Skip to content

build(deps-dev): bump react-test-renderer from 18.3.1 to 19.2.6#392

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/react-test-renderer-19.2.6
Closed

build(deps-dev): bump react-test-renderer from 18.3.1 to 19.2.6#392
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/react-test-renderer-19.2.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Copy link
Copy Markdown
Contributor

Bumps react-test-renderer from 18.3.1 to 19.2.6.

Release notes

Sourced from react-test-renderer's releases.

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

19.2.4 (January 26th, 2026)

React Server Components

19.2.3 (December 11th, 2025)

React Server Components

19.2.2 (December 11th, 2025)

React Server Components

19.2.1 (December 3rd, 2025)

React Server Components

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:

... (truncated)

Changelog

Sourced from react-test-renderer's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
  • Added resume APIs for partial pre-rendering with Node Streams:
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

All Changes

React

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Single devDependency version bump with no production or SDK API changes; main risk is test/snapshot breakage or React 18 vs test-renderer 19 peer mismatch, which is easy to catch in CI.

Overview
Bumps the devDependency react-test-renderer from ^18.0.0 to ^19.2.6 in package.json (Dependabot major upgrade).

Tests in provider.test.tsx still import create from react-test-renderer for snapshots and provider behavior; runtime react / react-dom remain on ^18.0.0, so reviewers should confirm Jest still passes and that mixing React 18 with the v19 test renderer is acceptable for this repo.

Reviewed by Cursor Bugbot for commit 97ad6b3. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [react-test-renderer](https://github.com/facebook/react/tree/HEAD/packages/react-test-renderer) from 18.3.1 to 19.2.6.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-test-renderer)

---
updated-dependencies:
- dependency-name: react-test-renderer
  dependency-version: 19.2.6
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 29, 2026 16:19
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 29, 2026

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 97ad6b3. Configure here.

Comment thread package.json
"react": "^18.0.0",
"react-dom": "^18.0.0",
"react-test-renderer": "^18.0.0",
"react-test-renderer": "^19.2.6",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

React version mismatch between test renderer and core

High Severity

react-test-renderer is bumped to ^19.2.6 while react and react-dom remain at ^18.0.0. The renderer has a peer dependency on react of the same major version, so this mismatch will cause peer dependency conflicts and likely runtime failures in tests. Additionally, @types/react-test-renderer stays at ^18.0.0, which won't match the v19 API surface. All three test files importing from react-test-renderer will be affected.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 97ad6b3. Configure here.

@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #408.

@dependabot dependabot Bot closed this Jul 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/react-test-renderer-19.2.6 branch July 6, 2026 20:04
kinyoklion added a commit that referenced this pull request Jul 6, 2026
…icy (#411)

**Requirements**

- [x] I have added test coverage for new or changed functionality
(existing suite validates the build/runtime; this change is dev-tooling
+ config only)
- [x] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform
versions

**Related issues**

Replaces the currently open Dependabot PRs (#374, #377, #388, #392,
#393, #394), all of which are major-version bumps.

**Describe the solution you've provided**

This consolidates dependency maintenance into a single, tested PR and
codifies a safer Dependabot policy.

1. **Dependency update (`package.json`)** — bumps the `esbuild`
devDependency `^0.24.0` → `^0.28.1` to resolve the moderate advisory
GHSA-67mh-4wv8-2f99 (esbuild `<=0.24.2` dev server request). `npm audit`
now reports **0 vulnerabilities**. esbuild `0.28.1` was released
2026-06-11 (~25 days ago), satisfying a 7-day quarantine. This is the
only actionable update under the new same-major policy: `npm outdated`
shows every other outstanding update is a major bump with no security
justification, and everything else is already at the latest version
within its current major.

2. **Dependabot policy (`.github/dependabot.yml`)** — for both the `npm`
and `github-actions` ecosystems:
- `cooldown: { default-days: 7 }` enforces the dependency quarantine
(only adopt releases ≥7 days old) going forward.
- `ignore` on `dependency-name: "*"` with `update-types:
["version-update:semver-major"]` restricts version-update PRs to the
current major. Per GitHub's docs, `update-types` does not affect
security updates, so Dependabot will still open a major-version PR when
required to resolve a vulnerability.

Validated locally: `npm run build`, `npm run lint`, `tsc`, and the full
`jest` suite (93 tests) all pass, and `npm audit` is clean.

**Describe alternatives you've considered**

- Adopting the open React 19 devDependency bumps (react, react-dom,
react-test-renderer and their `@types`) and `actions/setup-node` v6.
These are all major bumps with no security driver, so they are
intentionally excluded under the new same-major policy. They can be
pursued separately as deliberate, tested major upgrades if desired.
- A global `semver-major` ignore alone (without noting the security
exemption): documented behavior confirms security updates are unaffected
by `update-types`, so the security-major path remains open.

**Additional context**

The 7-day quarantine and same-major restriction reduce exposure to
supply-chain risk from freshly published or major releases while keeping
security fixes flowing.


Link to Devin session:
https://app.devin.ai/sessions/9a6e6afb929646c3b9d14c4f13a17601
Requested by: @kinyoklion

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> DevDependency and Dependabot config only; no changes to the published
SDK runtime or consumer-facing APIs.
> 
> **Overview**
> Bumps the **esbuild** devDependency from `^0.24.0` to `^0.28.1` to
address moderate advisory GHSA-67mh-4wv8-2f99 (dev-server request
handling in older esbuild). This is a build-time-only change.
> 
> Updates **`.github/dependabot.yml`** for both **npm** and
**github-actions**: documents the existing 7-day **cooldown** quarantine
and adds a global **`ignore`** for **`version-update:semver-major`**, so
routine Dependabot PRs stay on the current major. Security-driven
updates can still propose major bumps per GitHub’s rules.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
503cc1f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants