API. Big thanks to everyone who contributed!

v16.1.2

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

v16.1.1

Compare Source

React

• Improve the warning about undefined component type. (@​selbekk in #​11505)

React DOM

• Support string values for the capture attribute. (@​maxschmeling in #​11424)

React DOM Server

• Don't freeze the ReactDOMServer public API. (@​travi in #​11531)
• Don't emit autoFocus={false} attribute on the server. (@​gaearon in #​11543)

React Reconciler

• Change the hydration API for better Flow typing. (@​sebmarkbage in #​11493)

v16.1.0

Discontinuing Bower Releases

Starting with 16.1.0, we will no longer be publishing new releases on Bower. You can continue using Bower for old releases, or point your Bower configs to the React UMD builds hosted on unpkg that mirror npm releases and will continue to be updated.

All Packages

• Fix an accidental extra global variable in the UMD builds. (@​gaearon in #​10935)

React

• Add support for portals in React.Children utilities. (@​MatteoVH in #​11378)
• Warn when a class has a render method but doesn't extend a known base class. (@​sw-yx in #​11168)
• Improve the warning when accidentally returning an object from constructor. (@​deanbrophy in #​11395)

React DOM

• Allow on as a custom attribute for AMP. (@​nuc in #​11153)
• Fix onMouseEnter and onMouseLeave firing on wrong elements. (@​gaearon in #​11164)
• Fix null showing up in a warning instead of the component stack. (@​gaearon in #​10915)
• Fix IE11 crash in development mode. (@​leidegre in #​10921)
• Fix tabIndex not getting applied to SVG elements. (@​gaearon in #​11034)
• Fix SVG children not getting cleaned up on dangerouslySetInnerHTML in IE. (@​OriR in #​11108)
• Fix false positive text mismatch warning caused by newline normalization. (@​gaearon in #​11119)
• Fix form.reset() to respect defaultValue on uncontrolled <select>. (@​aweary in #​11057)
• Fix <textarea> placeholder not rendering on IE11. (@​gaearon in #​11177)
• Fix a crash rendering into shadow root. (@​gaearon in #​11037)
• Fix false positive warning about hydrating mixed case SVG tags. (@​gaearon in #​11174)
• Suppress the new unknown tag warning for <dialog> element. (@​gaearon in #​11035)
• Warn when defining a non-existent componentDidReceiveProps method. (@​iamtommcc in #​11479)
• Warn about function child no more than once. (@​andreysaleba in #​11120)
• Warn about nested updates no more than once. (@​anushreesubramani in #​11113)
• Deduplicate other warnings about updates. (@​anushreesubramani in #​11216)
• Include component stack into the warning about contentEditable and children. (@​Ethan-Arrowood in #​11208)
• Improve the warning about booleans passed to event handlers. (@​NicBonetto in #​11308)
• Improve the warning when a multiple select gets null value. (@​Hendeca in #​11141)
• Move link in the warning message to avoid redirect. (@​marciovicente in #​11400)
• Add a way to suppress the React DevTools installation prompt. (@​gaearon in #​11448)
• Remove unused code. (@​gaearon in #​10802, #​10803)

React DOM Server

• Add a new suppressHydrationWarning attribute for intentional client/server text mismatches. (@​sebmarkbage in #​11126)
• Fix markup generation when components return strings. (@​gaearon in #​11109)
• Fix obscure error message when passing an invalid style value. (@​iamdustan in #​11173)
• Include the autoFocus attribute into SSR markup. (@​gaearon in #​11192)
• Include the component stack into more warnings. (@​gaearon in #​11284)

React Test Renderer and Test Utils

• Fix multiple setState() calls in componentWillMount() in shallow renderer. (@​Hypnosphi in #​11167)
• Fix shallow renderer to ignore shouldComponentUpdate() after forceUpdate(). (@​d4rky-pl in #​11239 and #​11439)
• Handle forceUpdate() and React.PureComponent correctly. (@​koba04 in #​11440)
• Add back support for running in production mode. (@​gaearon in #​11112)
• Add a missing package.json dependency. (@​gaearon in #​11340)

React ART

• Add a missing package.json dependency. (@​gaearon in #​11341)
• Expose react-art/Circle, react-art/Rectangle, and react-art/Wedge. (@​gaearon in #​11343)

React Reconciler (Experimental)

• First release of the new experimental package for creating custom renderers. (@​iamdustan in #​10758)
• Add support for React DevTools. (@​gaearon in #​11463)

React Call Return (Experimental)

• First release of the new experimental package for parent-child communication. (@​gaearon in #​11364)

v16.0.1

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

v16.0.0

Compare Source

New JS Environment Requirements

• React 16 depends on the collection types Map and Set, as well as requestAnimationFrame. If you support older browsers and devices which may not yet provide these natively (e.g. <IE11), you may want to include a polyfill.

New Features

• Components can now return arrays and strings from render. (Docs coming soon!)
• Improved error handling with introduction of "error boundaries". Error boundaries are React components that catch JavaScript errors anywhere in their child component tree, log those errors, and display a fallback UI instead of the component tree that crashed.
• First-class support for declaratively rendering a subtree into another DOM node with ReactDOM.createPortal(). (Docs coming soon!)
• Streaming mode for server side rendering is enabled with ReactDOMServer.renderToNodeStream() and ReactDOMServer.renderToStaticNodeStream(). (@​aickin in #​10425, #​10044, #​10039, #​10024, #​9264, and others.)
• React DOM now allows passing non-standard attributes. (@​nhunzaker in #​10385, 10564, #​10495 and others)

Breaking Changes

• There are several changes to the behavior of scheduling and lifecycle methods:
  • ReactDOM.render() and ReactDOM.unstable_renderIntoContainer() now return null if called from inside a lifecycle method.
    • To work around this, you can either use the new portal API or refs.
  • Minor changes to setState behavior:
    • Calling setState with null no longer triggers an update. This allows you to decide in an updater function if you want to re-render.
    • Calling setState directly in render always causes an update. This was not previously the case. Regardless, you should not be calling setState from render.
    • setState callback (second argument) now fires immediately after componentDidMount / componentDidUpdate instead of after all components have rendered.
  • When replacing <A /> with <B />, B.componentWillMount now always happens before A.componentWillUnmount. Previously, A.componentWillUnmount could fire first in some cases.
  • Previously, changing the ref to a component would always detach the ref before that component's render is called. Now, we change the ref later, when applying the changes to the DOM.
  • It is not safe to re-render into a container that was modified by something other than React. This worked previously in some cases but was never supported. We now emit a warning in this case. Instead you should clean up your component trees using ReactDOM.unmountComponentAtNode. See this example.
  • componentDidUpdate lifecycle no longer receives prevContext param. (@​bvaughn in #​8631)
  • Non-unique keys may now cause children to be duplicated and/or omitted. Using non-unique keys is not (and has never been) supported, but previously it was a hard error.
  • Shallow renderer no longer calls componentDidUpdate() because DOM refs are not available. This also makes it consistent with componentDidMount() (which does not get called in previous versions either).
  • Shallow renderer does not implement unstable_batchedUpdates() anymore.
  • ReactDOM.unstable_batchedUpdates now only takes one extra argument after the callback.
• The names and paths to the single-file browser builds have changed to emphasize the difference between development and production builds. For example:
  • react/dist/react.js → react/umd/react.development.js
  • react/dist/react.min.js → react/umd/react.production.min.js
  • react-dom/dist/react-dom.js → react-dom/umd/react-dom.development.js
  • react-dom/dist/react-dom.min.js → react-dom/umd/react-dom.production.min.js

• The server renderer has been completely rewritten, with some improvements:
  • Server rendering does not use markup validation anymore, and instead tries its best to attach to existing DOM, warning about inconsistencies. It also doesn't use comments for empty components and data-reactid attributes on each node anymore.
  • Hydrating a server rendered container now has an explicit API. Use ReactDOM.hydrate instead of ReactDOM.render if you're reviving server rendered HTML. Keep using ReactDOM.render if you're just doing client-side rendering.
• When "unknown" props are passed to DOM components, for valid values, React will now render them in the DOM. See this post for more details. (@​nhunzaker in #​10385, 10564, #​10495 and others)
• Errors in the render and lifecycle methods now unmount the component tree by default. To prevent this, add error boundaries to the appropriate places in the UI.

Removed Deprecations

• There is no react-with-addons.js build anymore. All compatible addons are published separately on npm, and have single-file browser versions if you need them.
• The deprecations introduced in 15.x have been removed from the core package. React.createClass is now available as create-react-class, React.PropTypes as prop-types, React.DOM as react-dom-factories, react-addons-test-utils as react-dom/test-utils, and shallow renderer as react-test-renderer/shallow. See 15.5.0 and 15.6.0 blog posts for instructions on migrating code and automated codemods.

v15.7.0

Compare Source

React

• Backport support for the new JSX transform to 15.x. (@​lunaruan in #​18299 and @​gaearon in #​20024)

v15.6.2

Compare Source

All Packages

• Switch from BSD + Patents to MIT license

React DOM

• Fix a bug where modifying document.documentMode would trigger IE detection in other browsers, breaking change events. (@​aweary in #​10032)
• CSS Columns are treated as unitless numbers. (@​aweary in #​10115)
• Fix bug in QtWebKit when wrapping synthetic events in proxies. (@​walrusfruitcake in #​10115)
• Prevent event handlers from receiving extra argument in development. (@​aweary in #​10115)
• Fix cases where onChange would not fire with defaultChecked on radio inputs. (@​jquense in #​10156)
• Add support for controlList attribute to allowed DOM properties (@​nhunzaker in #​9940)
• Fix a bug where creating an element with a ref in a constructor did not throw an error in development. (@​iansu in #​10025)

v15.6.1

Compare Source

React DOM

• Fix a crash on iOS Safari. (@​jquense in #​9960)
• Don't add px to custom CSS property values. (@​TrySound in #​9966)

v15.6.0

Compare Source

React

• Downgrade deprecation warnings to use console.warn instead of console.error. (@​flarnie in #​9753)
• Add a deprecation warning for React.createClass. Points users to create-react-class instead. (@​flarnie in #​9771)
• Add deprecation warnings and separate module for React.DOM factory helpers. (@​nhunzaker in #​8356)
• Warn for deprecation of React.createMixin helper, which was never used. (@​aweary in #​8853)

React DOM

• Add support for CSS variables in style attribute. (@​aweary in #​9302)
• Add support for CSS Grid style properties. (@​ericsakmar in #​9185)
• Fix bug where inputs mutated value on type conversion. (@​nhunzaker in #​9806)
• Fix issues with onChange not firing properly for some inputs. (@​jquense in #​8575)
• Fix bug where controlled number input mistakenly allowed period. (@​nhunzaker in #​9584)
• Fix bug where performance entries were being cleared. (@​chrisui in #​9451)

React Addons

• Fix AMD support for addons depending on react. (@​flarnie in #​9919)
• Fix isMounted() to return true in componentWillUnmount. (@​mridgway in #​9638)
• Fix react-addons-update to not depend on native Object.assign. (@​gaearon in #​9937)
• Remove broken Google Closure Compiler annotation from create-react-class. (@​gaearon in #​9933)
• Remove unnecessary dependency from react-linked-input. (@​gaearon in #​9766)
• Point react-addons-(css-)transition-group to the new package. (@​gaearon in #​9937)

v15.5.4

Compare Source

React Addons

• Critical Bugfix: Update the version of prop-types to fix critical bug. (@​gaearon in 545c87f)
• Fix react-addons-create-fragment package to include loose-envify transform for Browserify users. (@​mridgway in #​9642)

React Test Renderer

• Fix compatibility with Enzyme by exposing batchedUpdates on shallow renderer. (@​gaearon in 9382)

v15.5.3

Compare Source

Note: this release has a critical issue and was deprecated. Please update to 15.5.4 or higher.

React Addons

• Fix react-addons-create-fragment package to export correct thing. (@​gaearon in #​9385)
• Fix create-react-class package to include loose-envify transform for Browserify users. (@​mridgway in #​9642)

v15.5.2

Compare Source

Note: this release has a critical issue and was deprecated. Please update to 15.5.4 or higher.

React Addons

• Fix the production single-file builds to not include the development code. (@​gaearon in #​9385)
• Apply better minification to production single-file builds. (@​gaearon in #​9385)
• Add missing and remove unnecessary dependencies to packages. (@​gaearon in #​9385)

v15.5.1

Compare Source

Note: this release has a critical issue and was deprecated. Please update to 15.5.4 or higher.

React

• Fix erroneous PropTypes access warning. (@​acdlite in (ec97ebb)

v15.5.0

Compare Source

Note: this release has a critical issue and was deprecated. Please update to 15.5.4 or higher.

React

• Added a deprecation warning for React.createClass. Points users to create-react-class instead. (@​acdlite in #d9a4fa4)
• Added a deprecation warning for React.PropTypes. Points users to prop-types instead. (@​acdlite in #​043845c)
• Fixed an issue when using ReactDOM together with ReactDOMServer. (@​wacii in #​9005)
• Fixed issue with Closure Compiler. (@​anmonteiro in #​8895)
• Another fix for Closure Compiler. (@​Shastel in #​8882)
• Added component stack info to invalid element type warning. (@​n3tr in #​8495)

React DOM

• Fixed Chrome bug when backspacing in number inputs. (@​nhunzaker in #​7359)
• Added react-dom/test-utils, which exports the React Test Utils. (@​bvaughn)

React Test Renderer

• Fixed bug where componentWillUnmount was not called for children. (@​gre in #​8512)
• Added react-test-renderer/shallow, which exports the shallow renderer. (@​bvaughn)

React Addons

• Last release for addons; they will no longer be actively maintained.
• Removed peerDependencies so that addons continue to work indefinitely. (@​acdlite and @​bvaughn in 8a06cd7 and 67a8db3)
• Updated to remove references to React.createClass and React.PropTypes (@​acdlite in 12a96b9)
• react-addons-test-utils is deprecated. Use react-dom/test-utils and react-test-renderer/shallow instead. (@​bvaughn)

v15.4.2

Compare Source

React

• Fixed build issues with the Brunch bundler. (@​gaearon in #​8686)
• Improved error messages for invalid element types. (@​sophiebits in #​8612)
• Removed a warning about getInitialState when this.state is set. (@​bvaughn in #​8594)
• Removed some dead code. (@​diegomura in #​8050, @​dfrownfelter in #​8597)

React DOM

• Fixed a decimal point issue on uncontrolled number inputs. (@​nhunzaker in #​7750)
• Fixed rendering of textarea placeholder in IE11. (@​aweary in #​8020)
• Worked around a script engine bug in IE9. (@​eoin in #​8018)

React Addons

• Fixed build issues in RequireJS and SystemJS environments. (@​gaearon in #​8686)
• Added missing package dependencies. (@​kweiberth in #​8467)

v15.4.1

Compare Source

React

• Restructure variable assignment to work around a Rollup bug (@​gaearon in #​8384)

React DOM

• Fixed event handling on disabled button elements (@​sophiebits in #​8387)
• Fixed compatibility of browser build with AMD environments (@​zpao in #​8374)

v15.4.0

Compare Source

React

• React package and browser build no longer "secretly" includes React DOM. (@​sebmarkbage in #​7164 and #​7168)
• Required PropTypes now fail with specific messages for null and undefined. (@​chenglou in #​7291)
• Improved development performance by freezing children instead of copying. (@​keyanzhang in #​7455)

React DOM

• Fixed occasional test failures when React DOM is used together with shallow renderer. (@​goatslacker in #​8097)
• Added a warning for invalid aria- attributes. (@​jessebeach in #​7744)
• Added a warning for using autofocus rather than autoFocus. (@​hkal in #​7694)
• Removed an unnecessary warning about polyfilling String.prototype.split. (@​nhunzaker in #​7629)
• Clarified the warning about not calling PropTypes manually. (@​jedwards1211 in #​7777)
• The unstable batchedUpdates API now passes the wrapped function's return value through. (@​bgnorlov in #​7444)
• Fixed a bug with updating text in IE 8. (@​mnpenner in #​7832)

React Perf

• When ReactPerf is started, you can now view the relative time spent in components as a chart in Chrome Timeline. (@​gaearon in #​7549)

React Test Utils

• If you call Simulate.click() on a <input disabled onClick={foo} /> then foo will get called whereas it didn't before. (@​nhunzaker in #​7642)

React Test Renderer

• Due to packaging changes, it no longer crashes when imported together with React DOM in the same file. (@​sebmarkbage in #​7164 and #​7168)
• ReactTestRenderer.create() now accepts {createNodeMock: element => mock} as an optional argument so you can mock refs with snapshot testing. (@​Aweary in #​7649, #​8261)

v15.3.2

Compare Source

React

• Remove plain object warning from React.createElement & React.cloneElement. (@​spudly in #​7724)

React DOM

• Add playsInline to supported HTML attributes. (@​reaperhulk in #​7519)
• Add as to supported HTML attributes. (@​kevinslin in #​7582)
• Improve DOM nesting validation warning about whitespace. (@​sophiebits in #​7515)
• Avoid "Member not found" exception in IE10 when calling preventDefault() in Synthetic Events. (@​g-palmer in #​7411)
• Fix memory leak in onSelect implementation. (@​AgtLucas in #​7533)
• Improve robustness of document.documentMode checks to handle Google Tag Manager. (@​SchleyB in #​7594)
• Add more cases to controlled inputs warning. (@​marcin-mazurek in #​7544)
• Handle case of popup blockers overriding document.createEvent. (@​Andarist in #​7621)
• Fix issue with dangerouslySetInnerHTML and SVG in Internet Explorer. (@​zpao in #​7618)
• Improve handling of Japanese IME on Internet Explorer. (@​msmania in #​7107)

React Test Renderer

• Support error boundaries. (@​millermedeiros in #​7558, #​7569, #​7619)
• Skip null ref warning. (@​Aweary in #​7658)

React Perf Add-on

• Ensure lifecycle timers are stopped on errors. (@​gaearon in #​7548)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.