[Security] Bump react-dom from 16.4.1 to 16.8.6

[dependabot-preview]

Bumps react-dom from 16.4.1 to 16.8.6. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects react-dom
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected.

This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Affected versions: >= 16.4.0 < 16.4.2

Release notes

Sourced from react-dom's releases.

v16.8.6

16.8.6 (March 27, 2019)

React DOM

• Fix an incorrect bailout in useReducer(). (@​acdlite in #15124)
• Fix iframe warnings in Safari DevTools. (@​renanvalentin in #15099)
• Warn if contextType is set to Context.Consumer instead of Context. (@​aweary in #14831)
• Warn if contextType is set to invalid values. (@​gaearon in #15142)

Artifacts

• react: https://unpkg.com/react@16.8.6/umd/
• react-art: https://unpkg.com/react-art@16.8.6/umd/
• react-dom: https://unpkg.com/react-dom@16.8.6/umd/
• react-is: https://unpkg.com/react-is@16.8.6/umd/
• react-test-renderer: https://unpkg.com/react-test-renderer@16.8.6/umd/
• scheduler: https://unpkg.com/scheduler@0.13.6/umd/

v16.8.5

16.8.5 (March 22, 2019)

React DOM

• Don't set the first option as selected in select tag with size attribute. (@​kulek1 in #14242)
• Improve the useEffect(async () => ...) warning message. (@​gaearon in #15118)
• Improve the error message sometimes caused by duplicate React. (@​jaredpalmer in #15139)

React DOM Server

• Improve the useLayoutEffect warning message when server rendering. (@​gaearon in #15158)

React Shallow Renderer

• Fix setState in shallow renderer to work with Hooks. (@​gaearon in #15120)
• Fix shallow renderer to support React.memo. (@​aweary in #14816)
• Fix shallow renderer to support Hooks inside forwardRef. (@​eps1lon in #15100)

Artifacts

• react: https://unpkg.com/react@16.8.5/umd/
• react-art: https://unpkg.com/react-art@16.8.5/umd/
• react-dom: https://unpkg.com/react-dom@16.8.5/umd/
• react-is: https://unpkg.com/react-is@16.8.5/umd/
• react-test-renderer: https://unpkg.com/react-test-renderer@16.8.5/umd/
• scheduler: https://unpkg.com/scheduler@0.13.5/umd/

v16.8.4

16.8.4 (March 5, 2019)

React DOM and other renderers

... (truncated)

Changelog

Sourced from react-dom's changelog.

16.8.6 (March 27, 2019)

React DOM

• Fix an incorrect bailout in useReducer(). (@​acdlite in #15124)
• Fix iframe warnings in Safari DevTools. (@​renanvalentin in #15099)
• Warn if contextType is set to Context.Consumer instead of Context. (@​aweary in #14831)
• Warn if contextType is set to invalid values. (@​gaearon in #15142)

16.8.5 (March 22, 2019)

React DOM

• Don't set the first option as selected in select tag with size attribute. (@​kulek1 in #14242)
• Improve the useEffect(async () => ...) warning message. (@​gaearon in #15118)
• Improve the error message sometimes caused by duplicate React. (@​jaredpalmer in #15139)

React DOM Server

• Improve the useLayoutEffect warning message when server rendering. (@​gaearon in #15158)

React Shallow Renderer

• Fix setState in shallow renderer to work with Hooks. (@​gaearon in #15120)
• Fix shallow renderer to support React.memo. (@​aweary in #14816)
• Fix shallow renderer to support Hooks inside forwardRef. (@​eps1lon in #15100)

16.8.4 (March 5, 2019)

React DOM and other renderers

• Fix a bug where DevTools caused a runtime error when inspecting a component that used a useContext hook. (@​bvaughn in #14940)

16.8.3 (February 21, 2019)

React DOM

• Fix a bug that caused inputs to behave incorrectly in UMD builds. (@​gaearon in #14914)
• Fix a bug that caused render phase updates to be discarded. (@​gaearon in #14852)

React DOM Server

• Unwind the context stack when a stream is destroyed without completing, to prevent incorrect values during a subsequent render. (@​overlookmotel in #14706)

ESLint Plugin for React Hooks

• Add a new recommended exhaustive-deps rule. (@​gaearon in #14636)

16.8.2 (February 14, 2019)

React DOM

... (truncated)

Commits

• 487f4bf Update versions for 16.8.6
• f00be84 fix(react-dom): access iframe contentWindow instead of contentDocument (#15099)
• e0c2c56 Improve warning for invalid class contextType (#15142)
• aa8736a Warn for Context.Consumer with contextType (#14831)
• 84cc8a3 Release 16.8.5
• fb572af Add more info to invalid hook call error message (#15139)
• b5cb9d3 Link to useLayoutEffect gist in a warning (#15158)
• d822d4b Don't set the first option as selected in select tag with size attribute (...
• d8a73b5 16.8.4 and changelog
• 55cf14f Release 16.8.3
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.