
[Snyk] Upgrade solid-js from 1.3.17 to 1.9.5 #21


Open · wants to merge 1 commit into base: main

Conversation

@sumansaurabh sumansaurabh commented Mar 18, 2025

User description


Snyk has created this PR to upgrade solid-js from 1.3.17 to 1.9.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 108 versions ahead of your current version.

  • The recommended version was released 24 days ago.

Issues fixed by the recommended upgrade:

Issue: Cross-site Scripting (XSS), medium severity (SNYK-JS-SOLIDJS-8743940)
Score: 648
Exploit Maturity: Proof of Concept
Release notes
Package name: solid-js
  • 1.9.5 - 2025-02-21
    No content.
  • 1.9.4 - 2025-01-07
    No content.
  • 1.9.3 - 2024-10-22
    No content.
  • 1.9.2 - 2024-10-07
    No content.
  • 1.9.1 - 2024-09-25
  • 1.9.0 - 2024-09-24

    This release like the last is focusing on small quality of life improvements and adjustments that will help us move towards 2.0. So while not the most exciting release to everyone it provides some really important features and fixes to some developers.

    And unlike many previous releases the vast majority of the work and features came from PRs from the community. So really all I can say is Looks Good to Me!

    Better JSX Validation

    While still incomplete across templates, we've added JSDOM to the compiler to better detect invalid HTML at build time by comparing what we expect the template to be with what a browser would output. This now includes nested things we didn't detect before, like putting <a> inside other <a> tags, which will lead to the browser "correcting" it in less than intuitive ways.

    Improved Exports

    While each environment in solid-js/web has its own methods to be used in the compiler, we are now exporting the client methods from the server to prevent weird import errors. Now these methods will throw if used in this environment but shouldn't break your build.

    Additionally we have seen some issues in bundlers that incorrectly feed our ESM exports back through the browser field. While this is a known issue they all pointed issues at each other and with no intention of fixing it. We have removed the browser field in this release, meaning some legacy packages may have issues resolving browser if they don't support export conditions.

    This is regretful but this blocked deployments on several platforms and since this was the only fix at our disposal after two years of attempting to push this issue to the bundlers to no avail, we've moved forward with it.

    Custom Element improvements

    We have a few improvements to our custom element support in this release. First off we now detect elements with the is attribute as custom elements which means all the special behavior is afforded to them.

    We've also improved our event handler delegation retargeting to better handle shadow DOM events. There were cases where we skipped over part of the tree.

    Finally we've added the bool: attribute namespace to handle explicitly setting certain attributes according to boolean attribute rules. While this isn't necessary for built-in booleans currently we handle most attributes as properties and we lacked a specific override. But now we have it:

    <my-element bool:enable={isEnabled()}></my-element>

    Support for handleEvent Syntax in Non-Delegated Events

    A little known thing is that events actually also support objects instead of functions (See: https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener)

    We (thanks @titoBouzout) realized we can use this mechanism as a way to set advanced rules like passive or capture on this object, as a way to handle all current and future event attributes that browsers might add. This way we don't need specific mechanisms like oncapture: (which is now deprecated).

    Instead using on: you can set the event properties you wish.

    <>
      <div on:click={{
        handleEvent(e) {
          console.log("clicked", e)
        },
        once: true
      }} />
      <div on:wheel={{
        handleEvent(e) {
          e.preventDefault() // only works on non-passive events
          e.stopPropagation()
          console.log("wheel stopped?")
        },
        passive: false
      }} />
    </>

    Other Updates

    We've fixed an issue with lazy images. Apparently, cloneNode doesn't handle them properly so we've updated our heuristic to treat templates with lazy images to be handled with importNode.

    We've improved our Hydration Mismatch Error to output the template that it can't find the matching ID for. This should make it easier to track down where the hydration errors are occurring. There have been several hydration improvements over the later 1.8 releases, so upgrading will likely improve the situation for those who have been facing issues.

    Finally, we've improved some of the types in the JSX and Signal Setter in this release.


    Big thanks to those who contributed to this release: @wkelly17, @olivercoad, @titoBouzout, @trusktr, @Huliiiiii. And thanks to all of you who gave feedback on the Metadata/Head Tag RFC. While it didn't make it in this time around, you've definitely given us stuff to consider for its future design.

    Best,
    @ryansolid

  • 1.8.23 - 2024-09-23
    No content.
  • 1.8.22 - 2024-08-27
    No content.
  • 1.8.21 - 2024-08-13
    No content.
  • 1.8.20 - 2024-08-08
    No content.
  • 1.8.19 - 2024-07-24
  • 1.8.18 - 2024-06-28
  • 1.8.17 - 2024-04-22
  • 1.8.16 - 2024-03-19
  • 1.8.15 - 2024-02-14
  • 1.8.14 - 2024-02-05
  • 1.8.13 - 2024-02-05
  • 1.8.12 - 2024-01-23
  • 1.8.11 - 2024-01-12
  • 1.8.10 - 2024-01-09
  • 1.8.9 - 2024-01-08
  • 1.8.8 - 2024-01-03
  • 1.8.7 - 2023-12-01
  • 1.8.6 - 2023-11-22
  • 1.8.5 - 2023-10-30
  • 1.8.4 - 2023-10-26
  • 1.8.3 - 2023-10-18
  • 1.8.2 - 2023-10-18
  • 1.8.1 - 2023-10-10
  • 1.8.0 - 2023-10-09
  • 1.8.0-beta.2 - 2023-10-09
  • 1.8.0-beta.1 - 2023-10-04
  • 1.8.0-beta.0 - 2023-09-28
  • 1.7.12 - 2023-09-18
  • 1.7.11 - 2023-08-10
  • 1.7.10 - 2023-08-09
  • 1.7.9 - 2023-08-04
  • 1.7.8 - 2023-07-11
  • 1.7.7 - 2023-06-26
  • 1.7.6 - 2023-05-31
  • 1.7.5 - 2023-05-06
  • 1.7.4 - 2023-05-01
  • 1.7.3 - 2023-04-07
  • 1.7.2 - 2023-04-04
  • 1.7.1 - 2023-04-02
  • 1.7.0 - 2023-03-30
  • 1.7.0-beta.5 - 2023-03-27
  • 1.7.0-beta.4 - 2023-03-23
  • 1.7.0-beta.3 - 2023-03-21
  • 1.7.0-beta.2 - 2023-03-20
  • 1.7.0-beta.1 - 2023-03-17
  • 1.7.0-beta.0 - 2023-02-17
  • 1.6.16 - 2023-03-27
  • 1.6.15 - 2023-03-16
  • 1.6.14 - 2023-03-11
  • 1.6.13 - 2023-03-09
  • 1.6.12 - 2023-03-06
  • 1.6.11 - 2023-02-14
  • 1.6.10 - 2023-01-31
  • 1.6.9 - 2023-01-13
  • 1.6.8 - 2023-01-05
  • 1.6.7 - 2023-01-04
  • 1.6.6 - 2022-12-21
  • 1.6.5 - 2022-12-13
  • 1.6.4 - 2022-12-09
  • 1.6.3 - 2022-12-07
  • 1.6.2 - 2022-11-11
  • 1.6.1 - 2022-10-30
  • 1.6.0 - 2022-10-20
  • 1.6.0-beta.4 - 2022-10-19
  • 1.6.0-beta.3 - 2022-10-18
  • 1.6.0-beta.2 - 2022-10-17
  • 1.6.0-beta.1 - 2022-10-17
  • 1.6.0-beta.0 - 2022-10-16
  • 1.5.9 - 2022-10-17
  • 1.5.8 - 2022-10-17
  • 1.5.7 - 2022-09-29
  • 1.5.6 - 2022-09-22
  • 1.5.5 - 2022-09-15
  • 1.5.4 - 2022-09-02
  • 1.5.3 - 2022-08-31
  • 1.5.2 - 2022-08-29
  • 1.5.1 - 2022-08-26
  • 1.5.0 - 2022-08-26
  • 1.5.0-beta.7 - 2022-08-25
  • 1.5.0-beta.6 - 2022-08-24
  • 1.5.0-beta.5 - 2022-08-19
  • 1.5.0-beta.4 - 2022-08-15
  • 1.5.0-beta.3 - 2022-08-09
  • 1.5.0-beta.2 - 2022-08-02
  • 1.5.0-beta.1 - 2022-07-21
  • 1.5.0-beta.0 - 2022-07-17
  • 1.4.8 - 2022-07-24
  • 1.4.7 - 2022-07-07
  • 1.4.6 - 2022-07-03
  • 1.4.5 - 2022-06-28
  • 1.4.4 - 2022-06-10
  • 1.4.3 - 2022-05-26
  • 1.4.2 - 2022-05-19
  • 1.4.1 - 2022-05-14
  • 1.4.0 - 2022-05-12
  • 1.4.0-beta.6 - 2022-05-11
  • 1.4.0-beta.5 - 2022-05-09
  • 1.4.0-beta.4 - 2022-05-09
  • 1.4.0-beta.3 - 2022-05-08
  • 1.4.0-beta.2 - 2022-05-07
  • 1.4.0-beta.1 - 2022-05-03
  • 1.4.0-beta.0 - 2022-05-02
  • 1.3.17 - 2022-04-25
from solid-js GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

Description

  • Upgraded solid-js dependency to version 1.9.5 to address vulnerabilities and improve performance.
  • This upgrade includes new dependencies such as csstype and seroval.
  • The recommended version is significantly ahead of the previous version, enhancing security and functionality.

Changes walkthrough 📝

Relevant files

Dependencies

  • package-lock.json (frameworks/hello-world-solidjs/webview-ui/package-lock.json): Upgrade solid-js to version 1.9.5 in package-lock.json (+61/-7)
    • Upgraded solid-js from version 1.3.17 to 1.9.5.
    • Added new dependencies: csstype and seroval with their respective versions.
    • Updated integrity hashes for the solid-js package.

  • package.json (frameworks/hello-world-solidjs/webview-ui/package.json): Upgrade solid-js to version 1.9.5 in package.json (+1/-1)
    • Updated solid-js dependency version from 1.3.13 to 1.9.5.

💡 Penify usage:
Comment /help on the PR to get a list of all available Penify tools and their descriptions

    See this package in npm:
    solid-js
    
    See this project in Snyk:
    https://app.snyk.io/org/sumansaurabh/project/766d9dae-6d24-4e8f-ba25-cee0c22f16e3?utm_source=github&utm_medium=referral&page=upgrade-pr
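The `handleEvent` object form described in the 1.9.0 release notes quoted above is the standard EventTarget listener-object contract, with the listener options folded into the same object. The following is an added example, not code from the release notes or from the solid-js code base, showing how such an object maps onto `addEventListener` and why `once` and `passive` behave as the notes describe. It uses Node's built-in `EventTarget` and `Event` so it runs outside a browser; `attachListener` and `demo` are hypothetical helpers, not Solid APIs, and the `on:` JSX syntax itself is a compiler feature not reproduced here.

```javascript
// Added example (not from the solid-js release notes or the solid-js code base):
// how a listener object of the shape Solid's on:* attribute accepts, i.e. a
// handleEvent method plus option keys such as once / passive / capture, maps onto
// the standard EventTarget API. Node's built-in EventTarget and Event (Node 15+)
// stand in for the browser; attachListener and demo are hypothetical helpers.

// One object can serve as both arguments: addEventListener reads handleEvent from
// the listener and once/passive/capture from the options dictionary, and each side
// ignores the keys meant for the other. Returns a function that detaches the
// listener again (removal needs the same object identity and the same capture flag).
function attachListener(target, type, spec) {
  if (typeof spec.handleEvent !== "function") {
    throw new TypeError(`on:${type} needs an object with a handleEvent method`);
  }
  target.addEventListener(type, spec, spec);
  return () => target.removeEventListener(type, spec, spec);
}

// Dispatch a few synthetic events and report what the listeners observed.
function demo() {
  const el = new EventTarget();
  const seen = [];

  attachListener(el, "click", {
    handleEvent(e) { seen.push(e.type); },
    once: true,          // detached automatically after the first dispatch
  });

  const detachWheel = attachListener(el, "wheel", {
    handleEvent(e) {
      e.preventDefault(); // honoured because this listener is not passive
      seen.push(e.type);
    },
    passive: false,
  });

  el.dispatchEvent(new Event("click"));
  el.dispatchEvent(new Event("click"));   // not delivered: the once listener is gone
  const wheel = new Event("wheel", { cancelable: true });
  const wheelNotCancelled = el.dispatchEvent(wheel); // false: preventDefault ran
  detachWheel();
  const afterDetach = el.dispatchEvent(new Event("wheel", { cancelable: true })); // true

  return {
    seen,                                   // ["click", "wheel"]
    wheelDefaultPrevented: wheel.defaultPrevented,
    wheelNotCancelled,
    afterDetach,
  };
}
```

Passing the same object as both listener and options is what lets a single attribute value carry `handleEvent` alongside `once`, `passive` or `capture`; in a browser a listener registered with `passive: true` would have its `preventDefault()` call ignored, which is why the wheel listener above sets it to `false` explicitly.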
    penify-dev bot added the labels "enhancement (New feature or request)" and "Review effort [1-5]: 2" on Mar 18, 2025

    penify-dev bot commented Mar 18, 2025

    PR Review 🔍

    ⏱️ Estimated effort to review [1-5]

    2, because the changes are primarily version upgrades in the package-lock.json and package.json files, which are straightforward to review.

    🧪 Relevant tests

    No

    ⚡ Possible issues

    No

    🔒 Security concerns

    No


    penify-dev bot commented Mar 18, 2025

    PR Code Suggestions ✨

    Category | Suggestion | Score

    Security: Verify the integrity hash for the new version to ensure security

    Review the integrity hash for solid-js to ensure it matches the expected hash for the new
    version to prevent potential security issues.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [1387]

    -"integrity": "sha512-ogI3DaFcyn6UhYhrgcyRAMbu/buBJitYQASZz5WzfQVPP10RD2AbCoRZ517psnezrasyCbWzIxZ6kVqet768xw=="
    +"integrity": "sha512-<new_hash_here>=="
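    Review bot: The `+` line replaces the existing lockfile hash with the placeholder `"sha512-<new_hash_here>=="`, which is not a valid SRI digest (`<` and `>` are not base64), so applied as written it would make `npm ci` fail with an integrity error instead of verifying anything. The `integrity` field is written by npm from registry metadata and should not be hand-edited; the check this suggestion is asking for is to compare the value the lockfile now carries for solid-js 1.9.5 against what the registry publishes (for example `npm view solid-js@1.9.5 dist.integrity`) and to confirm a clean `npm ci` on the branch.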
     
    Suggestion importance[1-10]: 8

    Why: Verifying the integrity hash is crucial for security, especially when upgrading dependencies, making this a significant suggestion.

    Score: 8

    Best practice: Lock the version of the dependency to avoid unexpected updates

    Consider locking the version of solid-js to a specific version instead of using a caret
    (^) to prevent unexpected breaking changes in future updates.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [12]

    -"solid-js": "^1.9.5"
    +"solid-js": "1.9.5"
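    Review bot: This edit targets `package-lock.json` line 12, but that caret range is the lockfile's copy of the project's own dependency spec; pinning it in the lockfile alone leaves `package.json` still saying `^1.9.5`, and npm rewrites that lockfile entry from `package.json` on the next install, so the change would not survive. If an exact pin is wanted, make it in `package.json` and let the lockfile follow. Note also that with a committed lockfile the installed version is already fixed at 1.9.5 regardless of the caret, so the practical benefit of this change is small.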
     
    Suggestion importance[1-10]: 7

    Why: Locking the version can prevent unexpected updates, which is a good practice for maintaining stability, but it may limit flexibility in receiving minor updates.

    Score: 7

    Maintainability: Assess the necessity of new dependencies to keep the project lightweight

    Check if the new dependencies introduced with the upgrade (like csstype and seroval) are
    necessary for your project to avoid unnecessary bloat.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [1390-1392]

    -"dependencies": {
    -  "csstype": "^3.1.0",
    -  "seroval": "^1.1.0",
    -  "seroval-plugins": "^1.1.0"
    -}
    +// Review if these dependencies are needed
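    Review bot: The `+` line inserts a `//` comment into `package-lock.json`, and JSON has no comment syntax, so this would leave the file unparsable; deleting the `dependencies` block from the solid-js entry is not a real option either, since those lines record what solid-js 1.9.5 itself declares (csstype, seroval, seroval-plugins), not choices made by this project. The review question is whether pulling in these transitive packages is acceptable; the lockfile is the record of that decision, not the place to edit it.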
     
    Suggestion importance[1-10]: 6

    Why: Assessing the necessity of new dependencies is important for maintainability, but the suggestion lacks specificity on how to evaluate their necessity.

    Score: 6

    Compatibility: Verify compatibility of the new version with existing dependencies

    Ensure that the version of solid-js being upgraded to is compatible with other
    dependencies in the project to avoid potential runtime issues.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [12]

    -"solid-js": "^1.9.5"
    +"solid-js": "^1.9.5" // Ensure compatibility with other dependencies
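    Review bot: The `+` line is identical to the `-` line apart from an appended `//` comment, which JSON does not allow, so the suggested change is both a no-op and a syntax error. Compatibility with the rest of the dependency tree is established by running the project's install and build (and its tests, where it has any) against the upgraded lockfile, and that result, not an annotation inside the lockfile, is what belongs in the review.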
     
    Suggestion importance[1-10]: 5

    Why: While ensuring compatibility is important, the suggestion does not provide a concrete action or verification method, making it more of a general guideline than a specific improvement.

    Score: 5
