chore(deps): bump the production-dependencies group with 13 updates

[dependabot]

Bumps the production-dependencies group with 13 updates:

Package	From	To
@supabase/supabase-js	2.89.0	2.90.1
@vitejs/plugin-react-swc	3.11.0	4.2.2
dotenv	16.6.1	17.2.3
express	4.22.1	5.2.1
framer-motion	12.23.26	12.26.1
lucide-react	0.344.0	0.562.0
openai	4.104.0	6.16.0
react	18.3.1	19.2.3
react-dom	18.3.1	19.2.3
react-markdown	9.1.0	10.1.0
react-router-dom	7.11.0	7.12.0
react-syntax-highlighter	15.6.6	16.1.0
resend	4.8.0	6.7.0

Updates @supabase/supabase-js from 2.89.0 to 2.90.1

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.90.1

2.90.1 (2026-01-08)

🩹 Fixes

• postgrest: prevent shared state between query builder operations (#1978)
• realtime: validate table filter in postgres_changes event dispatch (#1999)

❤️ Thank You

• Vaibhav @​7ttp

v2.90.1-canary.1

2.90.1-canary.1 (2026-01-08)

🩹 Fixes

• postgrest: prevent shared state between query builder operations (#1978)

❤️ Thank You

• Vaibhav @​7ttp

v2.90.1-canary.0

2.90.1-canary.0 (2026-01-07)

🩹 Fixes

• realtime: validate table filter in postgres_changes event dispatch (#1999)

❤️ Thank You

• Vaibhav @​7ttp

v2.90.0

2.90.0 (2026-01-07)

🚀 Features

• realtime: expose heartbeat latency on heartbeat callback (#1982)

🩹 Fixes

• auth: add banned_until property to user type (#1989)
• auth: add last_challenged_at property to factor type (#1990)
• auth: clear initial setTimeout in stopAutoRefresh (#1993)
• auth: preserve session when magic link is clicked twice (#1996)
• auth: add configurable lock acquisition timeout to prevent deadlocks (#1962)
• functions: auto-stringify object body when custom Content-Type header is provided (#1988)
• postgrest: use post with return minimal for rpc head requests with object args (#1994)

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.90.1 (2026-01-08)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.90.0 (2026-01-07)

🩹 Fixes

• supabase: avoid edge runtime warnings in next.js (#1998)
• supabase: inline string literal in databasewithoutinternals type (#1986)
• supabase: split type-only exports to avoid unused import warnings (#1979)

❤️ Thank You

• Nico Kempe @​nicokempe
• Vaibhav @​7ttp

Commits

• 1b8410a chore(release): version 2.90.0 changelogs (#2003)
• d3d05f8 fix(supabase): avoid edge runtime warnings in next.js (#1998)
• 9bfac7f fix(supabase): inline string literal in databasewithoutinternals type (#1986)
• 30f9600 fix(supabase): split type-only exports to avoid unused import warnings (#1979)
• 636f1e9 test(supabase): run build in integration tests (#1969)
• 9e747ce chore(release): version 2.89.0 changelogs (#1971)
• See full diff in compare view

Updates @vitejs/plugin-react-swc from 3.11.0 to 4.2.2

Release notes

Sourced from @​vitejs/plugin-react-swc's releases.

plugin-react-swc@4.2.2

Update code to support newer rolldown-vite (#978)

rolldown-vite will remove optimizeDeps.rollupOptions in favor of optimizeDeps.rolldownOptions soon. This plugin now uses optimizeDeps.rolldownOptions to support newer rolldown-vite. Please update rolldown-vite to the latest version if you are using an older version.

plugin-react@4.2.1

Remove generic parameter on Plugin to avoid type error with Rollup 4/Vite 5 and skipLibCheck: false.

I expect very few people to currently use this feature, but if you are extending the React plugin via api object, you can get back the typing of the hook by importing ViteReactPluginApi:

import type { Plugin } from 'vite'
import type { ViteReactPluginApi } from '@vitejs/plugin-react'
export const somePlugin: Plugin = {
name: 'some-plugin',
api: {
reactBabel: (babelConfig) => {
babelConfig.plugins.push('some-babel-plugin')
},
} satisfies ViteReactPluginApi,
}

plugin-react-swc@4.2.1

Fix @vitejs/plugin-react-swc/preamble on build (#962)

plugin-react@4.2.0

Update peer dependency range to target Vite 5

There were no breaking change that impacted this plugin, so any combination of React plugins and Vite core version will work.

Align jsx runtime for optimized dependencies

This will only affect people using internal libraries that contains untranspiled JSX. This change aligns the optimizer with the source code and avoid issues when the published source don't have React in the scope.

Reminder: While being partially supported in Vite, publishing TS & JSX outside of internal libraries is highly discouraged.

plugin-react-swc@4.2.0

Add @vitejs/plugin-react-swc/preamble virtual module for SSR HMR (#890)

SSR applications can now initialize HMR runtime by importing @vitejs/plugin-react-swc/preamble at the top of their client entry instead of manually calling transformIndexHtml. This simplifies SSR setup for applications that don't use the transformIndexHtml API.

Use SWC when useAtYourOwnRisk_mutateSwcOptions is provided (#951)

Previously, this plugin did not use SWC if plugins were not provided even if useAtYourOwnRisk_mutateSwcOptions was provided. This is now fixed.

plugin-react@4.1.1

• Enable retainLines to get correct line numbers for jsxDev (fix #235)

... (truncated)

Changelog

Sourced from @​vitejs/plugin-react-swc's changelog.

4.2.2 (2025-11-12)

Update code to support newer rolldown-vite (#978)

rolldown-vite will remove optimizeDeps.rollupOptions in favor of optimizeDeps.rolldownOptions soon. This plugin now uses optimizeDeps.rolldownOptions to support newer rolldown-vite. Please update rolldown-vite to the latest version if you are using an older version.

4.2.1 (2025-11-05)

Fix @vitejs/plugin-react-swc/preamble on build (#962)

4.2.0 (2025-10-24)

Add @vitejs/plugin-react-swc/preamble virtual module for SSR HMR (#890)

SSR applications can now initialize HMR runtime by importing @vitejs/plugin-react-swc/preamble at the top of their client entry instead of manually calling transformIndexHtml. This simplifies SSR setup for applications that don't use the transformIndexHtml API.

Use SWC when useAtYourOwnRisk_mutateSwcOptions is provided (#951)

Previously, this plugin did not use SWC if plugins were not provided even if useAtYourOwnRisk_mutateSwcOptions was provided. This is now fixed.

4.1.0 (2025-09-17)

Set SWC cacheRoot options

This is set to {viteCacheDir}/swc and override the default of .swc.

Perf: simplify refresh wrapper generation (#835)

4.0.1 (2025-08-19)

Set optimizeDeps.rollupOptions.transform.jsx instead of optimizeDeps.rollupOptions.jsx for rolldown-vite (#735)

optimizeDeps.rollupOptions.jsx is going to be deprecated in favor of optimizeDeps.rollupOptions.transform.jsx.

4.0.0 (2025-08-07)

4.0.0-beta.0 (2025-07-28)

Require Node 20.19+, 22.12+

This plugin now requires Node 20.19+ or 22.12+.

Commits

• 5e600a3 release: plugin-react-swc@4.2.2
• bcc7db0 chore: add changelog for #976 and #978
• 17fdcc8 fix(react-swc,react-oxc): use rolldownOptions instead of deprecated rollupOpt...
• fc76c72 chore(deps): update dependency @​types/node to v24 (#970)
• 41cb823 fix(deps): update all non-major dependencies (#968)
• 51160f3 release: plugin-react-swc@4.2.1
• 0f5c8b4 chore(react-swc): add changelog (#963)
• 897a3be fix(react-swc): fix @vitejs/plugin-react-swc/preamble on build (#962)
• 9cabe27 fix(deps): update all non-major dependencies (#960)
• b5f471f chore(deps): update swc monorepo (#954)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​vitejs/plugin-react-swc since your current version.

Updates dotenv from 16.6.1 to 17.2.3

Changelog

Sourced from dotenv's changelog.

17.2.3 (2025-09-29)

Changed

• Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

• Fix clickable tip links by removing parentheses (#897)

17.2.0 (2025-07-09)

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"

// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)

$ node index.js
Hello World
or
$ DOTENV_CONFIG_QUIET=true node index.js

17.1.0 (2025-07-07)

Added

• Add additional security and configuration tips to the runtime log (#884)
• Dim the tips text from the main injection information text

... (truncated)

Commits

• affe113 17.2.3
• db1ff1f changelog 🪵
• 7063f16 Merge pull request #913 from motdotla/new-tips
• 0bbe72c test against expected tips
• 017951b only run .js tests
• 39eda1f add space back
• fcc030e update tips
• b6c7a0d updated tips - as Dotenvx Radar has been renamed Dotenvx Ops
• b3c8b16 remove unnecessary call to npx
• d6e4c17 Merge pull request #912 from adjerbetian/fix/typescript-error-definition
• Additional commits viewable in compare view

Updates express from 4.22.1 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @​UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @​dependabot[bot] in expressjs/express#6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @​Ayoub-Mabrouk in expressjs/express#6137
• increased code coverage of utils.js file by @​ashish3011 in expressjs/express#6386
• chore: remove duplicate word by @​dufucun in expressjs/express#6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @​dependabot[bot] in expressjs/express#6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/express#6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/express#6496
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6504
• ci: update codeql config by @​Phillip9587 in expressjs/express#6488
• chore: wider range for query test skip by @​jonchurch in expressjs/express#6512
• chore: fix typos in test by @​noritaka1166 in expressjs/express#6535
• ci: disable credential persistence for checkout actions by @​mertssmnoglu in expressjs/express#6522
• ci: allow manual triggering of workflow by @​shivarm in expressjs/express#6515
• test: add coverage for app.listen() variants by @​kgarg1 in expressjs/express#6476
• docs: move documentation and charters to the discussions and .github … by @​bjohansebas in expressjs/express#6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/express#6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/express#6548
• chore: enforce explicit Buffer import and add lint rule by @​shivarm in expressjs/express#6525
• chore: use node protocol for querystring by @​shivarm in expressjs/express#6520
• chore: fix typo by @​mountdisk in expressjs/express#6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/express#6618
• add deprecation warnings for redirect arguments undefined by @​bjohansebas in expressjs/express#6405
• ci: run CI when the markdown changes by @​bjohansebas in expressjs/express#6632
• doc: fix CONTRIBUTING link by @​jonchurch in expressjs/express#6653
• doc: update contributing guidelines and code of conduct links by @​ShubhamOulkar in expressjs/express#6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @​dependabot[bot] in expressjs/express#6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @​dependabot[bot] in expressjs/express#6678
• lint: add --fix flag to automatic fix linting issue by @​shivarm in expressjs/express#6644
• chore: ignore yarn.lock file and update example by @​shivarm in expressjs/express#6588
• lib: use req.socket over deprecated req.connection by @​bjohansebas in expressjs/express#6705
• doc: update express app example by @​shivarm in expressjs/express#6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/express#6675
• Remove history.md from being packaged on publish by @​sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0

... (truncated)

Commits

• dbac741 5.2.1
• 697547c Revert "sec: security patch for CVE-2024-51999"
• 4007ad1 Release: 5.2.0 (#6920)
• 2f64f68 sec: security patch for CVE-2024-51999
• ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
• 8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
• 30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
• 758d435 deps: body-parser@^2.2.1 (#6922)
• 77bcd52 docs: update emeritus triagers (#6890)
• f33caf1 Nominate to @​efekrskl for triage team (#6888)
• Additional commits viewable in compare view

Updates framer-motion from 12.23.26 to 12.26.1

Changelog

Sourced from framer-motion's changelog.

[12.26.1] 2026-01-12

Fixed

• Improve overload selection for useTransform.

[12.26.0] 2026-01-12

Added

• Support for multiple output value maps with useTransform.

[12.25.0] 2026-01-09

Added

• Support for auto-scrolling when a Reorder.Item reaches the edges of its parent scrollable container.

[12.24.12] 2026-01-08

Fixed

• Draggable elements now track pointer during page and element scroll.

[12.24.11] 2026-01-08

Fixed

• Fixed time sampling of GPU animations under heavy CPU load.

[12.24.10] 2026-01-07

Fixed

• Fixing missing import from motion-dom.

[12.24.9] 2026-01-07

Fixed

• Fixing Radix Dialog with AnimatePresence.
• Ensure drag constraints animation resumes after press interruption.
• Prevent drag gesture from triggering when pressing focusable elements.

[12.24.8] 2026-01-07

Fixed

• Perform unit conversion when animating to/from calc() values.

... (truncated)

Commits

• e4141d2 v12.26.1
• e7a5d9f Updating useTransform types
• 564ab94 Updating changelog
• 05334c6 v12.26.0
• 7177727 Updating changelog
• 0f8a3f9 Updating changelog
• b23c87b Merge pull request #3466 from motiondivision/claude/add-usetransform-signatur...
• a1404a8 Remove stable values test and fix scale(1) assertion
• c64be26 Fix test assertions for output map useTransform
• 69bb605 Fix TypeScript errors in useTransform tests
• Additional commits viewable in compare view

Updates lucide-react from 0.344.0 to 0.562.0

Release notes

Sourced from lucide-react's releases.

Version 0.562.0

What's Changed

• fix(icons): changed paint-bucket icon by @​jguddas in lucide-icons/lucide#3880
• fix(site): Fix and unify color-picker font-size by @​taimar in lucide-icons/lucide#3889
• fix(react-native-web): only add className prop to parent Icon component by @​jguddas in lucide-icons/lucide#3892
• fix(lucide-react-native): remove icons namespace export to enable tree-shaking by @​jtomaszewski in lucide-icons/lucide#3868
• feat(icons): added toolbox icon by @​karsa-mistmere in lucide-icons/lucide#3871

New Contributors

• @​taimar made their first contribution in lucide-icons/lucide#3889
• @​jtomaszewski made their first contribution in lucide-icons/lucide#3868

Full Changelog: lucide-icons/lucide@0.561.0...0.562.0

Version 0.561.0

What's Changed

• fix(site): Small adjustments color picker and add clear button search bar by @​ericfennis in lucide-icons/lucide#3851
• feat(icons): added stone icon by @​Alportan in lucide-icons/lucide#3850

Full Changelog: lucide-icons/lucide@0.560.0...0.561.0

Version 0.560.0

What's Changed

• feat(icons): added cannabis-off icon by @​NickVeles in lucide-icons/lucide#3748

New Contributors

• @​NickVeles made their first contribution in lucide-icons/lucide#3748

Full Changelog: lucide-icons/lucide@0.559.0...0.560.0

Version 0.559.0

What's Changed

• feat(icons): added fishing-hook icon by @​7ender in lucide-icons/lucide#3837

New Contributors

• @​7ender made their first contribution in lucide-icons/lucide#3837

Full Changelog: lucide-icons/lucide@0.558.0...0.559.0

Version 0.558.0

What's Changed

• feat(icons): added hd icon by @​jamiemlaw in lucide-icons/lucide#2958

Full Changelog: lucide-icons/lucide@0.557.0...0.558.0

Version 0.557.0

What's Changed

• fix(github/workflows/ci): fixes linting issues by @​karsa-mistmere in lucide-icons/lucide#3858

... (truncated)

Commits

• 076e0bb chore(dependencies): Update dependencies (#3809)
• 80d6f73 fix(icons): Rename fingerprint icon to fingerprint-pattern (#3767)
• 1cfb3ff chore(deps-dev): bump vite from 6.3.5 to 6.3.6 (#3611)
• e71198d chore: icon alias improvements (#2861)
• 3e644fd chore(scripts): Refactor scripts to typescript (#3316)
• 19fa01b build(deps-dev): bump vite from 6.3.2 to 6.3.4 (#3181)
• 03eb862 use implicit return in react package (#2325)
• 0fccc27 Bump dependencies (#3096)
• 7b95480 Added periods (#3065)
• e4988bc build(deps-dev): bump vite from 5.4.15 to 5.4.17 (#2993)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lucide-react since your current version.

Updates openai from 4.104.0 to 6.16.0

Release notes

Sourced from openai's releases.

v6.16.0

6.16.0 (2026-01-09)

Full Changelog: v6.15.0...v6.16.0

Features

• api: add new Response completed_at prop (ca40534)
• ci: add breaking change detection workflow (a6f3dea)

Chores

• break long lines in snippets into multiline (80dee2f)
• internal: codegen related update (b2fac3e)

v6.15.0

6.15.0 (2025-12-19)

Full Changelog: v6.14.0...v6.15.0

Bug Fixes

• rebuild (5627b41)

v6.14.0

6.14.0 (2025-12-16)

Full Changelog: v6.13.0...v6.14.0

Features

• api: gpt-image-1.5 (6c1ac1d)

v6.13.0

6.13.0 (2025-12-15)

Full Changelog: v6.12.0...v6.13.0

Features

• api: api update (bc759dc)
• api: fix grader input list, add dated slugs for sora-2 (6b2a38f)

v6.12.0

6.12.0 (2025-12-11)

Full Changelog: v6.11.0...v6.12.0

Features

... (truncated)

Changelog

Sourced from openai's changelog.

6.16.0 (2026-01-09)

Full Changelog: v6.15.0...v6.16.0

Features

• api: add new Response completed_at prop (ca40534)
• ci: add breaking change detection workflow (a6f3dea)

Chores

• break long lines in snippets into multiline (80dee2f)
• internal: codegen related update (b2fac3e)

6.15.0 (2025-12-19)

Full Changelog: v6.14.0...v6.15.0

Bug Fixes

• rebuild (5627b41)

6.14.0 (2025-12-16)

Full Changelog: v6.13.0...v6.14.0

Features

• api: gpt-image-1.5 (6c1ac1d)

6.13.0 (2025-12-15)

Full Changelog: v6.12.0...v6.13.0

Features

• api: api update (bc759dc)
• api: fix grader input list, add dated slugs for sora-2 (6b2a38f)

6.12.0 (2025-12-11)

Full Changelog: v6.11.0...v6.12.0

Features

• api: gpt 5.2 (7000ddb)

6.11.0 (2025-12-10)

... (truncated)

Commits

• 44b7ac2 Merge pull request #1731 from openai/release-please--branches--master--change...
• e3059f7 release: 6.16.0
• ca40534 feat(api): add new Response completed_at prop
• 80dee2f chore: break long lines in snippets into multiline
• a6f3dea feat(ci): add breaking change detection workflow
• f8828b7 Merge pull request #728 from stainless-sdks/cameron/detect-agents-breaks
• 8568b31 Merge branch 'next' into cameron/detect-agents-breaks
• b2fac3e chore(internal): codegen related update
• cb3987b release: 6.15.0
• 1c94f92 codegen metadata
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by apcha-oai, a new releaser for openai since your current version.

Updates react from 18.3.1 to 19.2.3

Release notes

Sourced from react's releases.

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

19.2.1 (December 3rd, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)

... (truncated)

Changelog

Sourced from react's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

• Bring React Server Component fixes to Server Actions (@​sebmarkbage #35277)

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629,

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	react-router-dom@​7.11.0 ⏵ 7.12.0
	@​types/​react-dom@​18.3.7 ⏵ 19.2.3
	@​types/​react@​18.3.27 ⏵ 19.2.8
	react@​18.3.1 ⏵ 19.2.3
	react-markdown@​9.1.0 ⏵ 10.1.0			+1
	react-syntax-highlighter@​15.6.6 ⏵ 16.1.0	+3		+1
	dotenv@​16.6.1 ⏵ 17.2.3	-1
	express@​4.22.1 ⏵ 5.2.1	+1
	@​vitejs/​plugin-react-swc@​3.11.0 ⏵ 4.2.2	+1			+2
	react-dom@​18.3.1 ⏵ 19.2.3	+1		+1
	lucide-react@​0.344.0 ⏵ 0.562.0			-5
	framer-motion@​12.23.26 ⏵ 12.26.1			+1	+1
	openai@​4.104.0 ⏵ 6.16.0			+1
	resend@​4.8.0 ⏵ 6.7.0
	@​supabase/​supabase-js@​2.89.0 ⏵ 2.90.1	+1

View full report

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.