Bump react from 19.2.5 to 19.2.6 #494
Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) from 19.2.5 to 19.2.6.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

---
updated-dependencies:
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 3f60d44. Configure here.
| "clvm-lib": "^1.0.1", | ||
| "prism-react-renderer": "^2.4.1", | ||
| "react": "^19.2.5", | ||
| "react": "^19.2.6", |
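Review bot: the changed `react` line moves the range to ^19.2.6, but this hunk carries no matching change for react-dom, so the two packages can resolve to different patch versions. Bump react-dom to ^19.2.6 in the same change so the pair stays in lockstep, and confirm the lockfile resolves both to 19.2.6.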
react and react-dom version mismatch
High Severity
react is bumped to ^19.2.6 but react-dom remains at ^19.2.5. The lockfile resolves them to 19.2.6 and 19.2.5 respectively. These packages should always be the same version; a mismatch can cause runtime errors. react-dom should be bumped to ^19.2.6 as well.
🤖 Cursor Dependency Analysis

Supply-Chain Malware Review
Reviewing the dependency update and upstream changes for supply-chain risk.

Supply-chain review (concise)
Upstream change (matches release notes)
Scanner vs manual judgment
Non-security note (optional follow-up)
Recommendation: Approve from a supply-chain perspective. Run your usual CI (

Compatibility Analysis
Analyzing React usage in the repo and upstream 19.2.6 changes for compatibility.

Compatibility & Adoption Analysis —
| Layer | Usage |
|---|---|
| Direct dependency | package.json — react@^19.2.6 (PR); react-dom still ^19.2.5 |
| App components | src/components/Runnable.tsx — hooks (useState, useEffect, useMemo), hydration guard; used heavily in MDX docs<br>src/components/Quiz.tsx — useReducer, useMemo (defined but not referenced in docs today)<br>src/utils/stringify.ts — Children, isValidElement, type utilities |
| MDX / Docusaurus | Docs import `<Runnable>` from @site/src/components/Runnable.tsx; Docusaurus 3.10 + @mdx-js/react provide the React runtime for all pages |
| Transitive | react-icons, react-simple-code-editor, prism-react-renderer, @docusaurus/*, @docsearch/react |
Standard client-side React SPA/SSR site — no `use server`, no App Router, no direct RSC imports.
2) Intersection with changed upstream APIs
What actually changed in 19.2.6: one functional commit — [FlightReply] type hardening and performance (#36425) — touching:
- packages/react-client/src/ReactFlightReplyClient.js
- packages/react-server/src/ReactFlightReplyServer.js
- New ReactFlightReplyBackingFormData.js
These are React Server Components Flight Reply internals (FormData serialization for server actions). Sibling packages (react-dom, react-server-dom-*, etc.) got version bumps only.
The react npm package itself has no source changes — only package.json version.
Overlap with this repo: none. Usage is limited to public client APIs (hooks, Children, JSX). Docusaurus does not ship or invoke RSC/Flight Reply code paths.
3) Risks / unknowns
| Risk | Severity | Notes |
|---|---|---|
| RSC/Flight Reply behavior change | Negligible | Not used by Docusaurus or this codebase |
| react / react-dom version skew | Low | Lock resolves react@19.2.6, react-dom@19.2.5. Peer dep ^19.2.5 is satisfied. React publishes these as a set; aligning react-dom to 19.2.6 is good hygiene but not blocking |
| Public API / hook breakage | Negligible | No public API changes in react package |
| Build/runtime | Low | Patch bump; verify with npm run build |
| Malware scan heuristic hits on upstream | None | False positives (.exec() on regex stack-frame parsing in Flight Reply client) |
4) Recommendation: merge
Safe to merge. This is a patch release whose only functional change is internal RSC Flight Reply plumbing that this Docusaurus docs site does not use. The react package artifact is effectively a version-only bump.
Optional follow-up (not a blocker): bump react-dom to ^19.2.6 in the same PR or a companion Dependabot PR to keep the React stack aligned.
Malware Scan Summary
- Status: warn
- Warn only mode: true
- Changed upstream files scanned: 20
- Resolution strategy: tag_range
- Changed node/vendor paths: 0
- Changed lockfiles: 0
- Resolved upstream range: 23f4f9f30da9e9af2108c18bb197bae75ab584ea..eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401
- Resolved refs: from=23f4f9f30da9e9af2108c18bb197bae75ab584ea to=eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401
- Unicode findings (post-allowlist): 0
- Confusable findings (post-allowlist): 0
- IOC findings (post-allowlist): 0
- Heuristic findings (post-allowlist): 3
Top findings
- packages/react-client/src/ReactFlightReplyClient.js:1390 shell_process_spawn :: `let parsed = v8FrameRegExp.exec(secondFrame);`
- packages/react-client/src/ReactFlightReplyClient.js:1392 shell_process_spawn :: `parsed = jscSpiderMonkeyFrameRegExp.exec(secondFrame);`
- scripts/error-codes/codes.json:461 obfuscation_indicator :: `"473": "React doesn't accept base64 encoded file uploads because we don't except form data passed from a browser to ever encode data that way. If that's the wrong assumption, we can easily fix it.",`


Bumps react from 19.2.5 to 19.2.6.
Release notes
Sourced from react's releases.
Commits
- eaf3e95 Version 19.2.6

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Low Risk
Low risk dependency-only update; behavior changes are limited to React internals and should surface primarily via build/runtime regressions if any.
Overview
Updates the React dependency from `19.2.5` to `19.2.6` in `package.json` and refreshes `package-lock.json` to the corresponding resolved artifact and integrity hash.

Reviewed by Cursor Bugbot for commit 3f60d44. Bugbot is set up for automated code reviews on this repo.
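
The react / react-dom skew discussed in this thread can be caught mechanically by inspecting the lockfile rather than the `package.json` ranges. The following is an added example, not part of the PR or of any bot's output; `resolvedVersions`, `checkAlignedSet` and the sample lockfile are constructed for illustration and assume an npm lockfile with a `packages` map (lockfileVersion 2 or 3).

```javascript
// Added example: flag packages that ship as a set but resolve to different versions.
// SAMPLE_LOCK is constructed; it mirrors the resolution described in this thread.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { react: "^19.2.6", "react-dom": "^19.2.5" } },
    "node_modules/react": { version: "19.2.6" },
    "node_modules/react-dom": { version: "19.2.5" },
    "node_modules/prism-react-renderer": { version: "2.4.1" },
  },
};

// Map package name -> set of every resolved version, nested copies included.
function resolvedVersions(lock) {
  const marker = "node_modules/";
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    // Skip the root entry, workspace folders and link entries (no version).
    if (idx === -1 || !meta || !meta.version) continue;
    const name = path.slice(idx + marker.length); // keeps "@scope/name" intact
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(meta.version);
  }
  return out;
}

// names: packages that must all resolve to one identical version.
function checkAlignedSet(lock, names) {
  const resolved = resolvedVersions(lock);
  const perPackage = {};
  const all = new Set();
  for (const name of names) {
    const versions = [...(resolved.get(name) || [])].sort();
    perPackage[name] = versions;
    versions.forEach((v) => all.add(v));
  }
  const missing = names.filter((n) => perPackage[n].length === 0);
  // Aligned only if every package is present and exactly one version exists
  // across the whole set (this also rejects duplicate nested copies).
  return { aligned: missing.length === 0 && all.size === 1, missing, perPackage };
}

const report = checkAlignedSet(SAMPLE_LOCK, ["react", "react-dom"]);
console.log(report.aligned ? "aligned" : "version skew", report.perPackage);
```

In CI, pass the parsed contents of `package-lock.json` instead of the sample and fail the job when `aligned` is false.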