[Snyk] Upgrade: react, react-dom #2740
Open
+1,370
−587
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade multiple dependencies.
👯 The following dependencies are linked and will therefore be updated together.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
react
from 16.8.6 to 18.3.1 | 644 versions ahead of your current version | ⚠️ This is a major version upgrade, and may be a breaking change | a month ago on 2024-04-26
react-dom
from 16.8.6 to 18.3.1 | 644 versions ahead of your current version | ⚠️ This is a major version upgrade, and may be a breaking change | a month ago on 2024-04-26
The recommended version fixes:
SNYK-JS-RAMDA-1582370
Why? CVSS 5.3
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: react
act from react f1338f
This release is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19.
Read the React 19 Upgrade Guide for more info.
React
this.refs to support string ref codemod 909071
findDOMNode outside StrictMode c3b283
test-utils methods d4ea75
defaultProps for function components #25699
key #25697
act from test-utils d4ea75
React DOM
unmountComponentAtNode 8a015b
renderToStaticNodeStream #28874
React DOM
onRecoverableError. (@ gnoff in #24591)
document causing a blank page on mismatch. (@ gnoff in #24523)
setState in Safari when adding an iframe. (@ gaearon in #24459)
React DOM Server
<title> elements to match the browser constraints. (@ gnoff in #24679)
highWaterMark to 0. (@ jplhomer in #24641)
Server Components (Experimental)
useId() inside Server Components. (@ gnoff) in #24172
React DOM
react-dom/client when using UMD bundle. (@ alireza-molaee in #24274)
suppressHydrationWarning to work in production too. (@ gaearon in #24271)
componentWillUnmount firing twice inside of Suspense. (@ acdlite in #24308)
useDeferredValue causing an infinite loop when passed an unmemoized value. (@ acdlite in #24247)
setState loop in useEffect. (@ gaearon in #24298)
setState in useInsertionEffect. (@ gaearon in #24295)
React DOM Server
bootstrapScriptContent contents. (@ gnoff in #24385)
renderToPipeableStream. (@ gnoff in #24291)
ESLint Plugin: React Hooks
Use Subscription
use-sync-external-store shim. (@ gaearon in #24289)
Below is a list of all new features, APIs, deprecations, and breaking changes.
Read React 18 release post and React 18 upgrade guide for more information.
New Features
React
useId is a new hook for generating unique IDs on both the client and server, while avoiding hydration mismatches. It is primarily useful for component libraries integrating with accessibility APIs that require unique IDs. This solves an issue that already exists in React 17 and below, but it’s even more important in React 18 because of how the new streaming server renderer delivers HTML out-of-order.
startTransition and useTransition let you mark some state updates as not urgent. Other state updates are considered urgent by default. React will allow urgent state updates (for example, updating a text input) to interrupt non-urgent state updates (for example, rendering a list of search results).
useDeferredValue lets you defer re-rendering a non-urgent part of the tree. It is similar to debouncing, but has a few advantages compared to it. There is no fixed time delay, so React will attempt the deferred render right after the first render is reflected on the screen. The deferred render is interruptible and doesn't block user input.
useSyncExternalStore is a new hook that allows external stores to support concurrent reads by forcing updates to the store to be synchronous. It removes the need for useEffect when implementing subscriptions to external data sources, and is recommended for any library that integrates with state external to React.
useInsertionEffect is a new hook that allows CSS-in-JS libraries to address performance issues of injecting styles in render. Unless you’ve already built a CSS-in-JS library we don’t expect you to ever use this. This hook will run after the DOM is mutated, but before layout effects read the new layout. This solves an issue that already exists in React 17 and below, but is even more important in React 18 because React yields to the browser during concurrent rendering, giving it a chance to recalculate layout.
React DOM Client
These new APIs are now exported from react-dom/client:
createRoot: New method to create a root to render or unmount. Use it instead of ReactDOM.render. New features in React 18 don't work without it.
hydrateRoot: New method to hydrate a server rendered application. Use it instead of ReactDOM.hydrate in conjunction with the new React DOM Server APIs. New features in React 18 don't work without it.
Both createRoot and hydrateRoot accept a new option called onRecoverableError in case you want to be notified when React recovers from errors during rendering or hydration for logging. By default, React will use reportError, or console.error in the older browsers.
React DOM Server
These new APIs are now exported from react-dom/server and have full support for streaming Suspense on the server:
renderToPipeableStream: for streaming in Node environments.
renderToReadableStream: for modern edge runtime environments, such as Deno and Cloudflare workers.
The existing renderToString method keeps working but is discouraged.
Deprecations
react-dom: ReactDOM.render has been deprecated. Using it will warn and run your app in React 17 mode.
react-dom: ReactDOM.hydrate has been deprecated. Using it will warn and run your app in React 17 mode.
react-dom: ReactDOM.unmountComponentAtNode has been deprecated.
react-dom: ReactDOM.renderSubtreeIntoContainer has been deprecated.
react-dom/server: ReactDOMServer.renderToNodeStream has been deprecated.
Breaking Changes
React
flushSync.
<Suspense> boundary in the tree. This ensures the hydrated tree is consistent and avoids potential privacy and security holes that can be caused by hydration mismatches.
Promise, Symbol, and Object.assign. If you support older browsers and devices such as Internet Explorer which do not provide modern browser features natively or have non-compliant implementations, consider including a global polyfill in your bundled application.
Scheduler (Experimental)
scheduler/tracing API
Notable Changes
React
undefined: React no longer throws if you return undefined from a component. This makes the allowed component return values consistent with values that are allowed in the middle of a component tree. We suggest to use a linter to prevent mistakes like forgetting a return statement before JSX.
act warnings are now opt-in: If you're running end-to-end tests, the act warnings are unnecessary. We've introduced an opt-in mechanism so you can enable them only for unit tests where they are useful and beneficial.
setState on unmounted components: Previously, React warned about memory leaks when you call setState on an unmounted component. This warning was added for subscriptions, but people primarily run into it in scenarios where setting state is fine, and workarounds make the code worse. We've removed this warning.
React DOM Server
renderToString: Will no longer error when suspending on the server. Instead, it will emit the fallback HTML for the closest <Suspense> boundary and then retry rendering the same content on the client. It is still recommended that you switch to a streaming API like renderToPipeableStream or renderToReadableStream instead.
renderToStaticMarkup: Will no longer error when suspending on the server. Instead, it will emit the fallback HTML for the closest <Suspense> boundary and retry rendering on the client.
All Changes
React
useTransition and useDeferredValue to separate urgent updates from transitions. (#10426, #10715, #15593, #15272, #15578, #15769, #17058, #18796, #19121, #19703, #19719, #19724, #20672, #20976 by @ acdlite, @ lunaruan, @ rickhanlonii, and @ sebmarkbage)
useId for generating unique IDs. (#17322, #18576, #22644, #22672, #21260 by @ acdlite, @ lunaruan, and @ sebmarkbage)
useSyncExternalStore to help external store libraries integrate with React. (#15022, #18000, #18771, #22211, #22292, #22239, #22347, #23150 by @ acdlite, @ bvaughn, and @ drarmstr)
startTransition as a version of useTransition without pending feedback. (#19696 by @ rickhanlonii)
useInsertionEffect for CSS-in-JS libraries. (#21913 by @ rickhanlonii)