This repository has been archived by the owner on Nov 17, 2023. It is now read-only.

fix(deps): update dependency immer to v8 [security] - autoclosed #3711

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jan 31, 2021

WhiteSource Renovate

This PR contains the following updates:

Package | Change
immer   | 6.0.9 -> 8.0.1

GitHub Vulnerability Alerts

CVE-2020-28477

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

// Proof of exploit as given in the advisory: with patches enabled, a patch whose
// path walks through "__proto__" is written onto Object.prototype, so an unrelated
// object (obj) suddenly carries the "polluted" property.
const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// The 'replace' op takes the same code path and has the same effect:
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability; updating is recommended.
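The root cause is that patch path segments were used as plain property keys without checking whether they reach the prototype chain. The following is an added example, not immer's own code: a minimal copy-on-write applier for immer-style patches ({op, path, value}) that rejects `__proto__`, `constructor` and `prototype` segments and only descends into own properties, plus a constructed check mirroring the advisory's proof of exploit. Function names and the sample inputs are assumptions for illustration.

```javascript
// Added example (not immer's code): apply immer-style patches without letting a
// path segment reach Object.prototype, the gap behind CVE-2020-28477.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True only when no string segment of the path names a prototype-reaching key.
function isSafePath(path) {
  return path.every((key) => !(typeof key === "string" && FORBIDDEN_KEYS.has(key)));
}

// Shallow copy of a plain object or array; descending into anything else is an error.
function shallowClone(value) {
  if (Array.isArray(value)) return value.slice();
  if (value !== null && typeof value === "object") return { ...value };
  throw new TypeError("patch path descends into a non-container value");
}

// Copy-on-write application of patches; the base object is never mutated.
function applySafePatches(base, patches) {
  const result = shallowClone(base);
  for (const { op, path, value } of patches) {
    if (!Array.isArray(path) || path.length === 0) throw new TypeError("path must be a non-empty array");
    if (!isSafePath(path)) throw new TypeError(`refusing prototype-polluting patch path: ${path.join("/")}`);
    let parent = result;
    for (const key of path.slice(0, -1)) {
      // Descend only into OWN properties; inherited ones (toString, hasOwnProperty, ...)
      // are shadowed by a fresh object rather than reached and modified.
      const own = Object.prototype.hasOwnProperty.call(parent, key);
      const next = own ? shallowClone(parent[key]) : {};
      parent[key] = next;
      parent = next;
    }
    const last = path[path.length - 1];
    if (op === "add" && Array.isArray(parent)) parent.splice(last, 0, value);
    else if (op === "add" || op === "replace") parent[last] = value;
    else if (op === "remove" && Array.isArray(parent)) parent.splice(last, 1);
    else if (op === "remove") delete parent[last];
    else throw new TypeError(`unsupported patch op: ${op}`);
  }
  return result;
}

// Constructed check mirroring the advisory's proof of exploit: the malicious patch
// must be rejected and Object.prototype must stay clean. Returns true when both hold.
function exploitIsBlocked() {
  const evil = [{ op: "add", path: ["__proto__", "polluted"], value: "yes" }];
  let rejected = false;
  try { applySafePatches({}, evil); } catch (e) { rejected = e instanceof TypeError; }
  return rejected && ({}).polluted === undefined;
}
```

The own-property check matters as much as the key blocklist: without it a path such as `["toString", "x"]` would walk into the inherited `Object.prototype.toString` function and attach data to a shared builtin.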


Release Notes

immerjs/immer

v8.0.1

Compare Source

Bug Fixes

v8.0.0

Compare Source

feature
BREAKING CHANGES

v7.0.15

Compare Source

Bug Fixes

v7.0.14

Compare Source

Bug Fixes

v7.0.13

Compare Source

Bug Fixes
  • reconcile if the original value is assigned after creating a draft. Fixes #659 (c0e6749)

v7.0.12

Compare Source

Bug Fixes
  • undraftable values should not be cloned for patches, fixes #676 (1b70ad5)

v7.0.11

Compare Source

Bug Fixes

v7.0.10

Compare Source

Bug Fixes

v7.0.9

Compare Source

Bug Fixes

v7.0.8

Compare Source

Bug Fixes
  • Use a named type for Draft object for smaller type declaration files (a1a0da0)
  • use Array.prototype.slice() for copying arrays. Fixes #650 (bf90358)
  • use Array.prototype.slice() for copying arrays. Fixes #650 (bb40c36)

v7.0.7

Compare Source

Bug Fixes
  • made NOTHING and IMMERABLE shared symbols. Fixes #632 (b1c6a8e)
  • make sure changing an undefined value to undefined is not picked up as change. Fixes #646 (5521527)
  • out of range assignments were broken in ES5 mode. Fixes #638 (0fe9132)
  • Set finalization can get stuck in a loop, fixes #628 (b12e5c9)
  • Trigger setters with the correct context, fixes #604 (2697430)

v7.0.6

Compare Source

Bug Fixes
  • flow: added types for produceWithPatches (b355838)

v7.0.5

Compare Source

Bug Fixes

v7.0.4

Compare Source

Bug Fixes
  • Flow: Add tests for Map and Set and fix base type (9022672)
  • new map keys were not added if value is undefined (4a1bd65)

v7.0.3

Compare Source

Bug Fixes
  • getOwnPropertyDescriptors is not available in Internet Explorer and Hermes. Fixes #626 (c7a47e2)

v7.0.2

Compare Source

Bug Fixes
  • Fixed #620: Symbolic properties were not drafted or finalized correctly (91915cf)

v7.0.1

Compare Source

Bug Fixes
  • Add missing type current for pre-TS 3.7 types (7d6b57b)

v7.0.0

Compare Source

  • Introduced current, which takes a snapshot of the current state of a draft and finalizes it (but without freezing). Current is a great utility to print the current state during debugging (no Proxies in the way), and the output of current can also be safely leaked outside the producer. Implements #441, #591

  • [BREAKING CHANGE] getters and setters are now handled consistently: own getters and setters will always be copied into fields (like Object.assign does), inherited getters and setters will be left as-is. This should allow using Immer directly on objects that trap their fields, like done in Vue or MobX. Fixes #584, #439, #593, #558

  • [BREAKING CHANGE] produce no longer accepts non-draftable objects as first argument

  • [BREAKING CHANGE] original can only be called on drafts and will throw otherwise (fixes #605)

  • [BREAKING CHANGE] non-enumerable and symbolic fields will never be frozen

  • [BREAKING CHANGE] the patches for arrays are now computed differently to fix some scenarios in which they were incorrect. In some cases they will be more optimal now, in other cases less. Especially splicing / unshifting items into an existing array might result in a lot of patches. Fixes #468

  • Improved documentation in several areas, there is now a page for typical update patterns and a separate page on how to work with classes. And additional performance tips have been included. Fixes #457, #115, #462

  • Fixed #462: All branches of the produced state should be frozen

  • Fixed #588: Inconsistent behavior with nested produce

  • Fixed #577: Immer might not work with polyfilled symbols

  • Fixed #514, #609: Explicitly calling useProxies(false) shouldn’t check for the presence of Proxy.


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 31, 2021
@renovate renovate bot changed the title fix(deps): update dependency immer to v8 [security] fix(deps): update dependency immer to v8 [security] - autoclosed Jul 10, 2021
@renovate renovate bot closed this Jul 10, 2021
@renovate renovate bot deleted the renovate/npm-immer-vulnerability branch July 10, 2021 08:12