Closed
4 changes: 2 additions & 2 deletions example/package.json
Expand Up @@ -22,8 +22,8 @@
"express": "5.2.1",
"html-react-parser": "6.0.1",
"jsonwebtoken": "9.0.3",
"react": "18.3.1",
"react-dom": "18.3.1",
"react": "19.2.6",
"react-dom": "19.2.6",
"react-flagpack": "2.0.6",
"react-syntax-highlighter": "16.1.1",
"typescript": "6.0.3"
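Review bot: the example app's react and react-dom pins move from exactly 18.3.1 to exactly 19.2.6, but the change set (two package.json files, 2 additions and 2 deletions each) contains no lockfile update; if the example commits a lockfile it needs regenerating in the same PR, otherwise a clean install of the example resolves React from a stale lock. Pinning the example to the same version that anchors the library's new peer range is consistent, though it means the example never exercises any other React 19 release the peer range admits.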
4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -85,8 +85,8 @@
"dist"
],
"peerDependencies": {
"react": "^18.3.1",
"react-dom": "^18.3.1"
"react": "^19.2.6",
"react-dom": "^19.2.6"


Peer dependency range too restrictive for library consumers

High Severity

The peerDependencies for react and react-dom are set to ^19.2.6, which requires >=19.2.6 <20.0.0. This excludes all consumers on React 19.0.x, 19.1.x, and 19.2.0–19.2.5. Since the library code uses no APIs specific to React 19.2.6, the range is needlessly restrictive. For a published npm library consumed by external partners, this will cause peer dependency warnings or install failures. The range would more appropriately be ^19.0.0.


Triggered by project rule: Code Review Guidelines

Reviewed by Cursor Bugbot for commit fcbc738.


Breaking peer dependency change without major version bump

High Severity

Dropping React 18 from peerDependencies (changing from ^18.3.1 to ^19.2.6) is a breaking change for all consumers currently on React 18. The project rules require semver compliance and BREAKING CHANGE: in the commit for such changes. The PR title feat(security): would only trigger a minor version bump, but this change requires a major version bump since it removes support for the previously accepted peer dependency range.


Triggered by project rule: Code Review Guidelines

Reviewed by Cursor Bugbot for commit fcbc738.

},
"dependencies": {
"@hookform/resolvers": "5.2.2",
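Review bot: replacing `"react": "^18.3.1"` with `"react": "^19.2.6"` (and the same for react-dom) drops React 18 consumers from the supported range entirely rather than adding React 19 alongside it; for a PR titled feat(security), that leaves existing React 18 users unable to install the release without a React major upgrade. Unless the library actually calls a React 19 API, a union range such as `"react": "^18.3.1 || ^19.0.0"` keeps both cohorts installable and avoids the breaking change; if React 19 is genuinely required, the change needs a major version bump and a BREAKING CHANGE footer in the commit, and the example app's exact 19.2.6 pin should not be the floor of the peer range.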