deps: bump the dependencies-minor group across 1 directory with 14 updates

[dependabot]

Bumps the dependencies-minor group with 14 updates in the / directory:

Package	From	To
@fontsource-variable/figtree	5.2.8	5.2.10
@fontsource/ibm-plex-mono	5.2.6	5.2.7
@hookform/resolvers	5.1.1	5.2.2
@oddbird/css-anchor-positioning	0.6.1	0.7.0
next	15.5.2	15.5.4
react	19.1.0	19.2.0
@types/react	19.1.8	19.2.2
react-dom	19.1.0	19.2.0
@types/react-dom	19.1.6	19.2.1
react-hook-form	7.60.0	7.64.0
zod	4.1.11	4.1.12
@playwright/test	1.55.1	1.56.0
sass	1.89.2	1.93.2
typescript	5.8.3	5.9.3

Updates @fontsource-variable/figtree from 5.2.8 to 5.2.10

Commits

• See full diff in compare view

Updates @fontsource/ibm-plex-mono from 5.2.6 to 5.2.7

Commits

• See full diff in compare view

Updates @hookform/resolvers from 5.1.1 to 5.2.2

Release notes

Sourced from @​hookform/resolvers's releases.

v5.2.2

5.2.2 (2025-09-14)

Bug Fixes

• zod: fix output type for Zod 4 resolver (#803) (e95721d)

v5.2.1

5.2.1 (2025-07-29)

Bug Fixes

• discriminated union for zod v4 mini (#784) (49a0d7b)
• zod v4 peer deps (#798) (2d28e6a)
• zod: fix output type for Zod 4 resolver (#801) (bc09647)

v5.2.0

5.2.0 (2025-07-25)

Features

• ajv: add ajv-formats for ajvResolver (#797) (f040039)

Commits

• e95721d fix(zod): fix output type for Zod 4 resolver (#803)
• 49a0d7b fix: discriminated union for zod v4 mini (#784)
• bc09647 fix(zod): fix output type for Zod 4 resolver (#801)
• 2d28e6a fix: zod v4 peer deps (#798)
• f040039 feat(ajv): add ajv-formats for ajvResolver (#797)
• See full diff in compare view

Updates @oddbird/css-anchor-positioning from 0.6.1 to 0.7.0

Release notes

Sourced from @​oddbird/css-anchor-positioning's releases.

v0.7.0

What's Changed

• 🚀 Work with anchor and target inside same shadow root by @​wkillerud in oddbird/css-anchor-positioning#353
• 🏠 INTERNAL: Upgrade dependencies

New Contributors

• @​wkillerud made their first contribution in oddbird/css-anchor-positioning#353

Full Changelog: oddbird/css-anchor-positioning@v0.6.1...v0.7.0

Commits

• 40f3a89 v0.7.0
• db16313 Work with anchor and target inside same shadow root (#353)
• b18b8ed Merge pull request #352 from oddbird/dependabot/npm_and_yarn/dev-9d451710aa
• ea505c5 Merge pull request #351 from oddbird/dependabot/npm_and_yarn/prod-8404f4c51f
• d4bbb67 chore(deps-dev): Bump the dev group with 13 updates
• ae3512f chore(deps): Bump the prod group with 2 updates
• 2f9b4c5 Merge pull request #348 from oddbird/dependabot/npm_and_yarn/npm_and_yarn-f5c...
• 98ccee3 chore(deps-dev): Bump vite in the npm_and_yarn group across 1 directory
• 15ebcc0 Merge pull request #346 from oddbird/dependabot/github_actions/actions/setup-...
• 2cc99a6 Merge pull request #347 from oddbird/dependabot/github_actions/actions/setup-...
• Additional commits viewable in compare view

Updates next from 15.5.2 to 15.5.4

Release notes

Sourced from next's releases.

v15.5.4

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: ensure onRequestError is invoked when otel enabled (#83343)
• fix: devtools initial position should be from next config (#83571)
• [devtool] fix overlay styles are missing (#83721)
• Turbopack: don't match dynamic pattern for node_modules packages (#83176)
• Turbopack: don't treat metadata routes as RSC (#82911)
• [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#83357)
• Turbopack: throw large static metadata error earlier (#82939)
• fix: error overlay not closing when backdrop clicked (#83981)
• Turbopack: flush Node.js worker IPC on error (#84077)

Misc Changes

• [CNA] use linter preference (#83194)
• CI: use KV for test timing data (#83745)
• docs: september improvements and fixes (#83997)

Credits

Huge thanks to @​yiminghe, @​huozhi, @​devjiwonchoi, @​mischnic, @​lukesandberg, @​ztanner, @​icyJoseph, @​leerob, @​fufuShih, @​dwrth, @​aymericzip, @​obendev, @​molebox, @​OoMNoO, @​pontasan, @​styfle, @​HondaYt, @​ryuapp, @​lpalmes, and @​ijjk for helping!

v15.5.3

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: validation return types of pages API routes (#83069)
• fix: relative paths in dev in validator.ts (#83073)
• fix: remove satisfies keyword from type validation to preserve old TS compatibility (#83071)

Credits

Huge thanks to @​bgub for helping!

Commits

• 40f1d78 v15.5.4
• cb30f0a [backport] docs: september improvements and fixes (#83997)
• b6a32bb [backport] [CNA] use linter preference (#83194) (#84087)
• 26d61f1 [backport] Turbopack: flush Node.js worker IPC on error (#84079)
• e11e87a [backport] fix: error overlay not closing when backdrop clicked (#83981) (#83...
• 0a29888 [backport] fix: devtools initial position should be from next config (#83571)...
• 7a53950 [backport] Turbopack: don't treat metadata routes as RSC (#83804)
• 050bdf1 [backport] Turbopack: throw large static metadata error earlier (#83816)
• 1f6ea09 [backport] Turbopack: Improve handling of symlink resolution errors (#83805)
• c7d1855 [backport] CI: use KV for test timing data (#83860)
• Additional commits viewable in compare view

Updates react from 19.1.0 to 19.2.0

Release notes

Sourced from react's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774)

... (truncated)

Changelog

Sourced from react's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)

... (truncated)

Commits

• 5667a41 Bump next prerelease version numbers (#34639)
• 8bb7241 Bump useEffectEvent to Canary (#34610)
• e3c9656 Ensure Performance Track are Clamped and Don't overlap (#34509)
• 68f00c9 Release Activity in Canary (#34374)
• 0e10ee9 [Reconciler] Set ProfileMode for Host Root Fiber by default in dev (#34432)
• 3bf8ab4 Add missing Activity export to development mode (#34439)
• 1549bda [Flight] Only assign _store in dev mode when creating lazy types (#34354)
• bb6f0c8 [Flight] Fix wrong missing key warning when static child is blocked (#34350)
• 05addfc Update Flow to 0.266 (#34271)
• ec5dd0a Update Flow to 0.257 (#34253)
• Additional commits viewable in compare view

Updates @types/react from 19.1.8 to 19.2.2

Commits

• See full diff in compare view

Updates react-dom from 19.1.0 to 19.2.0

Release notes

Sourced from react-dom's releases.

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774)

... (truncated)

Changelog

Sourced from react-dom's changelog.

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723)
• Add cacheSignal (@​sebmarkbage #33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, facebook/react#33342#33099, #33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264)
• Allow nonce to be used on hoistable styles (@​Andarist #32461)

... (truncated)

Commits

• 8618113 Bump scheduler version (#34671)
• 1bd1f01 Ship partial-prerendering APIs to Canary (#34633)
• 2f0649a [Fizz] Remove nonce option from resume-and-prerender APIs (#34664)
• 5667a41 Bump next prerelease version numbers (#34639)
• e08f53b Match react-dom/static test entrypoints and published entrypoints (#34599)
• 8bb7241 Bump useEffectEvent to Canary (#34610)
• 83c88ad Handle fabric root level fragment with compareDocumentPosition (#34533)
• 68f00c9 Release Activity in Canary (#34374)
• 3168e08 [flags] enable opt-in for enableDefaultTransitionIndicator (#34373)
• 3434ff4 Add scrollIntoView to fragment instances (#32814)
• Additional commits viewable in compare view

Updates @types/react-dom from 19.1.6 to 19.2.1

Commits

• See full diff in compare view

Updates react-hook-form from 7.60.0 to 7.64.0

Release notes

Sourced from react-hook-form's releases.

Version 7.64.0

🚏 Support optional array fields in PathValueImpl type (#13057) 🐞 fix: preserve Controller's defaultValue with shouldUnregister prop (#13063) ✂ chore: remove unused field ids ref in useFieldArray (#13066)

thanks to @​MPrieur-chaps, @​gynekolog & @​uk960214

Version 7.63.0

🥢 feat: extract form values by form state (#12936)

getValues(undefined, { dirtyFields: true }); // return only dirty fields 
getValues(undefined, { touchedFields: true });  // return only touched fields 

🦍 feat: improve get dirty fields logic (#13049) 🐿️ chore: remove duplicated function isMessage (#13050) 🐞 fix: use field name to update isValidating fields (#13000) 🐞 fix: unregister previous field when switching conditional Controllers (#13041) 🐞 fix: only excuse trigger function when deps has a valid array (#13056)

thanks to @​candymask0712, @​GorkemKir, @​kimtaejin3, @​m2na7 & @​abnud11

Version 7.62.0

👨‍🔧 prevent onBlur for readOnly fields (#12971) 🐞 fix #12988 sync two defaultValues after reset with new defaultValues (#12990) 🐞 fix: do not override prototype of data in cloneObject (#12985) 🐞 fix field name type conflict in nested FieldErrors (#12972)

thanks to @​candymask0712, @​Adityapradh, @​Ty3uK & @​kichikawa57

Version 7.61.1

Revert "⌨️ fix: watch return type based on defaultValue (#12896)"

Version 7.61.0

🧮 feat: compute prop for useWatch subscription (#12503)

• subscribe to the entire form but only return updated value with certain condition

type FormValue = {
  test: string;
}
const watchedValue = useWatch({
control: methods.control,
compute: (data: FormValue) => {
if (data.test?.length) {
return data.test;
}
</tr></table>

... (truncated)

Commits

• 87d8b77 7.64.0
• 6c3b8f7 🥃 chore: upgrade dev deps (#13076)
• 23c699a ✂ chore: remove unused field ids ref in useFieldArray (#13066)
• 37f51ac 🐞 fix: preserve Controller's defaultValue with shouldUnregister prop (#13063)
• 8d61561 🚏 Support optional array fields in PathValueImpl type (#13057)
• b5b7329 7.63.0
• 86a7fb3 🐞 fix: only excuse trigger function when deps has a valid array (#13056)
• 4bfd420 🏔️ chore: major dev deps upgrade (#13053)
• 66b7daf 🔩 chore: lib dev deps upgrade (#13051)
• 62b26d8 🐿️ chore: remove duplicated function isMessage (#13050)
• Additional commits viewable in compare view

Updates zod from 4.1.11 to 4.1.12

Release notes

Sourced from zod's releases.

v4.1.12

Commits:

• 0b109c37c6b0b10e3901b56bcccb72e29a0b846f docs(ecosystem): add bupkis to the ecosystem section (#5237)
• d22ec0d26fab27151b0f1d1f98bffeaf8b011f57 docs(ecosystem): add upfetch (#5238)
• c56a4f6fab42c542b191228af61974b2328dc52f docs(ecosystem): add eslint-plugin-zod-x (#5261)
• a0abcc02900a4293dd4f30cd81580efcdd5230bb docs(metadata.mdx): fix a mistake in an example output (#5248)
• 62bf4e439e287e55c843245b49f8d34b1ad024ee fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266)
• 02a584010ac92ac8a351632ae5aea3983a6f17d8 refac(errors): Unify code structure and improve types (#5278)
• 4b1922ad714e12dafaa83a40ec03275a39ac980c docs(content/v4/index): fix zod version (#5289)
• 3fcb20ff348e49aec70f45e0dca3de8a61450e77 Add frrm to ecosystem (#5292)
• fda4c7c2afbd7649261be1e7954f8c4d4de24a07 Make docs work without token
• af447384379faef28aa857fb53ef1da702c6d408 Fix lint
• 77c3c9f069a4cf168c0cbc58432803de887a6b1b Export bg.ts
• 3b946107b6c94b2ac8ff9fb451160c34dc4dd794 v4.1.12

Commits

• 3b94610 v4.1.12
• 77c3c9f Export bg.ts
• af44738 Fix lint
• fda4c7c Make docs work without token
• 3fcb20f Add frrm to ecosystem (#5292)
• 4b1922a docs(content/v4/index): fix zod version (#5289)
• 02a5840 refac(errors): Unify code structure and improve types (#5278)
• 62bf4e4 fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266)
• a0abcc0 docs(metadata.mdx): fix a mistake in an example output (#5248)
• c56a4f6 docs(ecosystem): add eslint-plugin-zod-x (#5261)
• Additional commits viewable in compare view

Updates @playwright/test from 1.55.1 to 1.56.0

Release notes

Sourced from @​playwright/test's releases.

v1.56.0

Playwright Agents

Introducing Playwright Agents, three custom agent definitions designed to guide LLMs through the core process of building a Playwright test:

• 🎭 planner explores the app and produces a Markdown test plan
• 🎭 generator transforms the Markdown plan into the Playwright Test files
• 🎭 healer executes the test suite and automatically repairs failing tests

Run npx playwright init-agents with your client of choice to generate the latest agent definitions:

# Generate agent files for each agentic loop
# Visual Studio Code
npx playwright init-agents --loop=vscode
# Claude Code
npx playwright init-agents --loop=claude
# opencode
npx playwright init-agents --loop=opencode

[!NOTE] VS Code v1.105 (currently on the VS Code Insiders channel) is needed for the agentic experience in VS Code. It will become stable shortly, we are a bit ahead of times with this functionality!

Learn more about Playwright Agents

New APIs

• New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page
• New method page.requests() for retrieving the most recent network requests from the page
• Added --test-list and --test-list-invert to allow manual specification of specific tests from a file

UI Mode and HTML Reporter

• Added option to 'html' reporter to disable the "Copy prompt" button
• Added option to 'html' reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list
• Added option to UI Mode mirroring the --update-snapshots options
• Added option to UI Mode to run only a single worker at a time

Breaking Changes

• Event browserContext.on('backgroundpage') has been deprecated and will not be emitted. Method browserContext.backgroundPages() will return an empty list

Miscellaneous

• Aria snapshots render and compare input placeholder
• Added environment variable PLAYWRIGHT_TEST to Playwright worker processes to allow discriminating on testing status

Browser Versions

• Chromium 141.0.7390.37
• Mozilla Firefox 142.0.1
• WebKit 26.0

Commits

• b6af258 cherry-pick(#37727): devops: fix NPM release step (#377...

  Description has been truncated

[netlify]

✅ Deploy Preview for lustrous-cobbler-00e398 ready!

Name	Link
🔨 Latest commit	182b7ee
🔍 Latest deploy log	https://app.netlify.com/projects/lustrous-cobbler-00e398/deploys/68e59385bcf2cc00089c1bf8
😎 Deploy Preview	https://deploy-preview-11--lustrous-cobbler-00e398.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because it includes a critical security vulnerability fix in Next.js (CVE-2025-29927) that addresses authorization bypass in middleware, breaking changes requiring Node.js 18+ (while the project requires Node.js 20+), and Playwright deprecation warnings. The security fix patches a critical vulnerability where attackers could bypass middleware checks using the x-middleware-subrequest header. While the project's Node.js 20+ requirement is already compatible with React 19's Node.js 18+ minimum, the presence of a critical security patch and multiple breaking changes warrants manual review to ensure the middleware implementation properly handles the security fix.

What we checked

• Middleware implementation using nosecone may be affected by CVE-2025-29927 authorization bypass vulnerability in Next.js versions through 15.2.2, now fixed in 15.5.4 ^[1]
• Next.js upgraded to 15.5.4 which includes critical security fix for CVE-2025-29927 (authorization bypass vulnerability) ^[2]
• React upgraded to 19.2.0 which requires Node.js 18+ as a breaking change ^[3]
• Project already requires Node.js 20+ which satisfies React 19's Node.js 18+ requirement, ensuring compatibility ^[4]
• Dockerfile uses Node.js 24 which is compatible with all upgraded package requirements ^[5]
• GitHub Actions uses 'lts/*' which currently maps to Node.js 20.x, compatible with package requirements ^[6]
• Playwright upgraded to 1.56.0 which includes deprecation warning for backgroundpage API ^[7]
• CVE-2025-29927: Critical authorization bypass vulnerability in Next.js allowing requests to skip middleware checks via x-middleware-subrequest header, fixed in version 15.5.4 ^[8]

Dependency Usage

• @​hookform/resolvers: components/EmailForm.tsx:3 - The code is using zodResolver from @​hookform/resolvers/zod to validate form inputs by integrating Zod schema validation with React Hook Form's form handling mechanism.
• @​hookform/resolvers: components/RLForm.tsx:3 - The code is using the zodResolver from @​hookform/resolvers/zod to validate form inputs by integrating Zod schema validation with React Hook Form, enabling type-safe and schema-based form validation.

View 47 more usages

• @​hookform/resolvers:

  example-nextjsyy/components/SuppportForm.tsx

  Line 3 in 182b7ee

  import { zodResolver } from "@hookform/resolvers/zod";

  - The zodResolver from @​hookform/resolvers/zod is being used to validate form inputs by converting a Zod schema into a format that React Hook Form can use for form validation and error handling.
• next:

  example-nextjsyy/app/layout.tsx

  Line 1 in 182b7ee

  import { Metadata } from "next";

  - This code snippet is importing the Metadata type from Next.js, which is used to define and configure metadata for a page or layout in a Next.js application, allowing you to set SEO-related properties, page titles, and other metadata-related settings.
• next:

  example-nextjsyy/app/layout.tsx

  Line 2 in 182b7ee

  import Image from "next/image";

  - This code is importing various Next.js components and assets, specifically importing metadata for page configuration, image and link components for rendering, a script component for external scripts, and SVG logo assets for the application's dark and light themes.
• next:

  example-nextjsyy/app/layout.tsx

  Line 3 in 182b7ee

  import Link from "next/link";

  - This code is importing various Next.js built-in components and utilities (such as Metadata, Image, Link, and Script) along with local SVG assets for logos, which are commonly used for structuring and enhancing the layout and metadata of a Next.js application.
• next:

  example-nextjsyy/app/layout.tsx

  Line 4 in 182b7ee

  import Script from "next/script";

  - This code is importing various Next.js components (Image, Link, Script) and SVG logo assets (LogoDark and LogoLight) to be used in the application's layout, leveraging Next.js's built-in optimization and routing features.
• next:

  example-nextjsyy/app/page.tsx

  Line 1 in 182b7ee

  import Link from "next/link";

  - This code is defining the main landing page (IndexPage) for a Next.js application, importing a Link component from Next.js and a custom WhatNext component, and attempting to retrieve a site key from environment variables.
• next:

  example-nextjsyy/components/EmailForm.tsx

  Line 4 in 182b7ee

  import { useRouter } from "next/navigation";

  - The useRouter from Next.js's next/navigation is being imported and likely used to programmatically navigate or redirect the user after form submission in this React component.
• next:

  example-nextjsyy/components/NavLink.tsx

  Line 3 in 182b7ee

  import Link from "next/link";

  - This code is importing and preparing to create a custom navigation link component in Next.js, likely to add additional functionality like active state tracking using the usePathname hook, with the "use client" directive indicating it's a client-side component.
• next:

  example-nextjsyy/components/NavLink.tsx

  Line 4 in 182b7ee

  import { usePathname } from "next/navigation";

  - This code is importing and preparing to use the usePathname hook from Next.js navigation to potentially determine or compare the current route's pathname within a navigation link component.
• next:

  example-nextjsyy/components/SuppportForm.tsx

  Line 4 in 182b7ee

  import { useRouter } from "next/navigation";

  - The code is importing and likely using the useRouter hook from Next.js navigation to programmatically handle routing or navigation within the application, such as redirecting after form submission or navigating between pages.
• next:

  example-nextjsyy/app/attack/page.tsx

  Line 1 in 182b7ee

  import type { Metadata } from "next";

  - This code snippet appears to be importing various Next.js and custom components for a page in a Next.js application, specifically setting up imports for metadata, headers, linking, and a custom dashboard component.
• next:

  example-nextjsyy/app/attack/page.tsx

  Line 2 in 182b7ee

  import { headers } from "next/headers";

  - This code is importing the headers function from next/headers, which allows server-side access to HTTP request headers in a Next.js application, typically used to retrieve information about the current request within a server component or page.
• next:

  example-nextjsyy/app/attack/page.tsx

  Line 3 in 182b7ee

  import Link from "next/link";

  - This code snippet appears to be importing various Next.js and custom components for a page related to an attack or security-related dashboard, likely preparing metadata, headers, and navigation elements for rendering a specific page in a Next.js application.
• next:

  example-nextjsyy/app/bots/page.tsx

  Line 1 in 182b7ee

  import type { Metadata } from "next";

  - This code snippet is importing metadata and other Next.js-related modules to set up a page component for a bots-related route in a Next.js application, likely preparing to render a dashboard or list of bots with navigation and related functionality.
• next:

  example-nextjsyy/app/bots/page.tsx

  Line 2 in 182b7ee

  import { headers } from "next/headers";

  - The code is importing the headers function from next/headers, which allows server-side access to HTTP headers in a Next.js application, typically used for reading request-specific information during server-side rendering or server components.
• next:

  example-nextjsyy/app/bots/page.tsx

  Line 3 in 182b7ee

  import Link from "next/link";

  - This code appears to be importing metadata, headers, and other components in a Next.js page file (specifically for a bots page), likely preparing to render a dashboard or navigation interface with server-side and client-side elements.
• next:

  example-nextjsyy/app/rate-limiting/page.tsx

  Line 1 in 182b7ee

  import type { Metadata } from "next";

  - This code is importing the Metadata type from Next.js, which is typically used to define metadata for a page in a Next.js application, such as setting the page title, description, and other SEO-related attributes.
• next:

  example-nextjsyy/app/rate-limiting/page.tsx

  Line 2 in 182b7ee

  import Link from "next/link";

  - This code snippet appears to be importing metadata and components for a Next.js page related to rate limiting, specifically preparing to render a page with a rate-limiting form and potentially a "what's next" section with navigation links.
• next:

  example-nextjsyy/app/sensitive-info/page.tsx

  Line 1 in 182b7ee

  import type { Metadata } from "next";

  - This code is importing the Metadata type from Next.js, which is typically used to define metadata for a page, such as title, description, and other SEO-related properties in a Next.js application.
• next:

  example-nextjsyy/app/sensitive-info/page.tsx

  Line 2 in 182b7ee

  import Link from "next/link";

  - This code is importing essential Next.js components and custom components for rendering a page's metadata, creating links, and composing specific dashboard and "what's next" sections in a Next.js application.
• next:

  example-nextjsyy/app/signup/page.tsx

  Line 1 in 182b7ee

  import type { Metadata } from "next";

  - This code is importing the Metadata type from Next.js, which allows you to define and customize metadata for a page, such as title, description, and other SEO-related properties.
• next:

  example-nextjsyy/app/signup/page.tsx

  Line 2 in 182b7ee

  import Link from "next/link";

  - This code is importing metadata type definitions from Next.js, a link component for client-side navigation, and two custom composition components (VisitDashboard and WhatNext) that are likely used in the signup page's layout or functionality.
• next:

  example-nextjsyy/components/compositions/VisitDashboard.tsx

  Line 1 in 182b7ee

  import Link from "next/link";

  - This code snippet appears to be importing Next.js's Link component and other React-related dependencies for a VisitDashboard component, suggesting it's setting up routing and component structure using Next.js's built-in Link component for client-side navigation.
• next:

  example-nextjsyy/components/compositions/WhatNext.tsx

  Line 1 in 182b7ee

  import Link from "next/link";

  - This code snippet is importing the Next.js Link component and defining a React functional component called WhatNext that conditionally renders content based on a deployed prop, likely used to provide navigation or next steps after a deployment.
• next:

  example-nextjsyy/app/attack/test/route.ts

  Line 1 in 182b7ee

  import { type NextRequest, NextResponse } from "next/server";

  - This code snippet is importing Next.js server-related types and configuring a dynamic route that opts out of static caching, likely preparing for implementing request handling or protection middleware using Arcjet.
• next:

  example-nextjsyy/app/bots/test/route.ts

  Line 1 in 182b7ee

  import { type NextRequest, NextResponse } from "next/server";

  - This code is configuring a Next.js API route to dynamically handle requests without caching, likely in preparation for implementing bot detection or rate limiting with the Arcjet library.
• next:

  example-nextjsyy/app/rate-limiting/test/route.ts

  Line 3 in 182b7ee

  import { type NextRequest, NextResponse } from "next/server";

  - This code is importing Next.js server-side types and utilities along with Arcjet rate limiting functionality to potentially set up rate limiting for a Next.js API route or server-side endpoint.
• next:

  example-nextjsyy/app/sensitive-info/test/route.ts

  Line 1 in 182b7ee

  import { type NextRequest, NextResponse } from "next/server";

  - This code appears to be setting up a Next.js route handler with Arcjet for protection, likely preparing to validate and process sensitive information using a predefined schema and security shield.
• next:

  example-nextjsyy/app/signup/test/route.ts

  Line 1 in 182b7ee

  import { type NextRequest, NextResponse } from "next/server";

  - This code is setting up a route handler in Next.js for handling signup form submissions, likely implementing request validation and protection using the Arcjet library to add security rules to the signup process.
• next: https://github.com/Jobayer071/example-nextjsyy/blob/182b7eed8186b986a0206a3bfbf9c0d08b9ab816/app/api/auth/[...nextauth]/route.ts#L3 - This code snippet appears to be importing Next.js server-related types and response utilities (NextRequest, NextResponse) for handling authentication routes in a Next.js application, specifically in the context of Auth.js 5.
• react:

  example-nextjsyy/components/NavLink.tsx

  Line 5 in 182b7ee

  import type { ComponentProps } from "react";

  - This code is importing the ComponentProps type from React to use as a type for props in a custom Next.js navigation link component, likely to leverage and extend the default props of a standard link component.
• react:

  example-nextjsyy/components/PopoverTarget.tsx

  Line 3 in 182b7ee

  import { type ComponentProps, useEffect, useRef } from "react";

  - This code appears to be setting up a React component that is likely implementing a custom popover or anchor positioning mechanism, potentially using a polyfill for CSS anchor positioning, and preparing to use React hooks like useEffect and useRef to manage component behavior.
• react:

  example-nextjsyy/components/RLForm.tsx

  Line 4 in 182b7ee

  import { useState } from "react";

  - This code is importing and using React's useState hook alongside other form-related libraries (react-hook-form and zod) to manage form state and validation in a React component.
• react:

  example-nextjsyy/components/brand/LogoMarkSpark.tsx

  Line 4 in 182b7ee

  import { forwardRef, useEffect, useState } from "react";

  - This code snippet appears to be importing React hooks and the useTheme hook from next-themes, and starting to define a component (likely related to a logo or visual branding) that will use forwarded refs, state management, and theme switching capabilities.
• react:

  example-nextjsyy/components/compositions/VisitDashboard.tsx

  Line 2 in 182b7ee

  import * as React from "react";

  - This code snippet appears to be importing React and Next.js components, along with a custom logo and potentially a custom hook, likely preparing to build a dashboard or navigation-related React component with routing capabilities.
• react:

  example-nextjsyy/components/compositions/VisitDashboard.tsx

  Line 3 in 182b7ee

  import { memo } from "react";

  - The code is using React's memo higher-order component to create a memoized version of a component, which helps optimize performance by preventing unnecessary re-renders when the component's props haven't changed.
• react:

  example-nextjsyy/components/icons/ArrowExternal.tsx

  Line 1 in 182b7ee

  import { forwardRef } from "react";

  - This code is creating a reusable SVG icon component called ArrowExternal using React's forwardRef to allow a ref to be passed to the underlying SVG element, with optional custom CSS classes that can be applied to the icon.
• react-hook-form:

  example-nextjsyy/components/EmailForm.tsx

  Line 5 in 182b7ee

  import { useForm } from "react-hook-form";

  - The code is using react-hook-form's useForm hook to create a form validation and handling mechanism, likely with Zod schema validation (indicated by the zodResolver), for managing form state, validation, and submission in a React component.
• react-hook-form:

  example-nextjsyy/components/RLForm.tsx

  Line 5 in 182b7ee

  import { useForm } from "react-hook-form";

  - This code is using react-hook-form's useForm hook with Zod schema validation (via zodResolver) to create a form management system with type-safe form validation and state handling.
• react-hook-form:

  example-nextjsyy/components/SuppportForm.tsx

  Line 5 in 182b7ee

  import { useForm } from "react-hook-form";

  - This code is using the useForm hook from react-hook-form to create a form with Zod schema validation, likely to manage form state, handle form submissions, and validate input data in a type-safe manner.
• zod:

  example-nextjsyy/components/EmailForm.tsx

  Line 6 in 182b7ee

  import { z } from "zod";

  - In this context, Zod (imported as z) is likely being used to define or validate a form schema that specifies the expected shape and validation rules for email-related form input data.
• zod:

  example-nextjsyy/components/RLForm.tsx

  Line 6 in 182b7ee

  import { z } from "zod";

  - Based on the context, it appears that Zod (imported as z) is likely being used to define or validate a form schema for type-checking and runtime validation of form input data in this React component.
• zod:

  example-nextjsyy/components/SuppportForm.tsx

  Line 6 in 182b7ee

  import { z } from "zod";

  - Based on the context, it appears that Zod (imported as z) is likely being used to define or validate a form schema for type-checking and runtime validation of form input data in this React component.
• zod:

  example-nextjsyy/app/sensitive-info/schema.ts

  Line 1 in 182b7ee

  import { z } from "zod";

  - This code is importing the Zod library to define a schema for validating form fields on the client-side, with a note about additional server-side validation for enhanced security.
• zod:

  example-nextjsyy/app/signup/schema.ts

  Line 1 in 182b7ee

  import { z } from "zod";

  - This code is importing the Zod library to define a schema for validating form input fields on the client-side, providing type checking and runtime validation before data is submitted.
• @​playwright/test:

  example-nextjsyy/playwright.config.ts

  Line 1 in 182b7ee

  import { defineConfig, devices } from "@playwright/test";

  - This code is creating a Playwright test configuration using the defineConfig function from the "@​playwright/test" package, which allows you to specify settings for your test suite such as the directory where tests are located, and potentially other configuration options like test runners, browsers, or project-specific settings.
• @​playwright/test:

  example-nextjsyy/tests/screenshots.test.ts

  Line 1 in 182b7ee

  import { expect, test } from "@playwright/test";

  - This code is importing the expect and test utilities from Playwright's testing framework, which are typically used for writing and executing automated browser-based tests with assertions and test case definitions.

Other Usages (49)

These usages were analyzed but no breaking changes were detected:

@​hookform/resolvers

• example-nextjsyy/components/EmailForm.tsx

  Line 3 in 182b7ee

  import { zodResolver } from "@hookform/resolvers/zod";

• example-nextjsyy/components/RLForm.tsx

  Line 3 in 182b7ee

  import { zodResolver } from "@hookform/resolvers/zod";

• example-nextjsyy/components/SuppportForm.tsx

  Line 3 in 182b7ee

  import { zodResolver } from "@hookform/resolvers/zod";

next

• example-nextjsyy/app/layout.tsx

  Line 1 in 182b7ee

  import { Metadata } from "next";

• example-nextjsyy/app/layout.tsx

  Line 2 in 182b7ee

  import Image from "next/image";

• example-nextjsyy/app/layout.tsx

  Line 3 in 182b7ee

  import Link from "next/link";

• example-nextjsyy/app/layout.tsx

  Line 4 in 182b7ee

  import Script from "next/script";

• example-nextjsyy/app/page.tsx

  Line 1 in 182b7ee

  import Link from "next/link";

• ...and 24 more

react

• example-nextjsyy/components/NavLink.tsx

  Line 5 in 182b7ee

  import type { ComponentProps } from "react";

• example-nextjsyy/components/PopoverTarget.tsx

  Line 3 in 182b7ee

  import { type ComponentProps, useEffect, useRef } from "react";

• example-nextjsyy/components/RLForm.tsx

  Line 4 in 182b7ee

  import { useState } from "react";

• example-nextjsyy/components/brand/LogoMarkSpark.tsx

  Line 4 in 182b7ee

  import { forwardRef, useEffect, useState } from "react";

• example-nextjsyy/components/compositions/VisitDashboard.tsx

  Line 2 in 182b7ee

  import * as React from "react";

• ...and 2 more

react-hook-form

• example-nextjsyy/components/EmailForm.tsx

  Line 5 in 182b7ee

  import { useForm } from "react-hook-form";

• example-nextjsyy/components/RLForm.tsx

  Line 5 in 182b7ee

  import { useForm } from "react-hook-form";

• example-nextjsyy/components/SuppportForm.tsx

  Line 5 in 182b7ee

  import { useForm } from "react-hook-form";

zod

• example-nextjsyy/components/EmailForm.tsx

  Line 6 in 182b7ee

  import { z } from "zod";

• example-nextjsyy/components/RLForm.tsx

  Line 6 in 182b7ee

  import { z } from "zod";

• example-nextjsyy/components/SuppportForm.tsx

  Line 6 in 182b7ee

  import { z } from "zod";

• example-nextjsyy/app/sensitive-info/schema.ts

  Line 1 in 182b7ee

  import { z } from "zod";

• example-nextjsyy/app/signup/schema.ts

  Line 1 in 182b7ee

  import { z } from "zod";

@​playwright/test

• example-nextjsyy/playwright.config.ts

  Line 1 in 182b7ee

  import { defineConfig, devices } from "@playwright/test";

• example-nextjsyy/tests/screenshots.test.ts

  Line 1 in 182b7ee

  import { expect, test } from "@playwright/test";

Changes

This update includes React and React DOM upgrades requiring Node.js 18+ with flat config now default, alongside Next.js patches for error overlay and validation issues. Notable additions include React's new <Activity> API for hiding/restoring UI state, useEffectEvent hook for non-reactive effect logic, and Playwright's test planning agents with new CLI commands for retrieving console messages and network requests.

• Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458) (vv19.2.0, release notes)
• Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457) (vv19.2.0, release notes)
• Breaking: Require Node.js 18 or newer. (@​michaelfaith in #32458) (vv19.2.0, release notes)

View 172 more changes

• zod: fix output type for Zod 4 resolver (#803) (e95721d) (vv5.2.2, release notes)
• discriminated union for zod v4 mini (#784) (49a0d7b) (vv5.2.1, release notes)
• zod v4 peer deps (#798) (2d28e6a) (vv5.2.1, release notes)
• ajv: add ajv-formats for ajvResolver (#797) (f040039) (vv5.2.0, release notes)
• 🚀 Work with anchor and target inside same shadow root by @​wkillerud in Work with anchor and target inside same shadow root oddbird/css-anchor-positioning#353 (vv0.7.0, release notes)
• 🏠 INTERNAL: Upgrade dependencies (vv0.7.0, release notes)
• @​wkillerud made their first contribution in Work with anchor and target inside same shadow root oddbird/css-anchor-positioning#353 (vv0.7.0, release notes)
• ensure onRequestError is invoked when otel enabled (#83343) (vv15.5.4, release notes)
• devtools initial position should be from next config (#83571) (vv15.5.4, release notes)
• [devtool] fix overlay styles are missing (#83721) (vv15.5.4, release notes)
• Turbopack: don't match dynamic pattern for node_modules packages (#83176) (vv15.5.4, release notes)
• Turbopack: don't treat metadata routes as RSC (#82911) (vv15.5.4, release notes)
• [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#83357) (vv15.5.4, release notes)
• Turbopack: throw large static metadata error earlier (#82939) (vv15.5.4, release notes)
• error overlay not closing when backdrop clicked (#83981) (vv15.5.4, release notes)
• Turbopack: flush Node.js worker IPC on error (#84077) (vv15.5.4, release notes)
• [CNA] use linter preference (#83194) (vv15.5.4, release notes)
• CI: use KV for test timing data (#83745) (vv15.5.4, release notes)
• docs: september improvements and fixes (#83997) (vv15.5.4, release notes)
• validation return types of pages API routes (#83069) (vv15.5.3, release notes)
• relative paths in dev in validator.ts (#83073) (vv15.5.3, release notes)
• remove satisfies keyword from type validation to preserve old TS compatibility (#83071) (vv15.5.3, release notes)
• <Activity>: A new API to hide and restore the UI and internal state of its children. (vv19.2.0, release notes)
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event. (vv19.2.0, release notes)
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over. (vv19.2.0, release notes)
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools (vv19.2.0, release notes)
• Added resume APIs for partial pre-rendering with Web Streams: (vv19.2.0, release notes)
• resume: to resume a prerender to a stream. (vv19.2.0, release notes)
• resumeAndPrerender: to resume a prerender to HTML. (vv19.2.0, release notes)
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs. (vv19.2.0, release notes)
• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics. (vv19.2.0, release notes)
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js (vv19.2.0, release notes)
• Use underscore instead of : IDs generated by useId (vv19.2.0, release notes)
• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others) (vv19.2.0, release notes)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507) (vv19.2.0, release notes)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198) (vv19.2.0, release notes)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (vv19.2.0, release notes)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (vv19.2.0, release notes)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (vv19.2.0, release notes)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900) (vv19.2.0, release notes)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145) (vv19.2.0, release notes)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723) (vv19.2.0, release notes)
• Add cacheSignal (@​sebmarkbage #33557) (vv19.2.0, release notes)
• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342) (vv19.2.0, release notes)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, [Fizz] Block on Suspensey Fonts during reveal facebook/react#33342#33099, #33422) (vv19.2.0, release notes)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264) (vv19.2.0, release notes)
• Allow nonce to be used on hoistable styles (@​Andarist #32461) (vv19.2.0, release notes)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774) (vv19.2.0, release notes)
• s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #32763) (vv19.2.0, release notes)
• Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (vv19.2.0, release notes)
• Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #33027) (vv19.2.0, release notes)
• Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (vv19.2.0, release notes)
• Avoid hanging when suspending after aborting while rendering (@​gnoff #34192) (vv19.2.0, release notes)
• Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #33475) (vv19.2.0, release notes)
• Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #34604) (vv19.2.0, release notes)
• Log error if production elements are rendered during development (@​eps1lon #34189) (vv19.2.0, release notes)
• Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (vv19.2.0, release notes)
• Pass line/column to filterStackFrame (@​eps1lon #33707) (vv19.2.0, release notes)
• Support Async Modules in Turbopack Server References (@​lubieowoce #34531) (vv19.2.0, release notes)
• Add support for .mjs file extension in Webpack (@​jennyscript #33028) (vv19.2.0, release notes)
• Fix a wrong missing key warning (@​unstubbable #34350) (vv19.2.0, release notes)
• Make console log resolve in predictable order (@​sebmarkbage #33665) (vv19.2.0, release notes)
• createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs (vv19.2.0, release notes)
• New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040) (vv19.2.0, release notes)
• New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544) (vv19.2.0, release notes)
• Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076) (vv19.2.0, release notes)
• Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497 (vv19.2.0, release notes)
• Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @​hoxyq) (vv19.1.1, release notes)
• <Activity>: A new API to hide and restore the UI and internal state of its children. (vv19.2.0, release notes)
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event. (vv19.2.0, release notes)
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over. (vv19.2.0, release notes)
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools (vv19.2.0, release notes)
• Added resume APIs for partial pre-rendering with Web Streams: (vv19.2.0, release notes)
• resume: to resume a prerender to a stream. (vv19.2.0, release notes)
• resumeAndPrerender: to resume a prerender to HTML. (vv19.2.0, release notes)
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs. (vv19.2.0, release notes)
• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics. (vv19.2.0, release notes)
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js (vv19.2.0, release notes)
• Use underscore instead of : IDs generated by useId (vv19.2.0, release notes)
• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others) (vv19.2.0, release notes)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #33507) (vv19.2.0, release notes)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #34198) (vv19.2.0, release notes)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #32821) (vv19.2.0, release notes)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #34376) (vv19.2.0, release notes)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #33055) (vv19.2.0, release notes)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #32900) (vv19.2.0, release notes)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #34145) (vv19.2.0, release notes)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #33629, #33724, #32735, #33723) (vv19.2.0, release notes)
• Add cacheSignal (@​sebmarkbage #33557) (vv19.2.0, release notes)
• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #33342) (vv19.2.0, release notes)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #32001, [Fizz] Block on Suspensey Fonts during reveal facebook/react#33342#33099, #33422) (vv19.2.0, release notes)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #34264) (vv19.2.0, release notes)
• Allow nonce to be used on hoistable styles (@​Andarist #32461) (vv19.2.0, release notes)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #32774) (vv19.2.0, release notes)
• s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #32763) (vv19.2.0, release notes)
• Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #33941) (vv19.2.0, release notes)
• Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #33027) (vv19.2.0, release notes)
• Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #33467) (vv19.2.0, release notes)
• Avoid hanging when suspending after aborting while rendering (@​gnoff #34192) (vv19.2.0, release notes)
• Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #33475) (vv19.2.0, release notes)
• Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #34604) (vv19.2.0, release notes)
• Log error if production elements are rendered during development (@​eps1lon #34189) (vv19.2.0, release notes)
• Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #34084, @​denk0403 #33761) (vv19.2.0, release notes)
• Pass line/column to filterStackFrame (@​eps1lon #33707) (vv19.2.0, release notes)
• Support Async Modules in Turbopack Server References (@​lubieowoce #34531) (vv19.2.0, release notes)
• Add support for .mjs file extension in Webpack (@​jennyscript #33028) (vv19.2.0, release notes)
• Fix a wrong missing key warning (@​unstubbable #34350) (vv19.2.0, release notes)
• Make console log resolve in predictable order (@​sebmarkbage #33665) (vv19.2.0, release notes)
• createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs (vv19.2.0, release notes)
• Breaking: Flat config is now the default recommended preset. Legacy config moved to recommended-legacy. (@​michaelfaith in #32457) (vv19.2.0, release notes)
• New Violations: Disallow calling use within try/catch blocks. (@​poteto in #34040) (vv19.2.0, release notes)
• New Violations: Disallow calling useEffectEvent functions in arbitrary closures. (@​jbrown215 in #33544) (vv19.2.0, release notes)
• Handle React.useEffect in addition to useEffect in rules-of-hooks. (@​Ayc0 in #34076) (vv19.2.0, release notes)
• Added react-hooks settings config option that to accept additionalEffectHooks that are used across exhaustive-deps and rules-of-hooks rules. (@​jbrown215) in #34497 (vv19.2.0, release notes)
• Fixed Owner Stacks to work with ES2015 function.name semantics (#33680 by @​hoxyq) (vv19.1.1, release notes)
• Support optional array fields in PathValueImpl type (vv7.64.0, release notes)
• Fix preserving Controller's defaultValue when shouldUnregister prop is used (vv7.64.0, release notes)
• Remove unused field ids reference in useFieldArray (vv7.64.0, release notes)
• Added ability to extract form values directly from form state (vv7.63.0, release notes)
• Added support for returning only dirty fields when calling getValues() with { dirtyFields: true } option (vv7.63.0, release notes)
• Improve logic for identifying dirty fields (vv7.63.0, release notes)
• Remove duplicated isMessage function (vv7.63.0, release notes)
• Use field name when updating isValidating fields (vv7.63.0, release notes)
• Fix unregistering previous field when switching conditional Controllers (vv7.63.0, release notes)
• Only execute trigger function when dependencies are a valid array (vv7.63.0, release notes)
• Prevent onBlur events for read-only fields (vv7.62.0, release notes)
• Synchronize two default values after reset (vv7.62.0, release notes)
• Fix issue with cloning object to prevent prototype override (vv7.62.0, release notes)
• Resolve field name type conflict in nested field errors (vv7.62.0, release notes)
• Added a compute prop for useWatch subscription (vv7.61.0, release notes)
• subscribe to the entire form but only return updated value with certain condition (vv7.61.0, release notes)
• subscribe to a specific form value state (vv7.61.0, release notes)
• Trigger watch callbacks only in response to value changes (vv7.61.0, release notes)
• Track name with setValue subscription callbacks (vv7.61.0, release notes)
• Fix watch return type based on defaultValue (vv7.61.0, release notes)
• Fix subscribing with latest defaultValues (vv7.61.0, release notes)
• Fix handling of explicit "multipart/form-data" encType in Form Component (vv7.61.0, release notes)
• Remove React wildcard import to resolve ESM build issues (vv7.61.0, release notes)
• Improve exclude patterns (vv7.61.0, release notes)
• Remove unused omit function (vv7.61.0, release notes)
• 0b109c37c6b0b10e3901b56bcccb72e29a0b846f docs(ecosystem): add bupkis to the ecosystem section (#5237) (vv4.1.12, release notes)
• d22ec0d26fab27151b0f1d1f98bffeaf8b011f57 docs(ecosystem): add upfetch (#5238) (vv4.1.12, release notes)
• c56a4f6fab42c542b191228af61974b2328dc52f docs(ecosystem): add eslint-plugin-zod-x (#5261) (vv4.1.12, release notes)
• a0abcc02900a4293dd4f30cd81580efcdd5230bb docs(metadata.mdx): fix a mistake in an example output (#5248) (vv4.1.12, release notes)
• 62bf4e439e287e55c843245b49f8d34b1ad024ee fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266) (vv4.1.12, release notes)
• 02a584010ac92ac8a351632ae5aea3983a6f17d8 refac(errors): Unify code structure and improve types (#5278) (vv4.1.12, release notes)
• 4b1922ad714e12dafaa83a40ec03275a39ac980c docs(content/v4/index): fix zod version (#5289) (vv4.1.12, release notes)
• 3fcb20ff348e49aec70f45e0dca3de8a61450e77 Add frrm to ecosystem (#5292) (vv4.1.12, release notes)
• fda4c7c2afbd7649261be1e7954f8c4d4de24a07 Make docs work without token (vv4.1.12, release notes)
• af447384379faef28aa857fb53ef1da702c6d408 Fix lint (vv4.1.12, release notes)
• 77c3c9f069a4cf168c0cbc58432803de887a6b1b Export bg.ts (vv4.1.12, release notes)
• 3b946107b6c94b2ac8ff9fb451160c34dc4dd794 v4.1.12 (vv4.1.12, release notes)
• 🎭 planner explores the app and produces a Markdown test plan (vv1.56.0, release notes)
• 🎭 generator transforms the Markdown plan into the Playwright Test files (vv1.56.0, release notes)
• 🎭 healer executes the test suite and automatically repairs failing tests (vv1.56.0, release notes)
• Added npx playwright init-agents command to generate latest agent definitions (vv1.56.0, release notes)
• Added new CLI command npx playwright init-agents --loop=vscode for initializing agents in VSCode (vv1.56.0, release notes)
• Added new command npx playwright init-agents --loop=claude for initializing agents with Claude support (vv1.56.0, release notes)
• Added a new CLI command npx playwright init-agents --loop=opencode for initializing agents with the OpenCode loop configuration (vv1.56.0, release notes)
• New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page (vv1.56.0, release notes)
• New method page.requests() for retrieving the most recent network requests from the page (vv1.56.0, release notes)
• Added --test-list and --test-list-invert to allow manual specification of specific tests from a file (vv1.56.0, release notes)
• Added option to 'html' reporter to disable the "Copy prompt" button (vv1.56.0, release notes)
• Added option to 'html' reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list (vv1.56.0, release notes)
• Added option to UI Mode mirroring the --update-snapshots options (vv1.56.0, release notes)
• Added option to UI Mode to run only a single worker at a time (vv1.56.0, release notes)
• Event browserContext.on('backgroundpage') has been deprecated and will not be emitted. Method browserContext.backgroundPages() will return an empty list (vv1.56.0, release notes)
• Aria snapshots render and compare input placeholder (vv1.56.0, release notes)
• Added environment variable PLAYWRIGHT_TEST to Playwright worker processes to allow discriminating on testing status (vv1.56.0, release notes)
• Chromium 141.0.7390.37 (vv1.56.0, release notes)
• Mozilla Firefox 142.0.1 (vv1.56.0, release notes)
• WebKit 26.0 (vv1.56.0, release notes)

References (8)

[1]: Middleware implementation using nosecone may be affected by CVE-2025-29927 authorization bypass vulnerability in Next.js versions through 15.2.2, now fixed in 15.5.4

example-nextjsyy/middleware.ts

Line 40 in 182b7ee

const noseconeMiddleware = nosecone.createMiddleware(

[2]: Next.js upgraded to 15.5.4 which includes critical security fix for CVE-2025-29927 (authorization bypass vulnerability)

example-nextjsyy/package.json

Line 39 in 182b7ee

"next": "15.5.4",

[3]: React upgraded to 19.2.0 which requires Node.js 18+ as a breaking change

example-nextjsyy/package.json

Line 42 in 182b7ee

"react": "19.2.0",

[4]: Project already requires Node.js 20+ which satisfies React 19's Node.js 18+ requirement, ensuring compatibility

example-nextjsyy/package.json

Line 18 in 182b7ee

"node": ">=20"

[5]: Dockerfile uses Node.js 24 which is compatible with all upgraded package requirements

example-nextjsyy/Dockerfile

Line 1 in 182b7ee

FROM node:24-bookworm

[6]: GitHub Actions uses 'lts/*' which currently maps to Node.js 20.x, compatible with package requirements

example-nextjsyy/.github/workflows/playwright.yml

Line 25 in 182b7ee

node-version: lts/*

[7]: Playwright upgraded to 1.56.0 which includes deprecation warning for backgroundpage API

example-nextjsyy/package.json

Line 48 in 182b7ee

"@playwright/test": "1.56.0",

[8]: CVE-2025-29927: Critical authorization bypass vulnerability in Next.js allowing requests to skip middleware checks via x-middleware-subrequest header, fixed in version 15.5.4 (source link)

---

fossabot analyzed this PR using static analysis and dependency research.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​react-dom@​19.1.6 ⏵ 19.2.1	+1		+1	+1
	@​types/​react@​19.1.8 ⏵ 19.2.2				+1
	@​fontsource-variable/​figtree@​5.2.8 ⏵ 5.2.10	+5		+2	+8
	next@​15.5.2 ⏵ 15.5.4	+2		+1	+1
	react@​19.1.0 ⏵ 19.2.0	+1		+1
	@​fontsource/​ibm-plex-mono@​5.2.6 ⏵ 5.2.7	+1		+2	+7
	typescript@​5.8.3 ⏵ 5.9.3	+1		+1
	@​hookform/​resolvers@​5.1.1 ⏵ 5.2.2	+1		+1	+2
	react-dom@​19.1.0 ⏵ 19.2.0	+1		+1
	@​oddbird/​css-anchor-positioning@​0.6.1 ⏵ 0.7.0	+2		+1	+6
	react-hook-form@​7.60.0 ⏵ 7.64.0	+1		+1	+2
	zod@​4.1.11 ⏵ 4.1.12				+1
	sass@​1.89.2 ⏵ 1.93.2	+1
	@​playwright/​test@​1.55.1 ⏵ 1.56.0

View full report

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.