New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency immer to v9 [SECURITY] - abandoned #302

Open

renovate wants to merge 1 commit into master from renovate/npm-immer-vulnerability

renovate bot commented Jan 30, 2021 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
immer	`1.8.0` -> `9.0.6`

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2020-28477

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

CVE-2021-23436

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

CVE-2021-3757

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Release Notes

immerjs/immer

`v9.0.6`

Bug Fixes

security: Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype (fa671e5)

`v9.0.5`

Bug Fixes

release missing dist/ folder (bfb8dec)

`v9.0.4`

Bug Fixes

#791 return 'nothing' should produce undefined patch (5412c9f)
#807 new undefined properties should end up in result object (dc3f66c)
Better applyPatches type (#810) (09ac097), closes #809

`v9.0.3`

Bug Fixes

isPlainObject: add quick comparison between input and Object to short-circuit taxing Function.toString invocations (#805) (07575f3)

`v9.0.2`

Bug Fixes

#785 fix type inference for produce incorrectly inferring promise (#786) (6555173)

`v9.0.1`

Bug Fixes

#768 immerable field being lost during patch value cloning (#771) (e0b7c01)

`v9.0.0`

feature

Improved typescript types (2c2f30e), closes #720

BREAKING CHANGES

It is no longer allowed to return nothing from a recipe if the target state doesn't accept undefined.
It is no longer allowed to return arbitrary things from a recipe. Recipes should either return nothing, or something that is assignable to the original state type. This will catch mistakes with accidental returns earlier.

`v8.0.4`

Bug Fixes

make sure isPlainObject checks support objects send accross frames. Fixes #766 / #405 (5ae3547)

`v8.0.3`

Bug Fixes

new Immer().produce now has the same type as produce. Fixes #749 (f8b77d1)

`v8.0.2`

Bug Fixes

Add a type-checking fast path for primitive types (#755) (d395efe)
Ignore equal reference assignments. Fixes #648 (3b4286d)

`v8.0.1`

Bug Fixes

Fixed security issue #738: prototype pollution possible when applying patches CVE-2020-28477 (da2bd4f)

`v8.0.0`

feature

Always freeze by default (#702) (a406c8f)

BREAKING CHANGES

always freeze by default, even in production mode. Use setAutoFreeze(process.env.NODE_ENV !== 'production') for the old behavior. See https://github.com/immerjs/immer/issues/687#issuecomment-728881754 for the rationale. Fixes #649, #681, #687

`v7.0.15`

Bug Fixes

make plugin loading idempotent, fixes #692 (754331b)

`v7.0.14`

Bug Fixes

build issue. Fixes #685 (?) (9007be0)

`v7.0.13`

Bug Fixes

reconcile if the original value is assigned after creating a draft. Fixes #659 (c0e6749)

`v7.0.12`

Bug Fixes

undraftable values should not be cloned for patches, fixes #676 (1b70ad5)

`v7.0.11`

Bug Fixes

skip ReadonlyMap and ReadonlySet types when not available (#653). Fixes #624 (12f4cf8)

`v7.0.10`

Bug Fixes

Clearing empty Set&Map should be noop (#682). Fixes #680 (33a305b)

`v7.0.9`

Bug Fixes

clear map creates invalid patches, fixes #663 (bacc1e0)

`v7.0.8`

Bug Fixes

Use a named type for Draft object for smaller type declaration files (a1a0da0)
use Array.prototype.slice() for copying arrays. Fixes #650 (bf90358)
use Array.prototype.slice() for copying arrays. Fixes #650 (bb40c36)

`v7.0.7`

Bug Fixes

made NOTHING and IMMERABLE shared symbols. Fixes #632 (b1c6a8e)
make sure changing an undefined value to undefined is not picked up as change. Fixes #646 (5521527)
out of range assignments were broken in ES5 mode. Fixes #638 (0fe9132)
Set finalization can get stuck in a loop, fixes #628 (b12e5c9)
Trigger setters with the correct context, fixes #604 (2697430)

`v7.0.6`

Bug Fixes

flow: added types for produceWithPatches (b355838)

`v7.0.5`

Bug Fixes

Fixed regression in Object.frozen for IE11. Fixes #600 (6371d05)

`v7.0.4`

Bug Fixes

Flow: Add tests for Map and Set and fix base type (9022672)
new map keys were not added if value is undefined (4a1bd65)

`v7.0.3`

Bug Fixes

getOwnPropertyDescriptors is not available in Internet Explorer and Hermes. Fixes #626 (c7a47e2)

`v7.0.2`

Bug Fixes

Fixed #620: Symbolic properties were not drafted or finalized correctly (91915cf)

`v7.0.1`

Bug Fixes

Add missing type current for pre-TS 3.7 types (7d6b57b)

`v7.0.0`

Introduced current, which takes a snapshot of the current state of a draft and finalizes it (but without freezing). Current is a great utility to print the current state during debugging (no Proxies in the way), and the output of current can also be safely leaked outside the producer. Implements #441, #591
[BREAKING CHANGE] getters and setters are now handled consistently: own getters and setters will always by copied into fields (like Object.assign does), inherited getters and setters will be left as-is. This should allow using Immer directly on objects that trap their fields, like done in Vue or MobX. Fixes #584, #439, #593, #558
[BREAKING CHANGE] produce no longer accepts non-draftable objects as first argument
[BREAKING CHANGE] original can only be called on drafts and will throw otherwise (fixes #605)
[BREAKING CHANGE] non-enumerable and symbolic fields will never be frozen
[BREAKING CHANGE] the patches for arrays are now computed differently to fix some scenarios in which they were incorrect. In some cases they will be more optimal now, in other cases less. Especially splicing / unshifting items into an existing array might result in a lot of patches. Fixes #468
Improved documentation in several areas, there is now a page for typical update patterns and a separate page on how to work with classes. And additional performance tips have been included. Fixes #457, #115, #462
Fixed #462: All branches of the produced state should be frozen
Fixed #588: Inconsistent behavior with nested produce
Fixed #577: Immer might not work with polyfilled symbols
Fixed #514, #609: Explicitly calling useProxies(false) shouldn’t check for the presence of Proxy.

`v6.0.9`

Bug Fixes

typo in feature.md (sovled > solved) (3445168)

`v6.0.8`

Bug Fixes

Make sure Immer works correctly when Symbol is polyfilled, fixes #577 (2b40aec)

`v6.0.7`

Bug Fixes

fixed issue where new items in Set where not recorded after iterating. Fixes #586 (169db77)

`v6.0.6`

Bug Fixes

Object.isFrozen dies on non objects in Internet Explorer. Fixes #600 (974bd70)

`v6.0.5`

Bug Fixes

Don't recurse into non-enumerable members when freezing tree. Fixes #590 (497d1a0)
Don't recurse into non-enumerable members when freezing tree. Fixes #590 (d64c2bd)

`v6.0.4`

Bug Fixes

added flow typings for new API's introduced in v6. Fixes #570 (0ddddfc)
Ensure values in patches are never a draft, fixes #559 (33ecbd6)
improve flow types (427040c)

`v6.0.3`

Bug Fixes

copy flow types to where flow can find them (6247c03)
Flow failed to find the Immer typings (c2ae050)

`v6.0.2`

Bug Fixes

change Full error url (2778ce8)
fixed broken minimized error url (issue#550) (949960f)

`v6.0.1`

Bug Fixes

rename compat index.d.ts to immer.d.ts (ed6ba6d)

`v6.0.0`

Merge pull request #536 from immerjs/multi-bundle (0d87fc8), closes #536
Adding large data sets to a draft has been optimized (in case autofreeze is disabled)
Added compatibility typing support for TypeScript versions pre 3.7

BREAKING CHANGES

Support for ES5, patches and Map/Set collections has to be explicitly enable now: https://immerjs.github.io/immer/docs/installation
Custom serialization hooks are no longer supported

`v5.3.6`

Bug Fixes

mark immer as sideEffect free module (although effects will be limited for now) (21c1597)

`v5.3.5`

Bug Fixes

consistent naming for castDraft, fixup 2d27f33 (70b44a7)

`v5.3.4`

Bug Fixes

attempt to fix locally not reproducible build issue (f91bcbb)

`v5.3.3`

Bug Fixes

Set inside patches were not correctly cloned. Fixes #521 (9d8d995)
Fixed issue where drafts from nested producers were frozen. Fixes #522, #524 (acc5e54)
incorrect patches generated for array if property was deleted inside (1e451a3)
patches when delete object property in array (fb5c316)

`v5.3.2`

`v5.3.0`

Bug Fixes

#506 original should not rely on Drafted (3711dec)

Features

general typing improvements for TS 3.7 and up (f930ce1)

`v5.2.1`

Bug Fixes

#502 (8d4f723)
Map and Set instantions won't work on certain environments, fixes #502 (9f4711a)

`v5.2.0`

Features

rewrote Map and Set implementation, code base cleanup (1913fe8), closes #472 #466 #449 #492

`v5.1.0`

Features

convert Immer to TypeScript (52c9914)

`v5.0.2`

Bug Fixes

#482 object spread breaks IE (8bc21c8)
Merge branch 'oriSomething-fix-472' (7a8e4e4)

`v5.0.1`

Bug Fixes

Fixed #477, Immer crashes without an Object.assign polyfill (4895824)

`v5.0.0`

❤ immer? 👉 https://opencollective.com/immer

This release introduces first class support for Maps and Sets!

BREAKING CHANGE: Maps and Sets are treated differently now; they will no longer directly mutated when updated inside a draft

Some things to keep in mind:

Example: https://immerjs.github.io/immer/docs/complex-objects
Inside recipes, you can directly modify Maps and Sets with methods like add, set, delete and clear
Those methods do mutate draft Maps and Sets, but won't actually change their originals!
Immer does not polyfill Map and Set automatically in environments where those aren't available out of the box
Maps and Sets are supported both in ES5 and Proxy mode
If autoFreeze is enabled, the maps and sets returned from a producer will be artificially frozen by making their mutative APIs unusable
Non primitive keys for Maps, and non primitive values for Sets are supported. However, we strongly recommend to not combine non-primitive keys to Maps with patches, for reasons expressed below.

Open questions

TypeScript support for storing immutable types inside Maps and Sets, and converting them to Draft's, is limited, see #448 for details
Since JSON-patch standard doesn't offer support for Sets or Maps, it is not entirely clear how mutations to those are best described by patches, so this might be refined in the future. See also #450

Credits to @runnez, @aigoncharov and @aleclarson for making this happen!

`v4.0.2`

Bug Fixes

add immerable Flow typedef (c8c9fcd)

`v4.0.1`

Bug Fixes

Don't use proxies if Proxy.revocable is not defined. Fixes #435 (c84aa53)

`v4.0.0`

Features

In development mode, any new value stored in a tree will be deeply frozen. (cb1c6dd)

BREAKING CHANGES

any value returned from produce will be deeply frozen in DEV, even when it wasn't frozen before the producer started. Fixes #412 #363 #260 #230 #313 #229 through #417

`v3.3.0`

Features

Always use remove command in generateArrayPatches() (d483334), closes #208

`v3.2.1`

Bug Fixes

ensure patches are reusable (49b2e7b)
ensure patches are reusable (c2e69d9)
ensure that patches are reusable. Fixes #411 (af3a59d)

`v3.2.0`

Features

introduced produceWithPatches. Implements #400 (86be737)

`v3.1.4`

Bug Fixes

don't unnecessary modify draft if replaying patches results in a new state anyway (96f2b2e)
If a property is added, then deleted, don't produce a patch (7cd2dc1)

`v3.1.3`

Bug Fixes

build: add unpkg and jsdelivr fields to package.json (#384) (fa1f5e6)

`v3.1.2`

Bug Fixes

ensure Symbol.for exists before calling it (#366) (c8ecbad), closes #365

`v3.1.1`

Got ahead of myself with Map support (see here: https://github.com/immerjs/immer/pull/353)

Bug Fixes

revert Map support (47529d3)

`v3.0.0`

Bug Fixes

ts: Immutable / read-only arrays in TS 3.4+ (2c27133)

Features

ts: improve curried producers (3cb0fb3)
ts: Improve type inference based on the first arg of the recipe function (acf8a57)
ts: Support typescript 3.4 (2868065)
Immer now has it's own Github org, immerjs (17d69c3)

BREAKING CHANGES

ts: typescript@3.4.0 is now the minimum required version
this in recipe is no longer the draft, but unbound (3f40298)
Dropped node 6 support (eecc773)

`v2.1.5`

Bug Fixes

test: missing "expect" devDependency (fb12428)
remove pointless assignments (366943c)
unnecessary draft creation (ec00ee4), closes #343

`v2.1.4`

Bug Fixes

build: publish source files (fb92884), closes #335

`v2.1.3`

Bug Fixes

build: use .module.js instead of .mjs for esm bundle (#332) (8b33b98)

`v2.1.2`

Bug Fixes

es5: delete then set an existing property (6963420), closes #328
ts: --target=es5 compatibility (0e5ecc9), closes #321

`v2.1.1`

Bug Fixes

share internal symbols between immer installations (02fed2c), closes #322

`v2.1.0`

Features

improved array patches (cb5707f)

`v2.0.0`

Bug Fixes

es5: throw if a modified child draft is returned (eabe9db)
Async recipes (#307) (0f76f98), closes #307 #302

BREAKING CHANGES

added migration guide: Promises returned from producer will be evaluated

`v1.12.1`

Bug Fixes

applyPatches should mutate drafts (d41be77), closes #301

`v1.12.0`

Features

export isDraftable (c89d47d)

`v1.11.1`

Bug Fixes

use getOwnPropertySymbols only when it exists (d57433b)

`v1.11.0`

Bug Fixes

es5: account for drafts in prepareCopy (1e3e425)
comparison typo (48b371c)
draft as base state (9a2e756)
Object.getPrototypeOf with a draft (d5d07e8)
property descriptor edge cases (afaa737)
throw on circular references (9c6603e)
es5: onDelete hook (46cc6a1)
ts: Immer class options and ImmerState types (5ff645c)

Features

limited class support (9877d64)

`v1.10.5`

Bug Fixes

ts: produce() return type (b52b45e)
ts: use base type as default produce() return type (3aa1c4a)

Reverts

ts: deeply immutable produce() return type (06c8f6f), closes #289 #290

`v1.10.4`

Bug Fixes

ts: reorder generic parameters of IProduce (05157af)

`v1.10.3`

Bug Fixes

ts: ensure produce returns an immutable type (dd25143)
ts: return type of produce() (03ec620)

`v1.10.2`

Bug Fixes

ts: base type of curried producer (b357e54)

`v1.10.1`

Bug Fixes

ts: parameter types of curried producers (89f6443), closes #288

`v1.10.0`

Features

passing drafts to produce (9c53415)

`v1.9.3`

Bug Fixes

ts: improve Draft with generics (cc08cb7), closes #272
ts: improve IProduce (8666d32), closes #273 #274 #275
ts: return undefined from produce (d60db14), closes #276

`v1.9.2`

Bug Fixes

ts: produce function (fa5bf5d), closes #270

`v1.9.1`

Bug Fixes

revert .d.ts and .js.flow module names (44cf843)
test: faulty .flowconfig (e8fe4ba)
test: use dist/immer.js in __tests__/types.ts (603664b)

Performance Improvements

proxy: avoid has where possible (4b9b637)

`v1.9.0`

TypeScript users: Please pin your immer version to 1.8 if you use typescript <3.1.1. Thanks!

Bug Fixes

ts: improve IProduce (8a86e7c), closes #205

Features

add Immer class (ecd04dc), closes #254
add hooks to the Immer class (7f50364)
add types for Immer class (f36d329)
drop typescript@2 support (04e3cdf)
drop typescript@3.0 support (66e51e1)

Performance Improvements

proxy: deletion of an undeclared property (c0ce252)

`v1.8.2`

Bug Fixes

ci: build before release (2f2eb9f)

`v1.8.1`

simplify and optimize some areas (3c7f374, 4dd6070, 53e9ce8)
improve tests

Bug Fixes

always use assign polyfill (241a648)
ci: install semantic-release on ci only (4a64599)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

vercel bot commented Jan 30, 2021

Deployment failed with the following error:

should NOT have additional property `dotenv`


          Update dependency immer to v9 [SECURITY]

0eab9f6

renovate bot force-pushed the renovate/npm-immer-vulnerability branch from a2621cf to 0eab9f6 Compare

October 18, 2021 16:45

renovate bot changed the title ~~Update dependency immer to v8 [SECURITY]~~ Update dependency immer to v9 [SECURITY]

Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

renovate bot changed the title ~~Update dependency immer to v9 [SECURITY]~~ Update dependency immer to v9 [SECURITY] - abandoned

Author

renovate bot commented Apr 30, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment