
build(deps): Bump react from 19.2.5 to 19.2.6 #1000
Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/react-19.2.6

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github May 20, 2026

Bumps react from 19.2.5 to 19.2.6.

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency bump limited to react with corresponding lockfile update; main risk is unexpected runtime/peer-compat issues with react-dom still pinned to 19.2.5.

Overview
Updates the react dependency from 19.2.5 to 19.2.6 in package.json and refreshes package-lock.json to the new tarball/integrity for react.

Reviewed by Cursor Bugbot for commit e434649. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) from 19.2.5 to 19.2.6.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

---
updated-dependencies:
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Changed, dependencies and javascript labels May 20, 2026

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | react@19.2.5 ⏵ 19.2.6 | 100 | 100 | 84 | 96 | 100 |


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Comment thread package.json
"prettier": "^3.8.2",
"prism-react-renderer": "^2.4.1",
"react": "^19.2.5",
"react": "^19.2.6",
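Review bot: the hunk raises react to ^19.2.6 but leaves react-dom at ^19.2.5 (the version-mismatch comment in this thread makes the same point), so the two packages go out of lockstep; react-dom's peer range (^19.2.5) still accepts 19.2.6, so the install works, but bumping `"react-dom": "^19.2.6"` in the same hunk and regenerating package-lock.json would keep the pair aligned and avoid a separate hygiene PR.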

react and react-dom version mismatch after bump

Low Severity

react is bumped to ^19.2.6 (resolving to 19.2.6) while react-dom stays at ^19.2.5 (locked to 19.2.5). The React team recommends keeping react and react-dom on the same version to avoid subtle runtime inconsistencies. Dependabot bumped only react, creating a version skew.


@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

I'll review the dependency update against the malware checklist by inspecting lockfile changes, upstream diffs, and the scanner findings.
Verdict: benign

This is a routine patch bump of the official react package from facebook/react with no supply-chain red flags. The malware scanner’s warn status comes entirely from three heuristic false positives; I disagree with treating them as suspicious.

Scanner findings (false positives)

  • shell_process_spawn (×2): Matches RegExp.prototype.exec() in stack-frame parsing (v8FrameRegExp.exec(secondFrame)), not child_process.exec or shell spawning. Those lines are unchanged in this release.
  • obfuscation_indicator: Matches the word “base64” in a human-readable error string in codes.json. That line was not modified; the only change there is a new error code 599 for Flight Reply compatibility.

Checklist summary

| Category | Result |
|---|---|
| Obfuscation / eval / encoded payloads | None in the diff |
| Unexpected network / exfiltration / FS persistence | None |
| Process spawning / shell commands | None (scanner misread .exec()) |
| Unicode / GlassWorm / homoglyphs | 0 scanner findings |
| Typosquatting / suspicious lifecycle scripts | Package is react from npm; react has no dependencies and no install scripts |
| New transitive deps / lockfile anomalies | Only react 19.2.5→19.2.6; resolved to registry.npmjs.org/react/-/react-19.2.6.tgz with standard integrity hash |
| Dependabot scope creep | Changes limited to package.json / package-lock.json; no workflow, vendor, or node_modules edits |

Upstream change (matches release notes)
Two commits between v19.2.5 and v19.2.6: Flight Reply “type hardening and performance improvements” (#36425) plus the version tag. Substantive code adds a BackingFormData wrapper and adjusts FormData prefix handling for nested RSC payloads—consistent with the stated RSC fix, not malware.

Repo context
chia-docs is a Docusaurus site using client-side React only; it does not appear to use React Server Components directly, so the RSC-internal changes are unlikely to affect runtime here.

Actionable note (non-security): react-dom remains at ^19.2.5 while react moves to ^19.2.6. That mismatch is normal for a partial Dependabot bump and is not a compromise indicator; aligning react-dom in a follow-up is optional hygiene.

Recommendation: Safe to merge from a supply-chain perspective. Treat the scanner warn as noise for this PR.

Compatibility Analysis

I'll analyze how react is used in this repo and compare the 19.2.5→19.2.6 upstream changes against those usage sites.

Compatibility & adoption analysis: react 19.2.5 → 19.2.6

1) Where react is used

Direct dependency: package.json pins react@^19.2.6 (lockfile resolves to 19.2.6).

First-party usage (4 files):

  • src/pages/index.js — homepage, Docusaurus Layout
  • src/components/HomepageFeatures.js — static feature cards
  • src/components/Runnable.tsx — client component using useState, useEffect, useMemo, PropsWithChildren
  • src/utils/stringify.ts — Children, isValidElement, ReactNode helpers

Indirect usage via the Docusaurus stack:

  • @docusaurus/core / @docusaurus/preset-classic (SSR at build time, client hydration)
  • @docsearch/react, @mdx-js/react, prism-react-renderer, react-icons, react-simple-code-editor

Not used: React Server Components, "use client" / "use server", Flight/FormData reply, useActionState, or other RSC APIs. This is a standard Docusaurus 3 static docs site.


2) Intersection with 19.2.6 changes

Upstream delta (v19.2.5 → v19.2.6): one functional commit — [FlightReply] Type hardening and performance improvements (#36425), touching:

  • packages/react-client/src/ReactFlightReplyClient.js
  • packages/react-server/src/ReactFlightReplyServer.js
  • new packages/react-server/src/ReactFlightReplyBackingFormData.js

The published react package itself has no source changes — only a version bump in packages/react/package.json.

Conclusion: No overlap with this repo’s usage. All app code uses standard client React APIs (hooks, JSX, Children). The RSC/FlightReply changes live in separate monorepo packages that are not direct dependencies here.


3) Risks / unknowns

| Risk | Severity |
|---|---|
| No runtime API change in react package | None — effectively a no-op for this consumer |
| react / react-dom version skew (react@19.2.6, react-dom@19.2.5) | Low — within peer range (react-dom requires ^19.2.5); align in a follow-up PR for hygiene |
| Malware scan heuristics on upstream ReactFlightReplyClient.js (RegExp.exec) | False positive — not in the installed react tarball |
| Build verification | Unknown until CI/npm run build runs — standard smoke test |

4) Recommendation: merge

Patch bump with no changes to the react package consumers actually import. Usage is limited to classic client React through Docusaurus; release-note RSC changes do not apply.

Optional follow-up: bump react-dom to 19.2.6 in the same or next Dependabot PR to keep versions aligned.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 20
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 23f4f9f30da9e9af2108c18bb197bae75ab584ea..eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401
  • Resolved refs: from=23f4f9f30da9e9af2108c18bb197bae75ab584ea to=eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 3

Top findings

  • packages/react-client/src/ReactFlightReplyClient.js:1390 shell_process_spawn :: let parsed = v8FrameRegExp.exec(secondFrame);
  • packages/react-client/src/ReactFlightReplyClient.js:1392 shell_process_spawn :: parsed = jscSpiderMonkeyFrameRegExp.exec(secondFrame);
  • scripts/error-codes/codes.json:461 obfuscation_indicator :: "473": "React doesn't accept base64 encoded file uploads because we don't except form data passed from a browser to ever encode data that way. If that's the wrong assumption, we can easily fix it.",

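As an added example (not code from this PR, Dependabot, Socket or the Cursor bots), here is a small Node.js lockfile review that applies the checks the two analyses above describe: it diffs the top-level entries of a pre- and post-bump package-lock.json for unexpected package changes, non-registry tarballs, missing integrity hashes and install scripts, and flags the react/react-dom skew the Bugbot comment raises. The lockfile fragments are constructed and the integrity values are placeholders, not the real hashes.

```javascript
const REGISTRY = "https://registry.npmjs.org/";

// Collect top-level entries ("node_modules/<name>") from a lockfileVersion 2/3 object.
function topLevelPackages(lock) {
  const out = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // RegExp.prototype.exec, not child_process.exec: the same call the scanner above misread.
    const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
    if (m) out[m[1]] = meta;
  }
  return out;
}

// Compare two lockfiles for a bump in which only the packages in `allowed` may change.
// Returns human-readable findings; an empty list means the diff looks like a clean bump.
function reviewBump(before, after, allowed) {
  const findings = [];
  const a = topLevelPackages(before);
  const b = topLevelPackages(after);
  for (const name of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const x = a[name];
    const y = b[name];
    if (!x) { findings.push(`new transitive dep: ${name}@${y.version}`); continue; }
    if (!y) { findings.push(`removed dep: ${name}`); continue; }
    if (x.version === y.version && x.resolved === y.resolved && x.integrity === y.integrity) continue;
    if (!allowed.includes(name)) findings.push(`unexpected change: ${name} ${x.version} -> ${y.version}`);
    if (!(y.resolved || "").startsWith(REGISTRY)) findings.push(`non-registry tarball: ${name} -> ${y.resolved}`);
    if (!/^sha512-[A-Za-z0-9+/=]+$/.test(y.integrity || "")) findings.push(`missing or weak integrity: ${name}`);
    if (y.hasInstallScript) findings.push(`install script present: ${name}`);
  }
  // Hygiene check, not a compromise indicator: react and react-dom should move together.
  const r = b.react, rd = b["react-dom"];
  if (r && rd && r.version !== rd.version) findings.push(`version skew: react@${r.version} vs react-dom@${rd.version}`);
  return findings;
}

// Constructed lockfile fragments mirroring this PR: react bumped, react-dom untouched.
// Integrity values are placeholders, not the real hashes.
const beforeLock = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.2.5", resolved: `${REGISTRY}react/-/react-19.2.5.tgz`, integrity: "sha512-PLACEHOLDERA" },
  "node_modules/react-dom": { version: "19.2.5", resolved: `${REGISTRY}react-dom/-/react-dom-19.2.5.tgz`, integrity: "sha512-PLACEHOLDERB" },
} };
const afterLock = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.2.6", resolved: `${REGISTRY}react/-/react-19.2.6.tgz`, integrity: "sha512-PLACEHOLDERC" },
  "node_modules/react-dom": beforeLock.packages["node_modules/react-dom"],
} };

console.log(reviewBump(beforeLock, afterLock, ["react"]));
```

Run against a real repo by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` of the base and head lockfiles; a clean patch bump should report nothing beyond the skew line.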