This repository was archived by the owner on Dec 6, 2019. It is now read-only.

[Security] Bump react-dom from 16.4.1 to 16.8.2#395

Closed
dependabot-preview[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/react-dom-16.8.2
Closed

Conversation

@dependabot-preview
Contributor

Bumps react-dom from 16.4.1 to 16.8.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects react-dom
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected.

This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Affected versions: >= 16.4.0 < 16.4.2

Release notes

Sourced from react-dom's releases.

v16.8.2

16.8.2 (February 14, 2019)

React DOM

React Test Utils and React Test Renderer

Artifacts

v16.8.1

16.8.1 (February 6, 2019)

React DOM and React Test Renderer

  • Fix a crash when used together with an older version of React. (@bvaughn in #14770)

React Test Utils

Artifacts

v16.8.0

React

React DOM

... (truncated)
Changelog

Sourced from react-dom's changelog.

16.8.2 (February 14, 2019)

React DOM

React Test Utils and React Test Renderer

16.8.1 (February 6, 2019)

React DOM and React Test Renderer

  • Fix a crash when used together with an older version of React. (@bvaughn in #14770)

React Test Utils

16.8.0 (February 6, 2019)

React

React DOM

  • Bail out of rendering on identical values for useState and useReducer Hooks. (@acdlite in #14569)
  • Use Object.is algorithm for comparing useState and useReducer values. (@Jessidhia in #14752)
  • Don’t compare the first argument passed to useEffect/useMemo/useCallback Hooks. (@acdlite in #14594)
  • Support synchronous thenables passed to React.lazy(). (@gaearon in #14626)
  • Render components with Hooks twice in Strict Mode (DEV-only) to match class behavior. (@gaearon in #14654)
  • Warn about mismatching Hook order in development. (@threepointone in #14585 and @acdlite in #14591)
  • Effect clean-up functions must return either undefined or a function. All other values, including null, are not allowed. (@acdlite in #14119)

React Test Renderer and Test Utils

  • Support Hooks in the shallow renderer. (@trueadm in #14567)
  • Fix wrong state in shouldComponentUpdate in the presence of getDerivedStateFromProps for Shallow Renderer. (@chenesan in #14613)
  • Add ReactTestRenderer.act() and ReactTestUtils.act() for batching updates so that tests more closely match real behavior. (@threepointone in #14744)

ESLint Plugin: React Hooks

... (truncated)
Commits
  • dfabb77 Include another change in 16.8.2
  • c555c00 Include component stack in 'act(...)' warning (#14855)
  • ff188d6 Add React 16.8.2 changelog (#14851)
  • c4d8ef6 Fix typo in code comment (#14836)
  • 08e9554 Statically enable suspense/partial hydration flag in www (#14842)
  • 0e4135e Revert "[ShallowRenderer] Queue/rerender on dispatched action after render co...
  • 6d4038f [ShallowRenderer] Queue/rerender on dispatched action after render component ...
  • fa6205d Special case crossOrigin for SVG image elements (#14832)
  • c6bee76 Remove false positive warning and add TODOs about current being non-null (#...
  • 3ae94e1 Fix ignored sync work in passive effects (#14799)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
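The advisory above concerns attribute names that reach ReactDOMServer unescaped. As an added example (not code from this PR, from Dependabot, or from React), here is a defensive allow-list that drops untrusted attribute names outside a conservative grammar before they are spread into props for server rendering, plus a check of whether an installed react-dom version falls inside the advisory's affected range `>= 16.4.0 < 16.4.2`. The function names, the regex and the sample props are assumptions constructed for this example.

```javascript
// Added example, not part of the original PR or of React.
// Allow-list grammar for attribute names taken from untrusted input: must start
// with a letter, then letters, digits, '-', '_', ':' or '.'. Anything else
// (spaces, '=', quotes, '>', '/') is rejected outright rather than escaped.
const SAFE_ATTR_NAME = /^[a-zA-Z][a-zA-Z0-9_:.-]*$/;

// Split untrusted props into names safe to spread into a server-rendered
// element and names that were rejected (for logging / alerting).
function sanitizeAttributeNames(untrustedProps) {
  const accepted = {};
  const rejected = [];
  for (const [name, value] of Object.entries(untrustedProps)) {
    if (SAFE_ATTR_NAME.test(name)) {
      accepted[name] = value;
    } else {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}

// Compare two dotted version strings numerically: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when react-dom `version` is inside the advisory's range >= 16.4.0 < 16.4.2.
function isAffectedByAdvisory(version) {
  return compareVersions(version, '16.4.0') >= 0 &&
         compareVersions(version, '16.4.2') < 0;
}

// Constructed sample: props as they might arrive from an untrusted source.
const sampleProps = { 'data-id': '42', title: 'hello', 'a=b': '1', ' data-x': '2' };
const result = sanitizeAttributeNames(sampleProps);
console.log('accepted:', Object.keys(result.accepted)); // ['data-id', 'title']
console.log('rejected:', result.rejected);               // ['a=b', ' data-x']
console.log('16.4.1 affected:', isAffectedByAdvisory('16.4.1')); // true
console.log('16.8.2 affected:', isAffectedByAdvisory('16.8.2')); // false
```

Rejected names should be logged server-side; a spike in rejections is a useful detection signal even after upgrading past the affected range.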

Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 16.4.1 to 16.8.2. **This update includes security fixes.**
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/master/CHANGELOG.md)
- [Commits](facebook/react@v16.4.1...v16.8.2)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added the dependencies and security (Pull requests that address a security vulnerability) labels on Feb 19, 2019
@dependabot-preview
Contributor Author

Superseded by #402.

@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/react-dom-16.8.2 branch February 26, 2019 02:14