chore(deps): bump react-dom and @types/react-dom

[dependabot]

Bumps react-dom and @types/react-dom. These dependencies needed to be updated together.
Updates react-dom from 18.3.1 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

19.2.1 (December 3rd, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

... (truncated)

Changelog

Sourced from react-dom's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

... (truncated)

Commits

• 90ab3f8 Version 19.2.4
• 612e371 Version 19.2.3
• b910fc1 Version 19.2.2
• 053df4e Version 19.2.1
• 8618113 Bump scheduler version (#34671)
• 1bd1f01 Ship partial-prerendering APIs to Canary (#34633)
• 2f0649a [Fizz] Remove nonce option from resume-and-prerender APIs (#34664)
• 5667a41 Bump next prerelease version numbers (#34639)
• e08f53b Match react-dom/static test entrypoints and published entrypoints (#34599)
• 8bb7241 Bump useEffectEvent to Canary (#34610)
• Additional commits viewable in compare view

Updates @types/react-dom from 18.3.7 to 19.2.3

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review: React DOM Dependency Update

This Dependabot PR updates react-dom from v18.3.1 to v19.2.4 and @types/react-dom from v18.3.7 to v19.2.3. Here's my analysis:

✅ Positive Aspects

1. Security Updates: React 19.2.x includes important security hardening for React Server Components and Server Actions (CVE fixes in versions 19.2.1-19.2.4)
2. Type Safety: TypeScript types are updated consistently with the runtime dependency
3. Limited Scope: Changes are isolated to devDependencies in packages/inspector and examples/restaurant-finder
4. Dependency Consistency: The pnpm-lock.yaml correctly reflects the version resolution

⚠️ Potential Issues & Considerations

1. Version Mismatch: React vs React-DOM

Critical Issue: In packages/inspector/package.json:

• react: ^18.3.1 (v18)
• react-dom: ^19.2.4 (v19) ← MAJOR version mismatch

React and React-DOM should always be on the same major version. The lock file shows:

react-dom@19.2.4(react@18.3.1)

This creates a peer dependency warning situation. While React 19 is designed to be backward compatible with React 18 apps, mixing major versions is not recommended and could lead to:

• Runtime warnings/errors
• Unexpected behavior in concurrent features
• Type mismatches between React and ReactDOM APIs

Recommendation: Either:

• Option A (Preferred): Upgrade react to ^19.2.4 in packages/inspector
• Option B: Keep both at v18 until ready for full React 19 migration

2. Breaking Changes in React 19

React 19 includes several breaking changes that may affect the inspector package:

• Changes to useId format (now uses underscore instead of colon separators)
• Suspense boundary reveal batching changes
• New strict mode behaviors
• Updated hydration error handling

Test Coverage Required: The packages/inspector should be thoroughly tested with React 19, especially:

• packages/inspector/src/dashboard/react/main.tsx:14 - Uses createRoot and StrictMode
• Any components using Suspense, transitions, or deferred values
• Server-side rendering paths (if any)

3. PeerDependency Specification

The packages/inspector/package.json:76 correctly specifies:

"peerDependencies": {
  "react": "^18.0.0 || ^19.0.0"
}

This is good - it allows both React 18 and 19. However, the devDependency mismatch (React 18 + ReactDOM 19) means the package is being built/tested in an inconsistent state.

4. Restaurant Finder Example

The examples/restaurant-finder is fully on React 19:

• react: ^19.2.4
• react-dom: ^19.2.4
• @types/react: ^19.2.9
• @types/react-dom: ^19.2.3

This is consistent and correct ✅

🔍 Security Review

• ✅ No injection vectors introduced
• ✅ Updates include DOS mitigation patches (19.2.1-19.2.4)
• ✅ No new external dependencies

📊 Performance Considerations

React 19.2 includes:

• Suspense boundary reveal batching optimizations
• Performance tracking improvements
• Scheduler updates (v0.23.2 → v0.27.0)

These should improve performance, but benchmarking recommended for the inspector dashboard.

🧪 Test Coverage

• ⚠️ Action Required: Repository policy mandates running pnpm build && pnpm test && pnpm lint && pnpm typecheck (per AGENTS.md:53)
• The CI checks show test-and-lint is pending - this must pass before merge
• Recommend adding specific test cases for React 19 compatibility if upgrading React to v19

📝 Recommendations

Before merging this PR:

1. Fix version mismatch in packages/inspector/package.json:

   "devDependencies": {
     "react": "^19.2.4",           // ← Upgrade to match react-dom
     "react-dom": "^19.2.4",
     "@types/react": "^19.2.9",   // ← Also needs upgrade
     "@types/react-dom": "^19.2.3"
   }

2. Run full test suite: Ensure all tests pass with React 19

3. Manual testing: Test the inspector dashboard UI thoroughly

4. Update MEMORY.md (if issues found): Document any React 19 migration gotchas

📚 Additional Context

Per AGENTS.md:

• Repo uses strict TypeScript (no any, etc.)
• 50% coverage thresholds enforced
• All changes must pass build + test + lint + typecheck

Verdict: ⚠️ Needs fixes before merge - The React version mismatch in packages/inspector must be resolved. Once fixed, this is a valuable security and feature update.

[claude]

PR Review: Dependency Updates - React DOM v19.2.4

Summary

This Dependabot PR updates react-dom from 18.3.1 to 19.2.4 and @types/react-dom from 18.3.7 to 19.2.3 in the packages/inspector package, and updates @types/react-dom to 19.2.3 in the examples/restaurant-finder package.

Code Quality ✅

Positive aspects:

• Clean dependency version bumps with no code changes required
• Follows semantic versioning principles
• Automated by Dependabot, ensuring consistent updates

Potential Issues ⚠️

1. Version Mismatch: React vs React-DOM

The packages/inspector/package.json now has a concerning mismatch:

• react: ^18.3.1 (React 18)
• react-dom: ^19.2.4 (React 19)
• @types/react: ^18.2.0 (React 18 types)
• @types/react-dom: ^19.2.3 (React 19 types)

Issue: React and React-DOM should always be on the same major version. Using React 18 with React-DOM 19 creates a version mismatch that may lead to:

• Runtime errors and unexpected behavior
• Type mismatches between packages
• Incompatibilities with React 19-specific features in react-dom
• Potential breaking changes in how the virtual DOM reconciliation works

Location: packages/inspector/package.json:67-71

2. Inconsistent Type Definitions

The @types/react-dom@19.2.3 expects React 19 types, but @types/react@18.2.0 provides React 18 types. This creates TypeScript compilation issues.

Evidence from the diff: The peer dependency for @types/react-dom@19.2.3 requires compatible React types, but the inspector package still uses React 18 types.

Performance Considerations ✅

React 19.2.4 includes:

• Improved Server Components performance
• Better suspense boundary batching
• DoS mitigations for Server Actions

These are all positive improvements with no performance regressions expected.

Security Concerns ✅

Positive security updates:

• React 19.2.1-19.2.4 include multiple security patches for React Server Components
• Addresses DoS vulnerabilities (#35632, #35351)
• Patches Promise cycles and toString vulnerabilities in Server Functions (#35289, #35345)

The security updates are critical and should be applied, but the version alignment issue must be fixed first.

Test Coverage ⚠️

Recommendation: This PR should include:

1. Verification that all existing tests pass with the new versions
2. Manual smoke testing of the inspector dashboard
3. Type-checking to ensure no TypeScript errors from the version mismatch

The repository policy (from AGENTS.md) requires running:

pnpm build && pnpm test && pnpm lint && pnpm typecheck

Recommended Actions 🔧

Option 1: Upgrade React to v19 in inspector package (Recommended)

Update packages/inspector/package.json:

"devDependencies": {
  "@types/react": "^19.2.9",
  "@types/react-dom": "^19.2.3",
  "react": "^19.2.4",
  "react-dom": "^19.2.4"
}

This aligns with the existing pattern in other packages (ui-react, ui-react-builder) and examples.

Option 2: Keep React v18 consistently

If React 18 compatibility is required, downgrade:

"devDependencies": {
  "@types/react": "^18.2.0",
  "@types/react-dom": "^18.3.7",
  "react": "^18.3.1",
  "react-dom": "^18.3.1"
}

However, this loses the security fixes in React-DOM 19.

Conclusion

Status: ❌ Changes Requested

While the security updates in React-DOM 19.2.4 are valuable, this PR introduces a version mismatch between React and React-DOM in the inspector package. This must be resolved before merging.

Recommendation:

1. Update to React 19 consistently across both packages (Option 1 above)
2. Run the full test suite to verify compatibility
3. Ensure TypeScript compilation succeeds
4. Consider testing the inspector dashboard manually to verify UI functionality

The peer dependencies already allow React 19 (^18.0.0 || ^19.0.0), so upgrading to React 19 is a natural progression for this package.

---

Review Checklist:

• ✅ Security updates are beneficial
• ⚠️ Version mismatch needs resolution
• ⚠️ Tests should be run before merge
• ✅ No code changes required (once versions aligned)
• ✅ Follows repository conventions