Skip to content

Bump immer from 8.0.4 to 9.0.6 #11364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 22, 2021
Merged

Bump immer from 8.0.4 to 9.0.6 #11364

merged 1 commit into from
Sep 22, 2021

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 3, 2021

Bumps immer from 8.0.4 to 9.0.6.

Release notes

Sourced from immer's releases.

v9.0.6

9.0.6 (2021-08-31)

Bug Fixes

  • security: Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype (fa671e5)

v9.0.5

9.0.5 (2021-07-05)

Bug Fixes

  • release missing dist/ folder (bfb8dec)

v9.0.4

9.0.4 (2021-07-05)

Bug Fixes

  • #791 return 'nothing' should produce undefined patch (5412c9f)
  • #807 new undefined properties should end up in result object (dc3f66c)
  • Better applyPatches type (#810) (09ac097), closes #809

v9.0.3

9.0.3 (2021-06-09)

Bug Fixes

  • isPlainObject: add quick comparison between input and Object to short-circuit taxing Function.toString invocations (#805) (07575f3)

v9.0.2

9.0.2 (2021-04-25)

Bug Fixes

  • #785 fix type inference for produce incorrectly inferring promise (#786) (6555173)

v9.0.1

9.0.1 (2021-03-20)

Bug Fixes

  • #768 immerable field being lost during patch value cloning (#771) (e0b7c01)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump immer from 8.0.4 to 9.0.6
496b976 
Bumps [immer](https://github.com/immerjs/immer) from 8.0.4 to 9.0.6.
- [Release notes](https://github.com/immerjs/immer/releases)
- [Commits](immerjs/immer@v8.0.4...v9.0.6)

---
updated-dependencies:
- dependency-name: immer
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 3, 2021
@raix raix added this to the 5.0 milestone Sep 3, 2021
@PatrickShaw
Copy link

PatrickShaw commented Sep 16, 2021

This will fix #11443 :)

@PatrickShaw PatrickShaw mentioned this pull request Sep 16, 2021
Closed
This was referenced Sep 18, 2021
Closed
Closed
@erbunao erbunao mentioned this pull request Sep 20, 2021
Closed
@KristjanRanna
Copy link

KristjanRanna commented Sep 21, 2021

Could this be merged already, please? It is pretty straightforward change and it is making my build fail.

@mrmckeb mrmckeb merged commit 960b21e into main Sep 22, 2021
@mrmckeb mrmckeb deleted the dependabot/npm_and_yarn/immer-9.0.6 branch September 22, 2021 17:37
@Brycetastic
Copy link

Brycetastic commented Sep 22, 2021

Now this is merge how do I get the update? will react-dev-utils have a version update?

@r-wells
Copy link

r-wells commented Sep 23, 2021

Bumping @Brycetastic's comment, we're getting a high severity vulnerability alert for this (as I'm sure a lot are) and would like to get it resolved. We're on the latest version of react-scripts (4.0.3) and react-dev-utils (11.0.4) but immer is still 8.0.1

@KristjanRanna
Copy link

KristjanRanna commented Sep 28, 2021

Any updates on this?

@keremciu
Copy link

keremciu commented Sep 28, 2021

how about having 4.0.4 with this one?

@erbunao
Copy link

erbunao commented Sep 28, 2021

Out of curiosity, is there anyone we need to tag from the admins to check this out?

@keremciu
Copy link

keremciu commented Oct 7, 2021

maybe @iansu @mrmckeb can help us out for release?

@DaisyyKM
Copy link

DaisyyKM commented Oct 7, 2021

Like everyone above mentioned, this code change is not helping us with the vulnerability issue with immer, I am still getting immer@8.0.1. @iansu @mrmckeb @PatrickShaw @ianschmitz @kentcdodds Please let us know what we need to do to resolve this and get the upgraded version of immer in our repo.

@DaisyyKM DaisyyKM mentioned this pull request Oct 7, 2021
Closed
@tsuz tsuz mentioned this pull request Oct 10, 2021
Open
@fauzanriff
Copy link

fauzanriff commented Oct 11, 2021

PR already merged, but we haven't seen any new patch on npm, it still uses immer@8.0.1. Do we have a plan to publish this?

@KristjanRanna
Copy link

KristjanRanna commented Oct 12, 2021

@mrmckeb Could you please give an update on this?

@ashvin777
Copy link

ashvin777 commented Oct 14, 2021

Facing the same issue, using the latest 11.0.4 but still seeing the immer being installed with version 8.0.1

ashvin777
ashvin777 reviewed Oct 14, 2021
View reviewed changes
packages/react-dev-utils/package.json
"globby": "11.0.1",
"gzip-size": "5.1.1",
"immer": "8.0.4",
"immer": "9.0.6",
Copy link

@ashvin777 ashvin777 Oct 14, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no change in package.json version that seems to be an issue.

@abahuja
Copy link

abahuja commented Nov 10, 2021

Any updates?

@Arunpandi04
Copy link

Arunpandi04 commented Nov 15, 2021

we are waiting on it please update this?

@felipeplets
Copy link

felipeplets commented Nov 17, 2021

@iansu can we get a patch version released to address this vulnerability?

@adrespi-dev
Copy link

adrespi-dev commented Dec 2, 2021

Any updates on this one?

@snyk-bot snyk-bot mentioned this pull request Dec 15, 2021
Open
This was referenced Apr 12, 2022
Closed
Open
GaryPWhite added a commit to GaryPWhite/gatsby that referenced this pull request Apr 21, 2022
@GaryPWhite
Bump react-dev-utils
3b8d7b0 
downstream, [react-dev-utils v11.x.x](https://www.npmjs.com/package/react-dev-utils/v/11.0.4) is subject to a [vulnerability](GHSA-33f9-j839-rf8h). Since the release of 12.x.x, `immer` [has been bumped up](facebook/create-react-app#11364 (comment)) and should resolve the "critical" security alert if it's adopted into Gatsby.
@GaryPWhite GaryPWhite mentioned this pull request Apr 21, 2022
Merged
@snyk-bot snyk-bot mentioned this pull request May 19, 2022
Open
@snyk-bot snyk-bot mentioned this pull request Jun 24, 2022
Closed
This was referenced Jul 25, 2022
Closed
Open
This was referenced Aug 26, 2022
Closed
Open
@hzhz hzhz mentioned this pull request Oct 26, 2022
Open
@sirinartk sirinartk mentioned this pull request Oct 26, 2022
Closed
@hzhz hzhz mentioned this pull request Nov 5, 2022
Open
@sirinartk sirinartk mentioned this pull request Nov 14, 2022
Closed
@hzhz hzhz mentioned this pull request Nov 16, 2022
Open
This was referenced Nov 29, 2022
Open
Closed
abhiisheek pushed a commit to abhiisheek/create-react-app that referenced this pull request May 24, 2023
@dependabot @abhiisheek
Bump immer from 8.0.4 to 9.0.6 (facebook#11364)
4629a67
@hzhz hzhz mentioned this pull request Jul 4, 2023
Open
@sirinartk sirinartk mentioned this pull request Jul 4, 2023
Open
@lili2311 lili2311 mentioned this pull request Sep 26, 2023
Open
@lili2311 lili2311 mentioned this pull request Nov 24, 2023
Open
@sirinartk sirinartk mentioned this pull request Nov 28, 2023
Open
@sirinartk sirinartk mentioned this pull request May 14, 2024
Open
@hzhz hzhz mentioned this pull request May 14, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iansu iansu Awaiting requested review from iansu

@mrmckeb mrmckeb Awaiting requested review from mrmckeb

@petetnt petetnt Awaiting requested review from petetnt

3 more reviewers

@ashvin777 ashvin777 ashvin777 left review comments

@jimmywarting jimmywarting jimmywarting approved these changes

@PatrickShaw PatrickShaw PatrickShaw approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

CLA Signed dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

5.0

Development

Successfully merging this pull request may close these issues.