
[Snyk] Security upgrade react-router-dom from 5.0.0 to 6.0.0 #66

Open. Wants to merge 1 commit into base: master.
Conversation

Omrisnyk (Owner)

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • admin-frontend/package.json
  • admin-frontend/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue: medium severity Regular Expression Denial of Service (ReDoS), SNYK-JS-PATHTOREGEXP-7925106
Score: 67
Release notes
Package name: react-router-dom
  • 6.0.0 - 2021-11-03

    React Router v6 is here!

    Please go read our blog post for more information on all the great stuff in v6 including notes about how to upgrade from React Router v5 and Reach Router.

  • 6.0.0-beta.8 - 2021-10-22

    Remember last week when we said

    We anticipate this will be the last beta release before v6 stable next week.

    Yeah, about that … 😅

    We found and squashed a few high-priority bugs that needed to be addressed first. But it's coming very soon, we promise! In the meantime, here's what you'll get from our eight-est and greatest beta release:

    🐛 Bug Fixes

    • We fixed a few bugs in useHref that resulted in the incorrect resolved value in cases where a basename is used on the <Router /> component (See #8133 and #8142 for details).
    • We also fixed a bug in our path ranking algorithm so that splat routes (routes with a * path value) are now correctly ranked ahead of layout routes.

    🗒️ Docs

    We've added lots of goodies to our docs and examples, and there's a lot more yet to come. Take a look and see if you find something that makes your work a little easier! We think the lazy loading and custom query parsing examples are particularly cool! 🤓

  • 6.0.0-beta.7 - 2021-10-15

    In this release we made a small but significant change to how <Link to=".."> works. This is going to help out a lot if you were trying to use links in a * route.

    We have also backed out our blocking/prompt APIs for the stable v6 release. We will revisit this post 6.0 when we have a little more time to get it right.

    ✨ Features

    The major change in this release could also be classified as a bugfix or a breaking change, depending on how you look at it. We essentially altered the way <Link to=".."> works. See #8086 for the motivation behind this change.

    You'll probably want to reread the section in the v5 => v6 migration guide about <Link to> values (it has been updated), but it basically boils down to this: any leading .. segment in a <Link to> value traverses "up" one route and builds upon that route's path instead of just removing one URL segment. This feature really completes the story of relative routes and links.

    We could consider this a bugfix, since this is how it was always intended to work in the first place. Without it, you'd have a difficult time linking predictably in * routes because your <a href> would be different depending on the number of segments in the current URL.

    The reason this could also be considered a breaking change is that .. now works slightly differently in <Link to> than it would in <a href>. When you have <a href=".."> it operates on the URL pathname, removing one segment of the current URL. However, since many routes really only match a single segment of the URL, there is often no difference between <Link to=".."> and <a href="..">.

    💔 Breaking Changes

    • We removed useBlocker(), usePrompt(), and <Prompt> for now. We will revisit these post 6.0 when we have more time to get it right. But we don't want it to block (see what I did there) the release of all the other awesome stuff we've got in v6.

    🛠 Roadmap

    We anticipate this will be the last beta release before v6 stable next week. Please give it a shot and let us know how it goes!

    👍 Upgrading

    If you're thinking about upgrading to v6, I published a few notes this past week that may help you:

    Both of those posts contain steps you can take today in your v5 app without upgrading to v6.

    We are also developing a backwards compat lib that should help some of you upgrade from v5 to v6. We'll post more about this when it's ready.

    💻 Installing

    Development for v6 has switched from dev to the main branch.

    If you'd like to test it out, install from npm:

    $ npm install history react-router-dom@next
  • 6.0.0-beta.6 - 2021-10-07

    No big enhancements in this release, just squashing bugs and writing lots of tests! Also, we are hard at work on cranking out examples for v6. See the end of this post for an update on our roadmap between here and v6 stable.

    🧰 Examples

    We have begun creating some examples for v6 that we hope will help developers make effective use of all the new features we have. So far, we have examples for the following:

    • Basic Example – A basic client-side app for v6 showing how to use nested routes, layouts, links, and the new <Outlet> API
    • Auth Example – Demonstrates an authentication flow including using the new useNavigate() hook, the <Navigate> element, and location.state
    • Search Params Example – Demonstrates how to build a simple search form that uses the new useSearchParams() hook
    • SSR Example – A server-rendered app that uses <StaticRouter> on the server and uses a <BrowserRouter> with ReactDOM.hydrate() on the client

    Each example includes a button in the README that allows you to instantly launch a running instance on StackBlitz that you can play with. We hope you enjoy exploring!

    🐛 Bugfixes

    • Make <NavLink> match only whole URL segments instead of pieces. This means that <NavLink to="/home/users"> will still be active at /home/users, but not at /home/users2. See #7523
    • Makes "layout routes" (routes with no path) never match unless one of their children do. See #8085
    • Fixes a route matching regression with splat routes that was introduced in beta.5. See #8072 and #8109
    • Fixes matching a nested splat route. See af7d038
    • Provide all parent route params to descendant <Routes>. This reverses a decision that we made in beta.5 to remove them. See #8073

    💔 Breaking Changes

    • Splats in route paths (*) match only after a / in the URL. This means that <Route path="files*"> will always match as if it were <Route path="files/*">. The router will issue a warning if your route path ends with * but not /*

    🛠 Roadmap

    We are very close to a stable release! The last big code changes we need to make are:

    • Fixing "linking up". Currently a <Link to=".."> operates on the URL pathname. However, this makes it difficult to link to the parent route when you're in a splat route. See #8086. This will be a breaking change.
    • We are going to remove useBlocker() and <Prompt> in our initial v6 release, with plans to revisit them and possibly add them back at some point in the future. I still need to write up something here that explains our rationale. This will also be a breaking change.
    • We are going to add some animation primitives (see #8008). The <Routes location> prop will be in v6, but it isn't ideal for animation.

    💻 Installing

    Development for v6 is chugging along on the dev branch.

    If you'd like to test it out, install from npm:

    $ npm install history react-router-dom@next
  • 6.0.0-beta.5 - 2021-09-25

    This week's release adds some much-needed polish to a few niche features of the router: splat routes (a route that uses a * path) and basenames. It also adds a renderMatches API that completes the story for those of you who may have been using react-router-config in v4 and v5.

    🐛 Bugfixes

    • A * in a child route path matches after a slash following its parent route path. This fixes some situations where the * was overly greedy (see #7972)
    • Resolution of <Link to="."> and useResolvedPath(".") values are fixed in splat routes. Previously these resolved relative to the parent route's path. They now resolve relative to the path of the route that rendered them.

    ✨ Enhancements

    This release makes it easier to work with apps that have multiple entry points. Using the <Router basename> prop allows React Router to be easily deployed on only a portion of a larger site by using a portion of the URL pathname (the "basename") to transparently prefix all route paths and link navigations.

    For example, you can deploy one React Router app at the /inbox URL prefix, and another one at the /admin prefix. These base URLs represent two different entry points into your app, each with its own bundles. The rest of your site, including the root / URL could be rendered by something other than React Router, for example by your server framework of choice.

    In the bundle for each entry point, simply initialize React Router with the basename of that entry point.

    <Router basename="/inbox">
      // ...
    </Router>

    Then define your routes and link paths without using the /inbox URL prefix in any of them. The entire app will run relative to that prefix.

    Another improvement in this release is the addition of the renderMatches API, which is the complement of matchRoutes. These APIs are both very low-level and should not normally be needed. But they are sometimes nice to use if you are doing your own data loading using the array of matches that you get back from matchRoutes.

    matchRoutes and renderMatches are the equivalent of the react-router-config package we shipped in v4 and v5, just built directly into the router instead of in a separate package.

    💔 Breaking Changes

    • <Routes basename> has moved to <Router basename>. This prop is also available on all router variants (<BrowserRouter>, <HashRouter>, etc.).
    • useLocation().pathname no longer includes the basename, if present.
    • The basename argument was removed from useRoutes. This reverts the signature to useRoutes(routes, location), same as it was previous to beta.4.
    • Descendant <Routes> do not get the params from their parents. This helps a set of <Routes> to be more portable by decoupling it from the params of its parents and makes it easier to know which params will be returned from useParams(). If you were relying on this behavior previously, you'll need to pass along the params manually to the elements rendered by the descendant <Routes>. See this comment for an example of how this is to be done and for a potential workaround if you really need the old behavior.
    • match.pathname in a splat route now includes the portion of the pathname matched by the *. This makes the * param behave much more like other dynamic :id-style params.
    • Resolution of relative <Link>s in splat routes is changed now because the entire pathname that was matched by that route is now different (see previous bullet). Instead of resolving relative to the portion of the pathname before the *, paths resolve relative to the full pathname that was matched by the route.

    💻 Installing

    Development for v6 is chugging along on the dev branch.

    If you'd like to test it out, install from npm:

    $ npm install history react-router-dom@next
  • 6.0.0-beta.4 - 2021-09-11

    Last week we released a lot of nice little bug features, but we did get a little carried away and let a little bug slip through with relative path resolution. Our bad! That nasty lil' guy is squashed in this week's beta. 🐛

    And there's more! Let's dive in…

    🐛 Bugfixes

    • Path resolution for nested relative routes was broken in the last release and should now be fixed. Nested routes construct their pathname based on the location of their parent, not the current location. This is explained in detail under Relative Routes and Links in our advanced guides, and the issue itself in #8004

    ✨ Enhancements

    • We made some enhancements with the Params type which is now generic, so you can add your own types if you know what to expect from functions that return query parameters. (#8019)
    // before
    let { valid, invalid } = useParams(); // No problems here!

    let match = useMatch("profile/:userId");
    let userId = match?.params.user; // wrong param, but TS doesn't know that!

    // after:
    let { valid, invalid } = useParams<"valid" | "key">(); // Property 'invalid' does not exist on type 'Params<"valid" | "key">'

    let match = useMatch<"userId">("profile/:userId");
    let userId = match?.params.user; // Property 'user' does not exist on type 'Params<"userId">'

    • Absolute nested path support

    There was quite a bit of discussion in #7335 from people who are using constants to define their route paths. In this style, paths are often written as absolute paths from the root / URL. These constants are then able to be used both in <Route path> definitions as well as <Link to> values. It usually looks something like this:

    const USERS_PATH = "/users";
    const USERS_INDEX_PATH = `${USERS_PATH}/`;
    const USER_PROFILE_PATH = `${USERS_PATH}/:id`;

    function UsersRoutes() {
      return (
        <Routes>
          <Route path={USERS_PATH} element={<UsersLayout />}>
            <Route path={USERS_INDEX_PATH} element={<UsersIndex />} />
            <Route path={USER_PROFILE_PATH} element={<UserProfile />} />
          </Route>
        </Routes>
      );
    }

    This style of use is now fully supported in v6. This is great for people who write their apps like this, but it technically could cause some breakage if you were using absolute paths (that start with /) in nested routes in previous betas. To fix this, simply remove the / from the beginning of any route paths that are meant to be relative. React Router will throw an error if you are using absolute paths that don't match their parent route paths. Hopefully this should help you find them if you are upgrading.

    If you were using <Route path="/"> to indicate an index route, you can now use the new <Route index> prop to accomplish the same thing. The index prop makes it easy to scan a route config to find the index route. It also provides a guarantee that nobody will ever add children to that route.

    Here's the same route config as the one above, but rewritten with relative paths and the index prop:

    function UsersRoutes() {
      return (
        <Routes>
          <Route path="users" element={<UsersLayout />}>
            <Route index element={<UsersIndex />} />
            <Route path=":id" element={<UserProfile />} />
          </Route>
        </Routes>
      );
    }

    A lot of our work on React Router is about doing the least surprising thing for our users. Allowing absolute paths in nested routes gets us a little closer to that goal!

    💔 Breaking Changes

    • Removed the ability for nested route paths to begin with a / and not contain the complete path of their parent routes. This was necessary in order to introduce support for absolute paths in nested routes, described in detail above

    • Removed the createRoutesFromArray utility function. You can now pass your routes directly to useRoutes or matchRoutes without passing it through createRoutesFromArray first

    • Removed the PartialRouteObject type. If you were importing and using this type before, use RouteObject instead, which has been updated to make all properties optional

    • The useRoutes API has changed slightly. Instead of passing a basename as the second argument, you should instead pass it as a named property in an object:

    // Before
    useRoutes([...routes], basename);

    // After
    useRoutes([...routes], { basename });

    • The matchPath function now returns match.pattern instead of match.path, which is a little more descriptive about what it actually is

    💻 Installing

    Development for v6 is chugging along on the dev branch.

    If you'd like to test it out, install from npm:

    $ npm install history react-router-dom@next
  • 6.0.0-beta.3 - 2021-09-03

    Loads of goodies for you this week, as well as a few breaking changes for all of you eager beavers who are brave enough to use beta software in production! 🦫

    (seriously, thank you all for helping us tighten up our APIs and fix nasty bugs)

    💔 Breaking Changes!

    • NavLink no longer supports the activeClassName or activeStyle props. Instead, we provide a more powerful API that allows you to pass functions to either the className or style props to conditionally apply values based on the link's active state. While a bit more verbose in some cases, this offers a nicer experience for folks who use utility class-based CSS. (#7194)
    // Before
    <NavLink className="link" activeClassName="active-link" />
    <NavLink style={{ color: "blue" }} activeStyle={{ color: "green" }} />

    // After
    <NavLink
      className={({ isActive }) =>
        `link ${
          isActive
            ? "active-link"
            : // Couldn't do this before!
              "inactive-link"
        }`
      }
    />
    <NavLink style={({ isActive }) => ({ color: isActive ? "green" : "blue" })} />

    Note: You can always abstract over this feature in a custom NavLink if you prefer the old v5 API.

    • The useRoutes API has changed slightly. Instead of passing a basename as the second argument, you should instead pass it as a named property in an object:
    // Before
    useRoutes([...routes], basename);

    // After
    useRoutes([...routes], { basename });

    🐛 Bugfixes

    • The basename prop on Routes is treated as case-insensitive (#7997)
    • useNavigate previously used the incorrect pathname when called from parent routes when the URL matches one of its children. This fix also applies to useSearchParams (#7880)

    ✨ Enhancements

    • Routes and useRoutes now allow you to override the location, which may be useful when building some modal interfaces and route transition animations. We are working hard to update our docs to include examples for advanced patterns where this might be useful, but in the meantime this also brings Routes closer to feature parity with v5's Switch via the location prop. (#7117)
    • Provided new hooks useClickHandler and usePressHandler to make customizing Links a bit easier. (#7998)
      • Please note: with great power comes great responsibility. If you create a custom Link, be sure to render an actual HTML anchor element, otherwise your app will likely be inaccessible without a significant amount of additional work which, I assure you, you don't want to do!

    💻 Installing

    Development for v6 is chugging along on the dev branch.

    If you'd like to test it out, install from npm:

    $ npm install history react-router-dom@next

    🙏 Credits

    Thanks to @andrelandgraf, @dhulme, @fgatti675, @hugmanrique, @MeiKatz, @chaance and @mjackson for your contributions!

  • 6.0.0-beta.2 - 2021-08-20

    🐛 Bugfixes

    ✨ Enhancements

    💻 Installing

    Development for v6 is chugging along on the dev branch.

    If you'd like to test it out, install from npm:

    $ npm install history react-router-dom@next

    🙏 Credits

    Thanks to @liho98, @wojtekmaj, @cravend, @chaance and @mjackson for your contributions!

    Enjoy!

  • 6.0.0-beta.1 - 2021-08-13
  • 6.0.0-beta.0 - 2020-06-19
  • 6.0.0-alpha.5 - 2020-05-15
  • 6.0.0-alpha.4 - 2020-05-05
  • 6.0.0-alpha.3 - 2020-04-04
  • 6.0.0-alpha.2 - 2020-02-22
  • 6.0.0-alpha.1 - 2020-02-01
  • 6.0.0-alpha.0 - 2020-01-31
  • 5.3.4 - 2022-10-02
  • 5.3.3 - 2022-05-18
  • 5.3.2 - 2022-05-17
  • 5.3.1 - 2022-04-17
  • 5.3.0 - 2021-09-03

    This release of react-router-dom adds support for passing a function to either the className or style props to conditionally apply values based on the link's active state.

    This provides similar functionality as the existing activeClassName and activeStyle props, but is a bit more powerful. For example, you can now easily apply styles exclusively to an inactive NavLink as well. This offers a nicer experience for folks who use utility class-based CSS tools such as Tailwind.

    function Comp() {
      return (
        <NavLink
          to="/"
          className={isActive =>
            `px-3 py-2 ${isActive ? 'text-gray-200' : 'text-gray-800'}`
          }
        >
          Home
        </NavLink>
      );
    }

    Note that as of v6.0.0-beta.3, the activeClassName and activeStyle props are removed completely. Adding support for functional className and style props to both v5 and v6 will give v5 users an easier upgrade path.

    Thanks to @tim-phillips for raising the issue that inspired the change! 🥳

  • 5.2.1 - 2021-08-27

    This release fixes a bug with <Link> so that, when the to location is the same as the current, the history state entry is replaced instead of pushed to the stack. See #5362 for details. 🥳

    Thanks to @guidobouman for the PR and for everyone else who weighed in for the fix!

  • 5.2.0 - 2020-05-11
  • 5.1.2 - 2019-09-30
  • 5.1.1 - 2019-09-27
  • 5.1.0 - 2019-09-24
  • 5.0.1 - 2019-06-04
  • 5.0.0 - 2019-03-18
from react-router-dom GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
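As an added illustration (not react-router's code and not part of this PR) of the whole-segment matching rule the beta.6 and beta.3 notes above describe: a NavLink to /home/users is active at /home/users but not at /home/users2, and a basename is compared case-insensitively. The function names are assumptions, as is treating deeper paths such as /home/users/42 as active.

```javascript
// Illustration of segment-boundary matching for route paths. This is
// added example code, not react-router's implementation.

// Split a pathname into its non-empty segments: "/home/users/" -> ["home", "users"].
function segments(pathname) {
  return pathname.split("/").filter(Boolean);
}

// Naive approach, shown for contrast: a plain string prefix test. It wrongly
// treats "/home/users2" as being inside "/home/users".
function isActivePrefix(to, pathname) {
  return pathname.startsWith(to);
}

// Whole-segment matching: every segment of `to` must equal the corresponding
// segment of the current pathname. Deeper paths ("/home/users/42") are still
// considered active (assumption, consistent with the notes' "whole URL segments").
function isActiveSegments(to, pathname) {
  const want = segments(to);
  const have = segments(pathname);
  if (want.length > have.length) return false;
  return want.every((seg, i) => seg === have[i]);
}

// Remove a basename from a pathname, comparing segments case-insensitively
// (the beta.3 notes say basename is case-insensitive). Returns null when the
// pathname is not under the basename, so "/inboxes/1" is not under "/inbox".
function stripBasename(pathname, basename) {
  const base = segments(basename);
  const path = segments(pathname);
  if (base.length > path.length) return null;
  for (let i = 0; i < base.length; i++) {
    if (base[i].toLowerCase() !== path[i].toLowerCase()) return null;
  }
  return "/" + path.slice(base.length).join("/");
}

// Side-by-side comparison on constructed sample paths.
function compare() {
  const cases = ["/home/users", "/home/users2", "/home/users/42", "/home"];
  return cases.map((p) => ({
    pathname: p,
    prefixMatch: isActivePrefix("/home/users", p),
    segmentMatch: isActiveSegments("/home/users", p),
  }));
}

console.table(compare());
```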

…o reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-PATHTOREGEXP-7925106
@Omrisnyk (Owner, Author)

🎉 Snyk hasn't found any issues so far.

code/snyk check is completed. No issues were found. (View Details)
