[Snyk] Upgrade @reduxjs/toolkit from 2.7.0 to 2.11.0

[DavidUmunna]

Snyk has created this PR to upgrade @reduxjs/toolkit from 2.7.0 to 2.11.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 9 versions ahead of your current version.

• The recommended version was released 23 days ago.

Release notes

Package name: @reduxjs/toolkit

• 2.11.0 - 2025-11-23
  

  This feature release upgrades our Immer dependency to v11 to pick up the additional recent performance optimizations, adds a new refetchCachedPages option to allow only fetching the first cached page, and fixes an issue with regex ignore paths in the immutability middleware.

  Changelog

  Immer v11 Performance Improvements

  As described in the release notes for v2.10.0, we recently put significant effort into profiling Immer, and contributed several PRs that aimed to optimize its update performance.

  v2.10.0 updated to use Immer 10.2.0, which added the first smaller set of perf updates. That included a new Immer option to disable "strict iteration" to speed up iterating copied objects, and we specifically applied that change in RTK under the assumption that standard plain JS objects as Redux state shouldn't have unusual keys anyway. Overall, this appears to boost Immer update perf by ~+20% over v10.1 depending on update scenario.

  Immer v11.0.0 was just released and contains the second perf PR, a major internal architectural rewrite to change the update finalization implementation from a recursive tree traversal to a set of targeted updates based on accessed and updated fields. Based on the benchmarks in the PR, this adds another ~+5% perf boost over the improvements in v10.2, again with variations depending on update scenario. In practice, the actual improvement may be better than that - the benchmarks list includes some array update cases which actually got a bit slower (and thus drag down the overall average), and a majority of update scenarios show anywhere from +25% to +60% faster than Immer v10.1!

  As a practical example, we have an RTK Query stress test benchmark where we mount 1000 components with query hooks at once, unmount, then remount them. We ran the same benchmark steps for RTK 2.9 and Immer 10.1, and then RTK 2.10+ and Immer 11. The overall scripting time dropped by about 30% (3330ms -> 2350ms), and the amount of time spent in Immer methods and the RTK reducers dropped significantly:

  

  Based on this, it appears to be a major improvement overall.

  As with the instructions in v2.10.0: if by some chance your Redux app state relies on non-string keys, you can still manually call setUseStrictIteration(true) in your app code to retain compatibility there, but we don't expect that standard Redux apps will have to worry about that.

  There are still two outstanding Immer perf PRs that may offer further improvements: one that adds an optional plugin to override array methods to avoid proxy creation overhead, and another experimental tweak to shallow copying that may be better with larger object sizes.

  New refetchCachedPages Option

  RTK Query's infinite query API was directly based on React Query's approach, including the pages cache structure and refetching behavior. By default, that means that when you trigger a refetch, both R-Q and RTKQ will try to sequentially refetch all pages currently in that cache entry. So, if there were 5 pages cached for an entry, they will try to fetch pages 0...4, in turn.

  Some users have asked for the ability to only refetch the first page. This can be accomplished somewhat manually by directly updating the cache entry to eliminate the old pages and then triggering a refetch, but that's admittedly not very ergonomic.

  We've merged a contributed PR that adds a new refetchCachedPages flag. This can be defined as part of infinite query endpoints, passed as an option to infinite query hooks, or passed as an option in initiate() calls or hook refetch() methods. If set to refetchCachedPages: false, it will only refetch the first page in the cache and not the remaining pages, thus shrinking the cache from N pages to 1 page.

  Other Fixes

  We merged a fix to the immutability dev middleware where it was treating ignoredPath regexes as strings and not actually testing them correctly.

  What's Changed

  • Update Immer to v11 for better update performance by @ markerikson in #5141
  • fix: compare paths against Regex instances in ignoredPaths by @ johnste in #5124
  • Add refetchCachedPages option for infinite query by @ rossmartin in #5016

  Full Changelog: v2.10.1...v2.11.0

• 2.10.1 - 2025-11-04
  

  This bugfix release fixes an issue with window access breaking in SSR due to the byte-shaving work in 2.10.

  What's Changed

  • Fix window SSR breakage by @ markerikson in #5132

  Full Changelog: v2.10.0...v2.10.1

• 2.10.0 - 2025-11-04
  

  This feature release updates our Immer dep to 10.2 to pick up its performance improvements, has additional byte-shaving and internal performance updates, and fixes a combineSlices type issue.

  Changelog

  Immer Performance Improvements

  Redux Toolkit has been built around Immer since the very first prototype in 2018. Use of Immer as the default in createSlice directly eliminated accidental mutations as a class of errors in Redux apps, and drastically simplified writing immutable updates in reducers.

  We've had various issues filed over the years asking to make Immer optional, or raising concerns about Immer's perf. Immer is indeed slower than writing immutable updates by hand, but our stance has always been that Immer's DX is absolutely worth whatever modest perf cost it might incur, and that reducers are usually not the bottleneck in Redux apps anyway - it's usually the cost of updating the UI that's more expensive.

  However, a year ago an issue was filed with some specific complaints about Immer perf being very slow. We investigated, ran benchmarks, and filed an Immer issue confirming that it had gotten noticeably slower over time. Immer author Michel Weststrate agreed, and said there were some potential tweaks and architectural changes that could be made, but didn't have time to look into them himself.

  A couple months ago, we started investigating possible Immer perf improvements ourselves, including profiling various scenarios and comparing implementations of other similar immutable update libraries. After extensive research and development, we were able to file several PRs to improve Immer's perf: a set of smaller tweaks around iteration and caching, a couple much larger architectural changes, and a potential change to copying objects.

  Immer 10.2.0 contains the first set of smaller perf improvements, and this RTK release updates our dependency to 10.2 to pick up those changes.

  One important behavior note here: Earlier versions of Immer (8, 9, 10.1) added more handling for edge cases like symbol keys in objects. These changes made sense for correctness, but also contributed to the slowdown. Immer 10.2 now includes a new setUseStrictIteration option to allow only copying string keys in objects (using Object.keys() instead of Reflect.ownKeys()), but keeps the option as strict: true for compatibility with its own users. That default will likely change in Immer 11.

  For RTK 2.10.0, we specifically import and call setUseStrictIteration(false), under the assumption that standard Redux state usage only involves string keys in plain JS objects! This should provide a ~10% speedup for Immer update operations. Given that expectation, we believe this is a reasonable feature change and only needs a minor version bump.

  If by some chance you are using symbol keys in your Redux state, or in other Immer-powered updates in your Redux app, you can easily revert to the previous behavior by calling setUseStrictIteration(true) in your own app code.

  Based on discussions with Michel, Immer v11 should come out in the near future with additional architectural changes for better perf, including optional support for faster array methods that would be available as an Immer plugin adding ~2KB bundle size. We will likely not turn that plugin on by default, but recommend that users enable it if they do frequent array ops in reducers.

  We're happy to have contributed these perf improvements to Immer, and that they will benefit not just RTK users but all Immer users everywhere!

  You can follow the additional discussion and progress updates in the main Immer perf update tracking issue.

  Additional RTK Perf Improvements

  We've tweaked some places where we were doing repeated filter().map().map() calls to micro-optimize those loops.

  RTKQ tag invalidation was always reading from proxy-wrapped arrays when rewriting provided tags. It now reads from the plain arrays instead, providing a modest speedup.

  We previously found that ESBuild wasn't deduplicating imports from the same libraries in separate files bundled together (ie import { useEffect as useEffect2/3/4/ } from 'react'). We've restructured our internals to ensure all external imports are only pulled in once.

  We've done some extensive byte-shaving in various places in the codebase. The byte-shaving and import deduplication saves about 0.6K min from the RTKQ core, and 0.2K min from the RTKQ React bundle.

  Other Changes

  combineSlices now better handles cases where PreloadedState might not match the incoming type, such as persisted values.

  What's Changed

  • Improve perf for internal map/filter ops by @ markerikson in #5126
  • Update Immer dep to 10.2 and disable strict iteration for perf by @ markerikson in #5127
  • Deduplicate imports by @ markerikson in #5128
  • Byte-shave various chunks of code by @ markerikson in #5129
  • fix(combineSlices): Infer PreloadedState properly from provided slice by @ EskiMojo14 in #5125

  Full Changelog: v2.9.2...v2.10.0

• 2.9.2 - 2025-10-22
  

  This bugfix release fixes a potential internal data leak in SSR environments, improves handling of headers in fetchBaseQuery, improves retry handling for unexpected errors and request aborts, and fixes a longstanding issue with prefetch leaving an unused subscription. We've also shipped a new graphqlRequestBaseQuery release with updated dependencies and better error handling.

  Changelog

  Internal Subscription Handling

  We had a report that a Redux SSR app had internal subscription data showing up across different requests. After investigation, this was a bug introduced by the recent RTKQ perf optimizations, where the internal subscription fields were hoisted outside of the middleware setup and into createApi itself. This meant they existed outside of the per-store-instance lifecycle. We've reworked the logic to ensure the data is per-store again. We also fixed another issue that miscalculated when there was an active request while checking for cache entry cleanup.

  Note that no actual app data was leaked in this case, just the internal subscription IDs that RTKQ uses in its own middleware to track the existence of subscriptions per cache entry.

  fetchBaseQuery Headers

  We've updated fetchBaseQuery to avoid setting content-type in cases where a non-JSONifiable value like FormData is being passed as the request body, so that the browser can set that content type itself. It also now sets the accept header based on the selected responseHandler (JSON or text).

  retry Behavior and Cleanup

  The retry util now respects the maxRetries option when catching unknown errors in addition to the existing known errors logic. It also now checks the request's AbortSignal and will stop retrying if aborted.

  In conjunction with that, dispatching resetApiState will now abort all in-flight requests.

  The prefetch util and usePrefetch hook had a long-standing issue where they would create a subscription for a cache entry, but there was no way to clean up that subscription. This meant that the cache entry was effectively permanent. They now initiate the request without adding a subscription. This will fetch the cache entry and leave it in the store for the keepUnusedDataFor period as intended, giving your app time to actually subscribe to the value (such as prefetching the cache entry in a route handler, and then subscribing in a component).

  graphqlRequestBaseQuery

  We've published @ rtk-query/graphql-request-base-query v2.3.2, which updates the graphql-request dep to ^7. We also fixed an issue where the error handling rethrew unknown errors - it now returns {error} as a base query is supposed to.

  What's Changed

  • Fix potential subscription leakage in SSR environments by @ markerikson in #5111
  • Improve fetchBaseQuery default headers handling by @ markerikson in #5112
  • Respect maxRetries for unexpected errors by @ markerikson in #5113
  • fix: update graphql-request dependency to include version ^7.0.0 by @ eyesfocus in #4987
  • Add retry abort handling and abort on resetApiState by @ markerikson in #5114
  • Don't create subscriptions for prefetch calls by @ markerikson in #5116

  Full Changelog: v2.9.1...v2.9.2

• 2.9.1 - 2025-10-17
  

  This bugfix release fixes how sorted entity adapters handle duplicate IDs, tweaks the TS types for RTKQ query state cache entries to improve how the data field is handled, and adds better cleanup for long-running listener middleware effects.

  What's Changed

  • fix(entityAdapter): ensure sorted addMany keeps first occurrence of duplicate ids by @ demyanm in #5097
  • fix(entityAdapter): ensure sorted setMany keeps just unique IDs in state.ids by @ demyanm in #5107
  • fix(types): ensure non-undefined data on isSuccess with exactOptionalPropertyTypes by @ CO0Ki3 in #5088
  • Allow executing effects that have become unsubscribed to be canceled by listenerMiddleware.clearListeners by @ chris-chambers in #5102

  Full Changelog: v2.9.0...v2.9.1

• 2.9.0 - 2025-09-03
  

  This feature release rewrites RTK Query's internal subscription and polling systems and the useStableQueryArgs hook for better perf, adds automatic AbortSignal handling to requests still in progress when a cache entry is removed, fixes a bug with the transformResponse option for queries, adds a new builder.addAsyncThunk method, and fixes assorted other issues.

  Changelog

  RTK Query Performance Improvements

  We had reports that RTK Query could get very slow when there were thousands of subscriptions to the same cache entry. After investigation, we found that the internal polling logic was attempting to recalculate the minimum polling time after every new subscription was added. This was highly inefficient, as most subscriptions don't change polling settings, and it required repeated O(n) iteration over the growing list of subscriptions. We've rewritten that logic to debounce the update check and ensure a max of one polling value update per tick for the entire API instance.

  Related, while working on the request abort changes, testing showed that use of plain Records to hold subscription data was inefficient because we have to iterate keys to check size. We've rewritten the subscription handling internals to use Maps instead, as well as restructuring some additional checks around in-flight requests.

  These two improvements drastically improved runtime perf for the thousands-of-subscriptions-one-cache-entry repro, eliminating RTK methods as visible hotspots in the perf profiles. It likely also improves perf for general usage as well.

  We've also changed the implementation of our internal useStableQueryArgs hook to avoid calling serializeQueryArgs on its value, which can avoid potential perf issues when a query takes a very large object as its cache key.

  Note

  The internal logic switched from serializing the query arg to doing reference checks on nested values. This means that if you are passing a non-POJO value in a query arg, such as useSomeQuery({a: new Set()}), and you have refetchOnMountOrArgChange enabled, this will now trigger refeteches each time as the Set references are now considered different based on equality instead of serialization.

  Abort Signal Handling on Cleanup

  We've had numerous requests over time for various forms of "abort in-progress requests when the data is no longer needed / params change / component unmounts / some expensive request is taking too long". This is a complex topic with multiple potential use cases, and our standard answer has been that we don't want to abort those requests - after all, cache entries default to staying in memory for 1 minute after the last subscription is removed, so RTKQ's cache can still be updated when the request completes. That also means that it doesn't make sense to abort a request "on unmount".

  However, it does then make sense to abort an in-progress request if the cache entry itself is removed. Given that, we've updated our cache handling to automatically call the existing resPromise.abort() method in that case, triggering the AbortSignal attached to the baseQuery. The handling at that point depends on your app - fetchBaseQuery should handle that, a custom baseQuery or queryFn would need to listen to the AbortSignal.

  We do have an open issue asking for further discussions of potential abort / cancelation use cases and would appreciate further feedback.

  New Options

  The builder callback used in createReducer and createSlice.extraReducers now has builder.addAsyncThunk available, which allows handling specific actions from a thunk in the same way that you could define a thunk inside createSlice.reducers:

          const slice = createSlice({
            name: 'counter',
            initialState: {
              loading: false,
              errored: false,
              value: 0,
            },
            reducers: {},
            extraReducers: (builder) =>
              builder.addAsyncThunk(asyncThunk, {
                pending(state) {
                  state.loading = true
                },
                fulfilled(state, action) {
                  state.value = action.payload
                },
                rejected(state) {
                  state.errored = true
                },
                settled(state) {
                  state.loading = false
                },
              }),
          })

  createApi and individual endpoint definitions now accept a skipSchemaValidation option with an array of schema types to skip, or true to skip validation entirely (in case you want to use a schema for its types, but the actual validation is expensive).

  Bug Fixes

  The infinite query implementation accidentally changed the query internals to always run transformResponse if provided, including if you were using upsertQueryData(), which then broke. It's been fixed to only run on an actual query request.

  The internal changes to the structure of the state.api.provided structure broke our handling of extractRehydrationInfo - we've updated that to handle the changed structure.

  The infinite query status fields like hasNextPage are now a looser type of boolean initially, rather than strictly false.

  TS Types

  We now export Immer's WritableDraft type to fix another non-portable types issue.

  We've added an api.endpoints.myEndpoint.types.RawResultType types-only field to match the other available fields.

  What's Changed

  • Add RawResultType as a type-only property on endpoints by @ EskiMojo14 in #5037
  • allow passing an array of specific schemas to skip by @ EskiMojo14 in #5042
  • fix(types): re-exporting WritableDraft from immer by @ marinsokol5 in #5015
  • Remove Serialisation from useStableQueryArgs by @ riqts in #4996
  • add addAsyncThunk method to reducer map builder by @ EskiMojo14 in #5007
  • Only run transformResponse when a query is used by @ markerikson in #5049
  • Assorted bugfixes for 2.8.3 by @ markerikson in #5060
  • Abort pending requests if the cache entry is removed by @ markerikson in #5061
  • Update TS CI config by @ markerikson in #5065
  • Rewrite subscription handling and polling calculations for better perf by @ markerikson in #5064

  Full Changelog: v2.8.2...v2.9.0

• 2.8.2 - 2025-05-14
• 2.8.1 - 2025-05-08
• 2.8.0 - 2025-05-06
• 2.7.0 - 2025-04-16

from @reduxjs/toolkit GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
procurement-admin-panel	Ready	Preview, Comment	Dec 17, 2025 8:33am

[netlify]

❌ Deploy Preview for resourceman failed. Why did it fail? →

Name	Link
🔨 Latest commit	f8c9af8
🔍 Latest deploy log	https://app.netlify.com/projects/resourceman/deploys/69426a7b8d2f7c0008e25f23