Immer versions 7.0.9 and 7.0.8 represent minor updates to this popular JavaScript library designed to simplify immutable state management. Both versions share the same core purpose: enabling developers to work with immutable data structures by allowing them to directly "mutate" state, while Immer handles the behind-the-scenes creation of a new, immutable copy. This facade simplifies development, particularly in Redux-like architectures, promoting a more intuitive coding experience.
Reviewing the provided data, the core functionality and the set of devDependencies remain consistent between the two versions. The key differences lie within the dist object, specifically the "unpackedSize" and "releaseDate" fields. Version 7.0.9 has an unpacked size of 818608 bytes, a slight increase from version 7.0.8's 817305 bytes, which suggests minor code adjustments, bug fixes, or performance improvements in the newer version. More evidently, the library is maintained regularly: version 7.0.9 was released on September 9, 2020, after version 7.0.8 on August 25, 2020.
For developers, upgrading from 7.0.8 to 7.0.9 is likely a safe and recommended procedure. While the core API remains the same, the changelog should still be consulted; any incremental changes that improve stability or optimize the library warrant updating to the latest patch. Immer provides an excellent solution for managing immutable data, a concept pivotal in creating predictable and maintainable applications and user interfaces.
All the vulnerabilities related to version 7.0.9 of the package
Prototype Pollution in immer
Affected versions of immer are vulnerable to Prototype Pollution.
// Proof of concept from the advisory: a patch whose path begins with "__proto__"
// is written through to Object.prototype, so an unrelated object gains the property.
const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted); // obj has no own or inherited "polluted" yet
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// The same effect can be achieved with a 'replace' op:
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted); // on affected versions obj now inherits "polluted"
Version 8.0.1 contains a fix for this vulnerability; updating is recommended.
Prototype Pollution in immer
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different types.
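A defender-side illustration of this type-confusion bypass, added here as an example rather than immer's own code: a toy patch applier with an injectable guard shows that a `===` string comparison lets `['__proto__']` through, because property access coerces the array to the string "__proto__", while a guard that type-checks and normalises the segment rejects it. The names applyPatchesWith and pollutesPrototype are assumptions and the applier handles only 'add' and 'replace'.

```javascript
// Added example (not immer's code): a toy patch applier with an injectable
// path-segment guard. applyPatchesWith is a hypothetical stand-in for
// applyPatches that supports only the 'add' and 'replace' operations.

// Weak guard: strict equality matches only string segments, so the array
// segment ['__proto__'] is not caught (its toString() is still "__proto__").
function isForbiddenKeyWeak(p) {
  return p === "__proto__" || p === "constructor";
}

// Hardened guard: reject anything that is not a plain string or number, then
// compare the stringified key, so arrays and other objects can never reach
// the property access that would coerce them to "__proto__".
function isForbiddenKeyStrict(p) {
  if (typeof p !== "string" && typeof p !== "number") return true;
  const key = String(p);
  return key === "__proto__" || key === "constructor" || key === "prototype";
}

function applyPatchesWith(guard, base, patches) {
  for (const { op, path, value } of patches) {
    if (op !== "add" && op !== "replace") throw new Error("unsupported op " + op);
    let target = base;
    for (let i = 0; i < path.length; i++) {
      const p = path[i];
      if (guard(p)) throw new Error("forbidden path segment " + JSON.stringify(p));
      if (i === path.length - 1) {
        target[p] = value;            // final segment: write the value
      } else {
        if (target[p] === undefined) target[p] = {};
        target = target[p];           // descend; an array p is coerced here
      }
    }
  }
  return base;
}

// Regression probe: apply one patch against a throwaway object and report
// whether a fresh, unrelated object now sees the injected property.
function pollutesPrototype(guard, firstSegment) {
  const marker = "polluted_" + Math.random().toString(36).slice(2);
  try {
    applyPatchesWith(guard, {}, [{ op: "add", path: [firstSegment, marker], value: "yes" }]);
  } catch (_e) {
    return false; // the guard rejected the patch
  }
  const leaked = ({})[marker] === "yes";
  delete Object.prototype[marker]; // undo any pollution so later checks are clean
  return leaked;
}
```

Running pollutesPrototype with each guard and each segment form turns the advisory's condition into a reproducible regression check that can sit beside an application's own input validation tests.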
Prototype Pollution in immer
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').