[Snyk] Upgrade redux from 3.7.2 to 5.0.1 #7
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade redux from 3.7.2 to 5.0.1.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 28 versions ahead of your current version.
The recommended version was released on 9 months ago.
Release notes
Package name: redux
This patch release adjusts the
isPlainObject
util to allow objects created viaObject.create(null)
, and fixes a type issue which accidentally made the store state type non-nullable.What's Changed
Store['getState']
by @ exuanbo in #4638Full Changelog: v5.0.0...v5.0.1
This major release:
action.type
must be a stringcreateStore
as deprecatedAnyAction
type in favor of anUnknownAction
type that is used everywherePreloadedState
type in favor of a new generic argument for theReducer
type.This release has breaking changes.
This release is part of a wave of major versions of all the Redux packages: Redux Toolkit 2.0, Redux core 5.0, React-Redux 9.0, Reselect 5.0, and Redux Thunk 3.0.
For full details on all of the breaking changes and other significant changes to all of those packages, see the "Migrating to RTK 2.0 and Redux 5.0" migration guide in the Redux docs.
Note
The Redux core, Reselect, and Redux Thunk packages are included as part of Redux Toolkit, and RTK users do not need to manually upgrade them - you'll get them as part of the upgrade to RTK 2.0. (If you're not using Redux Toolkit yet, please start migrating your existing legacy Redux code to use Redux Toolkit today!)
npm install @ reduxjs/toolkit
yarn add @ reduxjs/toolkit
# Standalone
npm install redux
yarn add redux
Changelog
ESM/CJS Package Compatibility
The biggest theme of the Redux v5 and RTK 2.0 releases is trying to get "true" ESM package publishing compatibility in place, while still supporting CJS in the published package.
The primary build artifact is now an ESM file,
dist/redux.mjs
. Most build tools should pick this up. There's also a CJS artifact, and a second copy of the ESM file namedredux.legacy-esm.js
to support Webpack 4 (which does not recognize theexports
field inpackage.json
). Additionally, all of the build artifacts now live under./dist/
in the published package.Modernized Build Output
We now publish modern JS syntax targeting ES2020, including optional chaining, object spread, and other modern syntax. If you need to
Build Tooling
We're now building the package using https://github.com/egoist/tsup. We also now include sourcemaps for the ESM and CJS artifacts.
Dropping UMD Builds
Redux has always shipped with UMD build artifacts. These are primarily meant for direct import as script tags, such as in a CodePen or a no-bundler build environment.
We've dropped those build artifacts from the published package, on the grounds that the use cases seem pretty rare today.
There's now a
redux.browser.mjs
file in the package that can be loaded from a CDN like Unpkg.If you have strong use cases for us continuing to include UMD build artifacts, please let us know!
createStore
Marked DeprecatedIn Redux 4.2.0, we marked the original
createStore
method as@ deprecated
. Strictly speaking, this is not a breaking change, nor is it new in 5.0, but we're documenting it here for completeness.This deprecation is solely a visual indicator that is meant to encourage users to migrate their apps from legacy Redux patterns to use the modern Redux Toolkit APIs.
The deprecation results in a visual strikethrough when imported and used, like
, but with no runtime errors or warnings.createStore
createStore
will continue to work indefinitely, and will not ever be removed. But, today we want all Redux users to be using Redux Toolkit for all of their Redux logic.To fix this, there are three options:
configureStore
legacy_createStore
API that is now exported, which is the exact same function but with no@ deprecated
tag. The simplest option is to do an aliased import rename, likeimport { legacy_createStore as createStore } from 'redux'
Action types must be strings
We've always specifically told our users that actions and state must be serializable, and that
action.type
should be a string. This is both to ensure that actions are serializable, and to help provide a readable action history in the Redux DevTools.store.dispatch(action)
now specifically enforces thataction.type
must be a string and will throw an error if not, in the same way it throws an error if the action is not a plain object.In practice, this was already true 99.99% of the time and shouldn't have any effect on users (especially those using Redux Toolkit and
createSlice
), but there may be some legacy Redux codebases that opted to use Symbols as action types.TypeScript Changes
We've dropped support for TS 4.6 and earlier, and our support matrix is now TS 4.7+.
Typescript rewrite
In 2019, we began a community-powered conversion of the Redux codebase to TypeScript. The original effort was discussed in #3500: Port to TypeScript, and the work was integrated in PR #3536: Convert to TypeScript.
However, the TS-converted code sat around in the repo for several years, unused and unpublished, due to concerns about possible compatibility issues with the existing ecosystem (as well as general inertia on our part).
Redux core v5 is now built from that TS-converted source code. In theory, this should be almost identical in both runtime behavior and types to the 4.x build, but it's very likely that some of the changes may cause types issues.
Please report any unexpected compatibility issues!!
AnyAction
deprecated in favour ofUnknownAction
The Redux TS types have always exported an
AnyAction
type, which is defined to have{type: string}
and treat any other field asany
. This makes it easy to write uses likeconsole.log(action.whatever)
, but unfortunately does not provide any meaningful type safety.We now export an
UnknownAction
type, which treats all fields other thanaction.type
asunknown
. This encourages users to write type guards that check the action object and assert its specific TS type. Inside of those checks, you can access a field with better type safety.UnknownAction
is now the default any place in the Redux source that expects an action object.AnyAction
still exists for compatibility, but has been marked as deprecated.Note that Redux Toolkit's action creators have a
.match()
method that acts as a useful type guard:You can also use the new
isAction
util to check if an unknown value is some kind of action object.Middleware
type changed - Middlewareaction
andnext
are typed asunknown
Previously, the
next
parameter is typed as theD
type parameter passed, andaction
is typed as theAction
extracted from the dispatch type. Neither of these are a safe assumption:next
would be typed to have all of the dispatch extensions, including the ones earlier in the chain that would no longer apply.next
as the default Dispatch implemented by the base redux store, however this would causenext(action)
to error (as we cannot promiseaction
is actually anAction
) - and it wouldn't account for any following middlewares that return anything other than the action they're given when they see a specific action.action
is not necessarily a known action, it can be literally anything - for example a thunk would be a function with no.type
property (soAnyAction
would be inaccurate)We've changed
next
to be(action: unknown) => unknown
(which is accurate, we have no idea whatnext
expects or will return), and changed theaction
parameter to beunknown
(which as above, is accurate).In order to safely interact with values or access fields inside of the
action
argument, you must first do a type guard check to narrow the type, such asisAction(action)
orsomeActionCreator.match(action)
.This new type is incompatible with the v4
Middleware
type, so if a package's middleware is saying it's incompatible, check which version of Redux it's getting its types from!PreloadedState
type removed in favour ofReducer
genericWe've made tweaks to the TS types to improve type safety and behavior.
First, the
Reducer
type now has aPreloadedState
possible generic:Per the explanation in #4491:
Why the need for this change? When the store is first created by
createStore
/configureStore
, the initial state is set to whatever is passed as thepreloadedState
argument (orundefined
if nothing is passed). That means that the first time that the reducer is called, it is called with thepreloadedState
. After the first call, the reducer is always passed the current state (which isS
).For most normal reducers,
S | undefined
accurately describes what can be passed in for thepreloadedState
. However thecombineReducers
function allows for a preloaded state ofPartial<S> | undefined
.The solution is to have a separate generic that represents what the reducer accepts for its preloaded state. That way
createStore
can then use that generic for itspreloadedState
argument.Previously, this was handled by a
$CombinedState
type, but that complicated things and led to some user-reported issues. This removes the need for$CombinedState
altogether.This change does include some breaking changes, but overall should not have a huge impact on users upgrading in user-land:
Reducer
,ReducersMapObject
, andcreateStore
/configureStore
types/function take an additionalPreloadedState
generic which defaults toS
.combineReducers
are removed in favor of a single function definition that takes theReducersMapObject
as its generic parameter. Removing the overloads was necessary with these changes, since sometimes it was choosing the wrong overload.Other Changes
Internal Listener Implementation
The Redux store has always used an array to track listener callbacks, and used
listeners.findIndex
to remove listeners on unsubscribe. As we found in React-Redux, that can have perf issues when many listeners are unsubscribing at once.In React-Redux, we fixed that with a more sophisticated linked list approach. Here, we've updated the
listeners
to be stored in aMap
instead, which has better delete performance than an array.In practice this shouldn't have any real effect, because React-Redux sets up a subscription in
<Provider>
, and all nested components subscribe to that. But, nice to fix it here as well.isAction
PredicateWe recently added an
isAction
predicate to RTK, then realized it's better suited for the Redux core. This can be used anywhere you have a value that could be a Redux action object, and you need to check if it is actually an action. This is specifically useful for use with the updated Redux middleware TS types, where the default value is nowunknown
and you need to use a type guard to tell TS that the current value is actually an action:We've also exported the
isPlainObject
util that's been in the Redux codebase for years as well.What's Changed
Entirely too many PRs to list here, as it's been a few years since 4.2 was released :) See the diff below.
Full Changelog: v4.2.1...v5.0.0
This release candidate adds a new
isAction
predicate that can be used as a TS type guard, and exports the existing internalisPlainObject
util.Note that we hope to release Redux Toolkit 2.0, Redux core 5.0, and React-Redux 9.0 by the start of December! (If we don't hit that, we'll aim for January, after the holidays.)
See the preview Redux Toolkit 2.0 + Redux core 5.0 Migration Guide for an overview of breaking changes in RTK 2.0 and Redux core.
Full Changelog: v5.0.0-rc.0...v5.0.0-rc.1
This release candidate has no actual source code changes since the previous
v5.0.0-beta.0
release.Note that we hope to release Redux Toolkit 2.0, Redux core 5.0, and React-Redux 9.0 by the start of December! (If we don't hit that, we'll aim for January, after the holidays.)
See the preview Redux Toolkit 2.0 + Redux core 5.0 Migration Guide for an overview of breaking changes in RTK 2.0 and Redux core.
This beta release alters our TS types to add and use a new
UnknownAction
type where possible for better type safety, and includes all prior changes from the 5.0 alphas. This release has breaking changes from 4.x.We recommend that users should prefer using Redux Toolkit for Redux development, and use the RTK 2.0 beta that depends on this core release, rather than using the Redux core library directly
.match()
method that acts as a useful type guard:Earlier Alpha Changes
Summarizing changes from the earlier
5.0-alpha
releases:createStore
deprecation tag portedisMinified
checkSet
Reducer
type accepts aPreloadedState
genericaction
andnext
are typed asunknown
action.type
field must be a stringWhat's Changed
Full Changelog: v5.0.0-alpha.6...v5.0.0-beta.0
This is an alpha release for Redux 5.0, and has breaking changes. It changes
store.dispatch
to require thataction.type
must always be a string.Changelog
Action Types Must Be Strings
We've always specifically told our users that actions and state must be serializable, and that
action.type
should be a string. This is both to ensure that actions are serializable, and to help provide a readable action history in the Redux DevTools.store.dispatch(action)
now specifically enforces thataction.type
must be a string and will throw an error if not, in the same way it throws an error if the action is not a plain object.In practice, this was already true 99.99% of the time and shouldn't have any effect on users (especially those using Redux Toolkit and
createSlice
), but there may be some legacy Redux codebases that opted to use Symbols as action types.TS Support Updated
We've updated our supported TS version matrix to be TS 4.7 and higher.
What's Changed
Full Changelog: v5.0.0-alpha.5...v5.0.0-alpha.6
This is an alpha release for Redux 5.0. This release has has breaking types changes.
Per the explanation in #4491 :
Why the need for this change? When the store is first created by
createStore
, the initial state is set to whatever is passed as thepreloadedState
argument (orundefined
if nothing is passed). That means that the first time that the reducer is called, it is called with thepreloadedState
. After the first call, the reducer is always passed the current state (which isS
).For most normal reducers,
S | undefined
accurately describes what can be passed in for thepreloadedState
. However thecombineReducers
function allows for a preloaded state ofPartial<S> | undefined
.The solution is to have a separate generic that represents what the reducer accepts for its preloaded state. That way
createStore
can then use that generic for itspreloadedState
argument.Previously, this was handled by a
$CombinedState
type, but that complicated things and led to some user-reported issues. This removes the need for$CombinedState
altogether.This change does include some breaking changes, but overall should not have a huge impact on users upgrading in user-land:
Reducer
,ReducersMapObject
, andcreateStore
types/function take an additionalPreloadedState
generic which defaults toS
.combineReducers
are removed in favor of a single function definition that takes theReducersMabObject
as its generic parameter. Removing the overloads was necessary with these changes, since sometimes it was choosing the wrong overload.Middleware
action
andnext
are typed asunknown
Currently, the
next
parameter is typed as theD
type parameter passed, andaction
is typed as theAction
extracted from the dispatch type. Neither of these are a safe assumption:next
would be typed to have all of the dispatch extensions, including the ones earlier in the chain that would no longer apply.next
as the default Dispatch implemented by the base redux store, however this would causenext(action)
to error (as we cannot promiseaction
is actually anAction
) - and it wouldn't account for any following middlewares that return anything other than the action they're given when they see a specific action.action
is not necessarily a known action, it can be literally anything - for example a thunk would be a function with no .type property (soAnyAction
would be inaccurate)We've changed
next
to be(action: unknown) => unknown
(which is accurate, we have no idea whatnext
expects or will return), and changes theaction
parameter to beunknown
(which as above, is accurate).What's Changed
Full Changelog: v5.0.0-alpha.4...v5.0.0-alpha.5
This is an alpha release for Redux 5.0. This release has many changes to our build setup and published package contents, and has breaking changes.
Earlier alphas made changes to the
package.json
contents and published build artifacts in an attempt to get ESM+CJS compat working correctly, but those alphas had several varying compat issues.We've set up a battery of example applications in the RTK repo that use a variety of build tools (currently CRA4, CRA5, Next 13, and Vite, Node CJS mode, and Node ESM mode), to verify that Redux and Redux Toolkit compile, import, and run correctly with both TS and various bundlers. We've also set up a check using a custom CLI wrapper around https://arethetypeswrong.github.io to check for potential packaging incompatibilities.
This release changes the names and contents of the published build artifacts, and the various
exports/module/main
fields inpackage.json
to point to those.The primary build artifact is now an ESM file,
dist/redux.mjs
. Most build tools should pick this up. There's also a CJS artifact, and a second copy of the ESM file namedredux.legacy-esm.js
to support Webpack 4 (which does not recognize theexports
field inpackage.json
).As of this release, we think we have ESM+CJS compat working correctly, but we ask that the community try out the alphas in your apps and let us know of any compat problems!
Build Tooling
We're now building the package using https://github.com/egoist/tsup . It looks like the output is effectively equivalent, but please let us know if there's any issues.
We also now include sourcemaps for the ESM and CJS artifacts.
Dropping UMD Builds
Redux has always shipped with UMD build artifacts. These are primarily meant for direct import as script tags, such as in a CodePen or a no-bundler build environment.
For now, we're dropping those build artifacts from the published package, on the grounds that the use cases seem pretty rare today.
We do have a browser-ready ESM build artifact included at
dist/redux.browser.mjs
, which can be loaded via a script tag that points to that file on Unpkg.If you have strong use cases for us continuing to include UMD build artifacts, please let us know!
What's Changed
Full Changelog: v5.0.0-alpha.2...v5.0.0-alpha.4
Release 5.0.0-alpha.3
This is an alpha release for Redux 5.0. This release has types changes, an internal implementation tweak, and many changes to our build and test setup.
Changelog
Store Enhancer TS Types Changes
The TS conversion in 2019 had made some changes to the definition of the
StoreEnhancer
TS type around replacing reducers. Some time later, we concluded that the enhancer types changes needed to be reverted, but that fell by the wayside. We've finally merged that reversion. This earlier type was never actually released publicly.We also made an additional change to improve the typing of the
next
arg in enhancers.Internal Listener Implementation
The Redux store has always used an array to track listener callbacks, and used
listeners.findIndex
to remove listeners on unsubscribe. As we found in React-Redux, that can have perf issues when many listeners are unsubscribing at once.In React-Redux, we fixed that with a more sophisticated linked list approach. Here, we've updated the
listeners
to be stored in aMap
instead, which has better delete performance than an array.In practice this shouldn't have any real effect, because React-Redux sets up a subscription in
<Provider>
, and all nested components subscribe to that. But, nice to fix it here as well.Build Tooling Updates
We made numerous updates to our build tooling, including switching package management to Yarn 3, running tests directly from
src
locally instead of building first, actually running the TS typetests we'd added years ago, testing our types against a matrix of TS versions, and running tests in CI against a built copy of the library.What's Changed
Full Changelog: v5.0.0-alpha.1...v5.0.0-alpha.2
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: