fix(deps): update react monorepo to v19.2.5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react (source)	19.2.4 → 19.2.5
react-dom (source)	19.2.4 → 19.2.5

---

Release Notes

facebook/react (react)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🚀 Preview deployment ready!

✅ Preview URL: https://pr-1493---web-njpdbbjcea-an.a.run.app
📝 Commit SHA: 053d8d8 (view commit)

This comment was automatically generated by the deploy-preview workflow.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Change:

• react: 19.2.4 → 19.2.5
• react-dom: 19.2.4 → 19.2.5

Release Date: April 8, 2026

Changes in React 19.2.5:

• React Server Components: Added more cycle protections to address security vulnerabilities in Server Functions (#36236)
  • This is a targeted security fix for React Server Components (RSC) Flight feature
  • Fixes security vulnerabilities specifically in Server Functions
  • Zero bundle size impact across all production builds

Breaking Changes: None

Security Fixes: Yes - security vulnerabilities in Server Functions were addressed

🎯 Impact Scope Investigation

React Usage in Codebase:

This project uses React in a limited, client-side capacity through Astro's React integration:

1. React Components (Client-side only):

   • src/components/ArticleSummarizer.tsx - AI summarization UI using Chrome Summarizer API
   • src/components/LikeButton.tsx - Like button with optimistic updates
   • src/components/TTSControls.tsx - Text-to-speech controls using Web Speech API
   • src/components/FormattedDate.tsx - Date formatting component
   • src/libs/og-image/image.tsx - OG image generation (using satori)

2. Testing Environment:

   • @testing-library/react 16.3.2 for component testing
   • Test files: src/components/LikeButton.spec.tsx, src/libs/og-image/image.test.tsx

3. Integration Method:

   • Using @astrojs/react 5.0.3 for client-side component hydration
   • Static site generation (output: 'static')
   • react-dom/server.edge alias in production for React 19 compatibility

Impact Analysis:

✅ No React Server Components (RSC) or Server Functions in use

• No "use server" or "use client" directives found in the codebase
• All React components are client-side only, hydrated by Astro
• The security fix in v19.2.5 targets RSC Flight feature, which is not used in this project

✅ No Breaking Changes

• Patch version update (19.2.4 → 19.2.5)
• Zero bundle size changes reported in React's release
• Backward compatibility maintained

✅ No API Changes

• All existing React hooks and patterns remain unchanged
• No migration required for useState, useEffect, useCallback, useRef usage
• @testing-library/react compatibility maintained

💡 Recommended Actions

Immediate Actions:

1. ✅ Safe to merge immediately - This is a security patch with no breaking changes
2. Run existing tests to verify compatibility: pnpm test:libs
3. Merge the PR to benefit from the security improvements

Post-Merge Verification:

1. Verify that all interactive components function correctly:
   • ArticleSummarizer (AI summary generation)
   • LikeButton (like/unlike functionality)
   • TTSControls (text-to-speech)
2. Run the development server to ensure no runtime issues: pnpm dev
3. Check that OG image generation still works correctly

Notes:

• Although this project doesn't use React Server Components, keeping React updated ensures access to the latest security patches
• The change is purely additive (more cycle protections) and doesn't modify existing behavior for client-side React usage
• No code changes required in the application

🔗 Reference Links

• React 19.2.5 Release Notes
• PR #36236: [Flight] Add more cycle protections
• React 19.2.4...19.2.5 Comparison

Generated by koki-develop/claude-renovate-review

---

🚫 Permission Denied Tool Executions

The following tool executions that Claude Code attempted were blocked due to insufficient permissions.
Consider adding them to allowed_tools if needed.

Run #24369763003 - 1 tool denied

Tool	Input
WebSearch	{"query":"React 19.2.5 release cycle protections server components security fix changelog"}

Generated by koki-develop/claude-denied-tools