Bump the npm group across 1 directory with 21 updates by dependabot[bot] · Pull Request #73 · binos30/parking-system

dependabot · 2026-04-23T07:34:50Z

Bumps the npm group with 21 updates in the / directory:

Package	From	To
@hookform/resolvers	`5.1.1`	`5.2.2`
@hotwired/turbo-rails	`8.0.16`	`8.0.23`
autoprefixer	`10.4.21`	`10.5.0`
axios	`1.10.0`	`1.15.2`
bootstrap	`5.3.7`	`5.3.8`
dayjs	`1.11.13`	`1.11.20`
postcss	`8.5.6`	`8.5.10`
react	`19.1.0`	`19.2.5`
@types/react	`19.1.8`	`19.2.14`
react-dom	`19.1.0`	`19.2.5`
react-hook-form	`7.58.1`	`7.73.1`
react-router-dom	`7.6.2`	`7.14.2`
sass	`1.89.2`	`1.99.0`
yup	`1.6.1`	`1.7.1`
@eslint/js	`9.29.0`	`10.0.1`
esbuild	`0.25.5`	`0.28.0`
eslint	`9.29.0`	`10.2.1`
eslint-formatter-gha	`1.5.2`	`2.0.1`
globals	`16.2.0`	`17.5.0`
nodemon	`3.1.10`	`3.1.14`
prettier	`3.5.3`	`3.8.3`

Updates @hookform/resolvers from 5.1.1 to 5.2.2

Release notes

Sourced from @hookform/resolvers's releases.

v5.2.2

5.2.2 (2025-09-14)

Bug Fixes

zod: fix output type for Zod 4 resolver (#803) (e95721d)

v5.2.1

5.2.1 (2025-07-29)

Bug Fixes

discriminated union for zod v4 mini (#784) (49a0d7b)

zod v4 peer deps (#798) (2d28e6a)

zod: fix output type for Zod 4 resolver (#801) (bc09647)

v5.2.0

5.2.0 (2025-07-25)

Features

ajv: add ajv-formats for ajvResolver (#797) (f040039)

Commits

e95721d fix(zod): fix output type for Zod 4 resolver (#803)
49a0d7b fix: discriminated union for zod v4 mini (#784)
bc09647 fix(zod): fix output type for Zod 4 resolver (#801)
2d28e6a fix: zod v4 peer deps (#798)
f040039 feat(ajv): add ajv-formats for ajvResolver (#797)
See full diff in compare view

Updates @hotwired/turbo-rails from 8.0.16 to 8.0.23

Commits

See full diff in compare view

Maintainer changes

This version was pushed to npm by packagethief, a new releaser for @hotwired/turbo-rails since your current version.

Updates autoprefixer from 10.4.21 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

Added mask-position-x and mask-position-y support (by @toporek).

10.4.27

Removed development key from package.json.

10.4.26

Reduced package size.

10.4.25

Fixed broken gradients on CSS Custom Properties (by @serger777).

10.4.24

Made Autoprefixer a little faster (by @Cherry).

10.4.23

Reduced dependencies (by @hyperz111).

10.4.22

Fixed stretch prefixes on new Can I Use database.

Updated fraction.js.

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

Added mask-position-x and mask-position-y support (by @toporek).

10.4.27

Removed development key from package.json.

10.4.26

Reduced package size.

10.4.25

Fixed broken gradients on CSS Custom Properties (by @serger777).

10.4.24

Made Autoprefixer a little faster (by @Cherry).

10.4.23

Reduced dependencies (by @hyperz111).

10.4.22

Fixed stretch prefixes on new Can I Use database.

Updated fraction.js.

Commits

faf456a Release 10.5 version
b841fc5 Update dependencies
47d6e68 Update email
45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
360f2d9 Release 10.4.27 version
ab5260c Update clean-publish
09e9dd1 Release 10.4.26 version
ec75540 Ignore local patches
59601b8 Update c8 and clean-publish
Additional commits viewable in compare view

Updates axios from 1.10.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)

HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)

Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)

Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)

buildFullPath: Uses strict equality in the base/relative URL check. (#7252)

AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)

Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

5829343 chore(release): prepare release 1.15.2 (#10789)
4709a48 fix: added fix for memory leak in sockets (#10788)
be33360 chore: update changelog (#10781)
4791514 fix: more header pollutions (#10779)
6feafcf fix: socket issue (#10777)
302e273 docs: update docs, add a couple actions etc (#10776)
ac42446 chore(release): prepare release 1.15.1 (#10767)
908f220 docs: update threatmodel (#10765)
f93f815 docs: added docs around potential decompressions bomb (#10763)
1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates bootstrap from 5.3.7 to 5.3.8

Release notes

Sourced from bootstrap's releases.

v5.3.8

What's Changed

Streamline release prep script by @mdo in twbs/bootstrap#41539

Docs: restore local dev port to 9001 by @chalin in twbs/bootstrap#41545

Docs: use Example shortcode instead of divs with only .bd-example class by @julien-deramond in twbs/bootstrap#41556

Docs: fix scss autorecompile in dev mode by @MaxLardenois in twbs/bootstrap#41574

Fix color-contrast() function for WCAG 2.1 compliance by @julien-deramond in twbs/bootstrap#41585

OSSF Scorecard by @mdo in twbs/bootstrap#41571

Workflows: Use SHA-1 for third-party actions by @julien-deramond in twbs/bootstrap#41595

Docs: unminify downloadable example HTML files by @julien-deramond in twbs/bootstrap#41637

Docs: Add tooltips to buttons when <Example> is used, not just <Code> by @louismaximepiton in twbs/bootstrap#41582

Set cursor pointer on input search cancel button by @mdo in twbs/bootstrap#41639

CSS: Prevent spinner distortion in flex containers with multiline content by @julien-deramond in twbs/bootstrap#41654

Migrate MyGet script to GH actions by @supergibbs in twbs/bootstrap#41583

Revert "Attempt to return focus explicitly to dropdown trigger" by @mdo in twbs/bootstrap#41668

docs: Minor range example code optimization by @coliff in twbs/bootstrap#41665

Remove Themes from docs by @mdo in twbs/bootstrap#41671

Release v5.3.8 by @mdo in twbs/bootstrap#41669

Dependencies

Build(deps-dev): Bump the development-dependencies group with 3 updates by @julien-deramond in twbs/bootstrap#41540

Build(deps-dev): Bump the development-dependencies group with 2 updates by @julien-deramond in twbs/bootstrap#41544

Build(deps-dev): Bump stylelint-config-twbs-bootstrap from 16.0.0 to 16.1.0 by @julien-deramond in twbs/bootstrap#41546

Build(deps-dev): Bump the development-dependencies group with 5 updates by @julien-deramond in twbs/bootstrap#41552

Build(deps-dev): Bump the development-dependencies group with 4 updates by @julien-deramond in twbs/bootstrap#41560

Build(deps-dev): Bump the development-dependencies group with 3 updates by @julien-deramond in twbs/bootstrap#41566

Build(deps): Bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot[bot] in twbs/bootstrap#41594

Build(deps-dev): Bump the development-dependencies group with 4 updates by @julien-deramond in twbs/bootstrap#41599

Build(deps-dev): Bump the development-dependencies group with 2 updates by @julien-deramond in twbs/bootstrap#41609

Build(deps): Bump github/codeql-action from 3.29.2 to 3.29.3 by @dependabot[bot] in twbs/bootstrap#41611

Build(deps): Bump streetsidesoftware/cspell-action from 7.1.1 to 7.1.2 by @dependabot[bot] in twbs/bootstrap#41610

Build(deps-dev): Bump the development-dependencies group with 4 updates by @julien-deramond in twbs/bootstrap#41621

Build(deps): Bump streetsidesoftware/cspell-action from 7.1.2 to 7.2.0 by @dependabot[bot] in twbs/bootstrap#41625

Build(deps): Bump actions-cool/issues-helper from 3.6.0 to 3.6.2 by @dependabot[bot] in twbs/bootstrap#41623

Build(deps): Bump github/codeql-action from 3.29.3 to 3.29.4 by @dependabot[bot] in twbs/bootstrap#41624

Build(deps-dev): Bump the development-dependencies group across 1 directory with 3 updates by @dependabot[bot] in twbs/bootstrap#41626

Build(deps): Bump github/codeql-action from 3.29.4 to 3.29.5 by @dependabot[bot] in twbs/bootstrap#41640

Build(deps): Bump tmp from 0.2.3 to 0.2.4 by @dependabot[bot] in twbs/bootstrap#41649

Build(deps): Bump github/codeql-action from 3.29.7 to 3.29.8 by @dependabot[bot] in twbs/bootstrap#41657

Build(deps): Bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in twbs/bootstrap#41655

Build(deps): Bump github/codeql-action from 3.29.8 to 3.29.10 by @dependabot[bot] in twbs/bootstrap#41664

New Contributors

@chalin made their first contribution in twbs/bootstrap#41545

Full Changelog: twbs/bootstrap@v5.3.7...v5.3.8

Commits

25aa8cc Release v5.3.8 (#41669)
122bff5 Remove Themes from docs (#41671)
320f713 docs: Minor range example code optimization (#41665)
ac5f51c Revert "Attempt to return focus explicitly to dropdown trigger (#41365)" (#41...
4bd8b6c Migrate MyGet script to GH actions (#41583)
f50f38b CSS: Fix spinner deformation in flex boxes when content is multiline (#41654)
47c75b8 Set cursor pointer on input search cancel button (#41639)
26c86ba Build(deps): Bump github/codeql-action from 3.29.8 to 3.29.10 (#41664)
099b02b Build(deps-dev): Bump rollup from 4.46.2 to 4.46.3
4b8a2c9 Build(deps-dev): bump dependencies
Additional commits viewable in compare view

Updates dayjs from 1.11.13 to 1.11.20

Release notes

Sourced from dayjs's releases.

v1.11.20

1.11.20 (2026-03-12)

Bug Fixes

Update locale km.js to support meridiem (#3017) (9d2b6a1)

update updateLocale plugin to merge nested object properties instead of replacing (#3012) (99691c5), closes #1118

v1.11.19

1.11.19 (2025-10-31)

Bug Fixes

added usage warnings for diff + updated unit tests (#2948) (269a7a9)

dont instantiate regexes within ar locale functions to avoid performance overhead (#2898) (af5e9f0)

replace italian locale "un' ora fa" with "un'ora fa", add tests for it (#2930) (9e9f76c)

Updated Belarusian locale with relative time (#2656) (1d8746c)

v1.11.18

1.11.18 (2025-08-30)

Bug Fixes

error semantic-release dependency (8cfb313)

v1.11.17

1.11.17 (2025-08-29)

Bug Fixes

[en-AU] locale use the same ordinal as moment (#2878) (1b95ecd)

v1.11.16

1.11.16 (2025-08-29)

Bug Fixes

test release workflow (no code changes) (c38c428)

v1.11.15

1.11.15 (2025-08-28)

Bug Fixes

... (truncated)

Changelog

Sourced from dayjs's changelog.

1.11.20 (2026-03-12)

Bug Fixes

Update locale km.js to support meridiem (#3017) (9d2b6a1)

update updateLocale plugin to merge nested object properties instead of replacing (#3012) (99691c5), closes #1118

1.11.19 (2025-10-31)

Bug Fixes

added usage warnings for diff + updated unit tests (#2948) (269a7a9)

dont instantiate regexes within ar locale functions to avoid performance overhead (#2898) (af5e9f0)

replace italian locale "un' ora fa" with "un'ora fa", add tests for it (#2930) (9e9f76c)

Updated Belarusian locale with relative time (#2656) (1d8746c)

1.11.18 (2025-08-30)

Bug Fixes

error semantic-release dependency (8cfb313)

1.11.17 (2025-08-29)

Bug Fixes

[en-AU] locale use the same ordinal as moment (#2878) (1b95ecd)

1.11.16 (2025-08-29)

Bug Fixes

test release workflow (no code changes) (c38c428)

1.11.15 (2025-08-28)

Bug Fixes

Fix misspellings in Irish or Irish Gaelic [ga] (#2861) (9c14a42)

1.11.14 (2025-08-27)

Bug Fixes

... (truncated)

Commits

af6e1f8 chore(release): 1.11.20 [skip ci]
82babd6 D2M (#3018)
bbe4ab1 chore: fix lint error
99691c5 fix: update updateLocale plugin to merge nested object properties instead of ...
9d2b6a1 fix: Update locale km.js to support meridiem (#3017)
acf21cd chore: update doc
55a64e1 chore: update doc
807face chore: update doc
54f4470 chore: update doc
9ea23c7 chore: update doc
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for dayjs since your current version.

Updates postcss from 8.5.6 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

33b9790 Release 8.5.10 version
536c79e Escape </style> in CSS output (#2074)
afa96b2 Update dependencies (#2073)
effe88b Typo (#2072)
3ee79a2 Thread model (#2071)
2e0683d Create incident response docs (#2070)
fe88ac2 Release 8.5.9 version
c551632 Avoid RegExp when we can use simple JS
89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
6ceb8a4 Create SECURITY.md
Additional commits viewable in compare view

Updates react from 19.1.0 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

Add more cycle protections (#36236 by @eps1lon and @unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @gnoff, @lubieowoce, @sebmarkbage, @unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

Add extra loop protection to React Server Functions (@sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@eps1lon facebook/react#35290)

Patch Promise cycles and toString on Server Functions (@sebmarkbage, @unstubbable #35289, #35345)

19.2.1 (December 3rd, 2025)

React Server Components

Bring React Server Component fixes to Server Actions (@sebmarkbage #35277)

19.2.0 (Oct 1, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

<Activity>: A new API to hide and restore the UI and internal state of its children.

useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.

cacheSignal (for RSCs) lets your know when the cache() lifetime is over.

React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

Added resume APIs for partial pre-rendering with Web Streams:

resume: to resume a prerender to a stream.

resumeAndPrerender: to resume a prerender to HTML.

Added resume APIs for partial pre-rendering with Node Streams:

resumeToPipeableStream: to resume a prerender to a stream.

resumeAndPrerenderToNodeStream: to resume a prerender to HTML.

Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.

... (truncated)

Changelog

Sourced from react's changelog.

19.2.1 (Dec 3, 2025)

React Server Components

Bring React Server Component fixes to Server Actions (@sebmarkbage #35277)

19.2.0 (October 1st, 2025)

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

<Activity>: A new API to hide and restore the UI and internal state of its children.

useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.

cacheSignal (for RSCs) lets your know when the cache() lifetime is over.

React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

Added resume APIs for partial pre-rendering with Web Streams:

resume: to resume a prerender to a stream.

resumeAndPrerender: to resume a prerender to HTML.

Added resume APIs for partial pre-rendering with Node Streams:

resumeToPipeableStream: to resume a prerender to a stream.

resumeAndPrerenderToNodeStream: to resume a prerender to HTML.

Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.

Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js

Use underscore instead of : IDs generated by useId

All Changes

React

<Activity /> was developed over many years, starting before ClassComponent.setState (@acdlite @sebmarkbage and many others)

Stringify context as "SomeContext" instead of "SomeContext.Provider" (@kassens #33507)

Include stack of cause of React instrumentation errors with %o placeholder (@eps1lon #34198)

Fix infinite useDeferredValue loop in popstate event (@acdlite #32821)

Fix a bug when an initial value was passed to useDeferredValue (@acdlite #34376)

Fix a crash when submitting forms with Client Actions (@sebmarkbage #33055)

Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@sebmarkbage #32900)

Avoid stack overflow on wide trees during Hot Reload (@sophiebits #34145)

Improve Owner and Component stacks in various places (@sebmarkbage, @eps1lon: #33629, #33724, #32735, #33723)

Add cacheSignal (@sebmarkbage #33557)

... (truncated)

Commits

23f4f9f 19.2.5
90ab3f8 Version 19.2.4
612e371 Version 19.2.3
b910fc1 Version 19.2.2
053df4e Version 19.2.1
5667a41 Bump next prerelease version numbers (#34639)
8bb7241 Bump useEffectEvent to Canary (#34610)
e3c9656 Ensure Performance Track are Clamped and Don't overlap (#34509)
68f00c9 Release Activity in Canary (#34374)
0e10ee9 [Reconciler] Set ProfileMode for Host Root Fiber by default in dev (#34432)
Additional commits viewable in compare view

Updates @types/react from 19.1.8 to 19.2.14

Commits

See full diff in compare view

Updates react-dom from 19.1.0 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

Add more cycle protections (#36236 by

binos30 · 2026-04-23T07:49:22Z

@dependabot rebase

Bumps the npm group with 21 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@hookform/resolvers](https://github.com/react-hook-form/resolvers) | `5.1.1` | `5.2.2` | | [@hotwired/turbo-rails](https://github.com/hotwired/turbo-rails) | `8.0.16` | `8.0.23` | | [autoprefixer](https://github.com/postcss/autoprefixer) | `10.4.21` | `10.5.0` | | [axios](https://github.com/axios/axios) | `1.10.0` | `1.15.2` | | [bootstrap](https://github.com/twbs/bootstrap) | `5.3.7` | `5.3.8` | | [dayjs](https://github.com/iamkun/dayjs) | `1.11.13` | `1.11.20` | | [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.10` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.1.0` | `19.2.5` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.1.8` | `19.2.14` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.1.0` | `19.2.5` | | [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.58.1` | `7.73.1` | | [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.6.2` | `7.14.2` | | [sass](https://github.com/sass/dart-sass) | `1.89.2` | `1.99.0` | | [yup](https://github.com/jquense/yup) | `1.6.1` | `1.7.1` | | [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.29.0` | `10.0.1` | | [esbuild](https://github.com/evanw/esbuild) | `0.25.5` | `0.28.0` | | [eslint](https://github.com/eslint/eslint) | `9.29.0` | `10.2.1` | | [eslint-formatter-gha](https://github.com/sjinks/eslint-gha-formatter) | `1.5.2` | `2.0.1` | | [globals](https://github.com/sindresorhus/globals) | `16.2.0` | `17.5.0` | | [nodemon](https://github.com/remy/nodemon) | `3.1.10` | `3.1.14` | | [prettier](https://github.com/prettier/prettier) | `3.5.3` | `3.8.3` | Updates `@hookform/resolvers` from 5.1.1 to 5.2.2 - [Release notes](https://github.com/react-hook-form/resolvers/releases) - [Commits](react-hook-form/resolvers@v5.1.1...v5.2.2) Updates `@hotwired/turbo-rails` from 8.0.16 to 8.0.23 - [Release notes](https://github.com/hotwired/turbo-rails/releases) - [Commits](https://github.com/hotwired/turbo-rails/commits) Updates `autoprefixer` from 10.4.21 to 10.5.0 - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](postcss/autoprefixer@10.4.21...10.5.0) Updates `axios` from 1.10.0 to 1.15.2 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.10.0...v1.15.2) Updates `bootstrap` from 5.3.7 to 5.3.8 - [Release notes](https://github.com/twbs/bootstrap/releases) - [Commits](twbs/bootstrap@v5.3.7...v5.3.8) Updates `dayjs` from 1.11.13 to 1.11.20 - [Release notes](https://github.com/iamkun/dayjs/releases) - [Changelog](https://github.com/iamkun/dayjs/blob/dev/CHANGELOG.md) - [Commits](iamkun/dayjs@v1.11.13...v1.11.20) Updates `postcss` from 8.5.6 to 8.5.10 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.6...8.5.10) Updates `react` from 19.1.0 to 19.2.5 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react) Updates `@types/react` from 19.1.8 to 19.2.14 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.1.0 to 19.2.5 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react-dom) Updates `react-hook-form` from 7.58.1 to 7.73.1 - [Release notes](https://github.com/react-hook-form/react-hook-form/releases) - [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md) - [Commits](react-hook-form/react-hook-form@v7.58.1...v7.73.1) Updates `react-router-dom` from 7.6.2 to 7.14.2 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.14.2/packages/react-router-dom) Updates `sass` from 1.89.2 to 1.99.0 - [Release notes](https://github.com/sass/dart-sass/releases) - [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md) - [Commits](sass/dart-sass@1.89.2...1.99.0) Updates `yup` from 1.6.1 to 1.7.1 - [Release notes](https://github.com/jquense/yup/releases) - [Changelog](https://github.com/jquense/yup/blob/master/CHANGELOG.md) - [Commits](https://github.com/jquense/yup/commits) Updates `@eslint/js` from 9.29.0 to 10.0.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js) Updates `@types/react` from 19.1.8 to 19.2.14 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `esbuild` from 0.25.5 to 0.28.0 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2025.md) - [Commits](evanw/esbuild@v0.25.5...v0.28.0) Updates `eslint` from 9.29.0 to 10.2.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v9.29.0...v10.2.1) Updates `eslint-formatter-gha` from 1.5.2 to 2.0.1 - [Release notes](https://github.com/sjinks/eslint-gha-formatter/releases) - [Commits](sjinks/eslint-gha-formatter@v1.5.2...v2.0.1) Updates `globals` from 16.2.0 to 17.5.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](sindresorhus/globals@v16.2.0...v17.5.0) Updates `nodemon` from 3.1.10 to 3.1.14 - [Release notes](https://github.com/remy/nodemon/releases) - [Commits](remy/nodemon@v3.1.10...v3.1.14) Updates `prettier` from 3.5.3 to 3.8.3 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@3.5.3...3.8.3) --- updated-dependencies: - dependency-name: "@hookform/resolvers" dependency-version: 5.2.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@hotwired/turbo-rails" dependency-version: 8.0.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: autoprefixer dependency-version: 10.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: axios dependency-version: 1.15.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: bootstrap dependency-version: 5.3.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: dayjs dependency-version: 1.11.20 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: postcss dependency-version: 8.5.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: react dependency-version: 19.2.5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@types/react" dependency-version: 19.2.14 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: react-dom dependency-version: 19.2.5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: react-hook-form dependency-version: 7.73.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: react-router-dom dependency-version: 7.14.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: sass dependency-version: 1.99.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: yup dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@eslint/js" dependency-version: 10.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: npm - dependency-name: "@types/react" dependency-version: 19.2.14 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: esbuild dependency-version: 0.28.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: eslint dependency-version: 10.2.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: npm - dependency-name: eslint-formatter-gha dependency-version: 2.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: npm - dependency-name: globals dependency-version: 17.5.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: npm - dependency-name: nodemon dependency-version: 3.1.14 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: prettier dependency-version: 3.8.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 23, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-01e1662cea branch from 2d3b211 to 4e02bef Compare April 23, 2026 07:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm group across 1 directory with 21 updates#73

Bump the npm group across 1 directory with 21 updates#73
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-01e1662cea

dependabot Bot commented on behalf of github Apr 23, 2026 •

edited

Loading

Uh oh!

binos30 commented Apr 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.2.2

5.2.2 (2025-09-14)

Bug Fixes

v5.2.1

5.2.1 (2025-07-29)

Bug Fixes

v5.2.0

5.2.0 (2025-07-25)

Features

10.5.0 “Each Endeavouring, All Achieving”

10.4.27

10.4.26

10.4.25

10.4.24

10.4.23

10.4.22

10.5.0 “Each Endeavouring, All Achieving”

10.4.27

10.4.26

10.4.25

10.4.24

10.4.23

10.4.22

v1.15.2

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

v1.15.1

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

v1.15.2 - April 21, 2026

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

v1.15.1 - April 19, 2026

🔒 Security Fixes

🚀 New Features

v5.3.8

What's Changed

Dependencies

New Contributors

v1.11.20

1.11.20 (2026-03-12)

Bug Fixes

v1.11.19

1.11.19 (2025-10-31)

Bug Fixes

v1.11.18

1.11.18 (2025-08-30)

Bug Fixes

v1.11.17

1.11.17 (2025-08-29)

Bug Fixes

v1.11.16

1.11.16 (2025-08-29)

Bug Fixes

v1.11.15

1.11.15 (2025-08-28)

Bug Fixes

1.11.20 (2026-03-12)

Bug Fixes

1.11.19 (2025-10-31)

Bug Fixes

1.11.18 (2025-08-30)

Bug Fixes

1.11.17 (2025-08-29)

Bug Fixes

1.11.16 (2025-08-29)

Bug Fixes

1.11.15 (2025-08-28)

Bug Fixes

1.11.14 (2025-08-27)

Bug Fixes

8.5.10

dependabot Bot commented on behalf of github Apr 23, 2026 •

edited

Loading