Skip to content

chore(deps-dev): bump react, react-dom and @types/react#253

Merged
egdev6 merged 4 commits into
mainfrom
dependabot/npm_and_yarn/multi-25ad053142
Jun 2, 2026
Merged

chore(deps-dev): bump react, react-dom and @types/react#253
egdev6 merged 4 commits into
mainfrom
dependabot/npm_and_yarn/multi-25ad053142

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Bumps react, react-dom and @types/react. These dependencies needed to be updated together.
Updates react from 18.3.1 to 19.2.7

Release notes

Sourced from react's releases.

19.2.7 (June 1st, 2026)

React Server Components

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

19.2.4 (January 26th, 2026)

React Server Components

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

19.2.1 (December 3rd, 2025)

React Server Components

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

... (truncated)

Changelog

Sourced from react's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.


Updates react-dom from 18.3.1 to 19.2.7

Release notes

Sourced from react-dom's releases.

19.2.7 (June 1st, 2026)

React Server Components

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

19.2.4 (January 26th, 2026)

React Server Components

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

19.2.1 (December 3rd, 2025)

React Server Components

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

... (truncated)

Changelog

Sourced from react-dom's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.


Updates @types/react from 18.3.18 to 19.2.16

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps-dev): bump react, react-dom and @types/react
75afc26 
Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react), [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) and [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react). These dependencies needed to be updated together.

Updates `react` from 18.3.1 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `react-dom` from 18.3.1 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `@types/react` from 18.3.18 to 19.2.16
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

---
updated-dependencies:
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/react"
  dependency-version: 19.2.16
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 2, 2026
@dependabot dependabot Bot requested a review from egdev6 as a code owner June 2, 2026 04:06
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 2, 2026
egdev6
egdev6 requested changes Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@egdev6 egdev6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gracias por el update. El scope está limpio y las validaciones principales pasan, pero no lo podemos mergear todavía.

Hay un bloqueo de compatibilidad en los typings: el PR sube react y react-dom a 19.2.7, y @types/react a 19.2.16, pero deja @types/react-dom en 18.3.5. Para un salto major a React 19, ese paquete también debería moverse a la línea 19.x y regenerar el lockfile.

Además, sigue fallando Security / Dependency audit por vitest <4.1.0 (GHSA-5xrq-8626-4rwp). Ese bloqueo parece repo-wide, no específico de este PR, pero mientras branch protection exija ese check en verde no deberíamos mergear.

Pedido de cambio:

  1. Actualizar @types/react-dom a 19.x, por ejemplo 19.2.3, y regenerar pnpm-lock.yaml.
  2. Rerun CI.
  3. Aportar evidencia de pnpm build o tsc --project tsconfig.build.json, porque este es un upgrade major de React/types y queremos cubrir la generación de declarations.
  4. Resolver o dejar explícitamente aceptado el bloqueo existente de audit por vitest, según la política del repo.

@egdev6 egdev6 requested a review from Copilot June 2, 2026 06:43
Copilot AI reviewed Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the design system’s development React stack to React 19, aligning react, react-dom, and @types/react versions in package.json and refreshing the lockfile accordingly.

Changes:

  • Bump react and react-dom from 18.3.1 to 19.2.7
  • Bump @types/react from 18.3.18 to 19.2.16
  • Regenerate pnpm-lock.yaml to reflect the new dependency graph

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
package.json Updates devDependency versions for react, react-dom, and @types/react.
pnpm-lock.yaml Updates locked React-related packages and transitive dependencies to match the new versions.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json
egdev6
egdev6 approved these changes Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@egdev6 egdev6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cambios verificados en dfb322b.

  • @types/react-dom quedó alineado en 19.2.3 con React 19.
  • vitest y @vitest/coverage-v8 subieron a 4.1.8, resolviendo el bloqueo high/critical del audit repo-wide.
  • Se agregaron ajustes mínimos de tipos para React 19: refs nullable, narrowing de child.props y timeout ref en Select.

Validación local:

  • pnpm audit --audit-level high con pnpm 10.34.1: sin high/critical, quedan solo moderates.
  • pnpm test: 30 files / 538 tests passing con Vitest 4.1.8.
  • pnpm run build: Vite build + tsc --project tsconfig.build.json passing.

CI también quedó verde en audit, tests Ubuntu/Windows, Storybook, a11y y secrets scan.

@egdev6
Copy link
Copy Markdown
Member

egdev6 commented Jun 2, 2026

Sumé los dos hardening que pediste:

  • pnpm queda fijado en packageManager: pnpm@10.34.1 y los workflows usan esa misma versión exacta.
  • verify:package ahora empaqueta el dist real y crea consumidores temporales con React 18 y React 19. Ambos hacen typecheck y smoke de ESM/CJS/styles.

Además el check descubrió un problema real del paquete generado: las declarations salían con imports de aliases internos y con el CSS side-effect import. Agregué scripts/prepare-dist.mjs para limpiar esas declarations post-build, así el paquete publicado se puede consumir correctamente.

Validado localmente con pnpm 10.34.1:

  • pnpm install --frozen-lockfile
  • pnpm audit --audit-level high sin high/critical
  • pnpm test 30 files / 538 tests passing
  • pnpm run verify:package pasando con consumidores React 18 y React 19

@egdev6 egdev6 merged commit 4152eb6 into main Jun 2, 2026
10 checks passed
@egdev6 egdev6 deleted the dependabot/npm_and_yarn/multi-25ad053142 branch June 2, 2026 08:13
@egdev6 egdev6 mentioned this pull request Jun 2, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@egdev6 egdev6 egdev6 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@egdev6