[Snyk] Upgrade react-dom from 19.1.1 to 19.2.0

[snyk-io]

Snyk has created this PR to upgrade react-dom from 19.1.1 to 19.2.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 140 versions ahead of your current version.

• The recommended version was released 23 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	57	Proof of Concept
	Open Redirect SNYK-JS-KOA-10944994	57	Proof of Concept
	Open Redirect SNYK-JS-KOA-12143256	57	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	57	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	57	Proof of Concept
	Symlink Attack SNYK-JS-TMP-11501554	57	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	57	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-KOA-8720152	57	No Known Exploit
	Improper Handling of Unexpected Data Type SNYK-JS-ONHEADERS-10773729	57	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	57	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-KOA-9679272	57	Proof of Concept

Release notes

Package name: react-dom

• 19.2.0 - 2025-10-01
  

  Below is a list of all new features, APIs, and bug fixes.

  Read the React 19.2 release post for more information.

  New React Features

  • <Activity>: A new API to hide and restore the UI and internal state of its children.
  • useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
  • cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
  • React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

  New React DOM Features

  • Added resume APIs for partial pre-rendering with Web Streams:
    • resume: to resume a prerender to a stream.
    • resumeAndPrerender: to resume a prerender to HTML.
  • Added resume APIs for partial pre-rendering with Node Streams:
    • resumeToPipeableStream: to resume a prerender to a stream.
    • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
  • Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

  Notable changes

  • React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
  • Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
  • Use underscore instead of : IDs generated by useId

  All Changes

  React

  • <Activity /> was developed over many years, starting before ClassComponent.setState (@ acdlite @ sebmarkbage and many others)
  • Stringify context as "SomeContext" instead of "SomeContext.Provider" (@ kassens #33507)
  • Include stack of cause of React instrumentation errors with %o placeholder (@ eps1lon #34198)
  • Fix infinite useDeferredValue loop in popstate event (@ acdlite #32821)
  • Fix a bug when an initial value was passed to useDeferredValue (@ acdlite #34376)
  • Fix a crash when submitting forms with Client Actions (@ sebmarkbage #33055)
  • Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@ sebmarkbage #32900)
  • Avoid stack overflow on wide trees during Hot Reload (@ sophiebits #34145)
  • Improve Owner and Component stacks in various places (@ sebmarkbage, @ eps1lon: #33629, #33724, #32735, #33723)
  • Add cacheSignal (@ sebmarkbage #33557)

  React DOM

  • Block on Suspensey Fonts during reveal of server-side-rendered content (@ sebmarkbage #33342)
  • Use underscore instead of : for IDs generated by useId (@ sebmarkbage, @ eps1lon: #32001, #33342#33099, #33422)
  • Stop warning when ARIA 1.3 attributes are used (@ Abdul-Omira #34264)
  • Allow nonce to be used on hoistable styles (@ Andarist #32461)
  • Warn for using a React owned node as a Container if it also has text content (@ sebmarkbage #32774)
  • s/HTML/text for for error messages if text hydration mismatches (@ rickhanlonii #32763)
  • Fix a bug with React.use inside React.lazy-ed Component (@ hi-ogawa #33941)
  • Enable the progressiveChunkSize option for server-side-rendering APIs (@ sebmarkbage #33027)
  • Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@ gnoff #33467)
  • Avoid hanging when suspending after aborting while rendering (@ gnoff #34192)
  • Add Node Web Streams to server-side-rendering APIs for Node.js (@ sebmarkbage #33475)

  React Server Components

  • Preload <img> and <link> using hints before they're rendered (@ sebmarkbage #34604)
  • Log error if production elements are rendered during development (@ eps1lon #34189)
  • Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@ sebmarkbage #34084, @ denk0403 #33761)
  • Pass line/column to filterStackFrame (@ eps1lon #33707)
  • Support Async Modules in Turbopack Server References (@ lubieowoce #34531)
  • Add support for .mjs file extension in Webpack (@ jennyscript #33028)
  • Fix a wrong missing key warning (@ unstubbable #34350)
  • Make console log resolve in predictable order (@ sebmarkbage #33665)

  React Reconciler

  • createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs

  eslint-plugin-react-hooks@6.1.0

  Note: Version 6.0.0 was mistakenly released and immediately deprecated and untagged on npm. This is the first official 6.x major release and includes breaking changes.

  • Breaking: Require Node.js 18 or newer. (@ michaelfaith in #32458)
  • Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@ michaelfaith in #32457)
  • New Violations: Disallow calling use within try/catch blocks. (@ poteto in #34040)
  • New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@ jbrown215 in #33544)
  • Handle React.useEffect in addition to useEffect in rules-of-hooks. (@ Ayc0 in #34076)
  • Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@ jbrown215) in #34497
• 19.2.0-canary-fa3feba6-20250623 - 2025-06-23
• 19.2.0-canary-f9ae0a4c-20250527 - 2025-05-27
• 19.2.0-canary-f7396427-20250501 - 2025-05-02
• 19.2.0-canary-f508edc8-20250818 - 2025-08-18
• 19.2.0-canary-f3a80361-20250911 - 2025-09-11
• 19.2.0-canary-f1e70b5e-20250811 - 2025-08-11
• 19.2.0-canary-f1222f76-20250812 - 2025-08-13
• 19.2.0-canary-ef8b6fa2-20250702 - 2025-07-03
• 19.2.0-canary-ef889445-20250930 - 2025-09-30
• 19.2.0-canary-edac0dde-20250723 - 2025-07-23
• 19.2.0-canary-eaee5308-20250728 - 2025-07-28
• 19.2.0-canary-ea05b750-20250408 - 2025-04-09
• 19.2.0-canary-e9db3cc2-20250501 - 2025-05-01
• 19.2.0-canary-e9638c33-20250721 - 2025-07-21
• 19.2.0-canary-e6dc25da-20250709 - 2025-07-09
• 19.2.0-canary-e5dd82a7-20250401 - 2025-04-01
• 19.2.0-canary-e2332183-20250924 - 2025-09-24
• 19.2.0-canary-dffacc7b-20250717 - 2025-07-17
• 19.2.0-canary-df38ac9a-20250926 - 2025-09-26
• 19.2.0-canary-de5a1b20-20250905 - 2025-09-05
• 19.2.0-canary-d92056ef-20250627 - 2025-06-27
• 19.2.0-canary-d85f86cf-20250514 - 2025-05-14
• 19.2.0-canary-d85ec5f5-20250716 - 2025-07-16
• 19.2.0-canary-d415fd3e-20250919 - 2025-09-19
• 19.2.0-canary-d15d7fd7-20250929 - 2025-09-29
• 19.2.0-canary-cee7939b-20250625 - 2025-06-25
• 19.2.0-canary-c498bfce-20250426 - 2025-04-28
• 19.2.0-canary-c4676e72-20250520 - 2025-05-20
• 19.2.0-canary-c44e4a25-20250409 - 2025-04-10
• 19.2.0-canary-c260b38d-20250731 - 2025-07-31
• 19.2.0-canary-c129c242-20250505 - 2025-05-05
• 19.2.0-canary-c0464aed-20250523 - 2025-05-26
• 19.2.0-canary-befc1246-20250708 - 2025-07-08
• 19.2.0-canary-be11cb5c-20250804 - 2025-08-04
• 19.2.0-canary-bdb4a96f-20250801 - 2025-08-01
• 19.2.0-canary-bc6184dd-20250417 - 2025-04-18
• 19.2.0-canary-bbc13fa1-20250624 - 2025-06-24
• 19.2.0-canary-bb6f0c8d-20250901 - 2025-09-01
• 19.2.0-canary-b9cfa0d3-20250505 - 2025-05-05
• 19.2.0-canary-b9a04536-20250904 - 2025-09-04
• 19.2.0-canary-b94603b9-20250513 - 2025-05-13
• 19.2.0-canary-b7e2de63-20250611 - 2025-06-11
• 19.2.0-canary-b6c0aa88-20250609 - 2025-06-09
• 19.2.0-canary-b4477d38-20250605 - 2025-06-05
• 19.2.0-canary-b1b0955f-20250901 - 2025-09-01
• 19.2.0-canary-b10cb4c0-20250403 - 2025-04-03
• 19.2.0-canary-b0c1dc01-20250925 - 2025-09-25
• 19.2.0-canary-b07717d8-20250528 - 2025-05-28
• 19.2.0-canary-b04254fd-20250415 - 2025-04-16
• 19.2.0-canary-ac7820a9-20250811 - 2025-08-11
• 19.2.0-canary-ab859e31-20250606 - 2025-06-06
• 19.2.0-canary-aad7c664-20250829 - 2025-08-29
• 19.2.0-canary-a96a0f39-20250815 - 2025-08-15
• 19.2.0-canary-a7a11657-20250708 - 2025-07-08
• 19.2.0-canary-a00ca6f6-20250611 - 2025-06-11
• 19.2.0-canary-9be531cd-20250729 - 2025-07-29
• 19.2.0-canary-99efc627-20250523 - 2025-05-23
• 19.2.0-canary-97cdd5d3-20250710 - 2025-07-11
• 19.2.0-canary-9784cb37-20250730 - 2025-07-30
• 19.2.0-canary-96c61b7f-20250709 - 2025-07-10
• 19.2.0-canary-93d7aa69-20250912 - 2025-09-12
• 19.2.0-canary-914319ae-20250423 - 2025-04-23
• 19.2.0-canary-8e60cb7e-20250902 - 2025-09-02
• 19.2.0-canary-8d7b5e49-20250827 - 2025-08-28
• 19.2.0-canary-8ce15b0f-20250522 - 2025-05-22
• 19.2.0-canary-8bb7241f-20250926 - 2025-09-26
• 19.2.0-canary-8a8e9a7e-20250912 - 2025-09-12
• 19.2.0-canary-89a803fc-20250828 - 2025-08-28
• 19.2.0-canary-886b3d36-20250910 - 2025-09-10
• 19.2.0-canary-873f7112-20250821 - 2025-08-21
• 19.2.0-canary-86181134-20251001 - 2025-10-01
• 19.2.0-canary-84af9085-20250917 - 2025-09-18
• 19.2.0-canary-83c88ad4-20250923 - 2025-09-23
• 19.2.0-canary-7deda941-20250804 - 2025-08-05
• 19.2.0-canary-7a2c7045-20250506 - 2025-05-06
• 19.2.0-canary-79d9aed7-20250620 - 2025-06-20
• 19.2.0-canary-7513996f-20250722 - 2025-07-22
• 19.2.0-canary-73aa744b-20250702 - 2025-07-02
• 19.2.0-canary-7216c0f0-20250630 - 2025-07-01
• 19.2.0-canary-72135096-20250421 - 2025-04-22
• 19.2.0-canary-6eda5347-20250918 - 2025-09-19
• 19.2.0-canary-6de32a5a-20250822 - 2025-08-22
• 19.2.0-canary-6b70072c-20250909 - 2025-09-09
• 19.2.0-canary-6a7650c7-20250405 - 2025-04-05
• 19.2.0-canary-67a44bcd-20250915 - 2025-09-15
• 19.2.0-canary-66f09bd0-20250806 - 2025-08-06
• 19.2.0-canary-65c4decb-20250630 - 2025-06-30
• 19.2.0-canary-63779030-20250328 - 2025-03-31
• 19.2.0-canary-60b5271a-20250709 - 2025-07-09
• 19.2.0-canary-5e0c951b-20250916 - 2025-09-16
• 19.2.0-canary-5dc00d6b-20250428 - 2025-04-28
• 19.2.0-canary-5d87cd22-20250704 - 2025-07-04
• 19.2.0-canary-56408a5b-20250610 - 2025-06-10
• 19.2.0-canary-548235db-20251001 - 2025-10-01
• 19.2.0-canary-540cd652-20250403 - 2025-04-04
• 19.2.0-canary-534bed5f-20250813 - 2025-08-13
• 19.2.0-canary-526dd340-20250602 - 2025-06-02
• 19.2.0-canary-4db4b21c-20250626 - 2025-06-26
• 19.2.0-canary-4a45ba92-20250515 - 2025-05-15
• 19.2.0-canary-4a36d3ea-20250416 - 2025-04-17
• 19.2.0-canary-462d08f9-20250517 - 2025-05-19
• 19.2.0-canary-4448b187-20250515 - 2025-05-16
• 19.2.0-canary-4123f6b7-20250826 - 2025-08-26
• 19.2.0-canary-408d055a-20250430 - 2025-04-30
• 19.2.0-canary-3fbfb9ba-20250409 - 2025-04-09
• 19.2.0-canary-3fb190f7-20250908 - 2025-09-08
• 19.2.0-canary-3d14fcf0-20250724 - 2025-07-24
• 19.2.0-canary-39cad7af-20250411 - 2025-04-14
• 19.2.0-canary-3958d5d8-20250807 - 2025-08-07
• 19.2.0-canary-38ef6550-20250508 - 2025-05-08
• 19.2.0-canary-3820740a-20250509 - 2025-05-12
• 19.2.0-canary-379a083b-20250813 - 2025-08-14
• 19.2.0-canary-37054867-20250604 - 2025-06-04
• 19.2.0-canary-33a1095d-20250827 - 2025-08-27
• 19.2.0-canary-33661467-20250407 - 2025-04-07
• 19.2.0-canary-3302d1f7-20250903 - 2025-09-03
• 19.2.0-canary-2f0e7e57-20250715 - 2025-07-15
• 19.2.0-canary-280ff6fe-20250606 - 2025-06-06
• 19.2.0-canary-2805f0ed-20250903 - 2025-09-03
• 19.2.0-canary-23884812-20250520 - 2025-05-21
• 19.2.0-canary-223f81d8-20250707 - 2025-07-07
• 19.2.0-canary-21fdf308-20250508 - 2025-05-09
• 19.2.0-canary-1eca9a27-20250922 - 2025-09-22
• 19.2.0-canary-1dc3bdea-20250812 - 2025-08-12
• 19.2.0-canary-1d6c8168-20250411 - 2025-04-11
• 19.2.0-canary-1bd1f01f-20251001 - 2025-10-01
• 19.2.0-canary-1ae0a845-20250603 - 2025-06-03
• 19.2.0-canary-19baee81-20250725 - 2025-07-25
• 19.2.0-canary-197d6a04-20250424 - 2025-04-24
• 19.2.0-canary-143d3e1b-20250425 - 2025-04-25
• 19.2.0-canary-14094f80-20250529 - 2025-05-29
• 19.2.0-canary-12bc60f5-20250613 - 2025-06-13
• 19.2.0-canary-128abcfa-20250917 - 2025-09-17
• 19.2.0-canary-0ff1d13b-20250507 - 2025-05-07
• 19.2.0-canary-0bdb9206-20250818 - 2025-08-19
• 19.2.0-canary-06e89951-20250620 - 2025-06-20
• 19.2.0-canary-040f8286-20250402 - 2025-04-02
• 19.2.0-canary-03fda05d-20250820 - 2025-08-20
• 19.2.0-canary-0038c501-20250429 - 2025-04-29
• 19.1.1 - 2025-07-28
  

  React

  • Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @ hoxyq)

from react-dom GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
package.json	0% smaller

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for 4057caf.

🟢 All jobs passed!

But CI Insights is watching 👀