chore(deps): bump react-dom and @types/react-dom in /app

[dependabot]

Bumps react-dom and @types/react-dom. These dependencies needed to be updated together.
Updates react-dom from 18.3.1 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

19.2.1 (December 3rd, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

... (truncated)

Changelog

Sourced from react-dom's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

... (truncated)

Commits

• 90ab3f8 Version 19.2.4
• 612e371 Version 19.2.3
• b910fc1 Version 19.2.2
• 053df4e Version 19.2.1
• 8618113 Bump scheduler version (#34671)
• 1bd1f01 Ship partial-prerendering APIs to Canary (#34633)
• 2f0649a [Fizz] Remove nonce option from resume-and-prerender APIs (#34664)
• 5667a41 Bump next prerelease version numbers (#34639)
• e08f53b Match react-dom/static test entrypoints and published entrypoints (#34599)
• 8bb7241 Bump useEffectEvent to Canary (#34610)
• Additional commits viewable in compare view

Updates @types/react-dom from 18.3.7 to 19.2.3

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[overcut-ai]

Completed Working on "Code Review"

✅ Workflow completed successfully.

---

👉 View complete log

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@types/react-dom	19.2.3	🟢 6.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 23/28 approved changesets -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed
npm/react-dom	19.2.4	🟢 6.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/scheduler	0.27.0	🟢 6.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• app/package-lock.json

[overcut-ai]

Final Review Summary

Findings by importance

• 2 BLOCKER
• 1 MAJOR
• 0 CRITICAL, 0 MINOR, 0 SUGGESTION, 0 PRAISE

Total: 3 comments across 2 files.

Key themes

1. React runtime version alignment issue: react-dom was upgraded to 19.x while react remains on 18.x, creating an unsupported peer dependency pairing.
2. Type ecosystem mismatch: @types/react-dom 19.x is incompatible with @types/react 18.x, risking TypeScript/lint failures.
3. Lockfile reproducibility risk: lockfile now encodes incompatible peer requirements, which can break clean installs in stricter environments.

Recommended next steps

• Upgrade react and @types/react to compatible 19.x versions in the same PR and regenerate the lockfile.
• If a React 19 migration is not intended yet, revert react-dom and @types/react-dom to 18.x.
• Re-run dependency install and CI checks after version alignment to confirm peer dependency consistency.

[overcut-ai]

[blocker]: This change upgrades react-dom to 19.2.4 while keeping react at 18.3.1, violating react-dom’s peer requirement and creating an unsupported runtime pairing that can fail installs under strict peer resolution and cause runtime incompatibilities.

Upgrade react to a matching 19.x version in the same PR (and validate app behavior), or keep react-dom on 18.x until a coordinated migration is done.

[overcut-ai]

[blocker]: The lockfile resolves @types/react-dom@19.2.3, which peers on @types/react ^19.2.0, while the project remains on @types/react ^18.3.23. This creates an incompatible type graph that can break TypeScript/lint in CI and editor tooling.

Upgrade @types/react to a compatible 19.x version alongside @types/react-dom, or pin @types/react-dom back to 18.x until the React 19 migration is complete.

[overcut-ai]

[major]: The lockfile now records react-dom@19.2.4 requiring react@^19.2.4 while the app remains on react@^18.3.1. This inconsistent graph can fail clean installs under peer enforcement and reduce reproducibility across environments.

Regenerate the lockfile only after aligning react and react-dom to compatible versions (same major/minor line) so peer dependencies are satisfied.