diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c4808e81322..3e7124572f49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,14 @@
+## 16.4.2 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
+* Fix a crash in the server renderer when an attribute is called `hasOwnProperty`. This fix is only available in `react-dom@16.4.2`. ([@gaearon](https://github.com/gaearon) in [#13303](https://github.com/facebook/react/pull/13303))
+
## 16.4.1 (June 13, 2018)
### React
@@ -70,6 +78,12 @@
* The [new host config shape](https://github.com/facebook/react/blob/c601f7a64640290af85c9f0e33c78480656b46bc/packages/react-noop-renderer/src/createReactNoop.js#L82-L285) is flat and doesn't use nested objects. ([@gaearon](https://github.com/gaearon) in [#12792](https://github.com/facebook/react/pull/12792))
+## 16.3.3 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
## 16.3.2 (April 16, 2018)
### React
@@ -179,6 +193,12 @@
* Fix a crash on updates. ([@rmhartog](https://github.com/rmhartog) in [#11955](https://github.com/facebook/react/pull/11955))
+## 16.2.1 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
## 16.2.0 (November 28, 2017)
### React
@@ -203,6 +223,12 @@
* Many tests were rewritten against the public API. Big thanks to [everyone who contributed](https://github.com/facebook/react/issues/11299)!
+## 16.1.2 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
## 16.1.1 (November 13, 2017)
### React
@@ -293,6 +319,12 @@ Starting with 16.1.0, we will no longer be publishing new releases on Bower. You
* First release of the [new experimental package](https://github.com/facebook/react/tree/master/packages/react-call-return) for parent-child communication. ([@gaearon](https://github.com/gaearon) in [#11364](https://github.com/facebook/react/pull/11364))
+## 16.0.1 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
## 16.0.0 (September 26, 2017)
### New JS Environment Requirements
diff --git a/appveyor.yml b/appveyor.yml
index 9b2a74084523..8191e610a95f 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -5,8 +5,9 @@ init:
- git config --global core.autocrlf input
environment:
- nodejs_version: 8
JAVA_HOME: C:\Program Files\Java\jdk1.8.0
+ matrix:
+ - nodejs_version: 10
# Finish on first failed build
matrix:
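Review bot: The new `matrix:` block under `environment` has a single entry, so the Windows build moves from Node 8 to Node 10 instead of gaining a version, and nothing in this hunk keeps Node 8 covered. If Node 8 is still a supported runtime for the server renderer that this release patches, add a second entry, `- nodejs_version: 8`, next to `- nodejs_version: 10`. A comment above the nested key, such as `# Build matrix: one job per listed Node version`, would also distinguish it from the top-level `matrix:` that follows, which presumably holds the fail-fast setting.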
diff --git a/fixtures/dom/package.json b/fixtures/dom/package.json
index 333c566c7ded..ef92dbfe50e4 100644
--- a/fixtures/dom/package.json
+++ b/fixtures/dom/package.json
@@ -12,7 +12,7 @@
"query-string": "^4.2.3",
"react": "^15.4.1",
"react-dom": "^15.4.1",
- "semver": "^5.3.0"
+ "semver": "^5.5.0"
},
"scripts": {
"start": "react-scripts start",
diff --git a/fixtures/dom/src/components/Fixture.js b/fixtures/dom/src/components/Fixture.js
index ddf8b9723171..3643a65c3675 100644
--- a/fixtures/dom/src/components/Fixture.js
+++ b/fixtures/dom/src/components/Fixture.js
@@ -1,4 +1,4 @@
-const PropTypes = window.PropTypes;
+import PropTypes from 'prop-types';
const React = window.React;
const propTypes = {
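Review bot: `import PropTypes from 'prop-types';` makes the fixture resolve `prop-types` from node_modules, but the `fixtures/dom/package.json` hunk in this commit only bumps `semver`, and its visible context does not list `prop-types`. If the package is not already declared above the shown lines, the import works only through a transitively installed copy whose version this package does not pin, so it should be added to `dependencies` explicitly. The next line still reads `const React = window.React;`, so a comment such as `// PropTypes is bundled; React is still taken from the page global` would explain the mix. The `propTypes` object continues outside the hunk.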
diff --git a/fixtures/dom/src/components/Header.js b/fixtures/dom/src/components/Header.js
index c78eaa6abf40..7ce25c6c4d72 100644
--- a/fixtures/dom/src/components/Header.js
+++ b/fixtures/dom/src/components/Header.js
@@ -66,6 +66,7 @@ class Header extends React.Component {
+