
Bump react-dom from 19.2.5 to 19.2.6 #495

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/react-dom-19.2.6

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps react-dom from 19.2.5 to 19.2.6.

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency bump limited to react-dom (and corresponding lockfile updates); primary risk is minor runtime/rendering behavior changes from the upstream patch release.

Overview
Updates the frontend dependency react-dom from 19.2.5 to 19.2.6 in package.json.

Refreshes package-lock.json to the new react-dom tarball and peer range, and also pulls react to 19.2.6 in the lockfile to stay in sync.

Reviewed by Cursor Bugbot for commit acdf132. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 19.2.5 to 19.2.6.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom)

---
updated-dependencies:
- dependency-name: react-dom
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 20, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  react@19.2.5 ⏵ 19.2.6      100                    100            84       96           100
Updated  react-dom@19.2.5 ⏵ 19.2.6  100                    100            92       96           100

View full report

@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update and lockfile changes for supply-chain risk.
Verdict: benign

Summary: Patch bump from the official facebook/react monorepo (19.2.5 → 19.2.6), resolved to registry.npmjs.org with a normal sha512 integrity entry. No signs of compromise in this PR’s scope.

Checklist (high signal)

Category / Assessment

  • Classic obfuscation / exfil / spawn: No obfuscated payloads, unexpected network hosts, credential theft, or install-time scripts. Upstream packages/react-dom/package.json at eaf3e95 has no scripts field (no preinstall/postinstall).
  • Invisible Unicode / GlassWorm: Scanner: 0 unicode, confusable, and IOC findings.
  • Dependency integrity: Legitimate patch; tags resolve 23f4f9f..eaf3e95. Lock resolves react-dom@19.2.6 with unchanged single dependency (scheduler@^0.27.0). No new transitive packages. Package name/repo unchanged (facebook/react).
  • Dependabot context: Expected touchpoints only: package.json / package-lock.json. No .github/workflows/ changes. Malware scan: 0 changed lockfiles/node vendor paths in the published tarball sense; upstream scan covered 20 React monorepo source files (normal for a coordinated release).

Scanner vs interpretation

Malware scan status warn with 3 heuristic hits — all are false positives, not disagreement with a malicious verdict:

  1. shell_process_spawn on RegExp.exec(secondFrame) in ReactFlightReplyClient.js — substring match on .exec, not child_process / shell spawn.
  2. obfuscation_indicator on the word base64 inside a human-readable error string in scripts/error-codes/codes.json, not runtime decoding logic.
  3. Upstream code diff is consistent with release notes: RSC FormData prefix/marker handling and related server-client flight reply changes (~240 lines across known React packages), plus version bumps — not smuggled minified bundles or lifecycle malware.

Local PR note (non-security): package.json still lists react@^19.2.5 while the lockfile already has react@19.2.6 (peer of react-dom@19.2.6). Worth aligning in a follow-up for version parity, not a supply-chain red flag.

Action: Safe to merge from a supply-chain perspective after CI passes. Optional: bump react to ^19.2.6 in the same or a companion PR so declared and installed versions match.

Compatibility Analysis

Analyzing react-dom usage and compatibility for this patch bump.

Compatibility & adoption analysis — react-dom 19.2.5 → 19.2.6

1) Where it’s used

Layer / Usage

  • Direct: Declared in package.json / package-lock.json only. No import … from 'react-dom' in repo source.
  • App code: Imports from react only (Runnable.tsx, Quiz.tsx, stringify.ts).
  • Transitive: Pulled in by Docusaurus 3 (@docusaurus/core, preset-classic), @mdx-js/react, prism-react-renderer, react-simple-code-editor, react-icons, etc. Docusaurus owns client mount/SSR during docusaurus build.

This is a Docusaurus static docs site with custom MDX components — not a Next.js App Router / RSC app.

2) Intersection with changed APIs

Release notes call out React Server Components: Flight Reply “type hardening and performance improvements” (#36425).

Upstream diff (v19.2.5 → v19.2.6):

  • packages/react-dom / react-dom-bindings: version bump only (no runtime source changes in those packages).
  • Functional change: ReactFlightReplyClient.js, ReactFlightReplyServer.js, new ReactFlightReplyBackingFormData.js — internal RSC / Server Actions FormData reply handling (prefix marker change, backing FormData refactor).

Overlap with this repo: None meaningful. App code does not use RSC, "use server", or Flight reply APIs. Docusaurus does not exercise those paths in normal static-site usage.

3) Risks / unknowns

Risk / Severity

  • RSC / Server Actions behavior change: Negligible for this project
  • DOM / createRoot API changes: None in this patch
  • Peer dependency: react-dom@19.2.6 expects react@^19.2.6; package.json still declares "react": "^19.2.5": Low — lockfile already resolves react@19.2.6; fresh installs may peer-dep warn until react range is bumped
  • react / react-dom patch skew if only one is updated later: Low — keep them on the same patch

4) Recommendation

Merge (optionally merge-with-caveats if you want zero peer warnings: bump react to ^19.2.6 in the same PR or immediately after).

Smoke test: npm ci && npm run build (and npm start if you want a quick interactive check of Runnable / Quiz MDX widgets). No targeted regression surface beyond a normal Docusaurus build.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 20
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 23f4f9f30da9e9af2108c18bb197bae75ab584ea..eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401
  • Resolved refs: from=23f4f9f30da9e9af2108c18bb197bae75ab584ea to=eaf3e95ca92be7a23d3c9cc8ffd6f199a40be401
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 3

Top findings

  • packages/react-client/src/ReactFlightReplyClient.js:1390 shell_process_spawn :: let parsed = v8FrameRegExp.exec(secondFrame);
  • packages/react-client/src/ReactFlightReplyClient.js:1392 shell_process_spawn :: parsed = jscSpiderMonkeyFrameRegExp.exec(secondFrame);
  • scripts/error-codes/codes.json:461 obfuscation_indicator :: "473": "React doesn't accept base64 encoded file uploads because we don't except form data passed from a browser to ever encode data that way. If that's the wrong assumption, we can easily fix it.",
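The checks the supply-chain review above walks through by hand (tarball resolved from registry.npmjs.org, a well-formed sha512 integrity entry, no install-time scripts, locked version inside the declared range, and the react@^19.2.5 versus react@19.2.6 peer parity note) can be run mechanically against the two manifests. The script below is an added example; it is not part of this PR and not code from the Cursor or Socket tooling. It assumes the npm lockfileVersion 3 layout (`packages["node_modules/<name>"]` entries with `version`, `resolved`, `integrity`, `peerDependencies` and npm's `hasInstallScript` flag), supports only `^X.Y.Z` ranges, and uses constructed sample manifests with placeholder integrity strings rather than the real registry hashes.

```javascript
const REGISTRY = "https://registry.npmjs.org/";
// npm's SRI form: "sha512-" plus base64 of a 64-byte digest (86 chars + "==").
const SHA512_SRI = /^sha512-[A-Za-z0-9+/]{86}==$/;

// Constructed sample manifests mirroring the state the review describes:
// package.json still declares react@^19.2.5 while the lockfile resolved react@19.2.6,
// and react-dom@19.2.6 keeps scheduler@^0.27.0 as its only dependency.
// The integrity strings are format-only placeholders, not the real registry hashes.
const PLACEHOLDER_SRI = "sha512-" + "A".repeat(86) + "==";

const packageJson = {
  dependencies: { react: "^19.2.5", "react-dom": "^19.2.6" },
};

const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": {
      version: "19.2.6",
      resolved: REGISTRY + "react/-/react-19.2.6.tgz",
      integrity: PLACEHOLDER_SRI,
    },
    "node_modules/react-dom": {
      version: "19.2.6",
      resolved: REGISTRY + "react-dom/-/react-dom-19.2.6.tgz",
      integrity: PLACEHOLDER_SRI,
      dependencies: { scheduler: "^0.27.0" },
      peerDependencies: { react: "^19.2.6" },
    },
    "node_modules/scheduler": {
      version: "0.27.0",
      resolved: REGISTRY + "scheduler/-/scheduler-0.27.0.tgz",
      integrity: PLACEHOLDER_SRI,
    },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Floor of a caret range ("^19.2.5" -> "19.2.5"); null for any other syntax.
function caretFloor(range) {
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range);
  return m ? m[1] : null;
}

// Caret semantics: same major (and same minor when major is 0), not below the floor.
// Returns null when the range syntax is not the supported "^X.Y.Z" form.
function satisfiesCaret(range, version) {
  const floor = caretFloor(range);
  if (!floor || !parseVersion(version)) return null;
  const [fMaj, fMin] = parseVersion(floor);
  const [vMaj, vMin] = parseVersion(version);
  if (vMaj !== fMaj || (fMaj === 0 && vMin !== fMin)) return false;
  return compareVersions(version, floor) >= 0;
}

// Returns a list of {level, pkg, msg}; an empty list means every check passed.
function auditLock(pkg, lock) {
  const findings = [];
  const add = (level, name, msg) => findings.push({ level, pkg: name, msg });
  const declared = pkg.dependencies || {};
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) { add("error", name, "declared but absent from the lockfile"); continue; }
    if (!(entry.resolved || "").startsWith(`${REGISTRY}${name}/-/`))
      add("error", name, `resolved outside the public registry: ${entry.resolved}`);
    if (!SHA512_SRI.test(entry.integrity || ""))
      add("error", name, "integrity is not a well-formed sha512 SRI value");
    if (entry.hasInstallScript) add("warn", name, "package runs an install-time script");
    const ok = satisfiesCaret(range, entry.version);
    if (ok === null) add("warn", name, `range syntax not checked: ${range}`);
    else if (!ok) add("error", name, `locked ${entry.version} does not satisfy ${range}`);
    // Peer parity: the locked peer must satisfy the peer range, and package.json should
    // not declare a floor below what the peer range demands (the react@^19.2.5 case).
    for (const [peer, peerRange] of Object.entries(entry.peerDependencies || {})) {
      const peerEntry = lock.packages[`node_modules/${peer}`];
      if (!peerEntry) { add("error", name, `peer ${peer} is not in the lockfile`); continue; }
      if (satisfiesCaret(peerRange, peerEntry.version) === false)
        add("error", name, `peer ${peer}@${peerEntry.version} does not satisfy ${peerRange}`);
      const declaredFloor = caretFloor(declared[peer] || "");
      const peerFloor = caretFloor(peerRange);
      if (declaredFloor && peerFloor && compareVersions(declaredFloor, peerFloor) < 0)
        add("warn", peer, `package.json declares ${declared[peer]} but ${name} needs ${peerRange}`);
    }
  }
  return findings;
}

// Constructed counter-example: the same lockfile with react-dom pulled from an unexpected
// host and flagged as having an install script, the kind of change the review looks for.
function tamperedLock() {
  const copy = JSON.parse(JSON.stringify(packageLock));
  const rd = copy.packages["node_modules/react-dom"];
  rd.resolved = "https://mirror.example.invalid/react-dom-19.2.6.tgz";
  rd.hasInstallScript = true;
  return copy;
}
```

On the sample pair `auditLock` reports exactly one warning (react declared as ^19.2.5 while react-dom needs ^19.2.6), which is the parity note from the review; on the tampered copy it adds an error for the off-registry tarball and a warning for the install script. To run it on a real checkout, `JSON.parse` the two files and pass the objects to `auditLock`. The integrity check is format-only: whether the digest matches the tarball is something `npm ci` verifies on download, not something a lockfile diff can prove.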
