fix(deps): update react monorepo #12474

Closed
renovate[bot] wants to merge 1 commit into master from renovate/react-monorepo

renovate Bot commented Mar 2, 2026

This PR contains the following updates:

| Package | Change |
| --- | --- |
| @types/react (source) | 17.0.52 → 17.0.91 |
| @types/react-dom (source) | 17.0.17 → 17.0.26 |
| eslint-plugin-react-hooks (source) | 4.6.0 → 4.6.2 |
| react-refresh (source) | ^0.14.0 → ^0.18.0 |

Release Notes

facebook/react (eslint-plugin-react-hooks)

v4.6.2

Compare Source

v4.6.1

Compare Source

facebook/react (react-refresh)

v0.18.0

Compare Source

v0.17.0

Compare Source

v0.16.0

Compare Source

v0.14.2

Compare Source

React DOM
  • Fixed bug with development build preventing events from firing in some versions of Internet Explorer & Edge
  • Fixed bug with development build when using es5-sham in older versions of Internet Explorer
  • Added support for integrity attribute
  • Fixed bug resulting in children prop being coerced to a string for custom elements, which was not the desired behavior
  • Moved react from dependencies to peerDependencies to match expectations and align with react-addons-* packages

v0.14.1

Compare Source

React

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


EntelligenceAI PR Summary

This PR upgrades the react-refresh dependency in the CLI package to improve React Fast Refresh functionality during development.

  • Bumped react-refresh from ^0.14.0 to ^0.18.0 in packages/cli/package.json
  • Minor version upgrade maintains compatibility with patch and minor releases in the 0.x range
  • Update includes potential bug fixes, performance improvements, and new features for development hot reloading

Confidence Score: 5/5 - Safe to Merge

  • No review comments were generated, indicating the code meets quality standards
  • All changed files (1/1) were reviewed with full coverage
  • No critical, significant, high-risk, medium, or low severity issues detected
  • No existing unresolved comments that would block merging

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate Bot added the dependencies label (Pull requests that update a dependency file) Mar 2, 2026

codesandbox Bot commented Mar 2, 2026

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview


snyk-io Bot commented Mar 2, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@entelligence-ai-pr-reviews

Walkthrough

This pull request updates the react-refresh dependency in the CLI package from version ^0.14.0 to ^0.18.0. This represents a minor version upgrade within the 0.x release range. The react-refresh library provides Fast Refresh functionality for React applications during development, enabling hot module replacement without losing component state. This version bump likely incorporates bug fixes, performance enhancements, and potentially new features that have been released between versions 0.14.0 and 0.18.0. The caret (^) prefix ensures compatibility with future patch and minor releases.

Changes

| File(s) | Summary |
| --- | --- |
| packages/cli/package.json | Updated react-refresh dependency from version ^0.14.0 to ^0.18.0 |

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Dev as Developer
    participant CLI as @redwoodjs/cli
    participant RR as react-refresh

    Note over Dev,RR: Dependency Version Update (0.14.0 → 0.18.0)
    
    Dev->>CLI: npm install / yarn install
    CLI->>RR: Install react-refresh@^0.18.0
    RR-->>CLI: Package installed
    
    Note over CLI,RR: Fast Refresh capability available<br/>for development hot reloading
    
    Dev->>CLI: Start development server
    CLI->>RR: Initialize Fast Refresh runtime
    RR-->>CLI: Ready for hot module replacement

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
| --- | --- | --- |
| Warn | High | License policy violation: npm typescript under W3C-20150513 |

License: W3C-20150513 - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt)

License: CC-BY-4.0 - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt)

License: LicenseRef-W3C-Community-Final-Specification-Agreement - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt)

License: MIT-Khronos-old - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt)

From: ? → npm/@microsoft/api-extractor@7.33.7 → npm/typescript@4.8.4

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@4.8.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report


augmentcode Bot commented Mar 2, 2026

🤖 Augment PR Summary

Summary: Updates the Backstage CLI’s React tooling dependency used for Fast Refresh.

Changes: Bumps react-refresh in packages/cli/package.json from ^0.14.0 to ^0.18.0 as part of keeping the React monorepo-related deps current.

🤖 Was this summary useful? React with 👍 or 👎

augmentcode Bot left a comment

Review completed. 1 suggestions posted.

Fix All in Augment

Comment augment review to trigger a new review at any time.

Comment thread packages/cli/package.json
"process": "^0.11.10",
"react-dev-utils": "^12.0.0-next.60",
"react-refresh": "^0.14.0",
"react-refresh": "^0.18.0",
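
Review bot: The "react-refresh" range moves from "^0.14.0" to "^0.18.0", and for a 0.x version a caret range only admits patch releases (here >=0.18.0 <0.19.0), so this bump crosses four minor lines that semver allows to be breaking rather than staying inside a compatible range. Confirm that the Fast Refresh integration in packages/cli, including the neighbouring "react-dev-utils": "^12.0.0-next.60" entry, works with 0.18 before merging, and make sure the resolved version is visible in a lockfile change in the same commit so the exact package being pulled in can be reviewed.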

This dependency bump likely needs a corresponding lockfile update (e.g., yarn.lock/pnpm-lock.yaml) to keep CI installs deterministic; otherwise frozen-lockfile installs may continue using react-refresh@0.14.x or fail. Can you confirm the lockfile update is included in this PR or intentionally omitted?

Severity: medium

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.


github-actions Bot commented Mar 9, 2026

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

github-actions Bot added the stale label Mar 9, 2026
github-actions Bot closed this Mar 14, 2026