React 0.11.0 marked a notable shift from version 0.10.0 in how it declares its dependencies. The key difference is the handling of envify, a tool often used to substitute environment variables during builds. React 0.10.0 listed envify as a peer dependency ("envify": "~1.2.0"), so developers integrating React were responsible for installing envify in their own projects, at a version within the ~1.2.0 range (that is, 1.2.x). This approach could introduce dependency conflicts if the host project required a different version of envify.
In contrast, React 0.11.0 lists envify as a regular dependency ("envify": "^2.0.0"), so the package manager installs it automatically as part of React's own dependency tree and the developer no longer has to manage it. The ^2.0.0 range accepts version 2.0.0 and any later minor or patch release below 3.0.0, which is more permissive than the tilde range of the previous version, where only patch releases of 1.2 qualified. This change streamlined installation by removing the burden of managing envify explicitly, kept the envify version within a range React itself declared compatible, and potentially reduced dependency conflicts in larger projects. While both versions serve the core purpose of building user interfaces with React, the updated dependency structure in 0.11.0 provided a smoother experience, especially for developers new to the library or facing complex dependency scenarios.
All the vulnerabilities related to version 0.11.0 of the package
Cross-Site Scripting in react
Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.
Upgrade to version 0.14.0 or later.
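The following is an added example, not code from React, npm or the page's source: it implements the two range styles discussed above (tilde ~1.2.0 and caret ^2.0.0), checks a host project's resolved versions against a library's peer dependencies to surface the conflict the 0.10.0 layout could cause, and audits an installed react version against the advisory's fixed version (0.14.0). The manifests and lockfile contents are constructed to mirror the page's description and are not React's real files; only full MAJOR.MINOR.PATCH versions are handled (no prerelease tags).

```javascript
// Added example (not code from React or npm): a minimal semver checker for the
// two range styles the page discusses, a peer-dependency conflict check, and a
// version audit against the advisory's fixed version (0.14.0).
// Handles full MAJOR.MINOR.PATCH versions only; prerelease tags are out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1 like a comparator, component by component.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// "~1.2.0" accepts >=1.2.0 <1.3.0 (patch-level changes only).
// "^2.0.0" accepts >=2.0.0 <3.0.0; for 0.x bases the caret is narrower:
// "^0.11.0" accepts >=0.11.0 <0.12.0, and "^0.0.3" accepts only 0.0.3.
function satisfies(version, range) {
  const op = range[0];
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false; // below the floor
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  if (op === '^') {
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return compareVersions(version, baseStr) === 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Peer dependencies are satisfied by the host project, not by the library.
// `installed` maps package name -> the exact version the host resolved (as a
// lockfile records it). Returns one message per unmet peer requirement.
function peerConflicts(installed, libManifest) {
  const problems = [];
  for (const [name, range] of Object.entries(libManifest.peerDependencies || {})) {
    const have = installed[name];
    if (have === undefined) {
      problems.push(`${name}: missing, ${libManifest.name} needs ${range}`);
    } else if (!satisfies(have, range)) {
      problems.push(`${name}: host has ${have}, ${libManifest.name} needs ${range}`);
    }
  }
  return problems;
}

// Advisory on the page: react < 0.14.0 is affected; 0.14.0 carries the fix.
const REACT_FIXED_VERSION = '0.14.0';
function isVulnerableReact(version) {
  return compareVersions(version, REACT_FIXED_VERSION) < 0;
}

// Constructed manifests modelled on the page's description (not React's real files).
const react010 = { name: 'react', version: '0.10.0', peerDependencies: { envify: '~1.2.0' } };
const react011 = { name: 'react', version: '0.11.0', dependencies: { envify: '^2.0.0' } };
const hostLock = { react: '0.10.0', envify: '1.3.0' }; // constructed: host pinned a newer envify

console.log(peerConflicts(hostLock, react010)); // envify 1.3.0 falls outside ~1.2.0
console.log(peerConflicts(hostLock, react011)); // [] : 0.11.0 declares no peers
console.log(isVulnerableReact(react011.version), isVulnerableReact('0.14.2'));
```

In a real project the same two checks are what `npm ls` (unmet peer warnings) and `npm audit` report; the point of writing them out is to see that the 0.10.0 conflict is a range mismatch the host must resolve, while the 0.11.0 layout moves that decision into React's own dependency tree, and that neither layout changes the fact that every react release below 0.14.0 remains affected by the advisory above.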