[Snyk] Upgrade knockout from 3.4.0 to 3.5.1 #166

Open
wants to merge 1 commit into
base: master

snyk-bot

Snyk has created this PR to upgrade knockout from 3.4.0 to 3.5.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 7 versions ahead of your current version.
  • The recommended version was released 7 months ago, on 2019-11-05.

The recommended version fixes:

| Severity | Issue | Exploit Maturity |
| --- | --- | --- |
|  | Cross-site Scripting (XSS), npm:knockout:20180213 | No Known Exploit |

Release notes
Package name: knockout
  • 3.5.1 - 2019-11-05

    This release fixes a few regression bugs in 3.5.0:

    • Empty template with if option throws an error #2446
    • IE error from inserting a node before itself #2450
    • Problem with initial value binding on <select> when the options are generated via a foreach binding #2452
    • Missing arrayChange notifications when using deferred updates #2454
    • Template binding removes <script> template contents #2484

    3.5.1 also fixes some issues with and expands 3.5.0's TypeScript definitions.

  • 3.5.0 - 2019-02-21

    Knockout 3.5.0 includes a few new bindings and new ways to interact with observables and bindings. The full list is detailed under 3.5.0 Beta, 3.5.0 RC, and 3.5.0 RC2.

    The final 3.5.0 release includes fixes for a few regressions in the pre-production releases:

    • Fix performance issue with nested if bindings (#2414)
    • Fix exception with foreach and beforeRemove (#2419)
    • Fix misplaced nodes with foreach and Punches plugin (#2433)
    • Fix duplicated nodes with foreach and if (#2439)
  • 3.5.0-rc2 - 2018-09-08

    This release includes a number of fixes for regressions in the previous 3.5.0 release candidate. Given the time since the RC, we also decided to include a few small improvements.

    • Fix to maintain an element's focus when it's moved by the foreach binding.
    • Fix changes to style binding to correctly append px.
    • Fix regression to ko.contextFor when used after ko.applyBindingsToNode.
    • Revert changes in ko.utils to use native array methods.
    • Remove global createChildContextWithAs option and add noChildContext binding option. The default behavior for as matches previous releases.
    • Fix the interaction of descendantsComplete and if/ifnot/with bindings.
    • Add an option for if/ifnot/with bindings: completeOn: "render" will have the binding wait to trigger descendantsComplete until it is rendered.
    • Throw an error for unbalanced virtual elements.
    • ko.applyBindings throws an error if a non-Node is given as the second parameter.
    • Support an options object as a parameter to createChildContext.
    • Support a custom rate-limit function as the method parameter to the rateLimit extender.
    • Support setting custom CSS properties with the style binding.
    • Optimize how many elements are moved by foreach.
    • Update TypeScript declarations.
  • 3.5.0-rc - 2018-04-26

    Changes since 3.5.0 Beta:

    • Expand descendantsComplete to include bindings other than component, such as if, with, etc.
    • ko.when will return a Promise if called without a callback function.
    • Include TypeScript declarations.
    • A few minor bug fixes.
  • 3.5.0-beta - 2018-01-12

    Knockout 3.5.0 beta release notes

    Full list of issues: https://github.com/knockout/knockout/milestone/9?closed=1

    Important: This release includes some minor breaking changes to the foreach binding to improve performance and clarify features. These changes can be turned off using global options.

    • When using the as option with the foreach binding, Knockout will set the named value for each item in the array but won't create a child context. In other words, when using as, you will have to use the named value in bindings: text: item.property rather than text: property. This can be controlled by setting ko.options.createChildContextWithAs = true. (See #907)

    • To improve performance when array changes are from a known, single operation, such as push, the foreach binding no longer filters out destroyed items by default. To turn this off and filter out destroyed items, you can set includeDestroyed: false in the foreach binding or set ko.options.foreachHidesDestroyed = true to use the previous behavior by default. (See #2324)

    Other enhancements

    • You can react to the completion of bindings such as if and with using the new childrenComplete binding or subscribing to the childrenComplete binding event. (See #2310)
    • You can react to the completion of components, including nested components, by including a koDescendantsComplete method in the component viewmodel or subscribing to the descendantsComplete binding event. (See #2319)
    • Binding strings can include template literals (backticks) and C++ and C-style comments.
    • Observable arrays include sorted and reversed methods that return a modified copy of the array. This is in contrast to sort and reverse that modify the array itself.
    • The new class binding supports dynamic class strings. This allows you to use the css and class bindings together to support both methods of setting CSS classes.
    • The new using binding, similarly to with, binds its descendant elements in the context of the child viewmodel. Unlike with, which re-renders its contents when the viewmodel changes, using will just trigger each descendant binding to update.
    • The new hidden binding works oppositely to visible.
    • The new let binding allows you to set values that can be used in all descendant element bindings, regardless of context.
    • Similarly to let, you can set such values at the root context by providing a function as the third parameter to ko.applyBindings. (See #2024)
    • Performance improvement: String templates are no longer parsed each time they are referenced. Instead the parsed nodes are cached and cloned.
    • Observables notify a new spectate event whenever their value changes. Unlike the standard change event, this new event isn't necessarily delayed by rate-limiting or deferred updates. You can subscribe to the event without waking a sleeping pure computed; the computed will notify the event if it is accessed with a new value.
    • Computed observables include a getDependencies method that returns an array of the observables that the computed is currently watching.
    • The attr binding supports namespaced attributes such as xlink:href in svg elements.
    • The ko.when function allows you to run code once when an observable or condition becomes true.
    • The ko.isObservableArray function can be used to check if something is a ko.observableArray.
    • The style binding will use jQuery if present. Even without jQuery, the binding now supports standard style names, such as background-color, and automatically appends px if needed to styles that expect it.
    • Knockout will throw an error if it finds an unmatched closing virtual element (<!--/ko-->).

    Fixes

    30 or so separate fixes are included in this release.

  • 3.4.2 - 2017-03-06

    This release fixes a number of bugs related to deferred updates and computed observables.

    • stop infinite loop from dirty events in circular computeds (#1943)
    • only update a computed if dependency has actually changed; not if it was just dirty (#2174)
    • only notify subscriptions that exist when a change occurs; don't notify future subscribers (#2163)
    • notify dependent computed of change in reverted observable if the computed previously read a different intermediate value (#1835)
    • update a pure computed if a dependency has changed and notification is pending (#2197)
  • 3.4.1 - 2016-11-08

    Fixed:

    • pureComputed sometimes doesn't pick up a change in a dependency (#1975 and #1992)
    • Knockout observable arrays leak memory when resubscribing to arrayChange events (#1973 and #1974)
    • $rawData within with bindings and rendered templates (#1415)
    • Export computed._latestValue in debug mode (b3f24b1)
  • 3.4.0 - 2015-11-17

    New features and bug fixes

    • Improves performance of components, templates, computeds, and observables.
    • Includes a native version of deferred updates, along with a microtask queue (ko.tasks).
    • Calls a ko.onError handler, if defined, for errors from asynchronous code.
    • ko.options.useOnlyNativeEvents can be set to tell Knockout to use only native (not jQuery) events.
    • Includes ko.isPureComputed().

    The 3.4.0 RC release notes have the full list of issues and pull requests included in this release. The final release fixes two regression bugs found in the RC:

    • #1903 - New beforeRemove behavior can break retained items.
    • #1905 - Endless recursion possible with ko.computed.

    Possible compatibility issues

    1. Components now use microtasks to perform updates asynchronously instead of setTimeout. Since microtasks are run before the browser repaints the page, all loaded components will be initialized and displayed in a single repaint. Although this reduces the overall time needed to display components, it could result in a longer delay before anything is displayed.
    2. The new, native deferred updates feature has a slightly different API and is implemented differently than the Deferred Updates plugin. Migrating from the plugin will generally require some code changes (full details to come soon).
    3. ko.observable and ko.computed no longer use a closure when defining their methods, such as dispose and valueHasMutated. These functions expect this to be set correctly and so can't be used directly as a callback. Instead you'll need to use bind, such as obs.dispose.bind(obs).
from knockout GitHub release notes

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
