Skip to content

fix(deps): update react monorepo (19.2.15 → 19.2.16)#299

Merged
joryirving merged 1 commit into
mainfrom
renovate/react-monorepo
Jun 2, 2026
Merged

fix(deps): update react monorepo (19.2.15 → 19.2.16)#299
joryirving merged 1 commit into
mainfrom
renovate/react-monorepo

Conversation

@its-miso

@its-miso its-miso Bot commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@types/react (source) 19.2.1519.2.16 age adoption passing confidence
react (source) 19.2.619.2.7 age adoption passing confidence
react-dom (source) 19.2.619.2.7 age adoption passing confidence

Release Notes

facebook/react (react)

v19.2.7: 19.2.7 (June 1st, 2026)

Compare Source

React Server Components

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@its-miso its-miso Bot added the type/patch label Jun 1, 2026

@its-saffron its-saffron Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI Automated Review

Analysis engine: MiniMax@https://litellm.jory.dev/v1 (anthropic)

Recommendation: Approve

This is a routine, low-risk Renovate dependency update for the React monorepo. The changes are confined to package-lock.json (10 +/- 10 lines) and contain no source code, no API surface changes, and no breaking changes.


Change-by-Change Findings

1. package-lock.json@types/react 19.2.15 → 19.2.16

  • Patch bump in the DefinitelyTyped type definitions for React.
  • New integrity hash sha512-esJiCAnl0kfpNdE69f3So4WJUXy95dLZydX0KwK46riIHDzHM7O9Vtf9xCHW0PXIqvgqNrswl522kA/5yx+F4w== is recorded.
  • Resolved URL https://registry.npmjs.org/@types/react/-/react-19.2.16.tgz looks well-formed.
  • No application source code references this version directly (repository impact scan finds no matches outside the lockfile).

2. package-lock.jsonreact 19.2.6 → 19.2.7

  • Patch bump. Verified via the GitHub Releases enrichment for facebook/react:
    • Tag v19.2.7, name "19.2.7 (June 1st, 2026)", published 2026-06-01T18:04:24Z.
    • Compare v19.2.6...v19.2.7 is ahead_by: 5, behind_by: 0 — a clean patch forward.
  • Release notes explicitly state: "Fixed missing FormData entries in Server Actions which regressed in 19.2.6" (PR react/react#36566 by @unstubbable). This is a regression fix, not a feature change — upgrading is strongly recommended over staying on 19.2.6.
  • New integrity hash recorded correctly. No new transitive dependency additions visible in the diff.

3. package-lock.jsonreact-dom 19.2.6 → 19.2.7

  • Same patch bump, same release artifact. Version and resolved URL updated consistently with the react upgrade.
  • Peer dependency inside the lockfile is updated from "react": "^19.2.6" to "react": "^19.2.7", which correctly aligns with the new react version. This is not a breaking change — ^19.2.7 still satisfies ^19.2.6 consumers (caret is upward-compatible within the same major).

4. No source files modified

  • Only package-lock.json is in the changeset (1 file, 10 +/- 10).
  • Repository impact scan confirms no other files reference the changed versions (e.g., no 19.2.6 or 19.2.15 strings outside the new lockfile entries).
  • The "No common manifest files changed in this PR" notice is consistent with what is shown — package.json is not part of the diff. This appears to be a lockfile-only update; if package.json truly was not updated, the semver ranges there must already permit the new versions (e.g., a ^19.2.0 or ~19.2.6 range). This is acceptable for a Renovate type/patch PR but is worth a quick sanity-check by the merger that package.json does indeed allow the new versions.

Sources

  • React 19.2.7 release: https://github.com/facebook/react/releases/tag/v19.2.7 — published 2026-06-01, regression fix for FormData in Server Actions, references PR react/react#36566.
  • Compare v19.2.6...v19.2.7: 5 commits ahead, 0 behind — clean patch.
  • Recent Releases list for facebook/react confirms the version progression 19.2.6 (May 6, 2026) → 19.2.7 (June 1, 2026) is the only change in this line since the prior Renovate bump (#134 at 19.2.15).
  • DefinitelyTyped is the publisher of @types/react; the version bump from 19.2.15 to 19.2.16 is a routine patch in the types-only package.

Standards Compliance

  • AGENTS.md explicitly lists "dependency updates" under NORMAL lane work examples, so this PR fits the standard NORMAL-lane dependency-update pattern.
  • No code standards (TypeScript, lint, Prisma, API design) are touched because no source code is changed.
  • No secrets, env files, or build artifacts are introduced.
  • The PR is opened by app/its-miso (a Renovate bot, per is_bot: true), targeting main from branch renovate/react-monorepo — matches the standard Renovate workflow used in prior PR #134 in the repo's git history.
  • Automerge is disabled by config with the note "Please merge this manually once you are satisfied," which is consistent with this being a patch-level bump that benefits from human confirmation but does not require deep review.

Linked Issue Fit

  • No linked issue was provided in the PR body or context. For a routine Renovate patch bump this is acceptable; there are no issue acceptance criteria to evaluate. The PR title (fix(deps): update react monorepo (19.2.15 → 19.2.16)) is conventional and accurately describes the change. No requirements are missed.

Evidence Provider Findings

  • No evidence providers were configured for this run (the "No evidence providers configured" notice). No provider-derived blockers exist. The review relies on the GitHub Releases enrichment and compare data embedded in the linked sources, which are sufficient for a patch-version bump of a well-known package.

Tool Harness Findings

  • The tool harness reported Planned requests: 0 and a planning warning ("Could not parse planning response as JSON"). This is a harness-side note, not a defect in the PR. There are no harness-detected code issues to address.

Unknowns or Needs Verification

  • Mend.io merge-confidence badges (adoption, age, compatibility, confidence) were not fetchable (all listed under developer.mend.io and marked "Skipped non-allowlisted URL"). For a 19.2.6 → 19.2.7 patch from the React core team, with a published release on 2026-06-01 and an explicit regression-fix changelog, the absence of these badges does not change the risk picture. If the merger uses Renovate's merge-confidence gating in CI, that should pass; if not, no action is needed.
  • package.json state was not in the diff. The merger may want to confirm locally that package.json semver ranges are compatible with react@19.2.7 and @types/react@19.2.16 (typically a ^ or ~ range would already cover these). This is a quick local check, not a blocker.
  • CI results are not included in the corpus. A standard PR check (lint, typecheck, build) is advisable before merge, but this is true of every PR and is not a PR-specific concern.

Bottom Line

  • Approve and merge. Lockfile-only patch update that fixes a documented Server Actions regression in React 19.2.6. No source code, no breaking changes, no linked issue requirements, and internal consistency between the diff and the release notes is verified.
@its-miso its-miso Bot force-pushed the renovate/react-monorepo branch from 7725c0b to ef2df7c Compare June 2, 2026 10:23

@its-saffron its-saffron Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI Automated Review

Analysis engine: MiniMax@https://litellm.jory.dev/v1 (anthropic)

Recommendation: Approve

This is a routine, patch-level dependency update generated by Renovate that bumps three React monorepo packages in package-lock.json. The release is a documented bug fix with no breaking changes, integrity hashes are updated, and the peer dependency in react-dom is correctly adjusted to track the new react version.

Change-by-change findings

  • @types/react: 19.2.15 → 19.2.16 (patch). Version, resolved URL, and integrity hash updated in package-lock.json. No other files reference this version. (Sources: PR body, diff lines 3390-3395.)
  • react: 19.2.6 → 19.2.7 (patch). Version, resolved URL, and integrity hash updated. The official release notes (facebook/react v19.2.7, published 2026-06-01) describe a single RSC fix: "Fixed missing FormData entries in Server Actions which regressed in 19.2.6 (PR #36566 by @unstubbable)". No breaking changes declared. (Sources: PR body release notes; GitHub release metadata for facebook/react@v19.2.7.)
  • react-dom: 19.2.6 → 19.2.7 (patch). Version, resolved URL, integrity hash, and peerDependencies.react updated from ^19.2.6 to ^19.2.7 — consistent with the new react release. (Sources: PR diff lines 8874-8886.)

Sources

  • https://github.com/facebook/react/releases/tag/v19.2.7 — published 2026-06-01T18:04:24Z, body matches PR description; only RSC FormData fix listed.
  • https://github.com/facebook/react/compare/v19.2.6...v19.2.7 — 5 commits ahead by eps1lon (compare metadata). Other commit messages are not visible in the truncated response, but the released notes describe the only user-facing change as the FormData fix.
  • https://github.com/facebook/react/pull/36566 — referenced as the source of the fix (page content truncated to HTML scaffolding only).
  • https://github.com/DefinitelyTyped/DefinitelyTyped — listed as the @types/react source repo; no release tags matched 19.2.16 (DefinitelyTyped publishes via incremental PR merges, not tagged releases), which is expected behavior.

Standards Compliance

  • AGENTS.md code standards: Not applicable — the diff is lockfile-only; no source code, schema, or API surface changes.
  • Dependency hygiene: AGENTS.md does not define a specific policy on dependency update flow, but the repository has a history of accepting Renovate-driven patch bumps (e.g., commit 8943faf19.2.14 → 19.2.15, PR #134).
  • Lockfile integrity: All three updated entries include new integrity SHA-512 hashes; no resolved URL drift or unexpected dependency tree churn visible in the diff.

Linked Issue Fit

  • No linked issue references were found in the PR body. This is a self-contained dependency maintenance PR from Renovate; no acceptance criteria need to be checked against an issue.

Evidence Provider Findings

  • No evidence providers were configured for this run.

Tool Harness Findings

  • Tool harness reported 0 planned requests and a planning parse warning. No code-scanning tool output to incorporate.

Unknowns or Needs Verification

  • The full body of the other 4 commits in the v19.2.6...v19.2.7 compare is not visible (commit messages are null in the metadata; HTML page was not rendered). The release notes list only the FormData fix, so this is low risk, but reviewers who want full confidence can read the compare page directly.
  • The diff shows only package-lock.json (10/10). The corresponding package.json version bumps are not visible in the patch excerpt. This is consistent with a standard Renovate flow where the package.json may already be at the target version via range specification, but I could not independently confirm from the corpus.
  • npm registry pages for the resolved tarballs were not fetched (allowlist restriction); integrity hashes were not independently re-verified against the registry.
@its-miso its-miso Bot force-pushed the renovate/react-monorepo branch from ef2df7c to 27b096c Compare June 2, 2026 15:22

@its-saffron its-saffron Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI Automated Review

Analysis engine: MiniMax@https://litellm.jory.dev/v1 (anthropic)

Recommendation: Approve

Routine Renovate dependency patch update for the React monorepo. All three version bumps are patch-level (19.2.6 → 19.2.7, 19.2.15 → 19.2.16) and the upstream release notes describe a single regression fix with no breaking changes.

Change-by-change findings

react 19.2.6 → 19.2.7 (and react-dom 19.2.6 → 19.2.7)

  • Per the official release notes (facebook/react@v19.2.7, published 2026-06-01), this release contains one fix: "Fixed missing FormData entries in Server Actions which regressed in 19.2.6" (PR #36566 by @unstubbable). This is a targeted regression fix in React Server Components, not a breaking change.
  • The react-dom peer-dependency range is updated from ^19.2.6 to ^19.2.7, which is consistent and self-consistent with the new react version.
  • GitHub compare metadata (v19.2.6...v19.2.7) shows 5 commits ahead, consistent with a small patch release.

@types/react 19.2.15 → 19.2.16

  • Patch bump of the TypeScript type definitions from DefinitelyTyped. No release notes were included in the PR body, but the prior commit history (8943faf — fix(deps): update dependency @types/react (19.2.14 → 19.2.15) #134) shows the repo routinely applies @types/react patches in lockstep with React patches.
  • Integrity hashes in package-lock.json are present and differ between the two versions, indicating a clean lockfile rewrite rather than a no-op.

Sources

  • Release notes: facebook/react@v19.2.7 (2026-06-01T18:04:24Z) — single RSC FormData regression fix.
  • Compare: facebook/react@v19.2.6...v19.2.7 — 5 commits, 0 behind.
  • Upstream PR: facebook/react#36566 by @unstubbable.
  • Repository history: Previous fix(deps) Renovate PR #134 updated @types/react 19.2.14 → 19.2.15 in the same manner, establishing this is a normal cadence.

Standards Compliance

  • Commit message follows the fix(deps): conventional-commit pattern used by prior Renovate updates in this repo.
  • Bot identity (app/its-miso) matches the Renovate automation used elsewhere in the repo's history.
  • Lockfile diff is minimal, scoped to the three packages, and shows correct integrity hash transitions.
  • No application code, API routes, CI workflows, Prisma schema, or label conventions are touched.

Linked Issue Fit

  • No linked issue is present in the PR body, so there are no acceptance criteria to verify against. This is consistent with routine Renovate dependency PRs and is not a red flag.

Evidence Provider Findings

  • No evidence providers were configured for this run. The review relies on the PR diff, GitHub release/compare metadata included in the linked sources, and repository history.

Tool Harness Findings

  • Tool harness reported Planned requests: 0 and a planning-parse warning, but the patch is small, mechanical, and fully verifiable from the diff plus release notes, so this does not block the review.

Unknowns / Needs Verification

  • Manifest vs lockfile: The harness's Changed Manifest Context states "No common manifest files changed in this PR." Only package-lock.json is modified; package.json is not in the diff. If package.json already pins these dependencies with semver ranges that include the new versions (e.g., ^19.2.0 for react/react-dom and ^19 for @types/react), the lockfile-only update is valid. If exact versions are pinned in package.json, the manifest should also be updated to keep manifest and lockfile in sync. I cannot confirm which case applies from the provided corpus, so the reviewer should verify package.json is consistent with the new lockfile entries before merging. This is a conservative verification request, not a blocker — patch-range dependencies in modern Renovate setups are commonly updated lockfile-only.
  • Mend/developer.mend.io confidence badge content was skipped (non-allowlisted URLs), so merge-confidence signals are unavailable; however, the upstream change is a one-line regression fix and does not warrant waiting on those signals.
  • react-dom's peerDependencies.react range moved from ^19.2.6 to ^19.2.7. This is normal for a patch release that bumps its own react peer floor and is backward-compatible with anyone already on ^19.2.x.
@joryirving joryirving merged commit 7942787 into main Jun 2, 2026
3 checks passed
@joryirving joryirving deleted the renovate/react-monorepo branch June 2, 2026 16:32
@its-saffron its-saffron Bot mentioned this pull request Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant