🚨 [security] Update redux: 4.0.0 → 4.2.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ redux (4.0.0 → 4.2.1) · Repo · Changelog

Release Notes

4.2.1

This bugfix release removes the isMinified internal check to fix a compat issue with Expo. That check has added in early 2016, soon after Redux 3.0 was released, at a time when it was still less common to use bundlers with proper production build settings. Today that check is irrelevant, so we've removed it.

What's Changed

• Remove minified check by @trajano in #4454

Full Changelog: v4.2.0...v4.2.1

4.2.0

This release marks the original createStore API as @deprecated to encourage users to migrate to Redux Toolkit, and adds a new legacy_createStore API as an alias without the deprecation warning.

Goal

Redux Toolkit (the @reduxjs/toolkit package) is the right way for Redux users to write Redux code today:

https://redux.js.org/introduction/why-rtk-is-redux-today

Unfortunately, many tutorials are still showing legacy "hand-written" Redux patterns, which result in a much worse experience for users. New learners going through a bootcamp or an outdated Udemy course just follow the examples they're being shown, don't know that RTK is the better and recommended approach, and don't even think to look at our docs.

Given that, the goal is to provide them with a visual indicator in their editor, like createStore . When users hover over the createStore import or function call, the doc tooltip recommends using configureStore from RTK instead, and points them to that docs page. We hope that new learners will see the strikethrough, read the tooltip, read the docs page, learn about RTK, and begin using it.

To be extremely clear:

WE ARE NOT GOING TO ACTUALLY REMOVE THE createStore API, AND ALL YOUR EXISTING CODE WILL STILL CONTINUE TO WORK AS-IS!

We are just marking createStore as "deprecated":

"the discouragement of use of some feature or practice, typically because it has been superseded or is no longer considered efficient or safe, without completely removing it or prohibiting its use"

For additional details, see the extensive discussion in #4325 .

Rationale

• RTK provides a vastly improved Redux usage experience, with APIs that simplify standard usage patterns and eliminate common bugs like accidental mutations
• We've had suggestions to merge all of RTK into the redux core package, or fully deprecate the entire redux package and rename it to @reduxjs/core. Unfortunately, those bring up too many complexities:
  • We already had a package rename from redux-starter-kit to @reduxjs/toolkit, and all of our docs and tutorials have pointed to it for the last three years. I don't want to put users through another whiplash package transition for no real benefit
  • Merging or rearranging our packages would effectively require merging all of the Redux repos into a single monorepo. That would require hundreds of hours of effort from us maintainers, including needing to somehow merge all of our docs sites together. We don't have the time to do that.
• I don't want to add runtime warnings that would be really annoying

So, this is the minimum possible approach we can take to reach out to users who otherwise would never know that they are following outdated patterns, while avoiding breaking running user code or having to completely rewrite our package and repo structure.

Results

When a user imports createStore in their editor, they will see a visual strikethrough. Hovering over it will show a doc tooltip that encourages them to use configureStore from RTK, and points to an explanatory docs page:

Again, no broken code, and no runtime warnings.

If users do not want to see that strikethrough, they have three options:

• Follow our suggestion to switch over to Redux Toolkit and configureStore
• Do nothing. It's just a visual strikethrough, and it doesn't affect how your code behaves. Ignore it.
• Switch to using the legacy_createStore API that is now exported, which is the exact same function but with no @deprecation tag. The simplest option is to do an aliased import rename:

What's Changed

• Mark createStore as deprecated, and add legacy_createStore alias by @markerikson in #4336

Full Changelog: v4.1.2...v4.2.0

4.1.2

This release fixes a small specific TS types issue where state types that had a nested unknown field inside would cause compilation failures when used as the preloadedState argument.

What's Changed

• Fix preloaded state type by @phryneas in #4078

Full Changelog: v4.1.1...v4.1.2

4.1.1

Just a small fix for Safari users in development mode.

Changes

• Move miniKindOf out of if scope to fix ES5 compatibility issue (#4090 by @embeddedt)

4.1.0

This release shrinks our bundle size via error message extraction, updates several error messages for clarity, and optimizes our list of runtime dependencies.

Overall, version 4.1 shrinks from 2.6K min+gz to 1.6K min+gz thanks to these changes.

Be sure to check out the Redux Toolkit 1.6 alpha containing our new "RTK Query" data fetching APIs! It also includes Redux 4.1 as a dependency.

Changelog

Error Message Extraction and Improvements

We now extract all of our error messages from production builds in order to save on bundle size, using a technique inspired from React's error code extraction. The error messages will still show as normal in development, but in production they will reference a specific numeric error code and provide a link to a Redux docs page that has the full error message.

An example of this is: https://redux.js.org/errors?code=5 , which shows the "can't subscribe while reducers are executing" error.

The error code extraction saves about 800 bytes out of a production build.

Thanks to @andrewmcgivery for doing all the hard work on implementing the error extraction!

We've also updated many of our error messages to provide additional details at runtime about what happened, especially runtime type checks such as "actions must be plain objects". They now provide a more specific type for the unexpected value, such as indicating promise or function:

    expect(() => store.dispatch(() => {})).toThrow(
      /the actual type was: 'function'/
    )
<span class="pl-en">expect</span><span class="pl-kos">(</span><span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-c1">=&gt;</span> <span class="pl-s1">store</span><span class="pl-kos">.</span><span class="pl-en">dispatch</span><span class="pl-kos">(</span><span class="pl-k">new</span> <span class="pl-v">Date</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">)</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">toThrow</span><span class="pl-kos">(</span>
  <span class="pl-pds"><span class="pl-c1">/</span>the actual type was: 'date'<span class="pl-c1">/</span></span>
<span class="pl-kos">)</span></pre></div>

Dependency Updates
We've updated the list of runtime dependencies for Redux:

We inlined the symbol-observable polyfill. This shrinks bundle size by a few bytes,
We've removed the legacy loose-envify dependency, which was only ever needed by Browserify users. If you still happen to be using Browserify, please review your build settings and see if you need to make any updates.
We now explicitly depend on @babel/runtime to extract some additional helpers out of our bundle. It's likely that your app already is pulling in those helpers anyway, so that removes some potential duplication.

Typing Tweaks
We've merged fixes for a couple edge cases in the 4.x TS typings related to state types.
Changes

Remove symbol-observable and loose-envify deps (#4058 - @markerikson)
Port error extraction setup from master  (#4057 - @markerikson)
Port build dependencies from master into 4.x (#4056 - @markerikson)
Rewrite Redux core error messages (#4055 - @markerikson)
feat: mangle error codes to error indexes (#3920 - @andrewmcgivery)
fix: Declare "EmptyObject" interface to wrap $CombinedState (#4031 - @JacobLey)
Only apply mapped types to un-branded types (#3805 - @invliD)

v4.0.5...v4.1.0

4.0.5

This release includes a memory leak fix, and a fix for removing reducers with replaceReducer and combineReducers.

There are also some TypeScript changes, which require version 3.5 or higher. This also removes our DeepPartial type, which wasn't intended to be a public API. If you need this type, you can find an equivalent of likely higher quality in the utility-types package.

Speaking of TypeScript, we are done with converting the code to TypeScript on master and are looking to get some TS improvements in before launching 5.0. If you're interested in helping, feel free to submit a PR with anything you'd like to contribute.

Changes

• Clear current listeners on store unsubscribe (#3475 by @dmitrysteblyuk)
• Fix for combineReducers when replaceReducers removes a reducer (#3490 by @anubhavgupta)
• TypeScript: Add strict type inference overload for combineReducers (#3484 by @ChrisAckerman)
• TypeScript: Preloaded state is now selectively partial (instead of deeply partial) (#3485 by @ChrisAckerman)

4.0.4

This is a republish of 4.0.3 with an updated version of Babel to fix #3468

Changes

4.0.3

This is a quick revert of a change to our typings that broke compatibility. Apologies for the problems.

Also, if you are experiencing type errors related to [Symbol.observable], please ensure you have the same version of redux installed for all your dependencies with npm ls redux.

Changes

• Reverts the change to combineReducers' type parameters (#3467 by @timdorr)

4.0.2

This is a very minor release with some nice improvements to our TypeScript type definitions. Enjoy!

Changes

• Iterate in combineReducers using for in (#3371 by @pvorona)
• Fix DeepPartial type (#3369 by @OliverJAsh)
• Add types for Observable interface (#3067 by @pinyin)
• Make reducer optional in JSDocs (#3408 by @pingfengafei)
• Infer action types from combineReducers (#3411 by @appden)

4.0.1

A very minor release. We've upgraded to Babel 7 internally and now provide a .mjs file which you can import cleanly into browsers that support ES modules natively. Enjoy!

Changes

• Update mixed NODE_ENV message for Webpack 4 (4a215fb by @timdorr)
• Add unpkg field to package.json (#3003 by @andrewbridge)
• Use same return type for both StoreCreator signatures (#2985 by @reklawnos)
• Mark StoreCreator's preloadedState argument as optional (#3080 by @srittau)
• Add ES browser build (#3143 by @TimvdLippe)
• Throw an error if createStore is passed several enhancers (#3151 by @selbekk)
• Upgrade to Babel 7 (b9ee1cf by @timdorr)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ node-sass (indirect, 4.9.2 → 6.0.1) · Repo · Changelog

Security Advisories 🚨

🚨 Denial of Service in node-sass

Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service.

Recommendation

Upgrade to version 4.13.1 or later

Release Notes

6.0.1

Dependencies

• Remove mkdirp (@jimmywarting, #3108)
• Bump meow to 9.0.0 (@ykolbin, #3125)
• Bump mocha to 9.0.1 (@xzyfer, #3134)

Misc

• Use default Apline version from docker-node (@nschonni, #3121)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

6.0.0

Breaking changes

• Drop support for Node 10 (@nschonni)
• Remove deprecated process.sass API (@xzyfer, #2986)

Features

• Add support for Node 16

Community

• Fix typos in Troubleshooting guide (@independencyinjection, #3051)
• Improve dependabot configuration (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	12, 14, 15, 16
OSX	x64	12, 14, 15, 16
Linux*	x64	12, 14, 15, 16
Alpine Linux	x64	12, 14, 15, 16
FreeBSD	i386 amd64	12, 14, 15

*Linux support refers to major distributions like Ubuntu, and Debian

5.0.0

Breaking changes

• Only support LTS and current Node versions (@nschonni)
• Remove deprecated process.sass API (@xzyfer, #2986)

Features

• Add support for Node 15
• New node-gyp version that supports building with Python 3

Community

• More inclusive documentation (@rgeerts, #2944)
• Enabled dependabot (@nschonni)
• Improve release automation (@nschonni)

Fixes

• Bumped many dependencies (@nschonni)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	10, 12, 14, 15
OSX	x64	10, 12, 14, 15
Linux*	x64	10, 12, 14, 15
Alpine Linux	x64	10, 12, 14, 15
FreeBSD	i386 amd64	10, 12, 13

*Linux support refers to major distributions like Ubuntu, and Debian

4.14.1

Community

• Add GitHub Actions for Alpine CI (@nschonni, #2823)

Fixes

• Bump [email protected] (@xzyfer, #2912)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**^, 12**^, 13**^, 14**^
Alpine Linux	x64	6, 8, 10, 11, 12, 13, 14
FreeBSD	i386 amd64	10, 12, 13

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

4.14.0

Features

• Add Node 14 support (@nschonni, #2895)

Fixes

• Reporting wrong LibSass version (@saper, #2621)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**^, 12**^, 13**^, 14**^
Alpine Linux	x64	6, 8, 10, 11, 12, 13, 14
FreeBSD	i386 amd64	8, 10, 12, 13

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

4.13.1

Community

• Fix render example syntax (@ZoranPandovski , #2787)
• Fix sourceMap option inconsistencies (@saper , #2394)
• Fix possible crash in customer importer (@xzyfer, #2816)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**^, 12**^, 13**^
Alpine Linux	x64	6, 8, 10, 11, 12, 13
FreeBSD	i386 amd64	6, 8, 10, 12, 13

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

4.13.0

Features

• Node 13 support (@saper, #2766 #2767)

Community

• Fix broken link to NodeJS docs in README.md (@schwigri, #2753)
• Assorted typo fixes (@XhmikosR , #2726)
• Remove PR template (@nschonni)
• Remove sudo settings from .travis.yml (@abetomo, #2673)
• Add note in PR template about node-gyp 4.0 (@nschonni)
• Change note about Node 12 support (@nschonni)

Dependencies

• lodash@^4.17.15 (@kessenich, #2574)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**^, 12**^, 13**^
Alpine Linux	x64	6, 8, 10, 11, 12, 13
FreeBSD	i386 amd64	6, 8, 10, 12, 13

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

4.12.0

Features

• Node 12 support (@xzyfer, #2632)

Community

• Convert all documentation links to HTTPS (@asottile, #2608)
• Remove out dated documentation (@DerZyklop, #2590)
• Remove @adamyeats from maintainers list (@adamyeats, #2576)
• Update troubleshooting documentation (@nschonni, #2454)
• Clearly document Node version support in README (@nschonni, #2383)

Dependencies

• nan@^2.13.2 (@xzyfer, #2632)
• [email protected] (@cheesestringer, #2574)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**^, 12**^
Alpine Linux	x64	6, 8, 10, 11, 12

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

4.11.0

LibSass 3.5.5

This released updates LibSass to 3.5.5. This update brings

• Stability fixes
• Removes noisey deprecation warning for @import'ing .css files
• Support hex colors with alpha channels

Features

• Update LibSass to 3.5.5 (@xzyfer, #2543)

Fixes

• Revert change that introduced a noisey deprecation warning (@xzyfer, #2362)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**
Alpine Linux	x64	4, 6, 7, 8, 9, 10, 11

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

4.10.0

Features

• Add Node 11 support (@xzyfer, #2521)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^, 11**
Alpine Linux	x64	4, 6, 7, 8, 9, 10, 11
FreeBSD 10+	amd64	4, 6, 8, 9, 10
FreeBSD 10+	i386	4, 6, 8, 9, 10

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Not available on CentOS 5
^ Only available on x64

4.9.4

Dependencies

• Updated request@^2.88.0 (@Gwerlas, #2496)

Supported Environments

OS	Architecture	Node
Windows	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
OSX	x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
Linux*	x86 & x64	0.10, 0.12, 1, 2, 3, 4, 5, 6, 7, 8**, 9**, 10**^
Alpine Linux	x64	4, 6, 7, 8, 9, 10
FreeBSD 10+	amd64	4, 6, 8, 9, 10
FreeBSD 10+	i386	4, 6, 8, 9, 10

*Linux support refers to Ubuntu, Debian, and CentOS 5+
** Node 8 and 9 are not supported on CentOS 5
^ Only available on x64

4.9.3

Community

• Remove Travis Gitter hook (@nschonni, #2453)

Fixes

• Fix typo in documentation (@jorrit, #2462)
• Resolve npm audit warning by bumping node-gyp@^3.8.0 (@nschonni, #2355)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)