Bump react from 18.3.1 to 19.0.0

[dependabot]

Bumps react from 18.3.1 to 19.0.0.

Release notes

Sourced from react's releases.

19.0.0 (December 5, 2024)

Below is a list of all new features, APIs, deprecations, and breaking changes. Read React 19 release post and React 19 upgrade guide for more information.

Note: To help make the upgrade to React 19 easier, we’ve published a [email protected] release that is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19. We recommend upgrading to React 18.3.1 first to help identify any issues before upgrading to React 19.

New Features

React

• Actions: startTransition can now accept async functions. Functions passed to startTransition are called “Actions”. A given Transition can include one or more Actions which update state in the background and update the UI with one commit. In addition to updating state, Actions can now perform side effects including async requests, and the Action will wait for the work to finish before finishing the Transition. This feature allows Transitions to include side effects like fetch() in the pending state, and provides support for error handling, and optimistic updates.
• useActionState: is a new hook to order Actions inside of a Transition with access to the state of the action, and the pending state. It accepts a reducer that can call Actions, and the initial state used for first render. It also accepts an optional string that is used if the action is passed to a form action prop to support progressive enhancement in forms.
• useOptimistic: is a new hook to update state while a Transition is in progress. It returns the state, and a set function that can be called inside a transition to “optimistically” update the state to expected final value immediately while the Transition completes in the background. When the transition finishes, the state is updated to the new value.
• use: is a new API that allows reading resources in render. In React 19, use accepts a promise or Context. If provided a promise, use will suspend until a value is resolved. use can only be used in render but can be called conditionally.
• ref as a prop: Refs can now be used as props, removing the need for forwardRef.
• Suspense sibling pre-warming: When a component suspends, React will immediately commit the fallback of the nearest Suspense boundary, without waiting for the entire sibling tree to render. After the fallback commits, React will schedule another render for the suspended siblings to “pre-warm” lazy requests.

React DOM Client

• <form> action prop: Form Actions allow you to manage forms automatically and integrate with useFormStatus. When a <form> action succeeds, React will automatically reset the form for uncontrolled components. The form can be reset manually with the new requestFormReset API.
• <button> and <input> formAction prop: Actions can be passed to the formAction prop to configure form submission behavior. This allows using different Actions depending on the input.
• useFormStatus: is a new hook that provides the status of the parent <form> action, as if the form was a Context provider. The hook returns the values: pending, data, method, and action.
• Support for Document Metadata: We’ve added support for rendering document metadata tags in components natively. React will automatically hoist them into the <head> section of the document.
• Support for Stylesheets: React 19 will ensure stylesheets are inserted into the <head> on the client before revealing the content of a Suspense boundary that depends on that stylesheet.
• Support for async scripts: Async scripts can be rendered anywhere in the component tree and React will handle ordering and deduplication.
• Support for preloading resources: React 19 ships with preinit, preload, prefetchDNS, and preconnect APIs to optimize initial page loads by moving discovery of additional resources like fonts out of stylesheet loading. They can also be used to prefetch resources used by an anticipated navigation.

React DOM Server

• Added prerender and prerenderToNodeStream APIs for static site generation. They are designed to work with streaming environments like Node.js Streams and Web Streams. Unlike renderToString, they wait for data to load for HTML generation.

React Server Components

• RSC features such as directives, server components, and server functions are now stable. This means libraries that ship with Server Components can now target React 19 as a peer dependency with a react-server export condition for use in frameworks that support the Full-stack React Architecture. The underlying APIs used to implement a React Server Components bundler or framework do not follow semver and may break between minors in React 19.x. See docs for how to support React Server Components.

Deprecations

• Deprecated: element.ref access: React 19 supports ref as a prop, so we’re deprecating element.ref in favor of element.props.ref. Accessing will result in a warning.
• react-test-renderer: In React 19, react-test-renderer logs a deprecation warning and has switched to concurrent rendering for web usage. We recommend migrating your tests to @​testinglibrary.com/docs/react-testing-library/intro/) or @​testingesting-library.com/docs/react-native-testing-library/intro)

Breaking Changes

React 19 brings in a number of breaking changes, including the removals of long-deprecated APIs. We recommend first upgrading to 18.3.1, where we've added additional deprecation warnings. Check out the upgrade guide for more details and guidance on codemodding.

React

• New JSX Transform is now required: We introduced a new JSX transform in 2020 to improve bundle size and use JSX without importing React. In React 19, we’re adding additional improvements like using ref as a prop and JSX speed improvements that require the new transform.
• Errors in render are not re-thrown: Errors that are not caught by an Error Boundary are now reported to window.reportError. Errors that are caught by an Error Boundary are reported to console.error. We’ve introduced onUncaughtError and onCaughtError methods to createRoot and hydrateRoot to customize this error handling.
• Removed: propTypes: Using propTypes will now be silently ignored. If required, we recommend migrating to TypeScript or another type-checking solution.
• Removed: defaultProps for functions: ES6 default parameters can be used in place. Class components continue to support defaultProps since there is no ES6 alternative.
• Removed: contextTypes and getChildContext: Legacy Context for class components has been removed in favor of the contextType API.

... (truncated)

Changelog

Sourced from react's changelog.

19.0.0 (December 5, 2024)

Below is a list of all new features, APIs, deprecations, and breaking changes. Read React 19 release post and React 19 upgrade guide for more information.

Note: To help make the upgrade to React 19 easier, we’ve published a [email protected] release that is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19. We recommend upgrading to React 18.3.1 first to help identify any issues before upgrading to React 19.

New Features

React

• Actions: startTransition can now accept async functions. Functions passed to startTransition are called “Actions”. A given Transition can include one or more Actions which update state in the background and update the UI with one commit. In addition to updating state, Actions can now perform side effects including async requests, and the Action will wait for the work to finish before finishing the Transition. This feature allows Transitions to include side effects like fetch() in the pending state, and provides support for error handling, and optimistic updates.
• useActionState: is a new hook to order Actions inside of a Transition with access to the state of the action, and the pending state. It accepts a reducer that can call Actions, and the initial state used for first render. It also accepts an optional string that is used if the action is passed to a form action prop to support progressive enhancement in forms.
• useOptimistic: is a new hook to update state while a Transition is in progress. It returns the state, and a set function that can be called inside a transition to “optimistically” update the state to expected final value immediately while the Transition completes in the background. When the transition finishes, the state is updated to the new value.
• use: is a new API that allows reading resources in render. In React 19, use accepts a promise or Context. If provided a promise, use will suspend until a value is resolved. use can only be used in render but can be called conditionally.
• ref as a prop: Refs can now be used as props, removing the need for forwardRef.
• Suspense sibling pre-warming: When a component suspends, React will immediately commit the fallback of the nearest Suspense boundary, without waiting for the entire sibling tree to render. After the fallback commits, React will schedule another render for the suspended siblings to “pre-warm” lazy requests.

React DOM Client

• <form> action prop: Form Actions allow you to manage forms automatically and integrate with useFormStatus. When a <form> action succeeds, React will automatically reset the form for uncontrolled components. The form can be reset manually with the new requestFormReset API.
• <button> and <input> formAction prop: Actions can be passed to the formAction prop to configure form submission behavior. This allows using different Actions depending on the input.
• useFormStatus: is a new hook that provides the status of the parent <form> action, as if the form was a Context provider. The hook returns the values: pending, data, method, and action.
• Support for Document Metadata: We’ve added support for rendering document metadata tags in components natively. React will automatically hoist them into the <head> section of the document.
• Support for Stylesheets: React 19 will ensure stylesheets are inserted into the <head> on the client before revealing the content of a Suspense boundary that depends on that stylesheet.
• Support for async scripts: Async scripts can be rendered anywhere in the component tree and React will handle ordering and deduplication.
• Support for preloading resources: React 19 ships with preinit, preload, prefetchDNS, and preconnect APIs to optimize initial page loads by moving discovery of additional resources like fonts out of stylesheet loading. They can also be used to prefetch resources used by an anticipated navigation.

React DOM Server

• Added prerender and prerenderToNodeStream APIs for static site generation. They are designed to work with streaming environments like Node.js Streams and Web Streams. Unlike renderToString, they wait for data to load for HTML generation.

React Server Components

• RSC features such as directives, server components, and server functions are now stable. This means libraries that ship with Server Components can now target React 19 as a peer dependency with a react-server export condition for use in frameworks that support the Full-stack React Architecture. The underlying APIs used to implement a React Server Components bundler or framework do not follow semver and may break between minors in React 19.x. See docs for how to support React Server Components.

Deprecations

• Deprecated: element.ref access: React 19 supports ref as a prop, so we’re deprecating element.ref in favor of element.props.ref. Accessing will result in a warning.
• react-test-renderer: In React 19, react-test-renderer logs a deprecation warning and has switched to concurrent rendering for web usage. We recommend migrating your tests to @​testing-library/react or @​testing-library/react-native

Breaking Changes

React 19 brings in a number of breaking changes, including the removals of long-deprecated APIs. We recommend first upgrading to 18.3.1, where we've added additional deprecation warnings. Check out the upgrade guide for more details and guidance on codemodding.

React

• New JSX Transform is now required: We introduced a new JSX transform in 2020 to improve bundle size and use JSX without importing React. In React 19, we’re adding additional improvements like using ref as a prop and JSX speed improvements that require the new transform.
• Errors in render are not re-thrown: Errors that are not caught by an Error Boundary are now reported to window.reportError. Errors that are caught by an Error Boundary are reported to console.error. We’ve introduced onUncaughtError and onCaughtError methods to createRoot and hydrateRoot to customize this error handling.
• Removed: propTypes: Using propTypes will now be silently ignored. If required, we recommend migrating to TypeScript or another type-checking solution.
• Removed: defaultProps for functions: ES6 default parameters can be used in place. Class components continue to support defaultProps since there is no ES6 alternative.

... (truncated)

Commits

• e137890 [string-refs] cleanup string ref code (#31443)
• d1f0472 [string-refs] remove enableLogStringRefsProd flag (#31414)
• 3dc1e48 Followup: remove dead test code from #30346 (#31415)
• 07aa494 Remove enableRefAsProp feature flag (#30346)
• 45804af [flow] Eliminate usage of more than 1-arg React.AbstractComponent in React ...
• 5636fad [string-refs] log string ref from prod (#31161)
• b78a7f2 [rcr] Re-export useMemoCache in top level React namespace (#31139)
• 4e9540e [Fiber] Log the Render/Commit phases and the gaps in between (#31016)
• d4688df [Fiber] Track Event Time, startTransition Time and setState Time (#31008)
• 15da917 Don't read currentTransition back from internals (#30991)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected] ➜ 19.0.0	None	0	0 B

View full report↗︎

[BrandtH22]

pending docusaurus compatibility

[BrandtH22]

@dependabot rebase

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
AI-detected potential code anomaly	npm/[email protected]	Notes: The code is obfuscated, which may lead to unexpected anomalies. No immediate malicious behavior is found, however caution is advised. Confidence: 1.00 Severity: 0.60	package-lock.json package.json	⚠︎
License Policy Violation	npm/[email protected]	License: CC-BY-4.0 (npm metadata) License: CC-BY-4.0 (package/LICENSE) License: CC-BY-4.0 (package/package.json)	package-lock.json package.json	⚠︎

View full report↗︎

Next steps

What is an AI-detected potential code anomaly?

AI has identified unusual behaviors that may pose a security risk.

An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

What is a license policy violation?

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]

[dependabot]

Superseded by #780.