@PierreCrb PierreCrb commented Dec 11, 2025

🔒 Security: React & Next.js patch updates

This PR updates both React and Next.js to their latest security-patched versions following the newly disclosed RSC vulnerabilities.

Updated packages

  • react: 19.2.2
  • react-dom: 19.2.2
  • next: 19.0.9

These versions include fixes for the vulnerabilities detailed in the React and Next.js security advisories published on December 11, 2025.

References:
React: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
Next.js: https://nextjs.org/blog/security-update-2025-12-11
https://x.com/reactjs/status/1999217365628903739
https://x.com/nextjs/status/1999224298591092929

Summary by CodeRabbit

  • Chores
    • Bumped React and React DOM to latest patch releases across example projects and the main package.
    • Updated corresponding TypeScript React type packages to match React 19.
    • Applied minor Next.js version bumps in several React examples to their latest patch releases.
    • No functional or behavioral changes; only dependency/version updates.



changeset-bot bot commented Dec 11, 2025

⚠️ No Changeset found

Latest commit: 6a03f0f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Dec 11, 2025

Walkthrough

Batched dependency version bumps across example projects and the root manifest: React and React-DOM were upgraded (multiple examples to ^19.0.3 or ^19.2.3), several Next.js example manifests moved from ^16.0.7 → ^16.0.10, and some dev-type packages (@types/react, @types/react-dom, vite) were updated. No code logic changed.

Changes

Cohort / File(s) | Summary

React ^19.0.0 → ^19.0.3 examples
  Files: examples/react/algolia/package.json, examples/react/basic-graphql-request/package.json, examples/react/basic/package.json, examples/react/chat/package.json, examples/react/default-query-function/package.json, examples/react/devtools-panel/package.json, examples/react/eslint-legacy/package.json, examples/react/offline/package.json, examples/react/playground/package.json, examples/react/react-native/package.json, examples/react/react-router/package.json, examples/react/rick-morty/package.json, examples/react/shadow-dom/package.json, examples/react/simple/package.json, examples/react/star-wars/package.json, examples/react/suspense/package.json
  Summary: Updated react / react-dom from ^19.0.0 → ^19.0.3; several dev @types/* bumped to ^19.0.3 (where present).

Next.js ^16.0.7 → ^16.0.10 & React ^19.2.1 → ^19.2.3 examples
  Files: examples/react/auto-refetching/package.json, examples/react/infinite-query-with-max-pages/package.json, examples/react/load-more-infinite-scroll/package.json, examples/react/nextjs-app-prefetching/package.json, examples/react/nextjs-suspense-streaming/package.json, examples/react/nextjs/package.json, examples/react/optimistic-updates-cache/package.json, examples/react/optimistic-updates-ui/package.json, examples/react/pagination/package.json, examples/react/prefetching/package.json
  Summary: Updated next from ^16.0.7 → ^16.0.10 and react / react-dom from ^19.2.1 → ^19.2.3.

Single-file / misc manifest edits
  Files: examples/react/react-router/package.json
  Summary: Also added/updated devDependency vite and bumped @types/* to ^19.0.3.

Root package.json
  Files: package.json
  Summary: Updated devDependencies react and react-dom from ^19.2.1 → ^19.2.3.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Spot-check example manifests with Next.js bumps for peer-dep implications.
  • Verify the react-router example's added/updated vite entry and @types alignment.

Suggested labels

dependencies

Suggested reviewers

  • TkDodo
  • dagamo

Poem

🐰 I hopped through manifests, nimbly and quick,
nudged React and Next with a tiny tick.
Versions aligned, examples ready to run—
a carrot for devs, a job neatly done. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  Description check: ⚠️ Warning
    Explanation: The description provides detailed context about security vulnerabilities and includes references to official advisories, but does not follow the required template structure with the specified sections.
    Resolution: Reformat the description to include the required template sections: '## 🎯 Changes', '## ✅ Checklist', and '## 🚀 Release Impact' as specified in the repository template.
✅ Passed checks (2 passed)
  Title check: ✅ Passed
    Explanation: The title 'fix: update react and nextjs' accurately describes the main change of updating React and Next.js dependencies across multiple examples and root package.
  Docstring Coverage: ✅ Passed
    Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f56d411 and 6a03f0f.

📒 Files selected for processing (5)
  • examples/react/algolia/package.json (1 hunks)
  • examples/react/basic/package.json (1 hunks)
  • examples/react/eslint-legacy/package.json (1 hunks)
  • examples/react/react-router/package.json (1 hunks)
  • examples/react/shadow-dom/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • examples/react/basic/package.json
  • examples/react/shadow-dom/package.json
  • examples/react/eslint-legacy/package.json
  • examples/react/algolia/package.json
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-19T03:18:18.303Z
Learnt from: oscartbeaumont
Repo: TanStack/query PR: 9564
File: packages/solid-query-devtools/src/production.tsx:2-3
Timestamp: 2025-08-19T03:18:18.303Z
Learning: In the solid-query-devtools package, the codebase uses a pattern of type-only default imports combined with typeof for component type annotations (e.g., `import type SolidQueryDevtoolsComp from './devtools'` followed by `typeof SolidQueryDevtoolsComp`). This pattern is consistently used across index.tsx and production.tsx files, and the maintainers prefer consistency over changing this approach.

Applied to files:

  • examples/react/react-router/package.json
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

  • examples/react/react-router/package.json
🔇 Additional comments (1)
examples/react/react-router/package.json (1)

15-16: React / ReactDOM / @types are now correctly in lockstep.
This resolves the common “React 19 runtime + React 18 types” mismatch and should avoid TS/JSX typing fallout.

Also applies to: 23-24



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
examples/react/optimistic-updates-ui/package.json (1)

13-15: Duplicate: Verify Next.js version discrepancy (see previous comment for context).

This file shows the same pattern as the prior example: next ^16.0.9 instead of the 19.0.9 mentioned in PR objectives. Ensure consistency across all updated files and confirm compatibility.

examples/react/prefetching/package.json (1)

13-15: Duplicate: Verify Next.js version discrepancy (see previous comment for context).

Consistent with files 1 and 2: next shows ^16.0.9 rather than 19.0.9 from PR objectives. Verify this is intentional across the repository.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f15b7fc and b09bc3a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (27)
  • examples/react/algolia/package.json (1 hunks)
  • examples/react/auto-refetching/package.json (1 hunks)
  • examples/react/basic-graphql-request/package.json (1 hunks)
  • examples/react/basic/package.json (1 hunks)
  • examples/react/chat/package.json (1 hunks)
  • examples/react/default-query-function/package.json (1 hunks)
  • examples/react/devtools-panel/package.json (1 hunks)
  • examples/react/eslint-legacy/package.json (1 hunks)
  • examples/react/infinite-query-with-max-pages/package.json (1 hunks)
  • examples/react/load-more-infinite-scroll/package.json (1 hunks)
  • examples/react/nextjs-app-prefetching/package.json (1 hunks)
  • examples/react/nextjs-suspense-streaming/package.json (1 hunks)
  • examples/react/nextjs/package.json (1 hunks)
  • examples/react/offline/package.json (1 hunks)
  • examples/react/optimistic-updates-cache/package.json (1 hunks)
  • examples/react/optimistic-updates-ui/package.json (1 hunks)
  • examples/react/pagination/package.json (1 hunks)
  • examples/react/playground/package.json (1 hunks)
  • examples/react/prefetching/package.json (1 hunks)
  • examples/react/react-native/package.json (1 hunks)
  • examples/react/react-router/package.json (1 hunks)
  • examples/react/rick-morty/package.json (1 hunks)
  • examples/react/shadow-dom/package.json (1 hunks)
  • examples/react/simple/package.json (1 hunks)
  • examples/react/star-wars/package.json (1 hunks)
  • examples/react/suspense/package.json (1 hunks)
  • package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

  • examples/react/nextjs/package.json
  • examples/react/nextjs-suspense-streaming/package.json
  • examples/react/rick-morty/package.json
  • examples/react/playground/package.json
  • examples/react/auto-refetching/package.json
  • examples/react/default-query-function/package.json
  • examples/react/optimistic-updates-ui/package.json
  • examples/react/nextjs-app-prefetching/package.json
  • examples/react/algolia/package.json
  • examples/react/star-wars/package.json
  • examples/react/shadow-dom/package.json
  • examples/react/chat/package.json
  • examples/react/infinite-query-with-max-pages/package.json
  • examples/react/suspense/package.json
  • examples/react/devtools-panel/package.json
  • examples/react/basic-graphql-request/package.json
  • examples/react/pagination/package.json
  • examples/react/eslint-legacy/package.json
  • examples/react/offline/package.json
  • examples/react/basic/package.json
  • examples/react/optimistic-updates-cache/package.json
  • examples/react/prefetching/package.json
  • examples/react/load-more-infinite-scroll/package.json
  • examples/react/react-router/package.json
  • examples/react/simple/package.json
📚 Learning: 2025-08-19T03:18:18.303Z
Learnt from: oscartbeaumont
Repo: TanStack/query PR: 9564
File: packages/solid-query-devtools/src/production.tsx:2-3
Timestamp: 2025-08-19T03:18:18.303Z
Learning: In the solid-query-devtools package, the codebase uses a pattern of type-only default imports combined with typeof for component type annotations (e.g., `import type SolidQueryDevtoolsComp from './devtools'` followed by `typeof SolidQueryDevtoolsComp`). This pattern is consistently used across index.tsx and production.tsx files, and the maintainers prefer consistency over changing this approach.

Applied to files:

  • examples/react/shadow-dom/package.json
🔇 Additional comments (25)
examples/react/rick-morty/package.json (1)

13-14: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/star-wars/package.json (1)

13-14: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/pagination/package.json (1)

13-15: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities affecting Next.js RSC, consider using tilde ranges (~16.0.9, ~19.2.2) or exact versions to prevent unintended upgrades until tested.

examples/react/basic-graphql-request/package.json (1)

15-16: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/devtools-panel/package.json (1)

13-14: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/nextjs-suspense-streaming/package.json (1)

14-16: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities affecting Next.js RSC streaming, consider using tilde ranges (~16.0.9, ~19.2.2) or exact versions to prevent unintended upgrades until tested.

examples/react/nextjs/package.json (1)

13-15: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities affecting Next.js RSC, consider using tilde ranges (~16.0.9, ~19.2.2) or exact versions to prevent unintended upgrades until tested.

package.json (1)

66-67: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.2.2) or exact versions (19.2.2) to prevent unintended upgrades until tested.

examples/react/infinite-query-with-max-pages/package.json (1)

13-15: Verify version alignment across all examples.

This file updates React/React-DOM to ^19.2.2 (matching the PR objective), but other example files in the PR are updating to ^19.0.2 instead. Additionally, the PR objective states "next: 19.0.9" but this file (and others) are at ^16.0.9.

Please confirm whether:

  1. The split between ^19.0.2 and ^19.2.2 for React is intentional (e.g., examples with Next.js use ^19.2.2, others use ^19.0.2).
  2. The PR objective's "next: 19.0.9" is a typo and should be "next: 16.0.9".
  3. All examples that should be at ^19.2.2 have been updated (or if some should remain at ^19.0.2).
examples/react/shadow-dom/package.json (1)

13-14: Verify whether this example should be at React ^19.2.2 instead of ^19.0.2.

The PR objective targets React/React-DOM 19.2.2, but this file is only being updated to 19.0.2. Please confirm if this is intentional (e.g., example-specific constraints) or if it should match the other Next.js examples at 19.2.2.

examples/react/react-router/package.json (1)

15-16: Check TypeScript type definitions compatibility.

React is being bumped to ^19.0.2, but @types/react remains at ^18.2.79 (line 23). Ensure that React 18.x types are compatible with React 19.0.x runtime, or consider updating types to ^19.x if needed.

examples/react/eslint-legacy/package.json (1)

16-17: Check TypeScript type definitions compatibility.

React is being bumped to ^19.0.2, but @types/react remains at ^18.2.79 (line 21). Ensure compatibility between React 18.x types and React 19.0.x runtime.

examples/react/optimistic-updates-cache/package.json (1)

13-15: LGTM.

Version updates are consistent with other Next.js examples and the PR objective (Next.js ^16.0.9, React/React-DOM ^19.2.2). Type definitions are appropriately aligned at 19.2.x.

examples/react/basic/package.json (1)

16-17: Check TypeScript type definitions compatibility.

React is being bumped to ^19.0.2, but @types/react remains at ^18.2.79 (line 21). Ensure compatibility between React 18.x types and React 19.0.x runtime.

examples/react/simple/package.json (1)

13-14: LGTM.

Minor patch version bump for non-Next.js example is consistent with the PR pattern. No type definition concerns in this simplified example.

examples/react/default-query-function/package.json (1)

13-14: LGTM.

Minor patch version bump for non-Next.js example follows the established pattern. No type definition concerns.

examples/react/algolia/package.json (1)

14-15: Verify React version branch is intentional.

Like other examples, this file uses ^19.0.2 while some examples use ^19.2.2. Confirm whether this version split is intentional or if all examples should target the same React security patch version.

examples/react/suspense/package.json (1)

14-15: Verify React version branch is intentional.

This example uses ^19.0.2, but some examples use ^19.2.2. Ensure this version split across Vite-based and Next.js-based examples is intentional.

examples/react/offline/package.json (1)

17-18: Verify React version branch is intentional.

This example uses ^19.0.2, but some examples use ^19.2.2. Ensure this version split is intentional across the repository.

examples/react/react-native/package.json (1)

22-22: Verify React version branch is intentional.

This example uses ^19.0.2, which is consistent with other non-Next.js examples. Confirm this version branch intentionally differs from ^19.2.2 used in Next.js examples.

examples/react/playground/package.json (1)

13-14: Verify React version branch is intentional.

This example uses ^19.0.2, consistent with other non-Next.js examples. Confirm this is intentional and addresses the same RSC vulnerability as ^19.2.2 versions in other examples.

examples/react/nextjs-app-prefetching/package.json (1)

13-15: The package.json versions are correct. Next.js 19.0.9 does not exist—Next.js is currently at 16.x releases. The version ^16.0.9 properly addresses the RSC vulnerability (CVE-2025-66478), which was patched starting in 16.0.7. No "PR objectives" requiring 19.0.9 are documented in the repository. No action needed.

Likely an incorrect or invalid review comment.

examples/react/chat/package.json (1)

13-14: The versions specified (^19.0.2) are correct and address the RSC vulnerabilities. React 19.0.2 is one of the officially patched versions released following the December 2025 security advisories (CVE-2025-55182, CVE-2025-55183, CVE-2025-55184). No change needed here.

examples/react/optimistic-updates-ui/package.json (1)

17-21: Inconsistent type definition updates.

File 1 (load-more-infinite-scroll) includes updates to @types/react (^19.2.7) and @types/react-dom (^19.2.3), but this file does not. Given the runtime dependency updates to React 19.2.2, consider aligning type definitions across all examples.

examples/react/load-more-infinite-scroll/package.json (1)

13-15: No changes needed. Next.js 16.0.9 fully supports React 19.2.2 and includes RSC vulnerability fixes from December 2025 (CVE-2025-66478, patched in 16.0.7 and included in 16.0.9). The version specifications are correct and compatible.

@PierreCrb PierreCrb marked this pull request as draft December 12, 2025 10:20
@PierreCrb PierreCrb (Author) commented

React released an additional fix for an incomplete DoS patch (CVE-2025-67779).
Updated React to 19.0.3 / 19.2.3, as 19.0.2 / 19.2.2 are still vulnerable.

Next.js was also updated to include the patched React versions:

  • next: 16.0.9 → 16.0.10
  • react: 19.2.2 → 19.2.3
  • react-dom: 19.2.2 → 19.2.3

Refs:
https://x.com/reactjs/status/1999267418846449786
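
The thread turns on two mechanical questions: which releases a caret range such as ^19.0.2 still admits (the point the first review raised about caret versus tilde), and whether a given installed React / Next.js version sits at or above the patched floors the author lists in the comment above (react and react-dom 19.0.3 and 19.2.3, next 16.0.10). The script below is an added example written for this page; it is not code from the TanStack/query repository, from the PR author, or from either bot. It has no dependencies, handles only the plain x.y.z caret/tilde/exact forms that appear in these manifests, and runs over a constructed before/after manifest pair rather than a real lockfile. The patched floors are assumptions taken from the comments in this thread; release lines the thread does not name (for example react 19.1.x) are reported as unknown rather than guessed.

```javascript
// Added example for this PR thread (not TanStack/query code): check React / Next.js
// manifest ranges and resolved versions against the patched releases named above.
// Assumption: floors come from the thread's comments (react/react-dom 19.0.3 and
// 19.2.3 for CVE-2025-67779, next 16.0.10). Lines not listed are reported as
// "unknown", never assumed safe.
const PATCHED_FLOORS = {
  react: ['19.0.3', '19.2.3'],
  'react-dom': ['19.0.3', '19.2.3'],
  next: ['16.0.10'],
};

// Parse a plain x.y.z version into numbers (pre-release tags are out of scope).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: a string compare would wrongly put 16.0.9 above 16.0.10.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive lower and exclusive upper bound for the three range forms used in
// these manifests. npm treats caret on 0.x versions differently; React and
// Next.js majors are >= 16 here, so that case is deliberately not handled.
function rangeBounds(spec) {
  const op = spec.startsWith('^') || spec.startsWith('~') ? spec[0] : '';
  const base = op ? spec.slice(1) : spec;
  const [major, minor, patch] = parseVersion(base);
  if (op === '^') return { min: base, max: `${major + 1}.0.0` };        // ^19.0.2: >=19.0.2 <20.0.0
  if (op === '~') return { min: base, max: `${major}.${minor + 1}.0` };  // ~19.0.2: >=19.0.2 <19.1.0
  return { min: base, max: `${major}.${minor}.${patch + 1}` };           // exact:   ==19.0.2
}

function satisfies(version, spec) {
  const { min, max } = rangeBounds(spec);
  return compareVersions(version, min) >= 0 && compareVersions(version, max) < 0;
}

// Patched floor for the release line (major.minor) a version belongs to, or null.
function patchedFloor(pkg, version) {
  const [major, minor] = parseVersion(version);
  const floors = PATCHED_FLOORS[pkg] || [];
  return floors.find((f) => {
    const [fMajor, fMinor] = parseVersion(f);
    return fMajor === major && fMinor === minor;
  }) || null;
}

// deps: the manifest's dependency map; resolved: what is actually installed (the
// lockfile pin). One verdict per package this check knows about:
//   vulnerable               installed version is below the patched floor
//   range-admits-vulnerable  installed version is patched, but the manifest range
//                            still accepts an unpatched release, so a lockfile
//                            pinned to the range minimum passes unchanged
//   ok                       installed version and range minimum are both patched
//   unknown                  release line not covered by PATCHED_FLOORS
function auditManifest(deps, resolved) {
  const findings = {};
  for (const [pkg, spec] of Object.entries(deps)) {
    if (!(pkg in PATCHED_FLOORS)) continue;
    const installed = resolved[pkg];
    if (!satisfies(installed, spec)) {
      throw new Error(`${pkg}: resolved ${installed} does not satisfy ${spec}`);
    }
    const floor = patchedFloor(pkg, installed);
    if (!floor) { findings[pkg] = 'unknown'; continue; }
    if (compareVersions(installed, floor) < 0) { findings[pkg] = 'vulnerable'; continue; }
    const rangeMin = rangeBounds(spec).min;
    // Judge the range minimum against its own line's floor; fall back to the
    // installed line's floor (conservative) when that line is not listed.
    const minFloor = patchedFloor(pkg, rangeMin) || floor;
    findings[pkg] = compareVersions(rangeMin, minFloor) < 0 ? 'range-admits-vulnerable' : 'ok';
  }
  return findings;
}

// Constructed sample manifests mirroring the states discussed in this PR
// (not real package.json or lockfile contents).
const SAMPLE_BEFORE = {
  deps: { react: '^19.2.1', 'react-dom': '^19.2.1', next: '^16.0.7' },
  resolved: { react: '19.2.2', 'react-dom': '19.2.2', next: '16.0.9' },
};
const SAMPLE_AFTER = {
  deps: { react: '^19.2.3', 'react-dom': '^19.2.3', next: '^16.0.10' },
  resolved: { react: '19.2.3', 'react-dom': '19.2.3', next: '16.0.10' },
};

console.log('before:', auditManifest(SAMPLE_BEFORE.deps, SAMPLE_BEFORE.resolved));
console.log('after: ', auditManifest(SAMPLE_AFTER.deps, SAMPLE_AFTER.resolved));
```

Run it with node to see the before state flagged as vulnerable on all three packages and the after state as ok. The range-admits-vulnerable verdict is the practical version of the caret-versus-tilde discussion: the operator only governs how far a fresh resolve may float upward, while a reproducible install takes the lockfile pin, so a manifest that still says ^19.0.2 is satisfied by a lockfile at 19.0.2. Raising the manifest minimum to the patched release (as this PR does) or pinning exactly is what closes that gap; the caret itself neither causes nor fixes it.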

@PierreCrb PierreCrb marked this pull request as ready for review December 12, 2025 10:41
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b09bc3a and f56d411.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (27)
  • examples/react/algolia/package.json (1 hunks)
  • examples/react/auto-refetching/package.json (1 hunks)
  • examples/react/basic-graphql-request/package.json (1 hunks)
  • examples/react/basic/package.json (1 hunks)
  • examples/react/chat/package.json (1 hunks)
  • examples/react/default-query-function/package.json (1 hunks)
  • examples/react/devtools-panel/package.json (1 hunks)
  • examples/react/eslint-legacy/package.json (1 hunks)
  • examples/react/infinite-query-with-max-pages/package.json (1 hunks)
  • examples/react/load-more-infinite-scroll/package.json (1 hunks)
  • examples/react/nextjs-app-prefetching/package.json (1 hunks)
  • examples/react/nextjs-suspense-streaming/package.json (1 hunks)
  • examples/react/nextjs/package.json (1 hunks)
  • examples/react/offline/package.json (1 hunks)
  • examples/react/optimistic-updates-cache/package.json (1 hunks)
  • examples/react/optimistic-updates-ui/package.json (1 hunks)
  • examples/react/pagination/package.json (1 hunks)
  • examples/react/playground/package.json (1 hunks)
  • examples/react/prefetching/package.json (1 hunks)
  • examples/react/react-native/package.json (1 hunks)
  • examples/react/react-router/package.json (1 hunks)
  • examples/react/rick-morty/package.json (1 hunks)
  • examples/react/shadow-dom/package.json (1 hunks)
  • examples/react/simple/package.json (1 hunks)
  • examples/react/star-wars/package.json (1 hunks)
  • examples/react/suspense/package.json (1 hunks)
  • package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (14)
  • examples/react/optimistic-updates-cache/package.json
  • examples/react/eslint-legacy/package.json
  • examples/react/load-more-infinite-scroll/package.json
  • examples/react/star-wars/package.json
  • examples/react/nextjs-app-prefetching/package.json
  • examples/react/nextjs-suspense-streaming/package.json
  • examples/react/infinite-query-with-max-pages/package.json
  • examples/react/pagination/package.json
  • examples/react/basic-graphql-request/package.json
  • examples/react/nextjs/package.json
  • examples/react/auto-refetching/package.json
  • examples/react/shadow-dom/package.json
  • examples/react/suspense/package.json
  • examples/react/algolia/package.json
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

  • examples/react/default-query-function/package.json
  • examples/react/rick-morty/package.json
  • examples/react/simple/package.json
  • examples/react/devtools-panel/package.json
  • examples/react/optimistic-updates-ui/package.json
  • examples/react/offline/package.json
  • examples/react/basic/package.json
  • examples/react/chat/package.json
  • examples/react/prefetching/package.json
  • examples/react/playground/package.json
  • examples/react/react-router/package.json
🔇 Additional comments (11)
examples/react/rick-morty/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps to ^19.0.3 address CVE-2025-67779 in React Server Components. The caret versioning allows patch-level updates within the 19.0.x range, which is appropriate for security patches.

examples/react/default-query-function/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No TypeScript type definitions are present in this project, so no type compatibility concerns.

examples/react/optimistic-updates-ui/package.json (1)

13-15: Approved: Security patch updates for React 19.2.3 and Next.js 16.0.10.

The version bumps address CVE-2025-67779 in React Server Components and Next.js. TypeScript definitions are correctly aligned (lines 18–19: @types/react@^19.2.7, @types/react-dom@^19.2.3), matching the React 19.2.3 upgrade.

examples/react/playground/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No React TypeScript definitions are declared in this project's devDependencies.

examples/react/offline/package.json (1)

17-18: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No React TypeScript definitions are declared in this project's devDependencies.

examples/react/chat/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No React TypeScript definitions are declared in this project's devDependencies.

examples/react/simple/package.json (1)

13-14: Security patch: Update react and react-dom to 19.0.3.

The update from ^19.0.0 to ^19.0.3 applies security patches for React Server Components vulnerabilities (CVE-2025-67779).

Verify that react@19.0.3 and react-dom@19.0.3 exist and contain the documented security fixes.

examples/react/devtools-panel/package.json (1)

13-14: Security patch: Update react and react-dom to 19.0.3.

The update applies security fixes for React Server Components vulnerabilities, specifically addressing CVE-2025-67779 (Denial-of-Service via unsafe deserialization) and related follow-up issues (CVE-2025-55184, CVE-2025-55183) as documented in the React security advisory published December 11, 2025. These patches are essential for production systems using React Server Components.

examples/react/react-native/package.json (1)

22-22: Security patch: Update react to 19.0.3.

The update from ^19.0.0 to ^19.0.3 applies security patches for React Server Components vulnerabilities, including the critical CVE-2025-55182 (React2Shell RCE, CVSS 10.0) and additional RSC issues (CVE-2025-55183 and CVE-2025-55184) disclosed in December 2025. The absence of react-dom is correct for React Native, which does not depend on react-dom.

package.json (1)

66-67: Revert react and react-dom versions: 19.2.3 does not exist.

React 19.2.3 and react-dom 19.2.3 are not released versions. The latest stable versions addressing CVE-2025-67779 are 19.2.2. Update to "react": "^19.2.2" and "react-dom": "^19.2.2" instead, or use the appropriate backported patch for your version line (19.0.2, 19.1.3, or 19.2.2).

Likely an incorrect or invalid review comment.

examples/react/prefetching/package.json (1)

13-15: Security patch: Update next, react, and react-dom to patched versions.

The updates address security vulnerabilities across the Next.js and React stack:

  • next: ^16.0.7 → ^16.0.10 (patched Dec 12, 2025 for React Server Components vulnerabilities)
  • react: ^19.2.1 → ^19.2.3 (addresses CVE-2025-67779 DoS in RSC implementations)
  • react-dom: ^19.2.1 → ^19.2.3 (addresses CVE-2025-67779 DoS in RSC implementations)

See Next.js security advisory (https://nextjs.org/blog/security-update-2025-12-11) for details on patched releases.

@PierreCrb PierreCrb marked this pull request as draft December 12, 2025 11:09
@PierreCrb PierreCrb marked this pull request as ready for review December 12, 2025 11:11