[Snyk] Upgrade @reduxjs/toolkit from 2.8.2 to 2.9.2

[miPwn]

Snyk has created this PR to upgrade @reduxjs/toolkit from 2.8.2 to 2.9.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 3 versions ahead of your current version.

• The recommended version was released a month ago.

Release notes

Package name: @reduxjs/toolkit

• 2.9.2 - 2025-10-22
  

  This bugfix release fixes a potential internal data leak in SSR environments, improves handling of headers in fetchBaseQuery, improves retry handling for unexpected errors and request aborts, and fixes a longstanding issue with prefetch leaving an unused subscription. We've also shipped a new graphqlRequestBaseQuery release with updated dependencies and better error handling.

  Changelog

  Internal Subscription Handling

  We had a report that a Redux SSR app had internal subscription data showing up across different requests. After investigation, this was a bug introduced by the recent RTKQ perf optimizations, where the internal subscription fields were hoisted outside of the middleware setup and into createApi itself. This meant they existed outside of the per-store-instance lifecycle. We've reworked the logic to ensure the data is per-store again. We also fixed another issue that miscalculated when there was an active request while checking for cache entry cleanup.

  Note that no actual app data was leaked in this case, just the internal subscription IDs that RTKQ uses in its own middleware to track the existence of subscriptions per cache entry.

  fetchBaseQuery Headers

  We've updated fetchBaseQuery to avoid setting content-type in cases where a non-JSONifiable value like FormData is being passed as the request body, so that the browser can set that content type itself. It also now sets the accept header based on the selected responseHandler (JSON or text).

  retry Behavior and Cleanup

  The retry util now respects the maxRetries option when catching unknown errors in addition to the existing known errors logic. It also now checks the request's AbortSignal and will stop retrying if aborted.

  In conjunction with that, dispatching resetApiState will now abort all in-flight requests.

  The prefetch util and usePrefetch hook had a long-standing issue where they would create a subscription for a cache entry, but there was no way to clean up that subscription. This meant that the cache entry was effectively permanent. They now initiate the request without adding a subscription. This will fetch the cache entry and leave it in the store for the keepUnusedDataFor period as intended, giving your app time to actually subscribe to the value (such as prefetching the cache entry in a route handler, and then subscribing in a component).

  graphqlRequestBaseQuery

  We've published @ rtk-query/graphql-request-base-query v2.3.2, which updates the graphql-request dep to ^7. We also fixed an issue where the error handling rethrew unknown errors - it now returns {error} as a base query is supposed to.

  What's Changed

  • Fix potential subscription leakage in SSR environments by @ markerikson in #5111
  • Improve fetchBaseQuery default headers handling by @ markerikson in #5112
  • Respect maxRetries for unexpected errors by @ markerikson in #5113
  • fix: update graphql-request dependency to include version ^7.0.0 by @ eyesfocus in #4987
  • Add retry abort handling and abort on resetApiState by @ markerikson in #5114
  • Don't create subscriptions for prefetch calls by @ markerikson in #5116

  Full Changelog: v2.9.1...v2.9.2

• 2.9.1 - 2025-10-17
  

  This bugfix release fixes how sorted entity adapters handle duplicate IDs, tweaks the TS types for RTKQ query state cache entries to improve how the data field is handled, and adds better cleanup for long-running listener middleware effects.

  What's Changed

  • fix(entityAdapter): ensure sorted addMany keeps first occurrence of duplicate ids by @ demyanm in #5097
  • fix(entityAdapter): ensure sorted setMany keeps just unique IDs in state.ids by @ demyanm in #5107
  • fix(types): ensure non-undefined data on isSuccess with exactOptionalPropertyTypes by @ CO0Ki3 in #5088
  • Allow executing effects that have become unsubscribed to be canceled by listenerMiddleware.clearListeners by @ chris-chambers in #5102

  Full Changelog: v2.9.0...v2.9.1

• 2.9.0 - 2025-09-03
  

  This feature release rewrites RTK Query's internal subscription and polling systems and the useStableQueryArgs hook for better perf, adds automatic AbortSignal handling to requests still in progress when a cache entry is removed, fixes a bug with the transformResponse option for queries, adds a new builder.addAsyncThunk method, and fixes assorted other issues.

  Changelog

  RTK Query Performance Improvements

  We had reports that RTK Query could get very slow when there were thousands of subscriptions to the same cache entry. After investigation, we found that the internal polling logic was attempting to recalculate the minimum polling time after every new subscription was added. This was highly inefficient, as most subscriptions don't change polling settings, and it required repeated O(n) iteration over the growing list of subscriptions. We've rewritten that logic to debounce the update check and ensure a max of one polling value update per tick for the entire API instance.

  Related, while working on the request abort changes, testing showed that use of plain Records to hold subscription data was inefficient because we have to iterate keys to check size. We've rewritten the subscription handling internals to use Maps instead, as well as restructuring some additional checks around in-flight requests.

  These two improvements drastically improved runtime perf for the thousands-of-subscriptions-one-cache-entry repro, eliminating RTK methods as visible hotspots in the perf profiles. It likely also improves perf for general usage as well.

  We've also changed the implementation of our internal useStableQueryArgs hook to avoid calling serializeQueryArgs on its value, which can avoid potential perf issues when a query takes a very large object as its cache key.

  Note

  The internal logic switched from serializing the query arg to doing reference checks on nested values. This means that if you are passing a non-POJO value in a query arg, such as useSomeQuery({a: new Set()}), and you have refetchOnMountOrArgChange enabled, this will now trigger refeteches each time as the Set references are now considered different based on equality instead of serialization.

  Abort Signal Handling on Cleanup

  We've had numerous requests over time for various forms of "abort in-progress requests when the data is no longer needed / params change / component unmounts / some expensive request is taking too long". This is a complex topic with multiple potential use cases, and our standard answer has been that we don't want to abort those requests - after all, cache entries default to staying in memory for 1 minute after the last subscription is removed, so RTKQ's cache can still be updated when the request completes. That also means that it doesn't make sense to abort a request "on unmount".

  However, it does then make sense to abort an in-progress request if the cache entry itself is removed. Given that, we've updated our cache handling to automatically call the existing resPromise.abort() method in that case, triggering the AbortSignal attached to the baseQuery. The handling at that point depends on your app - fetchBaseQuery should handle that, a custom baseQuery or queryFn would need to listen to the AbortSignal.

  We do have an open issue asking for further discussions of potential abort / cancelation use cases and would appreciate further feedback.

  New Options

  The builder callback used in createReducer and createSlice.extraReducers now has builder.addAsyncThunk available, which allows handling specific actions from a thunk in the same way that you could define a thunk inside createSlice.reducers:

          const slice = createSlice({
            name: 'counter',
            initialState: {
              loading: false,
              errored: false,
              value: 0,
            },
            reducers: {},
            extraReducers: (builder) =>
              builder.addAsyncThunk(asyncThunk, {
                pending(state) {
                  state.loading = true
                },
                fulfilled(state, action) {
                  state.value = action.payload
                },
                rejected(state) {
                  state.errored = true
                },
                settled(state) {
                  state.loading = false
                },
              }),
          })

  createApi and individual endpoint definitions now accept a skipSchemaValidation option with an array of schema types to skip, or true to skip validation entirely (in case you want to use a schema for its types, but the actual validation is expensive).

  Bug Fixes

  The infinite query implementation accidentally changed the query internals to always run transformResponse if provided, including if you were using upsertQueryData(), which then broke. It's been fixed to only run on an actual query request.

  The internal changes to the structure of the state.api.provided structure broke our handling of extractRehydrationInfo - we've updated that to handle the changed structure.

  The infinite query status fields like hasNextPage are now a looser type of boolean initially, rather than strictly false.

  TS Types

  We now export Immer's WritableDraft type to fix another non-portable types issue.

  We've added an api.endpoints.myEndpoint.types.RawResultType types-only field to match the other available fields.

  What's Changed

  • Add RawResultType as a type-only property on endpoints by @ EskiMojo14 in #5037
  • allow passing an array of specific schemas to skip by @ EskiMojo14 in #5042
  • fix(types): re-exporting WritableDraft from immer by @ marinsokol5 in #5015
  • Remove Serialisation from useStableQueryArgs by @ riqts in #4996
  • add addAsyncThunk method to reducer map builder by @ EskiMojo14 in #5007
  • Only run transformResponse when a query is used by @ markerikson in #5049
  • Assorted bugfixes for 2.8.3 by @ markerikson in #5060
  • Abort pending requests if the cache entry is removed by @ markerikson in #5061
  • Update TS CI config by @ markerikson in #5065
  • Rewrite subscription handling and polling calculations for better perf by @ markerikson in #5064

  Full Changelog: v2.8.2...v2.9.0

• 2.8.2 - 2025-05-14
  

  This bugfix release fixes a bundle size regression in RTK Query from the build and packaging changes in v2.8.0.

  If you're using v2.8.0 or v2.8.1, please upgrade to v2.8.2 right away to resolve that bundle size issue!

  Changelog

  RTK Query Bundle Size

  In v2.8.0, we reworked our packaging setup to better support React Native. While there weren't many meaningful code changes, we did alter our bundling build config file. In the process, we lost the config options to externalize the @ reduxjs/toolkit core when building the RTK Query nested entry points. This resulted in a regression where the RTK core code also got bundled directly into the RTK Query artifacts, resulting in a significant size increase.

  This release fixes the build config and restores the previous RTKQ build artifact sizes.

  What's Changed

  • Restructure build config to fix RTKQ externals by @ markerikson in #4985

  Full Changelog: v2.8.1...v2.8.2

from @reduxjs/toolkit GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs