[Snyk] Upgrade react-dom from 19.1.0 to 19.2.3

[orbuskila]

Snyk has created this PR to upgrade react-dom from 19.1.0 to 19.2.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 147 versions ahead of your current version.

• The recommended version was released a month ago.

Release notes

Package name: react-dom

• 19.2.3 - 2025-12-11
  

  React Server Components

  • Add extra loop protection to React Server Functions (@ sebmarkbage #35351)
• 19.2.2 - 2025-12-11
  

  React Server Components

  • Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@ eps1lon #35290)
  • Patch Promise cycles and toString on Server Functions (@ sebmarkbage, @ unstubbable #35289, #35345)
• 19.2.1 - 2025-12-03
  

  React Server Components

  • Bring React Server Component fixes to Server Actions (@ sebmarkbage #35277)
• 19.2.0 - 2025-10-01
  

  Below is a list of all new features, APIs, and bug fixes.

  Read the React 19.2 release post for more information.

  New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

  New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
    • resume: to resume a prerender to a stream.
    • resumeAndPrerender: to resume a prerender to HTML.
  • Added resume APIs for partial pre-rendering with Node Streams:
    • resumeToPipeableStream: to resume a prerender to a stream.
    • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

  Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

  All Changes

  React

  • <Activity /> was developed over many years, starting before ClassComponent.setState (@ acdlite @ sebmarkbage and many others)
  • Stringify context as "SomeContext" instead of "SomeContext.Provider" (@ kassens #33507)
  • Include stack of cause of React instrumentation errors with %o placeholder (@ eps1lon #34198)
  • Fix infinite useDeferredValue loop in popstate event (@ acdlite #32821)
  • Fix a bug when an initial value was passed to useDeferredValue (@ acdlite #34376)
  • Fix a crash when submitting forms with Client Actions (@ sebmarkbage #33055)
  • Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@ sebmarkbage #32900)
  • Avoid stack overflow on wide trees during Hot Reload (@ sophiebits #34145)
  • Improve Owner and Component stacks in various places (@ sebmarkbage, @ eps1lon: #33629, #33724, #32735, #33723)
  • Add cacheSignal (@ sebmarkbage #33557)

  React DOM

  • Block on Suspensey Fonts during reveal of server-side-rendered content (@ sebmarkbage #33342)
  • Use underscore instead of : for IDs generated by useId (@ sebmarkbage, @ eps1lon: #32001, #33342#33099, #33422)
  • Stop warning when ARIA 1.3 attributes are used (@ Abdul-Omira #34264)
  • Allow nonce to be used on hoistable styles (@ Andarist #32461)
  • Warn for using a React owned node as a Container if it also has text content (@ sebmarkbage #32774)
  • s/HTML/text for for error messages if text hydration mismatches (@ rickhanlonii #32763)
  • Fix a bug with React.use inside React.lazy-ed Component (@ hi-ogawa #33941)
  • Enable the progressiveChunkSize option for server-side-rendering APIs (@ sebmarkbage #33027)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@ gnoff #33467)
  • Avoid hanging when suspending after aborting while rendering (@ gnoff #34192)
  • Add Node Web Streams to server-side-rendering APIs for Node.js (@ sebmarkbage #33475)

  React Server Components

  • Preload <img> and <link> using hints before they're rendered (@ sebmarkbage #34604)
  • Log error if production elements are rendered during development (@ eps1lon #34189)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@ sebmarkbage #34084, @ denk0403 #33761)
  • Pass line/column to filterStackFrame (@ eps1lon #33707)
  • Support Async Modules in Turbopack Server References (@ lubieowoce #34531)
  • Add support for .mjs file extension in Webpack (@ jennyscript #33028)
  • Fix a wrong missing key warning (@ unstubbable #34350)
  • Make console log resolve in predictable order (@ sebmarkbage #33665)

  React Reconciler

  • createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs

  eslint-plugin-react-hooks@6.1.0

  Note: Version 6.0.0 was mistakenly released and immediately deprecated and untagged on npm. This is the first official 6.x major release and includes breaking changes.

  • Breaking: Require Node.js 18 or newer. (@ michaelfaith in #32458)
  • Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@ michaelfaith in #32457)
  • New Violations: Disallow calling use within try/catch blocks. (@ poteto in #34040)
  • New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@ jbrown215 in #33544)
  • Handle React.useEffect in addition to useEffect in rules-of-hooks. (@ Ayc0 in #34076)
  • Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@ jbrown215) in #34497
• 19.2.0-canary-fa3feba6-20250623 - 2025-06-23
• 19.2.0-canary-f9ae0a4c-20250527 - 2025-05-27
• 19.2.0-canary-f7396427-20250501 - 2025-05-02
• 19.2.0-canary-f508edc8-20250818 - 2025-08-18
• 19.2.0-canary-f3a80361-20250911 - 2025-09-11
• 19.2.0-canary-f1e70b5e-20250811 - 2025-08-11
• 19.2.0-canary-f1222f76-20250812 - 2025-08-13
• 19.2.0-canary-ef8b6fa2-20250702 - 2025-07-03
• 19.2.0-canary-ef889445-20250930 - 2025-09-30
• 19.2.0-canary-edac0dde-20250723 - 2025-07-23
• 19.2.0-canary-eaee5308-20250728 - 2025-07-28
• 19.2.0-canary-ea05b750-20250408 - 2025-04-09
• 19.2.0-canary-e9db3cc2-20250501 - 2025-05-01
• 19.2.0-canary-e9638c33-20250721 - 2025-07-21
• 19.2.0-canary-e6dc25da-20250709 - 2025-07-09
• 19.2.0-canary-e5dd82a7-20250401 - 2025-04-01
• 19.2.0-canary-e2332183-20250924 - 2025-09-24
• 19.2.0-canary-dffacc7b-20250717 - 2025-07-17
• 19.2.0-canary-df38ac9a-20250926 - 2025-09-26
• 19.2.0-canary-de5a1b20-20250905 - 2025-09-05
• 19.2.0-canary-d92056ef-20250627 - 2025-06-27
• 19.2.0-canary-d85f86cf-20250514 - 2025-05-14
• 19.2.0-canary-d85ec5f5-20250716 - 2025-07-16
• 19.2.0-canary-d415fd3e-20250919 - 2025-09-19
• 19.2.0-canary-d15d7fd7-20250929 - 2025-09-29
• 19.2.0-canary-cee7939b-20250625 - 2025-06-25
• 19.2.0-canary-c498bfce-20250426 - 2025-04-28
• 19.2.0-canary-c4676e72-20250520 - 2025-05-20
• 19.2.0-canary-c44e4a25-20250409 - 2025-04-10
• 19.2.0-canary-c260b38d-20250731 - 2025-07-31
• 19.2.0-canary-c129c242-20250505 - 2025-05-05
• 19.2.0-canary-c0464aed-20250523 - 2025-05-26
• 19.2.0-canary-befc1246-20250708 - 2025-07-08
• 19.2.0-canary-be11cb5c-20250804 - 2025-08-04
• 19.2.0-canary-bdb4a96f-20250801 - 2025-08-01
• 19.2.0-canary-bc6184dd-20250417 - 2025-04-18
• 19.2.0-canary-bbc13fa1-20250624 - 2025-06-24
• 19.2.0-canary-bb6f0c8d-20250901 - 2025-09-01
• 19.2.0-canary-b9cfa0d3-20250505 - 2025-05-05
• 19.2.0-canary-b9a04536-20250904 - 2025-09-04
• 19.2.0-canary-b94603b9-20250513 - 2025-05-13
• 19.2.0-canary-b7e2de63-20250611 - 2025-06-11
• 19.2.0-canary-b6c0aa88-20250609 - 2025-06-09
• 19.2.0-canary-b4477d38-20250605 - 2025-06-05
• 19.2.0-canary-b1b0955f-20250901 - 2025-09-01
• 19.2.0-canary-b10cb4c0-20250403 - 2025-04-03
• 19.2.0-canary-b0c1dc01-20250925 - 2025-09-25
• 19.2.0-canary-b07717d8-20250528 - 2025-05-28
• 19.2.0-canary-b04254fd-20250415 - 2025-04-16
• 19.2.0-canary-ac7820a9-20250811 - 2025-08-11
• 19.2.0-canary-ab859e31-20250606 - 2025-06-06
• 19.2.0-canary-aad7c664-20250829 - 2025-08-29
• 19.2.0-canary-a96a0f39-20250815 - 2025-08-15
• 19.2.0-canary-a7a11657-20250708 - 2025-07-08
• 19.2.0-canary-a00ca6f6-20250611 - 2025-06-11
• 19.2.0-canary-9be531cd-20250729 - 2025-07-29
• 19.2.0-canary-99efc627-20250523 - 2025-05-23
• 19.2.0-canary-97cdd5d3-20250710 - 2025-07-11
• 19.2.0-canary-9784cb37-20250730 - 2025-07-30
• 19.2.0-canary-96c61b7f-20250709 - 2025-07-10
• 19.2.0-canary-93d7aa69-20250912 - 2025-09-12
• 19.2.0-canary-914319ae-20250423 - 2025-04-23
• 19.2.0-canary-8e60cb7e-20250902 - 2025-09-02
• 19.2.0-canary-8d7b5e49-20250827 - 2025-08-28
• 19.2.0-canary-8ce15b0f-20250522 - 2025-05-22
• 19.2.0-canary-8bb7241f-20250926 - 2025-09-26
• 19.2.0-canary-8a8e9a7e-20250912 - 2025-09-12
• 19.2.0-canary-89a803fc-20250828 - 2025-08-28
• 19.2.0-canary-886b3d36-20250910 - 2025-09-10
• 19.2.0-canary-873f7112-20250821 - 2025-08-21
• 19.2.0-canary-86181134-20251001 - 2025-10-01
• 19.2.0-canary-84af9085-20250917 - 2025-09-18
• 19.2.0-canary-83c88ad4-20250923 - 2025-09-23
• 19.2.0-canary-7deda941-20250804 - 2025-08-05
• 19.2.0-canary-7a2c7045-20250506 - 2025-05-06
• 19.2.0-canary-79d9aed7-20250620 - 2025-06-20
• 19.2.0-canary-7513996f-20250722 - 2025-07-22
• 19.2.0-canary-73aa744b-20250702 - 2025-07-02
• 19.2.0-canary-7216c0f0-20250630 - 2025-07-01
• 19.2.0-canary-72135096-20250421 - 2025-04-22
• 19.2.0-canary-6eda5347-20250918 - 2025-09-19
• 19.2.0-canary-6de32a5a-20250822 - 2025-08-22
• 19.2.0-canary-6b70072c-20250909 - 2025-09-09
• 19.2.0-canary-6a7650c7-20250405 - 2025-04-05
• 19.2.0-canary-67a44bcd-20250915 - 2025-09-15
• 19.2.0-canary-66f09bd0-20250806 - 2025-08-06
• 19.2.0-canary-65c4decb-20250630 - 2025-06-30
• 19.2.0-canary-63779030-20250328 - 2025-03-31
• 19.2.0-canary-60b5271a-20250709 - 2025-07-09
• 19.2.0-canary-5e0c951b-20250916 - 2025-09-16
• 19.2.0-canary-5dc00d6b-20250428 - 2025-04-28
• 19.2.0-canary-5d87cd22-20250704 - 2025-07-04
• 19.2.0-canary-56408a5b-20250610 - 2025-06-10
• 19.2.0-canary-548235db-20251001 - 2025-10-01
• 19.2.0-canary-540cd652-20250403 - 2025-04-04
• 19.2.0-canary-534bed5f-20250813 - 2025-08-13
• 19.2.0-canary-526dd340-20250602 - 2025-06-02
• 19.2.0-canary-4db4b21c-20250626 - 2025-06-26
• 19.2.0-canary-4a45ba92-20250515 - 2025-05-15
• 19.2.0-canary-4a36d3ea-20250416 - 2025-04-17
• 19.2.0-canary-462d08f9-20250517 - 2025-05-19
• 19.2.0-canary-4448b187-20250515 - 2025-05-16
• 19.2.0-canary-4123f6b7-20250826 - 2025-08-26
• 19.2.0-canary-408d055a-20250430 - 2025-04-30
• 19.2.0-canary-3fbfb9ba-20250409 - 2025-04-09
• 19.2.0-canary-3fb190f7-20250908 - 2025-09-08
• 19.2.0-canary-3d14fcf0-20250724 - 2025-07-24
• 19.2.0-canary-39cad7af-20250411 - 2025-04-14
• 19.2.0-canary-3958d5d8-20250807 - 2025-08-07
• 19.2.0-canary-38ef6550-20250508 - 2025-05-08
• 19.2.0-canary-3820740a-20250509 - 2025-05-12
• 19.2.0-canary-379a083b-20250813 - 2025-08-14
• 19.2.0-canary-37054867-20250604 - 2025-06-04
• 19.2.0-canary-33a1095d-20250827 - 2025-08-27
• 19.2.0-canary-33661467-20250407 - 2025-04-07
• 19.2.0-canary-3302d1f7-20250903 - 2025-09-03
• 19.2.0-canary-2f0e7e57-20250715 - 2025-07-15
• 19.2.0-canary-280ff6fe-20250606 - 2025-06-06
• 19.2.0-canary-2805f0ed-20250903 - 2025-09-03
• 19.2.0-canary-23884812-20250520 - 2025-05-21
• 19.2.0-canary-223f81d8-20250707 - 2025-07-07
• 19.2.0-canary-21fdf308-20250508 - 2025-05-09
• 19.2.0-canary-1eca9a27-20250922 - 2025-09-22
• 19.2.0-canary-1dc3bdea-20250812 - 2025-08-12
• 19.2.0-canary-1d6c8168-20250411 - 2025-04-11
• 19.2.0-canary-1bd1f01f-20251001 - 2025-10-01
• 19.2.0-canary-1ae0a845-20250603 - 2025-06-03
• 19.2.0-canary-19baee81-20250725 - 2025-07-25
• 19.2.0-canary-197d6a04-20250424 - 2025-04-24
• 19.2.0-canary-143d3e1b-20250425 - 2025-04-25
• 19.2.0-canary-14094f80-20250529 - 2025-05-29
• 19.2.0-canary-12bc60f5-20250613 - 2025-06-13
• 19.2.0-canary-128abcfa-20250917 - 2025-09-17
• 19.2.0-canary-0ff1d13b-20250507 - 2025-05-07
• 19.2.0-canary-0bdb9206-20250818 - 2025-08-19
• 19.2.0-canary-06e89951-20250620 - 2025-06-20
• 19.2.0-canary-040f8286-20250402 - 2025-04-02
• 19.2.0-canary-03fda05d-20250820 - 2025-08-20
• 19.2.0-canary-0038c501-20250429 - 2025-04-29
• 19.1.4 - 2025-12-11
• 19.1.3 - 2025-12-11
  

  React Server Components

  • Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@ eps1lon #35290)
  • Patch Promise cycles and toString on Server Functions (@ sebmarkbage, @ unstubbable #35289, #35345)
• 19.1.2 - 2025-12-03
  

  React Server Components

  • Bring React Server Component fixes to Server Actions (@ sebmarkbage #35277)
• 19.1.1 - 2025-07-28
  

  React

  • Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @ hoxyq)
• 19.1.0 - 2025-03-28

from react-dom GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[Copilot]

Pull request overview

This pull request upgrades react-dom from 19.1.0 to 19.2.3, a minor version update that includes bug fixes and improvements to React Server Components. The upgrade includes 147 versions ahead of the current version, with the latest version released approximately one month ago (December 11, 2025).

Changes:

• Updated react-dom dependency from ^19.0.0 to ^19.2.3 in package.json
• Updated package-lock.json to reflect the new react-dom version (19.2.3) and its dependencies
• Updated scheduler dependency from 0.26.0 to 0.27.0 (required by react-dom 19.2.3)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File	Description
llama_stack/ui/package.json	Updated react-dom version from ^19.0.0 to ^19.2.3; react version remains at ^19.0.0
llama_stack/ui/package-lock.json	Updated resolved versions for react (19.2.3), react-dom (19.2.3), and scheduler (0.27.0) with corresponding integrity hashes

Files not reviewed (1)

• llama_stack/ui/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The package.json file is missing the corresponding update to the react package. The package-lock.json shows that react has been upgraded to version 19.2.3 (which is required by react-dom 19.2.3's peer dependency), but the package.json still specifies react: ^19.0.0. Both packages should be upgraded together to maintain consistency between package.json and package-lock.json.

Update the react version in package.json to match the version in package-lock.json.

Suggested change

	"react": "^19.0.0",
	"react": "^19.2.3",

[Copilot]

The root package dependencies section in package-lock.json shows an inconsistency with the actual resolved versions. Line 23 still references react: ^19.0.0 while line 24 references react-dom: ^19.2.3. This mirrors the same issue in package.json and indicates that the react package version should also be updated to ^19.2.3 in package.json, which would then be reflected here when the lockfile is regenerated.

Suggested change

	"react": "^19.0.0",
	"react": "^19.2.3",