Skip to content

build(deps-dev): bump react from 18.3.1 to 19.2.6#394

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/react-19.2.6
Closed

build(deps-dev): bump react from 18.3.1 to 19.2.6#394
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/react-19.2.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Copy link
Copy Markdown
Contributor

Bumps react from 18.3.1 to 19.2.6.

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

19.2.4 (January 26th, 2026)

React Server Components

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

19.2.1 (December 3rd, 2025)

React Server Components

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:

... (truncated)

Changelog

Sourced from react's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

... (truncated)

Commits


Note

Medium Risk
Major React major bump in devDependencies can surface test/runtime incompatibilities; mismatched react vs react-dom versions in dev may mask or cause false CI signals.

Overview
Bumps the devDependency react in package.json from ^18.0.0 to ^19.2.6 so local builds and tests run against React 19.2.x. No application source changes; peerDependencies already allow React 19.

react-dom and react-test-renderer remain on ^18.0.0, so the dev toolchain may mix React 19 core with React 18 DOM/test packages until those are aligned.

Reviewed by Cursor Bugbot for commit dbf1eab. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 29, 2026 16:19
@dependabot dependabot Bot added javascript Pull requests that update Javascript code dependencies Pull requests that update a dependency file labels May 29, 2026

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 4e312c1. Configure here.

Comment thread package.json
"prettier": "^3.3.3",
"prop-types": "^15.7.2",
"react": "^18.0.0",
"react": "^19.2.6",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

React 19 requires matching react-dom version

High Severity

Bumping react to ^19.2.6 while leaving react-dom at ^18.0.0 will cause an immediate runtime error. React 19 added an explicit version check that throws if react and react-dom versions don't match. The react-test-renderer at ^18.0.0 and @types/react at ^18.0.3 are also incompatible with React 19.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 4e312c1. Configure here.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/react-19.2.6 branch from 4e312c1 to e54d03d Compare May 29, 2026 20:13
Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) from 18.3.1 to 19.2.6.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

---
updated-dependencies:
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/react-19.2.6 branch from e54d03d to dbf1eab Compare May 29, 2026 20:33
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #409.

@dependabot dependabot Bot closed this Jul 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/react-19.2.6 branch July 6, 2026 20:05
kinyoklion added a commit that referenced this pull request Jul 6, 2026
…icy (#411)

**Requirements**

- [x] I have added test coverage for new or changed functionality
(existing suite validates the build/runtime; this change is dev-tooling
+ config only)
- [x] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform
versions

**Related issues**

Replaces the currently open Dependabot PRs (#374, #377, #388, #392,
#393, #394), all of which are major-version bumps.

**Describe the solution you've provided**

This consolidates dependency maintenance into a single, tested PR and
codifies a safer Dependabot policy.

1. **Dependency update (`package.json`)** — bumps the `esbuild`
devDependency `^0.24.0` → `^0.28.1` to resolve the moderate advisory
GHSA-67mh-4wv8-2f99 (esbuild `<=0.24.2` dev server request). `npm audit`
now reports **0 vulnerabilities**. esbuild `0.28.1` was released
2026-06-11 (~25 days ago), satisfying a 7-day quarantine. This is the
only actionable update under the new same-major policy: `npm outdated`
shows every other outstanding update is a major bump with no security
justification, and everything else is already at the latest version
within its current major.

2. **Dependabot policy (`.github/dependabot.yml`)** — for both the `npm`
and `github-actions` ecosystems:
- `cooldown: { default-days: 7 }` enforces the dependency quarantine
(only adopt releases ≥7 days old) going forward.
- `ignore` on `dependency-name: "*"` with `update-types:
["version-update:semver-major"]` restricts version-update PRs to the
current major. Per GitHub's docs, `update-types` does not affect
security updates, so Dependabot will still open a major-version PR when
required to resolve a vulnerability.

Validated locally: `npm run build`, `npm run lint`, `tsc`, and the full
`jest` suite (93 tests) all pass, and `npm audit` is clean.

**Describe alternatives you've considered**

- Adopting the open React 19 devDependency bumps (react, react-dom,
react-test-renderer and their `@types`) and `actions/setup-node` v6.
These are all major bumps with no security driver, so they are
intentionally excluded under the new same-major policy. They can be
pursued separately as deliberate, tested major upgrades if desired.
- A global `semver-major` ignore alone (without noting the security
exemption): documented behavior confirms security updates are unaffected
by `update-types`, so the security-major path remains open.

**Additional context**

The 7-day quarantine and same-major restriction reduce exposure to
supply-chain risk from freshly published or major releases while keeping
security fixes flowing.


Link to Devin session:
https://app.devin.ai/sessions/9a6e6afb929646c3b9d14c4f13a17601
Requested by: @kinyoklion

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> DevDependency and Dependabot config only; no changes to the published
SDK runtime or consumer-facing APIs.
> 
> **Overview**
> Bumps the **esbuild** devDependency from `^0.24.0` to `^0.28.1` to
address moderate advisory GHSA-67mh-4wv8-2f99 (dev-server request
handling in older esbuild). This is a build-time-only change.
> 
> Updates **`.github/dependabot.yml`** for both **npm** and
**github-actions**: documents the existing 7-day **cooldown** quarantine
and adds a global **`ignore`** for **`version-update:semver-major`**, so
routine Dependabot PRs stay on the current major. Security-driven
updates can still propose major bumps per GitHub’s rules.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
503cc1f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants