Skip to content

build(deps): Bump react-dom and @types/react-dom #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 24, 2025
Merged

build(deps): Bump react-dom and @types/react-dom #124

merged 1 commit into from
Oct 24, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 20, 2025

Bumps react-dom and @types/react-dom. These dependencies needed to be updated together.
Updates react-dom from 19.1.1 to 19.2.0

Release notes

Sourced from react-dom's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Changelog

Sourced from react-dom's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

React DOM

... (truncated)

Commits

Updates @types/react-dom from 19.1.7 to 19.2.2

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): Bump react-dom and @types/react-dom
15eb3da 
Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) and [@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom). These dependencies needed to be updated together.

Updates `react-dom` from 19.1.1 to 19.2.0
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.0/packages/react-dom)

Updates `@types/react-dom` from 19.1.7 to 19.2.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom)

---
updated-dependencies:
- dependency-name: react-dom
  dependency-version: 19.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: "@types/react-dom"
  dependency-version: 19.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Oct 20, 2025
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Oct 20, 2025

Deploying blinklabs-vpn with  Cloudflare Pages  Cloudflare Pages

Latest commit: 15eb3da
Status: ✅  Deploy successful!
Preview URL: https://c4c98525.blinklabs-vpn.pages.dev
Branch Preview URL: https://dependabot-npm-and-yarn-mult-cmto.blinklabs-vpn.pages.dev

View logs

@fossabot
Copy link

fossabot bot commented Oct 20, 2025
edited
Loading

fossabot is Thinking

@fossabot
Copy link

fossabot bot commented Oct 20, 2025
edited
Loading

Needs Review

I recommend reviewing this upgrade before merging because React 19 introduces breaking changes that require Node.js 18 or newer, and the project currently lacks an explicit Node.js engine specification in package.json. While the codebase already uses modern React APIs (createRoot) and doesn't use deprecated patterns like propTypes or defaultProps, the Node.js version requirement is critical infrastructure change that needs verification. Additionally, the upgrade includes fixes for useDeferredValue, form submission crashes, and Hot Reload issues, but also comes with a medium severity security vulnerability (CVE-2018-6341) that was fixed in version 16.4.2 and should already be resolved in this version. The project should add an engines field to package.json specifying Node.js >= 18 to prevent deployment issues.

What we checked

  • React dependency being upgraded to ^19.1.0, which requires Node.js 18 or newer [1]
  • react-dom dependency being upgraded to ^19.2.0, introducing breaking changes [2]
  • Missing 'engines' field to specify Node.js version requirement - project needs to declare Node.js >= 18 compatibility [3]
  • Application already uses modern createRoot API from react-dom/client, which is compatible with React 19 [4]
  • Build configuration includes react-dom in vendor chunk, confirming it's a critical dependency [5]
  • Breaking change: React 19.2.0 requires Node.js 18 or newer - deployment environments must be verified [6]
  • Official React 19 upgrade guide detailing breaking changes including propTypes removal and defaultProps deprecation - codebase does not use these deprecated patterns [7]
  • Version 19.2.0 includes bug fixes for useDeferredValue, form submission crashes, and Hot Reload stack overflow issues [8]

Dependency Usage

react-dom serves as the critical bridge between React components and the browser DOM across this VPN frontend application. The library is used in the main application entry point to bootstrap the entire React application using the modern concurrent rendering API, and is also integrated into the test infrastructure via @​testing-library/react for component testing. Additionally, the build configuration explicitly separates react-dom into a dedicated vendor chunk for optimized bundle splitting and caching, indicating it's recognized as a foundational dependency throughout the application's architecture.

This code is initializing a React application by creating a root ReactDOM node where the entire application will be mounted and rendered into the DOM.

Other Usages (1)

These usages were analyzed but no breaking changes were detected:

react-dom

Changes

react-dom upgraded with two breaking changes: Node.js 18+ is now required, and flat config becomes the default recommended preset (legacy config moved to recommended-legacy). The update includes 10 new features (notably the <Activity> API for UI/state management and cacheSignal for RSCs), 8 bug fixes addressing issues with useDeferredValue, form submissions, and nested Suspense, plus new ESLint rule violations for use in try/catch blocks and useEffectEvent in closures.

View 44 more changes
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event. (vv19.2.0, release notes)
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over. (vv19.2.0, release notes)
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools (vv19.2.0, release notes)
  • Added resume APIs for partial pre-rendering with Web Streams: (vv19.2.0, release notes)
  • resume: to resume a prerender to a stream. (vv19.2.0, release notes)
  • resumeAndPrerender: to resume a prerender to HTML. (vv19.2.0, release notes)
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs. (vv19.2.0, release notes)
  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics. (vv19.2.0, release notes)
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js (vv19.2.0, release notes)
  • Use underscore instead of : IDs generated by useId (vv19.2.0, release notes)
  • <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others) (vv19.2.0, release notes)
  • Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507) (vv19.2.0, release notes)
  • Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198) (vv19.2.0, release notes)
  • Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (vv19.2.0, release notes)
  • Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (vv19.2.0, release notes)
  • Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (vv19.2.0, release notes)
  • Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900) (vv19.2.0, release notes)
  • Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145) (vv19.2.0, release notes)
  • Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723) (vv19.2.0, release notes)
  • Add cacheSignal (@​sebmarkbage #33557) (vv19.2.0, release notes)
  • Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342) (vv19.2.0, release notes)
  • Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, [Fizz] Block on Suspensey Fonts during reveal facebook/react#33342#33099, #33422) (vv19.2.0, release notes)
  • Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264) (vv19.2.0, release notes)
  • Allow nonce to be used on hoistable styles (@​Andarist #32461) (vv19.2.0, release notes)
  • Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774) (vv19.2.0, release notes)
  • s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #32763) (vv19.2.0, release notes)
  • Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (vv19.2.0, release notes)
  • Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #33027) (vv19.2.0, release notes)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (vv19.2.0, release notes)
  • Avoid hanging when suspending after aborting while rendering (@​gnoff #34192) (vv19.2.0, release notes)
  • Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #33475) (vv19.2.0, release notes)
  • Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #34604) (vv19.2.0, release notes)
  • Log error if production elements are rendered during development (@​eps1lon #34189) (vv19.2.0, release notes)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (vv19.2.0, release notes)
  • Pass line/column to filterStackFrame (@​eps1lon #33707) (vv19.2.0, release notes)
  • Support Async Modules in Turbopack Server References (@​lubieowoce #34531) (vv19.2.0, release notes)
  • Add support for .mjs file extension in Webpack (@​jennyscript #33028) (vv19.2.0, release notes)
  • Fix a wrong missing key warning (@​unstubbable #34350) (vv19.2.0, release notes)
  • Make console log resolve in predictable order (@​sebmarkbage #33665) (vv19.2.0, release notes)
  • createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs (vv19.2.0, release notes)
  • New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040) (vv19.2.0, release notes)
  • New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544) (vv19.2.0, release notes)
  • Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076) (vv19.2.0, release notes)
  • Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497 (vv19.2.0, release notes)
References (8)

[1]: React dependency being upgraded to ^19.1.0, which requires Node.js 18 or newer

vpn-frontend/package.json

Line 22 in 15eb3da

"react": "^19.1.0",

[2]: react-dom dependency being upgraded to ^19.2.0, introducing breaking changes

vpn-frontend/package.json

Line 23 in 15eb3da

"react-dom": "^19.2.0",

[3]: Missing 'engines' field to specify Node.js version requirement - project needs to declare Node.js >= 18 compatibility
https://github.com/blinklabs-io/vpn-frontend/blob/15eb3daa1d039adadd7522e44618e461650f7755/package.json

[4]: Application already uses modern createRoot API from react-dom/client, which is compatible with React 19

vpn-frontend/src/main.tsx

Line 2 in 15eb3da

import { createRoot } from 'react-dom/client'

[5]: Build configuration includes react-dom in vendor chunk, confirming it's a critical dependency

vpn-frontend/vite.config.ts

Line 35 in 15eb3da

vendor: ['react', 'react-dom'],

[6]: Breaking change: React 19.2.0 requires Node.js 18 or newer - deployment environments must be verified (source link)

[7]: Official React 19 upgrade guide detailing breaking changes including propTypes removal and defaultProps deprecation - codebase does not use these deprecated patterns (source link)

[8]: Version 19.2.0 includes bug fixes for useDeferredValue, form submission crashes, and Hot Reload stack overflow issues (source link)

fossabot analyzed this PR using static analysis and dependency research.

@wolf31o2 wolf31o2 merged commit fd3d62e into main Oct 24, 2025
3 checks passed
@wolf31o2 wolf31o2 deleted the dependabot/npm_and_yarn/multi-82db6e5206 branch October 24, 2025 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wolf31o2 wolf31o2 wolf31o2 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wolf31o2