chore(deps): update dependency react-dom to v16.4.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-dom (source)	16.4.0 → 16.4.2

GitHub Vulnerability Alerts

CVE-2018-6341

Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to:

• be a server-side React app
• be rendered to HTML using ReactDOMServer
• include an attribute name from user input in an HTML tag

Recommendation

If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.

---

Release Notes

facebook/react (react-dom)

v16.4.2

Compare Source

React DOM Server

• Fix a potential XSS vulnerability when the attacker controls an attribute name (CVE-2018-6341). This fix is available in the latest react-dom@16.4.2, as well as in previous affected minor versions: react-dom@16.0.1, react-dom@16.1.2, react-dom@16.2.1, and react-dom@16.3.3. (@​gaearon in #​13302)

• Fix a crash in the server renderer when an attribute is called hasOwnProperty. This fix is only available in react-dom@16.4.2. (@​gaearon in #​13303)

v16.4.1

Compare Source

React

• You can now assign propTypes to components returned by React.ForwardRef. (@​bvaughn in #​12911)

React DOM

• Fix a crash when the input type changes from some other types to text. (@​spirosikmd in #​12135)
• Fix a crash in IE11 when restoring focus to an SVG element. (@​ThaddeusJiang in #​12996)
• Fix a range input not updating in some cases. (@​Illu in #​12939)
• Fix input validation triggering unnecessarily in Firefox. (@​nhunzaker in #​12925)
• Fix an incorrect event.target value for the onChange event in IE9. (@​nhunzaker in #​12976)
• Fix a false positive error when returning an empty <React.Fragment /> from a component. (@​philipp-spiess in #​12966)

React DOM Server

• Fix an incorrect value being provided by new context API. (@​ericsoderberghp in #​12985, @​gaearon in #​13019)

React Test Renderer

• Allow multiple root children in test renderer traversal API. (@​gaearon in #​13017)
• Fix getDerivedStateFromProps() in the shallow renderer to not discard the pending state. (@​fatfisz in #​13030)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

(node:911) [DEP0060] DeprecationWarning: The `util._extend` API is deprecated. Please use Object.assign() instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
npm ERR! Cannot read properties of undefined (reading 'match')

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-02-03T07_38_09_371Z-debug.log