You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Merge criteria checked before squash merge:
- Full `gh pr checks 81` list was green: unit-tests, e2e-tests, verify-artifacts, compatibility matrix legs, Dependabot validation, Cursor Bugbot, CodeRabbit, and Greptile passed; advisory Claude/canary jobs were skipped.
- PR was `CLEAN` / `MERGEABLE` and no unresolved review threads or review submissions were present.
- Local validation passed on the release-motion branch: `yarn install --frozen-lockfile`, `yarn verify:artifacts`, `yarn build`, `yarn test`, and `git diff --check`.
- `yarn release:dry-run` read `CHANGELOG.md` and `package.json` as `19.0.5-rc.8`, confirmed prerelease `next`, then stopped before mutation because the worker branch was not `main`.
- Release-state reads showed `19.0.5-rc.8` absent from npm versions, origin tags, and GitHub releases before merge.
This merge only prepares `main` for the 19.0.5-rc.8 release motion. Actual npm publish, git tag push, and GitHub release creation remain maintainer-only through the protected release workflow.
Copy file name to clipboardExpand all lines: CHANGELOG.md
+5-6Lines changed: 5 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,13 +2,11 @@
2
2
3
3
All notable changes to this package will be documented in this file.
4
4
5
-
## [Unreleased]
6
-
7
-
### Changed
8
-
- Ported the webpack RSC plugin from the vendored built JavaScript artifact (`src/react-server-dom-webpack/cjs/react-server-dom-webpack-plugin.js`) to first-class TypeScript source at `src/webpack/RSCWebpackPlugin.ts`, preserving full behavior parity (server manifest emission, CSS/JS chunk scanning, runtime-chunk filtering, dependency-type chunk-group manifest construction with eager-import fallback, duplicate-package runtime detection, and hot-update CSS exclusion). The `./WebpackPlugin`, `./WebpackLoader`, and `./RSCReferenceDiscoveryPlugin` exports are unchanged; the vendored plugin file remains in the package but is no longer used by any export path. ([#87])
5
+
## [19.0.5-rc.8] - 2026-06-13
9
6
10
7
### Fixed
11
-
- Updated the vendored `react-server-dom-webpack` runtime from the React 19.0.4 security level to 19.0.7, applying the upstream React Server Components reply-decoding denial-of-service fixes for CVE-2026-23869 (GHSA-479c-33wc-g2pg) and CVE-2026-23870 (GHSA-rv78-f8rc-xrxh) while preserving the in-repo Flight CSS hint behavior. Note: the upstream CVE-2026-23869 fix changes the reply wire format for nested `FormData`, so client and server must both run the patched runtime (both are shipped together in this package); pairing with a pre-19.0.5 `react-server-dom-webpack` on the other side silently drops nested `FormData` entries. ([#86])
8
+
- Fixed Webpack client manifest generation to bind each client component to the chunk group created by its client-reference dependency, avoiding cross-reference chunk over-preloads while preserving entries for eager-imported client references. ([#54])
9
+
- Updated the vendored `react-server-dom-webpack` runtime from the React 19.0.4 security level to 19.0.7, applying the upstream React Server Components reply-decoding denial-of-service fixes for CVE-2026-23869 (GHSA-479c-33wc-g2pg) and CVE-2026-23870 (GHSA-rv78-f8rc-xrxh) while preserving the in-repo Flight CSS hint behavior. Note: the upstream CVE-2026-23869 fix changes the reply wire format for nested `FormData`, so client and server must both run the patched runtime shipped by this package. ([#86])
12
10
13
11
## [19.0.5-rc.7] - 2026-06-09
14
12
@@ -79,6 +77,7 @@ All notable changes to this package will be documented in this file.
0 commit comments