deps: bump the dependencies-minor group across 1 directory with 13 updates

[dependabot]

Bumps the dependencies-minor group with 13 updates in the / directory:

Package	From	To
@fontsource-variable/figtree	5.2.9	5.2.10
@fontsource/ibm-plex-mono	5.2.6	5.2.7
@oddbird/css-anchor-positioning	0.6.1	0.7.0
next	15.5.3	15.5.4
react	19.1.1	19.2.0
@types/react	19.1.13	19.2.2
react-dom	19.1.1	19.2.0
@types/react-dom	19.1.9	19.2.1
react-hook-form	7.62.0	7.64.0
zod	4.1.8	4.1.12
@playwright/test	1.55.0	1.56.0
sass	1.92.1	1.93.2
typescript	5.9.2	5.9.3

Updates @fontsource-variable/figtree from 5.2.9 to 5.2.10

Commits

• See full diff in compare view

Updates @fontsource/ibm-plex-mono from 5.2.6 to 5.2.7

Commits

• See full diff in compare view

Updates @oddbird/css-anchor-positioning from 0.6.1 to 0.7.0

Release notes

Sourced from @​oddbird/css-anchor-positioning's releases.

v0.7.0

What's Changed

• 🚀 Work with anchor and target inside same shadow root by @​wkillerud in oddbird/css-anchor-positioning#353
• 🏠 INTERNAL: Upgrade dependencies

New Contributors

• @​wkillerud made their first contribution in oddbird/css-anchor-positioning#353

Full Changelog: oddbird/css-anchor-positioning@v0.6.1...v0.7.0

Commits

• 40f3a89 v0.7.0
• db16313 Work with anchor and target inside same shadow root (#353)
• b18b8ed Merge pull request #352 from oddbird/dependabot/npm_and_yarn/dev-9d451710aa
• ea505c5 Merge pull request #351 from oddbird/dependabot/npm_and_yarn/prod-8404f4c51f
• d4bbb67 chore(deps-dev): Bump the dev group with 13 updates
• ae3512f chore(deps): Bump the prod group with 2 updates
• 2f9b4c5 Merge pull request #348 from oddbird/dependabot/npm_and_yarn/npm_and_yarn-f5c...
• 98ccee3 chore(deps-dev): Bump vite in the npm_and_yarn group across 1 directory
• 15ebcc0 Merge pull request #346 from oddbird/dependabot/github_actions/actions/setup-...
• 2cc99a6 Merge pull request #347 from oddbird/dependabot/github_actions/actions/setup-...
• Additional commits viewable in compare view

Updates next from 15.5.3 to 15.5.4

Release notes

Sourced from next's releases.

v15.5.4

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: ensure onRequestError is invoked when otel enabled (#83343)
• fix: devtools initial position should be from next config (#83571)
• [devtool] fix overlay styles are missing (#83721)
• Turbopack: don't match dynamic pattern for node_modules packages (#83176)
• Turbopack: don't treat metadata routes as RSC (#82911)
• [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#83357)
• Turbopack: throw large static metadata error earlier (#82939)
• fix: error overlay not closing when backdrop clicked (#83981)
• Turbopack: flush Node.js worker IPC on error (#84077)

Misc Changes

• [CNA] use linter preference (#83194)
• CI: use KV for test timing data (#83745)
• docs: september improvements and fixes (#83997)

Credits

Huge thanks to @​yiminghe, @​huozhi, @​devjiwonchoi, @​mischnic, @​lukesandberg, @​ztanner, @​icyJoseph, @​leerob, @​fufuShih, @​dwrth, @​aymericzip, @​obendev, @​molebox, @​OoMNoO, @​pontasan, @​styfle, @​HondaYt, @​ryuapp, @​lpalmes, and @​ijjk for helping!

Commits

• 40f1d78 v15.5.4
• cb30f0a [backport] docs: september improvements and fixes (#83997)
• b6a32bb [backport] [CNA] use linter preference (#83194) (#84087)
• 26d61f1 [backport] Turbopack: flush Node.js worker IPC on error (#84079)
• e11e87a [backport] fix: error overlay not closing when backdrop clicked (#83981) (#83...
• 0a29888 [backport] fix: devtools initial position should be from next config (#83571)...
• 7a53950 [backport] Turbopack: don't treat metadata routes as RSC (#83804)
• 050bdf1 [backport] Turbopack: throw large static metadata error earlier (#83816)
• 1f6ea09 [backport] Turbopack: Improve handling of symlink resolution errors (#83805)
• c7d1855 [backport] CI: use KV for test timing data (#83860)
• Additional commits viewable in compare view

Updates react from 19.1.1 to 19.2.0

Release notes

Sourced from react's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774)

... (truncated)

Changelog

Sourced from react's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)

... (truncated)

Commits

• 5667a41 Bump next prerelease version numbers (#34639)
• 8bb7241 Bump useEffectEvent to Canary (#34610)
• e3c9656 Ensure Performance Track are Clamped and Don't overlap (#34509)
• 68f00c9 Release Activity in Canary (#34374)
• 0e10ee9 [Reconciler] Set ProfileMode for Host Root Fiber by default in dev (#34432)
• 3bf8ab4 Add missing Activity export to development mode (#34439)
• 1549bda [Flight] Only assign _store in dev mode when creating lazy types (#34354)
• bb6f0c8 [Flight] Fix wrong missing key warning when static child is blocked (#34350)
• 05addfc Update Flow to 0.266 (#34271)
• ec5dd0a Update Flow to 0.257 (#34253)
• Additional commits viewable in compare view

Updates @types/react from 19.1.13 to 19.2.2

Commits

• See full diff in compare view

Updates react-dom from 19.1.1 to 19.2.0

Release notes

Sourced from react-dom's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774)

... (truncated)

Changelog

Sourced from react-dom's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)

... (truncated)

Commits

• 8618113 Bump scheduler version (#34671)
• 1bd1f01 Ship partial-prerendering APIs to Canary (#34633)
• 2f0649a [Fizz] Remove nonce option from resume-and-prerender APIs (#34664)
• 5667a41 Bump next prerelease version numbers (#34639)
• e08f53b Match react-dom/static test entrypoints and published entrypoints (#34599)
• 8bb7241 Bump useEffectEvent to Canary (#34610)
• 83c88ad Handle fabric root level fragment with compareDocumentPosition (#34533)
• 68f00c9 Release Activity in Canary (#34374)
• 3168e08 [flags] enable opt-in for enableDefaultTransitionIndicator (#34373)
• 3434ff4 Add scrollIntoView to fragment instances (#32814)
• Additional commits viewable in compare view

Updates @types/react-dom from 19.1.9 to 19.2.1

Commits

• See full diff in compare view

Updates react-hook-form from 7.62.0 to 7.64.0

Release notes

Sourced from react-hook-form's releases.

Version 7.64.0

🚏 Support optional array fields in PathValueImpl type (#13057) 🐞 fix: preserve Controller's defaultValue with shouldUnregister prop (#13063) ✂ chore: remove unused field ids ref in useFieldArray (#13066)

thanks to @​MPrieur-chaps, @​gynekolog & @​uk960214

Version 7.63.0

🥢 feat: extract form values by form state (#12936)

getValues(undefined, { dirtyFields: true }); // return only dirty fields 
getValues(undefined, { touchedFields: true });  // return only touched fields 

🦍 feat: improve get dirty fields logic (#13049) 🐿️ chore: remove duplicated function isMessage (#13050) 🐞 fix: use field name to update isValidating fields (#13000) 🐞 fix: unregister previous field when switching conditional Controllers (#13041) 🐞 fix: only excuse trigger function when deps has a valid array (#13056)

thanks to @​candymask0712, @​GorkemKir, @​kimtaejin3, @​m2na7 & @​abnud11

Commits

• 87d8b77 7.64.0
• 6c3b8f7 🥃 chore: upgrade dev deps (#13076)
• 23c699a ✂ chore: remove unused field ids ref in useFieldArray (#13066)
• 37f51ac 🐞 fix: preserve Controller's defaultValue with shouldUnregister prop (#13063)
• 8d61561 🚏 Support optional array fields in PathValueImpl type (#13057)
• b5b7329 7.63.0
• 86a7fb3 🐞 fix: only excuse trigger function when deps has a valid array (#13056)
• 4bfd420 🏔️ chore: major dev deps upgrade (#13053)
• 66b7daf 🔩 chore: lib dev deps upgrade (#13051)
• 62b26d8 🐿️ chore: remove duplicated function isMessage (#13050)
• Additional commits viewable in compare view

Updates zod from 4.1.8 to 4.1.12

Release notes

Sourced from zod's releases.

v4.1.12

Commits:

• 0b109c37c6b0b10e3901b56bcccb72e29a0b846f docs(ecosystem): add bupkis to the ecosystem section (#5237)
• d22ec0d26fab27151b0f1d1f98bffeaf8b011f57 docs(ecosystem): add upfetch (#5238)
• c56a4f6fab42c542b191228af61974b2328dc52f docs(ecosystem): add eslint-plugin-zod-x (#5261)
• a0abcc02900a4293dd4f30cd81580efcdd5230bb docs(metadata.mdx): fix a mistake in an example output (#5248)
• 62bf4e439e287e55c843245b49f8d34b1ad024ee fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266)
• 02a584010ac92ac8a351632ae5aea3983a6f17d8 refac(errors): Unify code structure and improve types (#5278)
• 4b1922ad714e12dafaa83a40ec03275a39ac980c docs(content/v4/index): fix zod version (#5289)
• 3fcb20ff348e49aec70f45e0dca3de8a61450e77 Add frrm to ecosystem (#5292)
• fda4c7c2afbd7649261be1e7954f8c4d4de24a07 Make docs work without token
• af447384379faef28aa857fb53ef1da702c6d408 Fix lint
• 77c3c9f069a4cf168c0cbc58432803de887a6b1b Export bg.ts
• 3b946107b6c94b2ac8ff9fb451160c34dc4dd794 v4.1.12

v4.1.11

Commits:

• 2bed4b39760d8e4d678203b5c8fcaf24c182fc9f 4.1.11

v4.1.10

Commits:

• 7ffedd00169d8dc2e7cb7c6d878f29b03e05b3a3 Fix shape caching (#5263)
• 82cd717a0e7ee4e1737a783c7be278fa93fd8104 v4.1.10

v4.1.9

Commits:

• a78716d91da7649a61016b81c27f49fd9e79a81e Update zshy (#5249)
• 923af801fde9f033cfd7e0e753b421a554fe3be8 Publish [email protected]

Commits

• 3b94610 v4.1.12
• 77c3c9f Export bg.ts
• af44738 Fix lint
• fda4c7c Make docs work without token
• 3fcb20f Add frrm to ecosystem (#5292)
• 4b1922a docs(content/v4/index): fix zod version (#5289)
• 02a5840 refac(errors): Unify code structure and improve types (#5278)
• 62bf4e4 fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266)
• a0abcc0 docs(metadata.mdx): fix a mistake in an example output (#5248)
• c56a4f6 docs(ecosystem): add eslint-plugin-zod-x (#5261)
• Additional commits viewable in compare view

Updates @playwright/test from 1.55.0 to 1.56.0

Release notes

Sourced from @​playwright/test's releases.

v1.56.0

Playwright Agents

Introducing Playwright Agents, three custom agent definitions designed to guide LLMs through the core process of building a Playwright test:

• 🎭 planner explores the app and produces a Markdown test plan
• 🎭 generator transforms the Markdown plan into the Playwright Test files
• 🎭 healer executes the test suite and automatically repairs failing tests

Run npx playwright init-agents with your client of choice to generate the latest agent definitions:

# Generate agent files for each agentic loop
# Visual Studio Code
npx playwright init-agents --loop=vscode
# Claude Code
npx playwright init-agents --loop=claude
# opencode
npx playwright init-agents --loop=opencode

[!NOTE] VS Code v1.105 (currently on the VS Code Insiders channel) is needed for the agentic experience in VS Code. It will become stable shortly, we are a bit ahead of times with this functionality!

Learn more about Playwright Agents

New APIs

• New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page
• New method page.requests() for retrieving the most recent network requests from the page
• Added --test-list and --test-list-invert to allow manual specification of specific tests from a file

UI Mode and HTML Reporter

• Added option to 'html' reporter to disable the "Copy prompt" button
• Added option to 'html' reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list
• Added option to UI Mode mirroring the --update-snapshots options
• Added option to UI Mode to run only a single worker at a time

Breaking Changes

• Event browserContext.on('backgroundpage') has been deprecated and will not be emitted. Method browserContext.backgroundPages() will return an empty list

Miscellaneous

• Aria snapshots render and compare input placeholder
• Added environment variable PLAYWRIGHT_TEST to Playwright worker processes to allow discriminating on testing status

Browser Versions

• Chromium 141.0.7390.37
• Mozilla Firefox 142.0.1
• WebKit 26.0

v1.55.1

... (truncated)

Commits

• b6af258 cherry-pick(#37727): devops: fix NPM release step (#37728)
• d2ef7bb chore: mark v1.56.0 (#37722)
• 1621d0b cherry-pick(#37715): chore: disable RenderDocument feature (#37718)
• ffbf82b cherry-pick(#37687): docs: v1.56 release notes (#37687) (#37720)
• 2c5e33d cherry-pick(#37703): docs: pageErrors should return strings in Java and C#
• 0a91ecf cherry-pick(#37694): chore: move best practices into the journal
• a5c4437 cherry-pick(#37693): docs: use VS Code images for test agents
• 6d13fbe cherry-pick(#37690): Revert "fix(trace): survive sw restart"
• d2c267c cherry-pick(#37689): Revert "fix(trace): should survive ping as the first com...
• d1fdd81 fix(snapshot): draw a minimum size browser window for small snapshots (#37640)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​playwright/test since your current version.

Updates @types/react from 19.1.13 to 19.2.2

Commits

• See full diff in compare view

Updates @types/react-dom from 19.1.9 to 19.2.1

Commits

• See full diff in compare view

Updates sass from 1.92.1 to 1.93.2

Release notes

Sourced from sass's releases.

Dart Sass 1.93.2

To install Sass 1.93.2, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• No user-visible changes.

JavaScript API

• Fix another error in the release process for @sass/types.

See the full changelog for changes in earlier releases.

Dart Sass 1.93.1

To install Sass 1.93.1, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• No user-visible changes.

JavaScript API

• Fix an error in the release process for @sass/types.

See the full changelog for changes in earlier releases.

Dart Sass 1.93.0

To install Sass 1.93.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Fix a crash when a style rule contains a nested @import, and the loaded file @uses a user-defined module as well as @includes a top-level mixin which emits top-level decla...

  Description has been truncated

[fossabot]

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because it includes a critical security vulnerability fix and potential breaking changes. The upgrade addresses CVE-2025-29927 (authorization bypass in Next.js middleware) and updates React to version 19.2.0 which changes the useId prefix format and requires Node.js 18+. While the project already meets the Node.js 18 requirement (specified as >=20 in package.json line 18), and the codebase doesn't appear to use deprecated React APIs or the useId hook, the middleware implementation should be reviewed to ensure it properly handles the security fix and the upgrade should be tested thoroughly to verify compatibility with Next.js 15.5.4 and React 19.2.0.

What we checked

• Next.js upgraded to 15.5.4 which includes a fix for CVE-2025-29927, a critical authorization bypass vulnerability where attackers could skip middleware using the x-middleware-subrequest header ^[1]
• Middleware implementation uses nosecone.createMiddleware which may be affected by the Next.js security fix - requires testing to ensure middleware continues to properly protect routes ^[2]
• React upgraded to 19.2.0 which changes useId prefix from :r: to r for View Transitions and XML compliance - may affect component hydration if useId is used ^[3]
• Project requires Node.js >=20 which satisfies React 19.2.0's requirement of Node.js 18+, avoiding breaking change impact ^[4]
• Dockerfile uses Node 24 which is compatible with the upgraded dependencies ^[5]
• React 19 migration guide documents removal of propTypes, defaultProps, Legacy Context, and string refs - codebase review shows no usage of these deprecated APIs ^[6]
• React 19.2.0 release notes document useId prefix change which could affect server-side rendering hydration if useId is used in the codebase ^[7]

Dependency Usage

• next: app/layout.tsx:1 - This code is importing the Metadata type from Next.js, which is typically used to define metadata for a page or layout, such as title, description, and other SEO-related properties in a Next.js application.
• next: app/layout.tsx:2 - This code snippet is importing various Next.js built-in components and assets (like Image, Link, Script) and SVG logo images for use in the application's layout, which helps with optimizing and structuring the page's rendering and navigation.

View 44 more usages

• next:

  example-nextjs-c24a0/app/layout.tsx

  Line 3 in c86a6af

  import Link from "next/link";

  - This code snippet is importing various Next.js built-in components and modules (Metadata, Image, Link, Script) and SVG assets (LogoDark, LogoLight) to be used in the application's layout, which helps manage page structure, metadata, and media rendering in a Next.js project.
• next:

  example-nextjs-c24a0/app/layout.tsx

  Line 4 in c86a6af

  import Script from "next/script";

  - This code is importing various Next.js components and image assets (Link, Image, Script) and SVG logo files (LogoDark and LogoLight) that will likely be used for creating layout or navigation elements in a Next.js application.
• next:

  example-nextjs-c24a0/app/page.tsx

  Line 1 in c86a6af

  import Link from "next/link";

  - This code is importing a Link component from Next.js for client-side navigation and a WhatNext component, and defining an IndexPage component that appears to be accessing an environment variable related to Arcjet, which is likely used for site configuration or authentication.
• next:

  example-nextjs-c24a0/components/EmailForm.tsx

  Line 4 in c86a6af

  import { useRouter } from "next/navigation";

  - The code is using Next.js's useRouter hook from the next/navigation module to enable programmatic navigation or routing within a React component, likely for handling form submission redirects or navigation after a specific action.
• next:

  example-nextjs-c24a0/components/NavLink.tsx

  Line 3 in c86a6af

  import Link from "next/link";

  - This code appears to be creating a custom NavLink component in a Next.js application that likely uses the Link component from Next.js and the usePathname hook to potentially add active state styling or navigation tracking, with the "use client" directive indicating it's a client-side component.
• next:

  example-nextjs-c24a0/components/NavLink.tsx

  Line 4 in c86a6af

  import { usePathname } from "next/navigation";

  - This code is importing the usePathname hook from Next.js navigation to likely help determine the current route/page path for navigation or active link styling purposes in a custom NavLink component.
• next:

  example-nextjs-c24a0/components/SuppportForm.tsx

  Line 4 in c86a6af

  import { useRouter } from "next/navigation";

  - The code is using Next.js's useRouter hook from the next/navigation module to enable programmatic navigation within a React component, likely for handling form submissions or redirecting users after certain actions.
• next:

  example-nextjs-c24a0/app/attack/page.tsx

  Line 1 in c86a6af

  import type { Metadata } from "next";

  - This code snippet is importing various Next.js and custom components for a page in a web application, likely setting up metadata and preparing to render a dashboard-related page with navigation and routing capabilities.
• next:

  example-nextjs-c24a0/app/attack/page.tsx

  Line 2 in c86a6af

  import { headers } from "next/headers";

  - In this code snippet, the headers() function from next/headers is being imported, which allows server-side components in Next.js to access incoming HTTP headers during server-side rendering or server-side data fetching.
• next:

  example-nextjs-c24a0/app/attack/page.tsx

  Line 3 in c86a6af

  import Link from "next/link";

  - Based on the snippet, this code appears to be importing and setting up metadata and routing components in a Next.js page for an "attack" route, likely preparing to render a page related to dashboard visits with metadata and navigation capabilities.
• next:

  example-nextjs-c24a0/app/bots/page.tsx

  Line 1 in c86a6af

  import type { Metadata } from "next";

  - This code snippet is importing the Metadata type from Next.js, which is typically used to define and configure metadata for a page in a Next.js application, such as setting page titles, descriptions, and other SEO-related properties.
• next:

  example-nextjs-c24a0/app/bots/page.tsx

  Line 2 in c86a6af

  import { headers } from "next/headers";

  - The headers() function from next/headers is being imported and likely used to access HTTP headers server-side in a Next.js page or component, which allows retrieving request-specific information during server-side rendering or server components.
• next:

  example-nextjs-c24a0/app/bots/page.tsx

  Line 3 in c86a6af

  import Link from "next/link";

  - This code snippet appears to be setting up a Next.js page for managing bots, importing various Next.js and custom components like metadata, headers, and a VisitDashboard component, which suggests preparing a page for displaying or interacting with bot-related functionality.
• next:

  example-nextjs-c24a0/app/rate-limiting/page.tsx

  Line 1 in c86a6af

  import type { Metadata } from "next";

  - This code snippet appears to be importing the Metadata type from Next.js, which is typically used to define metadata for a page or component in a Next.js application, such as setting page titles, descriptions, and other SEO-related information.
• next:

  example-nextjs-c24a0/app/rate-limiting/page.tsx

  Line 2 in c86a6af

  import Link from "next/link";

  - Based on the context, this appears to be a Next.js page component for rate limiting, importing necessary components and types, likely setting up a page that includes a form (RLForm) and potentially a sign-in mechanism, with metadata and navigation support from Next.js.
• next:

  example-nextjs-c24a0/app/sensitive-info/page.tsx

  Line 1 in c86a6af

  import type { Metadata } from "next";

  - This code is importing the Metadata type from Next.js, which is typically used to define page-level metadata for SEO and other page-related information in a Next.js application.
• next:

  example-nextjs-c24a0/app/sensitive-info/page.tsx

  Line 2 in c86a6af

  import Link from "next/link";

  - This code is importing essential Next.js components and custom components for a page in a Next.js application, preparing to render a page that likely involves navigation links, dashboard visualization, and potentially a "what's next" section.
• next:

  example-nextjs-c24a0/app/signup/page.tsx

  Line 1 in c86a6af

  import type { Metadata } from "next";

  - This code is importing metadata from Next.js, which allows you to define and customize the metadata (such as page title, description, and other SEO-related information) for a specific page in a Next.js application.
• next:

  example-nextjs-c24a0/app/signup/page.tsx

  Line 2 in c86a6af

  import Link from "next/link";

  - This code snippet is importing metadata type definition, a Next.js link component, and two custom composition components (VisitDashboard and WhatNext) that are likely used for rendering specific parts of a signup page in a Next.js application.
• next:

  example-nextjs-c24a0/components/compositions/VisitDashboard.tsx

  Line 1 in c86a6af

  import Link from "next/link";

  - This code snippet is importing the Next.js Link component, which allows for client-side navigation between pages in a Next.js application, enabling efficient and fast page transitions without full page reloads.
• next:

  example-nextjs-c24a0/components/compositions/WhatNext.tsx

  Line 1 in c86a6af

  import Link from "next/link";

  - This code snippet appears to be a React component in TypeScript using Next.js's Link component, defining a WhatNext component that conditionally renders content based on a deployed prop, with the intent of showing what steps or actions might come next in a user interface.
• next:

  example-nextjs-c24a0/app/attack/test/route.ts

  Line 1 in c86a6af

  import { type NextRequest, NextResponse } from "next/server";

  - This code is configuring a Next.js route to dynamically generate responses by disabling static caching and preparing to import Arcjet middleware for potential request protection or validation.
• next:

  example-nextjs-c24a0/app/bots/test/route.ts

  Line 1 in c86a6af

  import { type NextRequest, NextResponse } from "next/server";

  - This code is configuring a Next.js API route to be dynamically rendered (not cached) and likely preparing to use Arcjet for bot detection and rate limiting.
• next:

  example-nextjs-c24a0/app/rate-limiting/test/route.ts

  Line 3 in c86a6af

  import { type NextRequest, NextResponse } from "next/server";

  - This code is importing and setting up rate limiting functionality in a Next.js route using Arcjet, specifically preparing to manage request rate limits with a fixed window algorithm.
• next:

  example-nextjs-c24a0/app/sensitive-info/test/route.ts

  Line 1 in c86a6af

  import { type NextRequest, NextResponse } from "next/server";

  - This code is importing Next.js server-side routing utilities (NextRequest and NextResponse) along with a schema and Arcjet security middleware, likely preparing to handle a route with validation and protection for sensitive information.
• next:

  example-nextjs-c24a0/app/signup/test/route.ts

  Line 1 in c86a6af

  import { type NextRequest, NextResponse } from "next/server";

  - This code is importing Next.js server-side request handling utilities (NextRequest and NextResponse) along with a custom schema and Arcjet protection middleware, likely preparing to set up a protected signup route with validation and security rules.
• next: https://github.com/Jobayer071/example-nextjs-c24a0/blob/c86a6af88c68be41ee41c1b2779e5e2d6d94b932/app/api/auth/[...nextauth]/route.ts#L3 - This code snippet appears to be setting up authentication and potentially bot/rate limiting middleware for a Next.js API route using Arcjet, which provides security protections for web applications.
• react:

  example-nextjs-c24a0/components/NavLink.tsx

  Line 5 in c86a6af

  import type { ComponentProps } from "react";

  - This code is importing the ComponentProps type from React to potentially use as a type for extracting the props of the Next.js Link component, though the comment suggests the type extraction might be incomplete or not fully utilized in this context.
• react:

  example-nextjs-c24a0/components/PopoverTarget.tsx

  Line 3 in c86a6af

  import { type ComponentProps, useEffect, useRef } from "react";

  - This code snippet appears to be setting up a client-side React component that is preparing to use CSS anchor positioning, likely for creating a popover or tooltip, by importing necessary React hooks and defining a unique symbol for a polyfill related to anchor positioning.
• react:

  example-nextjs-c24a0/components/RLForm.tsx

  Line 4 in c86a6af

  import { useState } from "react";

  - This code is importing and setting up React's useState hook alongside Zod schema validation and React Hook Form for managing form state and validation in a type-safe manner.
• react:

  example-nextjs-c24a0/components/brand/LogoMarkSpark.tsx

  Line 4 in c86a6af

  import { forwardRef, useEffect, useState } from "react";

  - This code snippet appears to be the beginning of a React component that uses forwardRef, useEffect, and useState hooks, and is importing the useTheme hook from next-themes, likely to create a dynamic logo or brand mark that can adapt to light and dark themes.
• react:

  example-nextjs-c24a0/components/compositions/VisitDashboard.tsx

  Line 2 in c86a6af

  import * as React from "react";

  - Based on the context, this code snippet appears to be importing React and its memo function, along with other components and hooks, likely preparing to create a memoized React component for a Visit Dashboard with various imported elements like a logo and potentially a link component.
• react:

  example-nextjs-c24a0/components/compositions/VisitDashboard.tsx

  Line 3 in c86a6af

  import { memo } from "react";

  - The code is using React's memo higher-order component to create a memoized version of a component, which helps optimize performance by preventing unnecessary re-renders when the component's props haven't changed.
• react:

  example-nextjs-c24a0/components/icons/ArrowExternal.tsx

  Line 1 in c86a6af

  import { forwardRef } from "react";

  - This code defines a React functional component called ArrowExternal that uses forwardRef to create an SVG icon component which can receive a ref and optional CSS classes, allowing the icon to be passed a reference and have additional styling applied.
• react-hook-form:

  example-nextjs-c24a0/components/EmailForm.tsx

  Line 5 in c86a6af

  import { useForm } from "react-hook-form";

  - The code is using react-hook-form's useForm hook with Zod validation to create a form with type-safe validation and form management, likely for handling email or contact form submissions.
• react-hook-form:

  example-nextjs-c24a0/components/RLForm.tsx

  Line 5 in c86a6af

  import { useForm } from "react-hook-form";

  - This code is using react-hook-form's useForm hook with Zod schema validation to create a form management system that handles form state, validation, and submission in a React component.
• react-hook-form:

  example-nextjs-c24a0/components/SuppportForm.tsx

  Line 5 in c86a6af

  import { useForm } from "react-hook-form";

  - This code is using react-hook-form's useForm hook with Zod validation to create a form management system, likely for handling form state, validation, and submission in a type-safe manner.
• zod:

  example-nextjs-c24a0/components/EmailForm.tsx

  Line 6 in c86a6af

  import { z } from "zod";

  - In this context, the code is likely using Zod (z) to define and validate the schema for form input validation, specifically for a signup or email form, ensuring that the submitted data meets predefined structural and type requirements before processing.
• zod:

  example-nextjs-c24a0/components/RLForm.tsx

  Line 6 in c86a6af

  import { z } from "zod";

  - In this code snippet, z from Zod is likely being imported to define or validate a form schema (validation rules) for form data, specifically referencing emptyFormSchema from a separate schema file.
• zod:

  example-nextjs-c24a0/components/SuppportForm.tsx

  Line 6 in c86a6af

  import { z } from "zod";

  - In this context, z from Zod is likely being used to define or validate the schema (formSchema) for form input validation, ensuring that the data entered into the support form meets specific type and constraint requirements before submission.
• zod:

  example-nextjs-c24a0/app/sensitive-info/schema.ts

  Line 1 in c86a6af

  import { z } from "zod";

  - This code is importing the Zod library to define a schema for client-side form field validation, with a note that server-side validation will also be performed for added security.
• zod:

  example-nextjs-c24a0/app/signup/schema.ts

  Line 1 in c86a6af

  import { z } from "zod";

  - This code is importing the Zod library to define a schema for validating form input fields on the client-side, providing a type-safe way to ensure data integrity before submission.
• @​playwright/test:

  example-nextjs-c24a0/playwright.config.ts

  Line 1 in c86a6af

  import { defineConfig, devices } from "@playwright/test";

  - This Playwright configuration file is setting up test directory, project configurations, and potentially defining different browser environments (via devices) for running cross-browser automated tests, allowing you to specify where tests are located and how they should be executed across multiple browser contexts.
• @​playwright/test:

  example-nextjs-c24a0/tests/screenshots.test.ts

  Line 1 in c86a6af

  import { expect, test } from "@playwright/test";

  - This code is importing the expect assertion and test function from Playwright's test library, which are typically used to write and run test cases for web application testing, likely focusing on screenshot or routing-related tests in a Next.js application.

Other Usages (46)

These usages were analyzed but no breaking changes were detected:

next

• example-nextjs-c24a0/app/layout.tsx

  Line 1 in c86a6af

  import { Metadata } from "next";

• example-nextjs-c24a0/app/layout.tsx

  Line 2 in c86a6af

  import Image from "next/image";

• example-nextjs-c24a0/app/layout.tsx

  Line 3 in c86a6af

  import Link from "next/link";

• example-nextjs-c24a0/app/layout.tsx

  Line 4 in c86a6af

  import Script from "next/script";

• example-nextjs-c24a0/app/page.tsx

  Line 1 in c86a6af

  import Link from "next/link";

• ...and 24 more

react

• example-nextjs-c24a0/components/NavLink.tsx

  Line 5 in c86a6af

  import type { ComponentProps } from "react";

• example-nextjs-c24a0/components/PopoverTarget.tsx

  Line 3 in c86a6af

  import { type ComponentProps, useEffect, useRef } from "react";

• example-nextjs-c24a0/components/RLForm.tsx

  Line 4 in c86a6af

  import { useState } from "react";

• example-nextjs-c24a0/components/brand/LogoMarkSpark.tsx

  Line 4 in c86a6af

  import { forwardRef, useEffect, useState } from "react";

• example-nextjs-c24a0/components/compositions/VisitDashboard.tsx

  Line 2 in c86a6af

  import * as React from "react";

• ...and 2 more

react-hook-form

• example-nextjs-c24a0/components/EmailForm.tsx

  Line 5 in c86a6af

  import { useForm } from "react-hook-form";

• example-nextjs-c24a0/components/RLForm.tsx

  Line 5 in c86a6af

  import { useForm } from "react-hook-form";

• example-nextjs-c24a0/components/SuppportForm.tsx

  Line 5 in c86a6af

  import { useForm } from "react-hook-form";

zod

• example-nextjs-c24a0/components/EmailForm.tsx

  Line 6 in c86a6af

  import { z } from "zod";

• example-nextjs-c24a0/components/RLForm.tsx

  Line 6 in c86a6af

  import { z } from "zod";

• example-nextjs-c24a0/components/SuppportForm.tsx

  Line 6 in c86a6af

  import { z } from "zod";

• example-nextjs-c24a0/app/sensitive-info/schema.ts

  Line 1 in c86a6af

  import { z } from "zod";

• example-nextjs-c24a0/app/signup/schema.ts

  Line 1 in c86a6af

  import { z } from "zod";

@​playwright/test

• example-nextjs-c24a0/playwright.config.ts

  Line 1 in c86a6af

  import { defineConfig, devices } from "@playwright/test";

• example-nextjs-c24a0/tests/screenshots.test.ts

  Line 1 in c86a6af

  import { expect, test } from "@playwright/test";

Changes

React and React DOM upgraded with breaking changes requiring Node.js 18+ and migrating from legacy to flat ESLint config, while introducing new APIs including <Activity> component and useEffectEvent hook. Playwright Test added AI-driven test planning and healing agents, Next.js resolved multiple devtool overlay and OpenTelemetry integration issues, and React Hook Form fixed Controller field registration bugs affecting conditional rendering with shouldUnregister.

• Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458) (vv19.2.0, release notes)
• Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457) (vv19.2.0, release notes)
• Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458) (vv19.2.0, release notes)

View 170 more changes

• 🚀 Work with anchor and target inside same shadow root by @​wkillerud in Work with anchor and target inside same shadow root oddbird/css-anchor-positioning#353 (vv0.7.0, release notes)
• 🏠 INTERNAL: Upgrade dependencies (vv0.7.0, release notes)
• @​wkillerud made their first contribution in Work with anchor and target inside same shadow root oddbird/css-anchor-positioning#353 (vv0.7.0, release notes)
• ensure onRequestError is invoked when otel enabled (#83343) (vv15.5.4, release notes)
• devtools initial position should be from next config (#83571) (vv15.5.4, release notes)
• [devtool] fix overlay styles are missing (#83721) (vv15.5.4, release notes)
• Turbopack: don't match dynamic pattern for node_modules packages (#83176) (vv15.5.4, release notes)
• Turbopack: don't treat metadata routes as RSC (#82911) (vv15.5.4, release notes)
• [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#83357) (vv15.5.4, release notes)
• Turbopack: throw large static metadata error earlier (#82939) (vv15.5.4, release notes)
• error overlay not closing when backdrop clicked (#83981) (vv15.5.4, release notes)
• Turbopack: flush Node.js worker IPC on error (#84077) (vv15.5.4, release notes)
• [CNA] use linter preference (#83194) (vv15.5.4, release notes)
• CI: use KV for test timing data (#83745) (vv15.5.4, release notes)
• docs: september improvements and fixes (#83997) (vv15.5.4, release notes)
• <Activity>: A new API to hide and restore the UI and internal state of its children. (vv19.2.0, release notes)
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event. (vv19.2.0, release notes)
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over. (vv19.2.0, release notes)
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools (vv19.2.0, release notes)
• Added resume APIs for partial pre-rendering with Web Streams: (vv19.2.0, release notes)
• resume: to resume a prerender to a stream. (vv19.2.0, release notes)
• resumeAndPrerender: to resume a prerender to HTML. (vv19.2.0, release notes)
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs. (vv19.2.0, release notes)
• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics. (vv19.2.0, release notes)
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js (vv19.2.0, release notes)
• Use underscore instead of : IDs generated by useId (vv19.2.0, release notes)
• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others) (vv19.2.0, release notes)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507) (vv19.2.0, release notes)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198) (vv19.2.0, release notes)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (vv19.2.0, release notes)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (vv19.2.0, release notes)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (vv19.2.0, release notes)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900) (vv19.2.0, release notes)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145) (vv19.2.0, release notes)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723) (vv19.2.0, release notes)
• Add cacheSignal (@​sebmarkbage #33557) (vv19.2.0, release notes)
• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342) (vv19.2.0, release notes)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, [Fizz] Block on Suspensey Fonts during reveal facebook/react#33342#33099, #33422) (vv19.2.0, release notes)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264) (vv19.2.0, release notes)
• Allow nonce to be used on hoistable styles (@​Andarist #32461) (vv19.2.0, release notes)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774) (vv19.2.0, release notes)
• s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #32763) (vv19.2.0, release notes)
• Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (vv19.2.0, release notes)
• Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #33027) (vv19.2.0, release notes)
• Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (vv19.2.0, release notes)
• Avoid hanging when suspending after aborting while rendering (@​gnoff #34192) (vv19.2.0, release notes)
• Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #33475) (vv19.2.0, release notes)
• Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #34604) (vv19.2.0, release notes)
• Log error if production elements are rendered during development (@​eps1lon #34189) (vv19.2.0, release notes)
• Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (vv19.2.0, release notes)
• Pass line/column to filterStackFrame (@​eps1lon #33707) (vv19.2.0, release notes)
• Support Async Modules in Turbopack Server References (@​lubieowoce #34531) (vv19.2.0, release notes)
• Add support for .mjs file extension in Webpack (@​jennyscript #33028) (vv19.2.0, release notes)
• Fix a wrong missing key warning (@​unstubbable #34350) (vv19.2.0, release notes)
• Make console log resolve in predictable order (@​sebmarkbage #33665) (vv19.2.0, release notes)
• createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs (vv19.2.0, release notes)
• New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040) (vv19.2.0, release notes)
• New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544) (vv19.2.0, release notes)
• Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076) (vv19.2.0, release notes)
• Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497 (vv19.2.0, release notes)
• <Activity>: A new API to hide and restore the UI and internal state of its children. (vv19.2.0, release notes)
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event. (vv19.2.0, release notes)
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over. (vv19.2.0, release notes)
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools (vv19.2.0, release notes)
• Added resume APIs for partial pre-rendering with Web Streams: (vv19.2.0, release notes)
• resume: to resume a prerender to a stream. (vv19.2.0, release notes)
• resumeAndPrerender: to resume a prerender to HTML. (vv19.2.0, release notes)
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs. (vv19.2.0, release notes)
• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics. (vv19.2.0, release notes)
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js (vv19.2.0, release notes)
• Use underscore instead of : IDs generated by useId (vv19.2.0, release notes)
• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others) (vv19.2.0, release notes)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507) (vv19.2.0, release notes)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198) (vv19.2.0, release notes)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (vv19.2.0, release notes)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (vv19.2.0, release notes)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (vv19.2.0, release notes)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900) (vv19.2.0, release notes)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145) (vv19.2.0, release notes)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723) (vv19.2.0, release notes)
• Add cacheSignal (@​sebmarkbage #33557) (vv19.2.0, release notes)
• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342) (vv19.2.0, release notes)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, [Fizz] Block on Suspensey Fonts during reveal facebook/react#33342#33099, #33422) (vv19.2.0, release notes)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264) (vv19.2.0, release notes)
• Allow nonce to be used on hoistable styles (@​Andarist #32461) (vv19.2.0, release notes)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774) (vv19.2.0, release notes)
• s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #32763) (vv19.2.0, release notes)
• Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (vv19.2.0, release notes)
• Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #33027) (vv19.2.0, release notes)
• Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (vv19.2.0, release notes)
• Avoid hanging when suspending after aborting while rendering (@​gnoff #34192) (vv19.2.0, release notes)
• Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #33475) (vv19.2.0, release notes)
• Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #34604) (vv19.2.0, release notes)
• Log error if production elements are rendered during development (@​eps1lon #34189) (vv19.2.0, release notes)
• Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (vv19.2.0, release notes)
• Pass line/column to filterStackFrame (@​eps1lon #33707) (vv19.2.0, release notes)
• Support Async Modules in Turbopack Server References (@​lubieowoce #34531) (vv19.2.0, release notes)
• Add support for .mjs file extension in Webpack (@​jennyscript #33028) (vv19.2.0, release notes)
• Fix a wrong missing key warning (@​unstubbable #34350) (vv19.2.0, release notes)
• Make console log resolve in predictable order (@​sebmarkbage #33665) (vv19.2.0, release notes)
• createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs (vv19.2.0, release notes)
• Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457) (vv19.2.0, release notes)
• New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040) (vv19.2.0, release notes)
• New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544) (vv19.2.0, release notes)
• Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076) (vv19.2.0, release notes)
• Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497 (vv19.2.0, release notes)
• Add support for optional array fields in PathValueImpl type (vv7.64.0, release notes)
• Fix preservation of Controller's defaultValue when shouldUnregister prop is used (vv7.64.0, release notes)
• Remove unused field ids reference in useFieldArray (vv7.64.0, release notes)
• Extract form values directly from form state in react-hook-form (vv7.63.0, release notes)
• Added support for dirtyFields: true option in getValues() to return only dirty fields (vv7.63.0, release notes)
• Added support for touchedFields: true option in getValues() to return only touched fields (vv7.63.0, release notes)
• Improve logic for identifying dirty fields (vv7.63.0, release notes)
• Remove duplicated function named "isMessage" (vv7.63.0, release notes)
• Update isValidating fields using field name (vv7.63.0, release notes)
• Fix unregistering previous field when switching conditional Controllers (vv7.63.0, release notes)
• Only trigger function when dependencies are a valid array (vv7.63.0, release notes)
• 0b109c37c6b0b10e3901b56bcccb72e29a0b846f docs(ecosystem): add bupkis to the ecosystem section (#5237) (vv4.1.12, release notes)
• d22ec0d26fab27151b0f1d1f98bffeaf8b011f57 docs(ecosystem): add upfetch (#5238) (vv4.1.12, release notes)
• c56a4f6fab42c542b191228af61974b2328dc52f docs(ecosystem): add eslint-plugin-zod-x (#5261) (vv4.1.12, release notes)
• a0abcc02900a4293dd4f30cd81580efcdd5230bb docs(metadata.mdx): fix a mistake in an example output (#5248) (vv4.1.12, release notes)
• 62bf4e439e287e55c843245b49f8d34b1ad024ee fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266) (vv4.1.12, release notes)
• 02a584010ac92ac8a351632ae5aea3983a6f17d8 refac(errors): Unify code structure and improve types (#5278) (vv4.1.12, release notes)
• 4b1922ad714e12dafaa83a40ec03275a39ac980c docs(content/v4/index): fix zod version (#5289) (vv4.1.12, release notes)
• 3fcb20ff348e49aec70f45e0dca3de8a61450e77 Add frrm to ecosystem (#5292) (vv4.1.12, release notes)
• fda4c7c2afbd7649261be1e7954f8c4d4de24a07 Make docs work without token (vv4.1.12, release notes)
• af447384379faef28aa857fb53ef1da702c6d408 Fix lint (vv4.1.12, release notes)
• 77c3c9f069a4cf168c0cbc58432803de887a6b1b Export bg.ts (vv4.1.12, release notes)
• 3b946107b6c94b2ac8ff9fb451160c34dc4dd794 v4.1.12 (vv4.1.12, release notes)
• 2bed4b39760d8e4d678203b5c8fcaf24c182fc9f 4.1.11 (vv4.1.11, release notes)
• 7ffedd00169d8dc2e7cb7c6d878f29b03e05b3a3 Fix shape caching (#5263) (vv4.1.10, release notes)
• 82cd717a0e7ee4e1737a783c7be278fa93fd8104 v4.1.10 (vv4.1.10, release notes)
• a78716d91da7649a61016b81c27f49fd9e79a81e Update zshy (#5249) (vv4.1.9, release notes)
• 923af801fde9f033cfd7e0e753b421a554fe3be8 Publish zod@​4.1.9 (vv4.1.9, release notes)
• Introduced Playwright Agents, a new feature with three custom agent definitions (vv1.56.0, release notes)
• Designed to guide Large Language Models (LLMs) through the process of building a Playwright test (vv1.56.0, release notes)
• 🎭 planner explores the app and produces a Markdown test plan (vv1.56.0, release notes)
• 🎭 generator transforms the Markdown plan into the Playwright Test files (vv1.56.0, release notes)
• 🎭 healer executes the test suite and automatically repairs failing tests (vv1.56.0, release notes)
• Added new command npx playwright init-agents to generate the latest agent definitions (vv1.56.0, release notes)
• Allows initializing agents with a client of choice (vv1.56.0, release notes)
• Added new CLI command npx playwright init-agents with a --loop option specifically for Claude (vv1.56.0, release notes)
• Added npx playwright init-agents command with --loop=opencode option for initializing agents (vv1.56.0, release notes)
• New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page (vv1.56.0, release notes)
• New method page.requests() for retrieving the most recent network requests from the page (vv1.56.0, release notes)
• Added --test-list and --test-list-invert to allow manual specification of specific tests from a file (vv1.56.0, release notes)
• Added option to 'html' reporter to disable the "Copy prompt" button (vv1.56.0, release notes)
• Added option to 'html' reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list (vv1.56.0, release notes)
• Added option to UI Mode mirroring the --update-snapshots options (vv1.56.0, release notes)
• Added option to UI Mode to run only a single worker at a time (vv1.56.0, release notes)
• Event browserContext.on('backgroundpage') has been deprecated and will not be emitted. Method browserContext.backgroundPages() will return an empty list (vv1.56.0, release notes)
• Aria snapshots render and compare input placeholder (vv1.56.0, release notes)
• Added environment variable PLAYWRIGHT_TEST to Playwright worker processes to allow discriminating on testing status (vv1.56.0, release notes)
• Chromium 141.0.7390.37 (vv1.56.0, release notes)
• Mozilla Firefox 142.0.1 (vv1.56.0, release notes)
• WebKit 26.0 (vv1.56.0, release notes)
• Upgrade Chromium to version 140.0.7339.186 (vv1.55.1, release notes)
• Fix internal error related to step id not being found (vv1.55.1, release notes)
• Fix HTML reporter broken chip link when no projects exist (vv1.55.1, release notes)
• Revert previous change tracking inert elements as hidden (vv1.55.1, release notes)
• Remove usage of -k option in some context (vv1.55.1, release notes)
• Chromium 140.0.7339.186 (vv1.55.1, release notes)
• Mozilla Firefox 141.0 (vv1.55.1, release notes)
• Google Chrome 139 (vv1.55.1, release notes)
• Microsoft Edge 139 (vv1.55.1, release notes)
• Fix a bug where variable definitions from one imported, forwarded module would not be passed as implicit configuration to a later imported, forwarded module. (v1.92.1, changelog)
• No user-visible changes. (v1.93.2, changelog)
• Fix another error in the release process for @​sass/types. (v1.93.2, changelog)
• Fix a crash when a style rule contains a nested @​import, and the loaded file @​uses a user-defined module as well as @​includes a top-level mixin which emits top-level declarations. (v1.93.0, release notes)
• Release a @​sass/types package which contains the type annotations used by both the sass and sass-embedded package without any additional code or dependencies. (v1.93.0, release notes)

References (7)

[1]: Next.js upgraded to 15.5.4 which includes a fix for CVE-2025-29927, a critical authorization bypass vulnerability where attackers could skip middleware using the x-middleware-subrequest header

example-nextjs-c24a0/package.json

Line 39 in c86a6af

"next": "15.5.4",

[2]: Middleware implementation uses nosecone.createMiddleware which may be affected by the Next.js security fix - requires testing to ensure middleware continues to properly protect routes

example-nextjs-c24a0/middleware.ts

Line 40 in c86a6af

const noseconeMiddleware = nosecone.createMiddleware(

[3]: React upgraded to 19.2.0 which changes useId prefix from :r: to r for View Transitions and XML compliance - may affect component hydration if useId is used

example-nextjs-c24a0/package.json

Line 42 in c86a6af

"react": "19.2.0",

[4]: Project requires Node.js >=20 which satisfies React 19.2.0's requirement of Node.js 18+, avoiding breaking change impact

example-nextjs-c24a0/package.json

Line 18 in c86a6af

"node": ">=20"

[5]: Dockerfile uses Node 24 which is compatible with the upgraded dependencies

example-nextjs-c24a0/Dockerfile

Line 1 in c86a6af

FROM node:24-bookworm

[6]: React 19 migration guide documents removal of propTypes, defaultProps, Legacy Context, and string refs - codebase review shows no usage of these deprecated APIs (source link)

[7]: React 19.2.0 release notes document useId prefix change which could affect server-side rendering hydration if useId is used in the codebase (source link)

---

fossabot analyzed this PR using static analysis and dependency research.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​react-dom@​19.1.9 ⏵ 19.2.1	+1		+1	+6
	@​types/​react@​19.1.13 ⏵ 19.2.2				+2
	@​fontsource-variable/​figtree@​5.2.9 ⏵ 5.2.10				+3
	next@​15.5.3 ⏵ 15.5.4	+1		+1
	react@​19.1.1 ⏵ 19.2.0	+1		+1
	@​fontsource/​ibm-plex-mono@​5.2.6 ⏵ 5.2.7	+1		+2	+7
	typescript@​5.9.2 ⏵ 5.9.3			+1
	react-dom@​19.1.1 ⏵ 19.2.0	+1		+1
	@​oddbird/​css-anchor-positioning@​0.6.1 ⏵ 0.7.0	+2		+1	+6
	react-hook-form@​7.62.0 ⏵ 7.64.0	+1		+1
	zod@​4.1.8 ⏵ 4.1.12
	sass@​1.92.1 ⏵ 1.93.2				+1
	@​playwright/​test@​1.55.0 ⏵ 1.56.0

View full report

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.