Bump mithril from 1.1.6 to 2.0.4

[dependabot]

Bumps mithril from 1.1.6 to 2.0.4.

Release notes

Sourced from mithril's releases.

v2.0.4

• Fix double-rendering of trusted content within contenteditable elements (#2516 @isiahmeadows)
• Fix error on m.trust updating (#2516 @isiahmeadows)

v2.0.3

• Ensure vnodes are removed correctly in the face of onbeforeremove resolving after new nodes are added (#2492 @isiahmeadows)
• Fix prototype pollution vulnerability in m.parseQueryString (#2494 @isiahmeadows)

v2.0.2 was skipped as it had a critical flaw and was immediately unpublished.

v2.0.1

This is really what v2.0.0 was supposed to be, but the npm upload got botched the first time around.

Breaking changes

• API: Component vnode children are not normalized into vnodes on ingestion; normalization only happens if and when they are ingested by the view (#2155 (thanks to @magikstm for related optimization #2064))
• API: m.redraw() is always asynchronous (#1592)
• API: m.mount() will only render its own root when called, it will not trigger a redraw() (#1592)
• API: Assigning to vnode.state (as in vnode.state = ...) is no longer supported. Instead, an error is thrown if vnode.state changes upon the invocation of a lifecycle hook.
• API: m.request will no longer reject the Promise on server errors (eg. status >= 400) if the caller supplies an extract callback. This gives applications more control over handling server responses.
• hyperscript: when attributes have a null or undefined value, they are treated as if they were absent. #1773 (#2174)
• API: m.request errors no longer copy response fields to the error, but instead assign the parsed JSON response to error.response and the HTTP status code error.code.
• hyperscript: when an attribute is defined on both the first and second argument (as a CSS selector and an attrs field, respectively), the latter takes precedence, except for class attributes that are still added together. #2172 (#2174)
• cast className using toString (#2309)
• render: call attrs' hooks last, with express exception of onbeforeupdate to allow attrs to block components from even diffing (#2297)
• API: m.withAttr removed. (#2317)
• request: data has now been split to params and body and useBody has been removed in favor of just using body. (#2361)
• route, request: Interpolated arguments are URL-escaped (and for declared routes, URL-unescaped) automatically. If you want to use a raw route parameter, use a variadic parameter like in /asset/:path.../view. This was previously only available in m.route route definitions, but it's now usable in both that and where paths are accepted. (#2361)
• route, request: Interpolated arguments are not appended to the query string. This means m.request({url: "/api/user/:id/get", params: {id: user.id}}) would result in a request like GET /api/user/1/get, not one like GET /api/user/1/get?id=1. If you really need it in both places, pass the same value via two separate parameters with the non-query-string parameter renamed, like in m.request({url: "/api/user/:urlID/get", params: {id: user.id, urlID: user.id}}). (#2361)
• route, request: m.route.set, m.request, and m.jsonp all use the same path template syntax now, and vary only in how they receive their parameters. Furthermore, declared routes in m.route shares the same syntax and semantics, but acts in reverse as if via pattern matching. (#2361)
• request: options.responseType now defaults to "json" if extract is absent, and deserialize receives the parsed response, not the raw string. If you want the old behavior, use responseType: "text". (#2335)
• request: set Content-Type: application/json; charset=utf-8 for all XHR methods by default, provided they have a body that's != null (#2361, #2421)
  • This can cause CORS issues when issuing GET with bodies, but you can address them through configuring CORS appropriately.
  • Previously, it was only set for all non-GET methods and only when useBody: true was passed (the default), and it was always set for them. Now it's automatically omitted when no body is present, so the hole is slightly broadened.
• route: query parameters in hash strings are no longer supported (#2448 @isiahmeadows)
  • It's technically invalid in hashes, so I'd rather push people to keep in line with spec.
• render: validate all elements are either keyed or unkeyed, and treat null/undefined/booleans as strictly unkeyed (#2452 @isiahmeadows)
  • Gives a nice little perf boost with keyed fragments.
  • Minor, but imperceptible impact (within the margin of error) with unkeyed fragments.
  • Also makes the model a lot more consistent - all values are either keyed or unkeyed.
• vnodes: normalize boolean children to null/undefined at the vnode level, always stringify non-object children that aren't holes (#2452 @isiahmeadows)
  • Previously, true was equivalent to "true" and false was equivalent to "".
  • Previously, numeric children weren't coerced. Now, they are.
  • Unlikely to break most components, but it could break some users.
  • This increases consistency with how booleans are handled with children, so it should be more intuitive.
• route: key parameter for routes now only works globally for components (#2458 @isiahmeadows)
  • Previously, it worked for route resolvers, too.
  • This lets you ensure global layouts used in render still render by diff.
• redraw: mithril/redraw now just exposes the m.redraw callback (#2458 @isiahmeadows)
  • The .schedule, .unschedule, and .render properties of the former redrawService are all removed.

Commits

• caef6a8 v2.0.4
• 4c15e25 Preparing for release
• 22e6d37 Refactor the scripts to work as advertised
• 30ad45c Unbreak m.trust (#2516)
• bcf427a Fix ospec --require with relative paths (#2511)
• d3826c3 Fix typo (#2504)
• 720cccf update webpack babel config for webpack 4.x | babel-loader 8.x… (#2497)
• 615a936 Remember to close file handle [skip ci]
• 0d10dc2 v2.0.3
• e58e918 Take 2
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isiahmeadows, a new releaser for mithril since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.