react-apollo-form
react-apollo-form copied to clipboard
charlypoly
fix(deps): update dependency react-dom to v16.4.2 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| react-dom (source) | 16.4.0 -> 16.4.2 |
GitHub Vulnerability Alerts
CVE-2018-6341
Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to:
- be a server-side React app
- be rendered to HTML using
ReactDOMServer - include an attribute name from user input in an HTML tag
Recommendation
If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.
Release Notes
facebook/react (react-dom)
v16.4.2
React DOM Server
-
Fix a potential XSS vulnerability when the attacker controls an attribute name (
CVE-2018-6341). This fix is available in the latest[email protected], as well as in previous affected minor versions:[email protected],[email protected],[email protected], and[email protected]. (@gaearon in #13302) -
Fix a crash in the server renderer when an attribute is called
hasOwnProperty. This fix is only available in[email protected]. (@gaearon in #13303)
v16.4.1
React
React DOM
- Fix a crash when the input
typechanges from some other types totext. (@spirosikmd in #12135) - Fix a crash in IE11 when restoring focus to an SVG element. (@ThaddeusJiang in #12996)
- Fix a range input not updating in some cases. (@Illu in #12939)
- Fix input validation triggering unnecessarily in Firefox. (@nhunzaker in #12925)
- Fix an incorrect
event.targetvalue for theonChangeevent in IE9. (@nhunzaker in #12976) - Fix a false positive error when returning an empty
<React.Fragment />from a component. (@philipp-spiess in #12966)
React DOM Server
- Fix an incorrect value being provided by new context API. (@ericsoderberghp in #12985, @gaearon in #13019)
React Test Renderer
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: package-lock.json
(node:879) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
npm ERR! Cannot read properties of undefined (reading 'match')
npm ERR! A complete log of this run can be found in:
npm ERR! /runner/cache/others/npm/_logs/2025-11-19T23_32_27_868Z-debug.log