
Bump react-dom from 19.2.4 to 19.2.5 #485

Closed
dependabot[bot] wants to merge 1 commit into main from
dependabot/npm_and_yarn/react-dom-19.2.5

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps react-dom from 19.2.4 to 19.2.5.

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency-only change updating react-dom (and corresponding lockfile react/peer dependency entries) with no application code modifications.

Overview
Bumps the React DOM dependency to 19.2.5 in package.json.

Updates package-lock.json to match, including refreshed react/react-dom resolved versions, integrity hashes, and react-dom peer dependency range.

Reviewed by Cursor Bugbot for commit b8f368f. Bugbot is set up for automated code reviews on this repo.

Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 19.2.4 to 19.2.5.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react-dom)

---
updated-dependencies:
- dependency-name: react-dom
  dependency-version: 19.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Changed (required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (pull requests that update a dependency file) and javascript (pull requests that update Javascript code) labels Apr 21, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | react@19.2.4 ⏵ 19.2.5 | 100 | 100 | 84 | 97 | 100 |
| Updated | react-dom@19.2.4 ⏵ 19.2.5 | 100 | 100 | 92 | 98 | 100 |


@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying the lockfile entry for react-dom (resolved URL, scripts) to support the review.

Verdict: benign

Evidence

  • Scanner: Report status is clean with 0 unicode, confusable, IOC, and heuristic findings over 14 upstream files between tagged commits 90ab3f89…23f4f9f… (matches the v19.2.5 release commit). No disagreement with manual checklist review.
  • Source & scope: Patch 19.2.4 → 19.2.5 from facebook/react; changed paths are normal monorepo release churn (version bumps in packages/*/package.json, ReactVersions.js, and packages/react-server/src/ReactFlightReplyServer.js, which matches the stated RSC “cycle protections” fix—not random or unrelated files).
  • Lockfile: react-dom resolves to https://registry.npmjs.org/react-dom/-/react-dom-19.2.5.tgz with a standard integrity subresource hash; the node_modules/react-dom stanza shows no lifecycle scripts block in the lockfile (consistent with typical React packages).
  • Risk checklist: No typosquat, no unexpected hosts in the artifact metadata shown, no workflow-only PR pattern described, and the change is a single-patch semver step aligned with public release notes.

Action: Safe to merge from a supply-chain perspective if CI passes; optionally keep react on the same 19.2.x line as react-dom’s peer (^19.2.5) to avoid peer warnings, which is a normal hygiene check—not a malware signal.

Compatibility Analysis

Searching the codebase for react-dom usage and checking react version alignment.

1) Where react-dom shows up

  • Declared dependency: package.json lists react-dom at ^19.2.5 alongside Docusaurus and other React libraries.
  • Lockfile: package-lock.json resolves react-dom to 19.2.5 (and react is also 19.2.5).
  • Application source: No import / require of react-dom in src/ (or other app TS/JS). Components (Runnable.tsx, Quiz.tsx, stringify.ts) import only from react.
  • Effective use: Supplied for the Docusaurus / React 19 client runtime (hydration, etc.); your code does not call react-dom APIs directly.

2) Overlap with 19.2.5 changes

  • Release notes emphasize React Server Components: “more cycle protections” (facebook/react#36236), i.e. internal Flight / RSC handling, not a documented public API change to createRoot, hydrateRoot, etc.
  • Your repo does not implement RSC or import react-dom; any effect is framework-internal (Docusaurus + bundler). No clear intersection with code you own.

3) Risks / unknowns

  • Low: Patch within 19.2.x; react and react-dom are already matched at 19.2.5 in the lockfile.
  • Residual: If Docusaurus or a plugin relied on a very specific RSC/Flight edge case, behavior could shift slightly (e.g. stricter cycle detection). That is theoretical for a typical Docusaurus doc site and would surface as build/runtime errors in CI, not as silent data bugs in your snippets.

4) Recommendation

Merge — patch bump, aligned react/react-dom, no direct react-dom usage; changelog points to defensive RSC fixes, which are appropriate to take and low risk for this project. Rely on your usual CI build (docusaurus build) as the final gate.


Malware Scan Summary

  • Status: clean
  • Warn only mode: true
  • Changed upstream files scanned: 14
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 90ab3f89f4824ac763b6f877c6f711200d1338d2..23f4f9f30da9e9af2108c18bb197bae75ab584ea
  • Resolved refs: from=90ab3f89f4824ac763b6f877c6f711200d1338d2 to=23f4f9f30da9e9af2108c18bb197bae75ab584ea
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 0
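The lockfile checks the Cursor review above describes (resolved registry host, tarball name, sha512 integrity, npm's install-script flag, and react/react-dom peer alignment), as an added example that is not part of the PR or of any bot's output. The package-lock.json fragment, the hostname allowlist and the placeholder integrity values are constructed, and the caret-range check is a simplified stand-in for a real semver library.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3 layout) modelled on
// the stanzas the review describes; integrity values are base64 placeholders.
const LOCK = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.2.5",
    resolved: "https://registry.npmjs.org/react/-/react-19.2.5.tgz",
    integrity: "sha512-cGxhY2Vob2xkZXItcmVhY3Q=" },
  "node_modules/react-dom": { version: "19.2.5",
    resolved: "https://registry.npmjs.org/react-dom/-/react-dom-19.2.5.tgz",
    integrity: "sha512-cGxhY2Vob2xkZXItcmVhY3QtZG9t",
    peerDependencies: { react: "^19.2.5" } },
} };
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]); // assumed allowlist
// Simplified caret test (^X.Y.Z => >=X.Y.Z <(X+1).0.0; major > 0 assumed), standing in for a semver library.
function satisfiesCaret(version, range) {
  const v = version.split(".").map(Number);
  const r = range.replace(/^\^/, "").split(".").map(Number);
  if (v[0] !== r[0]) return false;
  for (const i of [1, 2]) if (v[i] !== r[i]) return v[i] > r[i];
  return true;
}
// One stanza: resolved host allowed, tarball matches name@version, sha512
// integrity present, and npm's hasInstallScript flag absent.
function checkPackage(lock, path) {
  const entry = lock.packages[path];
  if (!entry) return [`${path}: not in lockfile`];
  const name = path.split("node_modules/").pop();
  const findings = []; let host = null;
  try { host = new URL(entry.resolved).hostname; } catch (_) { /* unparsable URL */ }
  if (!ALLOWED_HOSTS.has(host)) findings.push(`${path}: unexpected resolved host ${host}`);
  if (!String(entry.resolved).endsWith(`/${name}-${entry.version}.tgz`))
    findings.push(`${path}: tarball does not match ${name}@${entry.version}`);
  if (!/^sha512-[A-Za-z0-9+\/]+={0,2}$/.test(entry.integrity || ""))
    findings.push(`${path}: integrity missing or not sha512`);
  if (entry.hasInstallScript) findings.push(`${path}: declares an install script`);
  return findings;
}
// Each peer of `path` must be installed inside its declared caret range
// (react for react-dom's ^19.2.5 in this PR).
function checkPeers(lock, path) {
  const peers = (lock.packages[path] || {}).peerDependencies || {};
  const findings = [];
  for (const [peer, range] of Object.entries(peers)) {
    const installed = lock.packages[`node_modules/${peer}`];
    if (!installed) findings.push(`${path}: peer ${peer} not installed`);
    else if (!satisfiesCaret(installed.version, range))
      findings.push(`${path}: peer ${peer}@${installed.version} outside ${range}`);
  }
  return findings;
}
```

Run `checkPackage` and `checkPeers` over the real lockfile's `packages` map for each changed stanza; an empty findings list corresponds to the "clean" lockfile evidence in the review above.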


dependabot Bot commented on behalf of github Apr 28, 2026

Looks like react-dom is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 28, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/react-dom-19.2.5 branch April 28, 2026 20:45