chore(deps): [security] bump react-dom from 16.4.1 to 16.8.2

[dependabot-preview]

Bumps react-dom from 16.4.1 to 16.8.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects react-dom
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected.

This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Affected versions: >= 16.4.0 < 16.4.2

Release notes

Sourced from react-dom's releases.

v16.8.2

16.8.2 (February 14, 2019)

React DOM

• Fix ReactDOM.render being ignored inside useEffect. (@​gaearon in #14799)
• Fix a crash when unmounting empty portals. (@​gaearon in #14820)
• Fix useImperativeHandle to work correctly when no deps are specified. (@​gaearon in #14801)
• Fix crossOrigin attribute to work in SVG image elements. (@​aweary in #14832)
• Fix a false positive warning when using Suspense with Hooks. (@​gaearon in #14821)

React Test Utils and React Test Renderer

• Include component stack into the act() warning. (@​threepointone in #14855)

v16.8.1

16.8.1 (February 6, 2019)

React DOM and React Test Renderer

• Fix a crash when used together with an older version of React. (@​bvaughn in #14770)

React Test Utils

• Fix a crash in Node environment. (@​threepointone in #14768)

v16.8.0

React

• Add Hooks — a way to use state and other React features without writing a class. (@​acdlite et al. in #13968)
• Improve the useReducer Hook lazy initialization API. (@​acdlite in #14723)

React DOM

• Bail out of rendering on identical values for useState and useReducer Hooks. (@​acdlite in #14569)
• Use Object.is algorithm for comparing useState and useReducer values. (@​Jessidhia in #14752)
• Don’t compare the first argument passed to useEffect/useMemo/useCallback Hooks. (@​acdlite in #14594)
• Support synchronous thenables passed to React.lazy(). (@​gaearon in #14626)
• Render components with Hooks twice in Strict Mode (DEV-only) to match class behavior. (@​gaearon in #14654)
• Warn about mismatching Hook order in development. (@​threepointone in #14585 and @​acdlite in #14591)
• Effect clean-up functions must return either undefined or a function. All other values, including null, are not allowed. @​acdlite in #14119

React Test Renderer and Test Utils

• Support Hooks in the shallow renderer. (@​trueadm in #14567)
• Fix wrong state in shouldComponentUpdate in the presence of getDerivedStateFromProps for Shallow Renderer. (@​chenesan in #14613)
• Add ReactTestRenderer.act() and ReactTestUtils.act() for batching updates so that tests more closely match real behavior. (@​threepointone in #14744)

... (truncated)

Changelog

Sourced from react-dom's changelog.

16.8.2 (February 14, 2019)

React DOM

• Fix ReactDOM.render being ignored inside useEffect. (@​gaearon in #14799)
• Fix a crash when unmounting empty portals. (@​gaearon in #14820)
• Fix useImperativeHandle to work correctly when no deps are specified. (@​gaearon in #14801)
• Fix crossOrigin attribute to work in SVG image elements. (@​aweary in #14832)
• Fix a false positive warning when using Suspense with Hooks. (@​gaearon in #14821)

React Test Utils and React Test Renderer

• Include component stack into the act() warning. (@​threepointone in #14855)

16.8.1 (February 6, 2019)

React DOM and React Test Renderer

• Fix a crash when used together with an older version of React. (@​bvaughn in #14770)

React Test Utils

• Fix a crash in Node environment. (@​threepointone in #14768)

16.8.0 (February 6, 2019)

React

• Add Hooks — a way to use state and other React features without writing a class. (@​acdlite et al. in #13968)
• Improve the useReducer Hook lazy initialization API. (@​acdlite in #14723)

React DOM

• Bail out of rendering on identical values for useState and useReducer Hooks. (@​acdlite in #14569)
• Use Object.is algorithm for comparing useState and useReducer values. (@​Jessidhia in #14752)
• Don’t compare the first argument passed to useEffect/useMemo/useCallback Hooks. (@​acdlite in #14594)
• Support synchronous thenables passed to React.lazy(). (@​gaearon in #14626)
• Render components with Hooks twice in Strict Mode (DEV-only) to match class behavior. (@​gaearon in #14654)
• Warn about mismatching Hook order in development. (@​threepointone in #14585 and @​acdlite in #14591)
• Effect clean-up functions must return either undefined or a function. All other values, including null, are not allowed. @​acdlite in #14119

React Test Renderer and Test Utils

• Support Hooks in the shallow renderer. (@​trueadm in #14567)
• Fix wrong state in shouldComponentUpdate in the presence of getDerivedStateFromProps for Shallow Renderer. (@​chenesan in #14613)
• Add ReactTestRenderer.act() and ReactTestUtils.act() for batching updates so that tests more closely match real behavior. (@​threepointone in #14744)

ESLint Plugin: React Hooks

... (truncated)

Commits

• dfabb77 Include another change in 16.8.2
• c555c00 Include component stack in 'act(...)' warning (#14855)
• ff188d6 Add React 16.8.2 changelog (#14851)
• c4d8ef6 Fix typo in code comment (#14836)
• 08e9554 Statically enable suspense/partial hydration flag in www (#14842)
• 0e4135e Revert "[ShallowRenderer] Queue/rerender on dispatched action after render co...
• 6d4038f [ShallowRenderer] Queue/rerender on dispatched action after render component ...
• fa6205d Special case crossOrigin for SVG image elements (#14832)
• c6bee76 Remove false positive warning and add TODOs about current being non-null (#...
• 3ae94e1 Fix ignored sync work in passive effects (#14799)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #18.