Skip to content

build(deps): Bump react and @types/react #120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

build(deps): Bump react and @types/react #120

wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 20, 2025
edited
Loading

Bumps react and @types/react. These dependencies needed to be updated together.
Updates react from 19.1.1 to 19.2.0

Release notes

Sourced from react's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Changelog

Sourced from react's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Commits

Updates @types/react from 19.1.13 to 19.2.2

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Oct 20, 2025
@fossabot
Copy link

fossabot bot commented Oct 20, 2025
edited
Loading

fossabot is Thinking

@fossabot
Copy link

fossabot bot commented Oct 20, 2025
edited
Loading

Needs Review

I recommend reviewing this upgrade before merging because the upgrade introduces two breaking changes requiring Node.js 18 or newer and changes to ESLint configuration defaults. However, the codebase is already using modern React patterns including createRoot, functional components with hooks, and has no deprecated API usage. The project currently has no Node.js version constraints in package.json, which means the Node.js 18+ requirement needs to be enforced. All malicious package warnings in the security alerts refer to typosquatting packages with different names (types-node, @​typescript_eslinter/eslint, vite-plugin-react-extend) that are not present in this project's dependencies. The actual packages used (react, @​types/react) are legitimate and the upgrade includes 10 new features and 8 bug fixes.

What we checked

  • React upgraded to 19.2.0 which requires Node.js 18+, but package.json has no engines field to enforce this requirement [1]
  • @​types/react upgraded to 19.2.2 (legitimate package, not the malicious 'types-node' typosquatting variant mentioned in security alerts) [2]
  • Code already uses modern createRoot API from react-dom/client, compatible with React 19 [3]
  • Components use modern React hooks (useState, useRef, useEffect) which are fully compatible with React 19 [4]
  • Official React 19 upgrade guide documents breaking changes including Node.js 18+ requirement and removal of deprecated APIs [5]
  • React 19.2 introduces new Activity component, useEffectEvent hook, and changes useId prefix from :r: to r [6]

Dependency Usage

React is the core UI framework powering this VPN frontend application, used extensively across all user-facing components including wallet integration, account management, VPN instance selection, navigation, and notifications, with hooks like useState, useEffect, and useRef enabling interactive features throughout the entire application. The framework supports critical business functionality such as wallet connectivity for blockchain authentication, real-time VPN instance polling and monitoring, and user account management, following a modern React hooks-based architecture distributed across pages, reusable UI components, custom API hooks, and routing infrastructure. TypeScript type definitions from @​types/react provide type safety across the React codebase, though direct imports are handled implicitly through the TypeScript compilation process rather than explicit import statements.

This code imports StrictMode from React to wrap the application and enable development-only checks that help identify potential problems in the React component tree.

This code is defining a React functional component that displays customizable toast notifications with different message types (success, error, or info).

View 10 more usages

This code imports the useEffect hook from React to enable side effects (like responding to URL changes detected by useLocation) in the Navigation component.

This code is setting up a React component that imports hooks (useState, useEffect) and types (ReactNode) from React to build an interactive tooltip guide system with styled tooltips.

This code is importing and preparing to use React's state management (useState), ref handling (useRef), and side effect management (useEffect) hooks to build a wallet connection component with navigation capabilities.

This code is setting up a React component that manages wallet state and client data by combining multiple hooks for state management, side effects, and performance optimization through memoization.

  • react:

    vpn-frontend/src/pages/DocsFaqs.tsx

    Line 2 in a8d3c6d

    import { useState } from "react";
    - This code is creating a collapsible FAQ component that uses React's useState hook to manage which FAQ items are currently expanded or collapsed.
  • react:

    vpn-frontend/src/pages/HowItWorks.tsx

    Line 2 in a8d3c6d

    import { useState, useEffect, useRef } from 'react'
    - This code is setting up a React component that manages UI state for a "How It Works" page, tracking which section is active and whether the device is mobile using the useState hook.
  • react:

    vpn-frontend/src/test/utils.tsx

    Line 1 in a8d3c6d

    import type { ReactElement } from 'react'
    - # One Sentence Description

This code is setting up a test utilities file that imports React's ReactElement type and testing library components to create a custom render function for testing React components with React Query integration.

  • react:

    vpn-frontend/src/api/hooks/useClientPolling.ts

    Line 1 in a8d3c6d

    import { useState, useEffect, useRef, useCallback } from 'react'
    - This code is setting up a custom React hook that uses state, effects, refs, and callbacks to implement polling functionality for checking client availability and updating query cache data.
Other Usages (12)

These usages were analyzed but no breaking changes were detected:

react

Changes

React updated with two breaking changes: Node.js 18+ is now required, and the default ESLint config changed to flat config format (legacy config moved to recommended-legacy). The update includes 8 bug fixes addressing useDeferredValue infinite loops, Server Component crashes, and Suspense rendering issues, plus 10 new features including the <Activity> component for UI/state management, useEffectEvent hook for non-reactive Effect logic, and Node.js Web Streams support in server-side rendering APIs.

View 44 more changes
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event. (vv19.2.0, release notes)
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over. (vv19.2.0, release notes)
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools (vv19.2.0, release notes)
  • Added resume APIs for partial pre-rendering with Web Streams: (vv19.2.0, release notes)
  • resume: to resume a prerender to a stream. (vv19.2.0, release notes)
  • resumeAndPrerender: to resume a prerender to HTML. (vv19.2.0, release notes)
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs. (vv19.2.0, release notes)
  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics. (vv19.2.0, release notes)
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js (vv19.2.0, release notes)
  • Use underscore instead of : IDs generated by useId (vv19.2.0, release notes)
  • <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others) (vv19.2.0, release notes)
  • Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507) (vv19.2.0, release notes)
  • Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198) (vv19.2.0, release notes)
  • Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (vv19.2.0, release notes)
  • Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (vv19.2.0, release notes)
  • Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (vv19.2.0, release notes)
  • Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900) (vv19.2.0, release notes)
  • Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145) (vv19.2.0, release notes)
  • Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723) (vv19.2.0, release notes)
  • Add cacheSignal (@​sebmarkbage #33557) (vv19.2.0, release notes)
  • Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342) (vv19.2.0, release notes)
  • Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, [Fizz] Block on Suspensey Fonts during reveal facebook/react#33342#33099, #33422) (vv19.2.0, release notes)
  • Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264) (vv19.2.0, release notes)
  • Allow nonce to be used on hoistable styles (@​Andarist #32461) (vv19.2.0, release notes)
  • Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774) (vv19.2.0, release notes)
  • s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #32763) (vv19.2.0, release notes)
  • Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (vv19.2.0, release notes)
  • Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #33027) (vv19.2.0, release notes)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (vv19.2.0, release notes)
  • Avoid hanging when suspending after aborting while rendering (@​gnoff #34192) (vv19.2.0, release notes)
  • Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #33475) (vv19.2.0, release notes)
  • Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #34604) (vv19.2.0, release notes)
  • Log error if production elements are rendered during development (@​eps1lon #34189) (vv19.2.0, release notes)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (vv19.2.0, release notes)
  • Pass line/column to filterStackFrame (@​eps1lon #33707) (vv19.2.0, release notes)
  • Support Async Modules in Turbopack Server References (@​lubieowoce #34531) (vv19.2.0, release notes)
  • Add support for .mjs file extension in Webpack (@​jennyscript #33028) (vv19.2.0, release notes)
  • Fix a wrong missing key warning (@​unstubbable #34350) (vv19.2.0, release notes)
  • Make console log resolve in predictable order (@​sebmarkbage #33665) (vv19.2.0, release notes)
  • createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs (vv19.2.0, release notes)
  • New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040) (vv19.2.0, release notes)
  • New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544) (vv19.2.0, release notes)
  • Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076) (vv19.2.0, release notes)
  • Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497 (vv19.2.0, release notes)
References (6)

[1]: React upgraded to 19.2.0 which requires Node.js 18+, but package.json has no engines field to enforce this requirement

vpn-frontend/package.json

Line 22 in a8d3c6d

"react": "^19.2.0",

[2]: @​types/react upgraded to 19.2.2 (legitimate package, not the malicious 'types-node' typosquatting variant mentioned in security alerts)

vpn-frontend/package.json

Line 37 in a8d3c6d

"@types/react": "^19.2.2",

[3]: Code already uses modern createRoot API from react-dom/client, compatible with React 19

vpn-frontend/src/main.tsx

Line 2 in a8d3c6d

import { createRoot } from 'react-dom/client'

[4]: Components use modern React hooks (useState, useRef, useEffect) which are fully compatible with React 19

vpn-frontend/src/components/WalletConnection.tsx

Line 5 in a8d3c6d

import { useState, useRef, useEffect } from 'react'

[5]: Official React 19 upgrade guide documents breaking changes including Node.js 18+ requirement and removal of deprecated APIs (source link)

[6]: React 19.2 introduces new Activity component, useEffectEvent hook, and changes useId prefix from :r: to r (source link)

fossabot analyzed this PR using static analysis and dependency research.

@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Oct 20, 2025
edited
Loading

Deploying blinklabs-vpn with  Cloudflare Pages  Cloudflare Pages

Latest commit: c0e03e1
Status: ✅  Deploy successful!
Preview URL: https://b5b21acc.blinklabs-vpn.pages.dev
Branch Preview URL: https://dependabot-npm-and-yarn-mult-jpyj.blinklabs-vpn.pages.dev

View logs

@dependabot
build(deps): Bump react and @types/react
c0e03e1 
Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) and [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react). These dependencies needed to be updated together.

Updates `react` from 19.1.1 to 19.2.0
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.0/packages/react)

Updates `@types/react` from 19.1.13 to 19.2.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

---
updated-dependencies:
- dependency-name: react
  dependency-version: 19.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: "@types/react"
  dependency-version: 19.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-c808d207fc branch from a8d3c6d to c0e03e1 Compare October 23, 2025 03:02
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Oct 24, 2025

Looks like these dependencies are up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Oct 24, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/multi-c808d207fc branch October 24, 2025 19:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant