Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: react-redux, redux-saga #1362

Open
wants to merge 1 commit into
base: canary
Choose a base branch
from

Conversation

X-oss-byte
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

react-redux
from 8.0.5 to 8.1.3 | 6 versions ahead of your current version | a year ago
on 2023-10-01
redux-saga
from 1.2.3 to 1.3.0 | 1 version ahead of your current version | 8 months ago
on 2024-01-02

Release notes
Package name: react-redux
  • 8.1.3 - 2023-10-01

    This bugfix release fixes an issue with subscriptions being lost when lazy-loaded components are used with React Suspense, and includes stack traces in useSelector usage warnings .

    What's Changed

    Full Changelog: v8.1.2...v8.1.3

  • 8.1.2 - 2023-07-29

    This version changes imports from the React package to namespace imports so the package can safely be imported in React Server Components as long as you don't actually use it - this is for example important if you want to use the React-specifc createApi function from Redux Toolkit.

    Some other changes:

    • The behaviour of the "React Context Singletons" from 8.1.1 has been adjusted to also work if you have multiple React instances of the same version (those will now be separated) and if you are in an environment without globalThis (in this case it will fall back to the previous behaviour).
    • We do no longer use Proxies, which should help with some very outdated consumers, e.g. smart TVs, that cannot even polyfill Proxies.

    Full Changelog: v8.1.1...v8.1.2

  • 8.1.1 - 2023-06-21

    This bugfix release tweaks the recent lazy context setup logic to ensure a single React context instance per React version, and removes the recently added RTK peerdep to fix an issue with Yarn workspaces.

    Changelog

    React Context Singletons

    React Context has always relied on reference identity. If you have two different copies of React or a library in a page, that can cause multiple versions of a context instance to be created, leading to problems like the infamous "Could not find react-redux context" error.

    In v8.1.0, we reworked the internals to lazily create our single ReactReduxContext instance to avoid issues in a React Server Components environment.

    This release further tweaks that to stash a single context instance per React version found in the page, thus hopefully avoiding the "multiple copies of the same context" error in the future.

    What's Changed

    Full Changelog: v8.1.0...v8.1.1

  • 8.1.0 - 2023-06-13

    This feature release adds new development-mode safety checks for common errors (like poorly-written selectors), adds a workaround to fix crash errors when React-Redux hooks are imported into React Server Component files, and updates our hooks API docs page with improved explanations and updated links.

    Changelog

    Development Mode Checks for useSelector

    We've had a number of users tell us over time that it's common to accidentally write selectors that have bad behavior and cause performance issues. The most common causes of this are either selectors that unconditionally return a new reference (such as state => state.todos.map() without any memoization ), or selectors that actually return the entire root state ( state => state ).

    We've updated useSelector to add safety checks in development mode that warn if these incorrect behaviors are detected:

    • Selectors will be called twice with the same inputs, and useSelector will warn if the results are different references
    • useSelector will warn if the selector result is actually the entire root state

    By default, these checks only run once the first time useSelector is called. This should provide a good balance between detecting possible issues, and keeping development mode execution performant without adding many unnecessary extra selector calls.

    If you want, you can configure this behavior globally by passing the enum flags directly to <Provider>, or on a per-useSelector basis by passing an options object as the second argument:

    // Example: globally configure the root state "noop" check to run every time
    <Provider store={store} noopCheck="always">
      {children}
    </Provider>
    // Example: configure `useSelector` to specifically run the reference checks differently:
    function Component() {
      // Disable check entirely for this selector
      const count = useSelector(selectCount, { stabilityCheck: 'never' })
      // run once (default)
      const user = useSelector(selectUser, { stabilityCheck: 'once' })
      // ...
    }

    This goes along with the similar safety checks we've added to Reselect v5 alpha as well.

    Context Changes

    We're still trying to work out how to properly use Redux and React Server Components together. One possibility is using RTK Query's createApi to define data fetching endpoints, and using the generated thunks to fetch data in RSCs, but it's still an open question.

    However, users have reported that merely importing any React-Redux API in an RSC file causes a crash, because React.createContext is not defined in RSC files. RTKQ's React-specific createApi entry point imports React-Redux, so it's been unusable in RSCs.

    This release adds a workaround to fix that issue, by using a proxy wrapper around our singleton ReactReduxContext instance and lazily creating that instance on demand. In testing, this appears to both continue to work in all unit tests, and fixes the import error in an RSC environment. We'd appreciate further feedback in case this change does cause any issues for anyone!

    We've also tweaked the internals of the hooks to do checks for correct <Provider> usage when using a custom context, same as the default context checks.

    Docs Updates

    We've cleaned up some of the Hooks API reference page, and updated links to the React docs.

    What's Changed

    • check for Provider even when using custom context by @ EskiMojo14 in #1990
    • Add a stability check, to see if selector returns stable result when called with same parameters. by @ EskiMojo14 in #2000
    • Add an E2E-ish test that verifies behavior when imported into RSCs by @ markerikson in #2030
    • lazily create Context for RSC compat by @ phryneas in #2025
    • Add warning for selectors that return the entire state by @ EskiMojo14 in #2022

    Full Changelog: v8.0.7...v8.1.0

  • 8.0.7 - 2023-05-31

    This release updates the peer dependencies to accept Redux Toolkit, and accept the ongoing RTK and Redux core betas as valid peer deps.

    Note: These changes were initially in 8.0.6, but that had a typo in the peer deps that broke installation. Sorry!

    What's Changed

    Full Changelog: v8.0.5...v8.0.7

  • 8.0.6 - 2023-05-30

    This release updates the peer dependencies to accept Redux Toolkit, and accept the ongoing RTK and Redux core betas as valid peer deps.

    This release has a peer deps typo that breaks installation - please use 8.0.7 instead !

    What's Changed

    • Bump Redux peer deps to accept 5.0 betas, and bump RTK dev dep by @ markerikson in #2017

    Full Changelog: v8.0.5...v8.0.6

  • 8.0.5 - 2022-11-04

    This release fixes a few minor TS issues.

    What's Changed

    Full Changelog: v8.0.4...v8.0.5

from react-redux GitHub release notes
Package name: redux-saga from redux-saga GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade:
  - react-redux from 8.0.5 to 8.1.3.
    See this package in npm: https://www.npmjs.com/package/react-redux
  - redux-saga from 1.2.3 to 1.3.0.
    See this package in npm: https://www.npmjs.com/package/redux-saga

See this project in Snyk:
https://app.snyk.io/org/sammytezzy/project/a731eb14-28e2-441c-8d24-bb782f32fa5f?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

vercel bot commented Sep 5, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
next-js-next-plugin-storybook ❌ Failed (Inspect) Sep 5, 2024 7:13pm
next-js-next-plugin-storybook-g5dx ❌ Failed (Inspect) Sep 5, 2024 7:13pm
next-js-next-plugin-storybook-y5ka ❌ Failed (Inspect) Sep 5, 2024 7:13pm
next-x-storybook ❌ Failed (Inspect) Sep 5, 2024 7:13pm

Copy link

stackblitz bot commented Sep 5, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

Copy link

changeset-bot bot commented Sep 5, 2024

⚠️ No Changeset found

Latest commit: eed5f10

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copy link

vercel bot commented Sep 5, 2024

Deployment failed with the following error:

Could not parse File as JSON: vercel.json

Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants