build(deps-dev): bump react from 18.3.1 to 19.2.6#394
Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 4e312c1. Configure here.
| "prettier": "^3.3.3", | ||
| "prop-types": "^15.7.2", | ||
| "react": "^18.0.0", | ||
| "react": "^19.2.6", |
There was a problem hiding this comment.
React 19 requires matching react-dom version
High Severity
Bumping react to ^19.2.6 while leaving react-dom at ^18.0.0 will cause an immediate runtime error. React 19 added an explicit version check that throws if react and react-dom versions don't match. The react-test-renderer at ^18.0.0 and @types/react at ^18.0.3 are also incompatible with React 19.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 4e312c1. Configure here.
4e312c1 to
e54d03d
Compare
Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) from 18.3.1 to 19.2.6. - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react) --- updated-dependencies: - dependency-name: react dependency-version: 19.2.6 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
e54d03d to
dbf1eab
Compare
|
Superseded by #409. |
…icy (#411) **Requirements** - [x] I have added test coverage for new or changed functionality (existing suite validates the build/runtime; this change is dev-tooling + config only) - [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions **Related issues** Replaces the currently open Dependabot PRs (#374, #377, #388, #392, #393, #394), all of which are major-version bumps. **Describe the solution you've provided** This consolidates dependency maintenance into a single, tested PR and codifies a safer Dependabot policy. 1. **Dependency update (`package.json`)** — bumps the `esbuild` devDependency `^0.24.0` → `^0.28.1` to resolve the moderate advisory GHSA-67mh-4wv8-2f99 (esbuild `<=0.24.2` dev server request). `npm audit` now reports **0 vulnerabilities**. esbuild `0.28.1` was released 2026-06-11 (~25 days ago), satisfying a 7-day quarantine. This is the only actionable update under the new same-major policy: `npm outdated` shows every other outstanding update is a major bump with no security justification, and everything else is already at the latest version within its current major. 2. **Dependabot policy (`.github/dependabot.yml`)** — for both the `npm` and `github-actions` ecosystems: - `cooldown: { default-days: 7 }` enforces the dependency quarantine (only adopt releases ≥7 days old) going forward. - `ignore` on `dependency-name: "*"` with `update-types: ["version-update:semver-major"]` restricts version-update PRs to the current major. Per GitHub's docs, `update-types` does not affect security updates, so Dependabot will still open a major-version PR when required to resolve a vulnerability. Validated locally: `npm run build`, `npm run lint`, `tsc`, and the full `jest` suite (93 tests) all pass, and `npm audit` is clean. **Describe alternatives you've considered** - Adopting the open React 19 devDependency bumps (react, react-dom, react-test-renderer and their `@types`) and `actions/setup-node` v6. These are all major bumps with no security driver, so they are intentionally excluded under the new same-major policy. They can be pursued separately as deliberate, tested major upgrades if desired. - A global `semver-major` ignore alone (without noting the security exemption): documented behavior confirms security updates are unaffected by `update-types`, so the security-major path remains open. **Additional context** The 7-day quarantine and same-major restriction reduce exposure to supply-chain risk from freshly published or major releases while keeping security fixes flowing. Link to Devin session: https://app.devin.ai/sessions/9a6e6afb929646c3b9d14c4f13a17601 Requested by: @kinyoklion <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > DevDependency and Dependabot config only; no changes to the published SDK runtime or consumer-facing APIs. > > **Overview** > Bumps the **esbuild** devDependency from `^0.24.0` to `^0.28.1` to address moderate advisory GHSA-67mh-4wv8-2f99 (dev-server request handling in older esbuild). This is a build-time-only change. > > Updates **`.github/dependabot.yml`** for both **npm** and **github-actions**: documents the existing 7-day **cooldown** quarantine and adds a global **`ignore`** for **`version-update:semver-major`**, so routine Dependabot PRs stay on the current major. Security-driven updates can still propose major bumps per GitHub’s rules. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 503cc1f. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>


Bumps react from 18.3.1 to 19.2.6.
Release notes
Sourced from react's releases.
... (truncated)
Changelog
Sourced from react's changelog.
... (truncated)
Commits
eaf3e95Version 19.2.623f4f9f19.2.590ab3f8Version 19.2.4612e371Version 19.2.3b910fc1Version 19.2.2053df4eVersion 19.2.15667a41Bump next prerelease version numbers (#34639)8bb7241Bump useEffectEvent to Canary (#34610)e3c9656Ensure Performance Track are Clamped and Don't overlap (#34509)68f00c9Release Activity in Canary (#34374)Note
Medium Risk
Major React major bump in devDependencies can surface test/runtime incompatibilities; mismatched react vs react-dom versions in dev may mask or cause false CI signals.
Overview
Bumps the devDependency
reactinpackage.jsonfrom^18.0.0to^19.2.6so local builds and tests run against React 19.2.x. No application source changes;peerDependenciesalready allow React 19.react-domandreact-test-rendererremain on ^18.0.0, so the dev toolchain may mix React 19 core with React 18 DOM/test packages until those are aligned.Reviewed by Cursor Bugbot for commit dbf1eab. Bugbot is set up for automated code reviews on this repo. Configure here.