
chore(deps): bump react-dom from 19.2.3 to 19.2.4 in /apps/frontend#853

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/apps/frontend/react-dom-19.2.4

Conversation


@dependabot dependabot bot commented on behalf of github Jan 27, 2026

Bumps react-dom from 19.2.3 to 19.2.4.

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

Commits


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 19.2.3 to 19.2.4.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.4/packages/react-dom)

---
updated-dependencies:
- dependency-name: react-dom
  dependency-version: 19.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 27, 2026
@dependabot dependabot bot requested a review from fingertips18 as a code owner January 27, 2026 07:43
@fingertips18
Owner

@coderabbitai Are there any breaking changes in this dependency update? Is it safe to merge?

@coderabbitai

coderabbitai bot commented Jan 27, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai

coderabbitai bot commented Jan 27, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🌐 Web query:

React 19.2.4 release breaking changes issues

💡 Result:

React 19.2.4 (released January 26, 2026) is a patch release and does not introduce new “breaking changes” for typical client-rendered apps; it’s primarily a security hardening release for React Server Components / Server Actions (“Flight” / Server Functions). [1]

What changed (and what might “break”)

If you use React Server Components and/or Server Functions/Server Actions, 19.2.4 adds additional DoS mitigations and hardens request deserialization paths. Apps that previously (intentionally or accidentally) accepted unusual/invalid Server Function payloads may now see those requests rejected/failed instead of being processed. [1][2][3]

Issues addressed (why upgrade)

The React team advises upgrading because earlier patches were found incomplete; 19.2.4 is listed as a safe version for newly disclosed RSC vulnerabilities, including:

  • High severity DoS (crafted requests can cause infinite loops / hangs, high CPU, OOM, or crashes) [2]
  • Medium severity source code exposure in certain vulnerable Server Function scenarios [2]

Practical guidance

  • If you do not use RSC/Server Functions: this release is unlikely to affect you (beyond normal patch-level risk). [2]
  • If you do use RSC/Server Functions: upgrade to 19.2.4 to get the mitigations, and ensure your RSC-related packages are updated consistently with your framework/bundler’s guidance. [1][2]

Sources: React GitHub releases (19.2.4) [1], React security advisory (updated Jan 26, 2026) [2], PR #35632 referenced by the release notes [3].


🏁 Script executed:

#!/bin/bash
# Check whether the frontend uses React Server Components or Server Actions.
# ripgrep has no built-in "tsx"/"jsx" file types: its "ts" type already
# matches .tsx and its "js" type already matches .jsx, so only those two
# types are needed (the original --type=tsx/--type=jsx flags would be rejected).
echo "=== Checking for React Server Components usage ==="
rg -n --type=ts --type=js -C2 '"use server"' apps/frontend/ || echo "No 'use server' directive found"

echo -e "\n=== Checking for Server Actions/Components imports ==="
rg -n --type=ts --type=js -C2 'server.*action|serverAction' apps/frontend/ || echo "No server action patterns found"

echo -e "\n=== Checking framework setup (Next.js app router check) ==="
# Print any next.config.* file; absence suggests this is not a Next.js app-router project.
fd -t f 'next.config' apps/frontend/ -x cat {} || echo "No Next.js config found"

echo -e "\n=== Checking package.json for framework ==="
# Show the react entry with surrounding lines to see which framework packages sit next to it.
grep -A5 -B5 '"react"' apps/frontend/package.json

Length of output: 675


@fingertips18: No breaking changes — this update is safe to merge. ✅

Summary

React 19.2.4 is a patch release that does not introduce breaking changes for typical client-rendered apps. Your frontend application uses React Router (client-side routing) and doesn't use React Server Components or Server Actions, so the security hardening changes won't affect your app's functionality.

What Changed

This release adds DoS mitigations and hardens Server Components/Server Actions, addressing:

  • High severity DoS vulnerabilities (crafted requests causing infinite loops, high CPU, OOM, or crashes)
  • Medium severity source code exposure in certain Server Function scenarios

Recommendation

Merge this PR to stay current with security patches. Since you're not using the affected features (Server Components/Server Actions), there's no risk of functionality changes — only improved security in the React runtime.
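As an added example (not part of this PR and not output of the Dependabot or CodeRabbit bots), the check below complements the "use server" grep above from the other side: it reads a package.json / package-lock.json pair and confirms that react-dom actually resolves to at least the fixed release named on this page (19.2.4), and that react and react-dom are on the same version. It assumes the lockfileVersion 2/3 layout (a "packages" map keyed by node_modules path) and the React requirement that react and react-dom match exactly; the sample manifest and lockfiles are constructed, not the repository's real files.

```javascript
// Added example, not code from the PR or from the Dependabot/CodeRabbit bots.
// Checks that the version of react-dom actually resolved by a package.json /
// package-lock.json pair is at least the fixed release named on this page
// (19.2.4) and that react and react-dom are on the same version.
// Assumptions: lockfileVersion 2/3 layout ("packages" keyed by node_modules
// path); react and react-dom must match exactly (a React requirement, not
// something the PR states).

const FIXED_REACT_DOM = "19.2.4";

// Parse "MAJOR.MINOR.PATCH[-prerelease]". A leading range operator (^, ~, >=)
// is stripped so a manifest spec such as "^19.2.3" yields its lower bound.
function parseSemver(spec) {
  const m = /^\s*[\^~>=<]*\s*v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(spec);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), prerelease: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts below its release (19.2.4-canary < 19.2.4).
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// The installed version comes from the lockfile; if the lock has no entry,
// fall back to the manifest's spec (whose lower bound parseSemver extracts).
function installedVersion(name, pkgJson, lockJson) {
  const entry = lockJson && lockJson.packages && lockJson.packages["node_modules/" + name];
  if (entry && entry.version) return entry.version;
  const deps = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  return deps[name] || null;
}

// Returns a list of findings; an empty list means the manifest/lock pair is
// at or above the fixed version and internally consistent.
function auditReact(pkgJson, lockJson, fixedVersion = FIXED_REACT_DOM) {
  const findings = [];
  const fixed = parseSemver(fixedVersion);
  const seen = {};
  for (const name of ["react", "react-dom"]) {
    const raw = installedVersion(name, pkgJson, lockJson);
    const parsed = raw ? parseSemver(raw) : null;
    if (!parsed) {
      findings.push(name + ": missing or unparsable version (" + raw + ")");
      continue;
    }
    seen[name] = parsed;
  }
  if (seen["react-dom"] && compareSemver(seen["react-dom"], fixed) < 0) {
    findings.push("react-dom: below fixed version " + fixedVersion);
  }
  if (seen.react && seen["react-dom"] && compareSemver(seen.react, seen["react-dom"]) !== 0) {
    findings.push("react and react-dom versions differ; they must match exactly");
  }
  return findings;
}

// Constructed sample inputs (not the repository's real files).
const samplePkg = { dependencies: { react: "^19.2.3", "react-dom": "^19.2.3" } };
const lockBefore = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.2.3" }, "node_modules/react-dom": { version: "19.2.3" } } };
const lockAfter = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.2.4" }, "node_modules/react-dom": { version: "19.2.4" } } };
const lockSkewed = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.2.3" }, "node_modules/react-dom": { version: "19.2.4" } } };

console.log("before bump:", auditReact(samplePkg, lockBefore));
console.log("after bump: ", auditReact(samplePkg, lockAfter));
console.log("skewed:     ", auditReact(samplePkg, lockSkewed));
```

Run it with `node` against the constructed inputs, or replace the three sample objects with `JSON.parse(fs.readFileSync(...))` of a real manifest and lock. The lockfile is consulted before the manifest on purpose: a `^19.2.3` spec in package.json says nothing about what is installed until the lock is regenerated, which is exactly what a Dependabot bump like this one does.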
