chore(deps): update non-major (main)

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Confidence
@sanity/ui (source)	^3.0.7 -> ^3.1.8
@types/node (source)	^20.19.11 -> ^20.19.19
@types/react (source)	^19.1.11 -> ^19.2.0
@types/react-dom (source)	^19.1.7 -> ^19.2.0
@vitejs/plugin-react (source)	^5.0.1 -> ^5.0.4
esbuild	^0.25.9 -> ^0.25.10
eslint-plugin-react-hooks (source)	6.0.0-rc.1 -> 6.0.0-rc.2
react (source)	^19.1.1 -> ^19.2.0
react-dom (source)	^19.1.1 -> ^19.2.0
react-is (source)	^19.1.1 -> ^19.2.0
typescript (source)	5.9.2 -> 5.9.3
vite (source)	^7.1.3 -> ^7.1.9

---

Release Notes

sanity-io/ui (@​sanity/ui)

v3.1.8

Compare Source

Bug Fixes

• deps: update dependency framer-motion to ^12.23.22 (main) (#​2109) (2d605cf)

v3.1.7

Compare Source

Bug Fixes

• deps: update dependency framer-motion to ^12.23.21 (main) (#​2101) (0ee41d2)

v3.1.6

Compare Source

Bug Fixes

• deps: update dependency framer-motion to ^12.23.19 (main) (#​2097) (43a8ee2)

v3.1.5

Compare Source

Bug Fixes

• deps: update dependency framer-motion to ^12.23.18 (main) (#​2084) (cd740ab)

v3.1.4

Compare Source

Bug Fixes

• deps: update dependency framer-motion to ^12.23.16 (main) (#​2080) (11bc8d0)

v3.1.3

Compare Source

Bug Fixes

• react 18 regression (#​2075) (5aa8489)

v3.1.2

Compare Source

Bug Fixes

• deps: update dependency framer-motion to ^12.23.15 (main) (#​2064) (ee0ca00)

v3.1.1

Compare Source

Bug Fixes

• deps: update React Compiler dependencies 🤖 ✨ (#​2060) (194e9dc)

v3.1.0

Compare Source

Features

• add options prop to useGlobalKeyDown (#​2061) (7fd41e0)

v3.0.14

Compare Source

Bug Fixes

• remove useArrayProp usage (#​2055) (d693ec7)

v3.0.13

Compare Source

Bug Fixes

• handle react-hooks/set-state-in-effect (#​2054) (dd7c347)

v3.0.12

Compare Source

Bug Fixes

• handle react-hooks/preserve-manual-memoization (#​2053) (c797d2b)

v3.0.11

Compare Source

Bug Fixes

• handle react-hooks/refs (#​2052) (630922b)

v3.0.10

Compare Source

Bug Fixes

• add displayName to React.createContext (#​2047) (1232e9b)

v3.0.9

Compare Source

Bug Fixes

• deps: update React Compiler dependencies 🤖 ✨ (#​2044) (56ed2c8)

v3.0.8

Compare Source

Bug Fixes

• deps: update dependency @​floating-ui/react-dom to ^2.1.6 (main) (#​1985) (ec2bb11)

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.0.4

Compare Source

Perf: use native refresh wrapper plugin in rolldown-vite (#​881)

v5.0.3

Compare Source

HMR did not work for components imported with queries with rolldown-vite (#​872)

Perf: simplify refresh wrapper generation (#​835)

v5.0.2

Compare Source

Skip transform hook completely in rolldown-vite in dev if possible (#​783)

evanw/esbuild (esbuild)

v0.25.10

Compare Source

• Fix a panic in a minification edge case (#​4287)

  This release fixes a panic due to a null pointer that could happen when esbuild inlines a doubly-nested identity function and the final result is empty. It was fixed by emitting the value undefined in this case, which avoids the panic. This case must be rare since it hasn't come up until now. Here is an example of code that previously triggered the panic (which only happened when minifying):

  function identity(x) { return x }
  identity({ y: identity(123) })

• Fix @supports nested inside pseudo-element (#​4265)

  When transforming nested CSS to non-nested CSS, esbuild is supposed to filter out pseudo-elements such as ::placeholder for correctness. The CSS nesting specification says the following:

  The nesting selector cannot represent pseudo-elements (identical to the behavior of the ':is()' pseudo-class). We’d like to relax this restriction, but need to do so simultaneously for both ':is()' and '&', since they’re intentionally built on the same underlying mechanisms.

  However, it seems like this behavior is different for nested at-rules such as @supports, which do work with pseudo-elements. So this release modifies esbuild's behavior to now take that into account:

  /* Original code */
  ::placeholder {
    color: red;
    body & { color: green }
    @​supports (color: blue) { color: blue }
  }
  
  /* Old output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
     {
      color: blue;
    }
  }
  
  /* New output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
    ::placeholder {
      color: blue;
    }
  }

facebook/react (eslint-plugin-react-hooks)

v6.0.0-rc.2

Compare Source

facebook/react (react)

v19.2.0

Compare Source

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #​33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #​34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #​32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #​34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #​33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #​32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #​34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #​33629, #​33724, #​32735, #​33723)
• Add cacheSignal (@​sebmarkbage #​33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #​33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #​32001, #​33342#​33099, #​33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #​34264)
• Allow nonce to be used on hoistable styles (@​Andarist #​32461)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #​32774)
• s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #​32763)
• Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #​33941)
• Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #​33027)
• Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #​33467)
• Avoid hanging when suspending after aborting while rendering (@​gnoff #​34192)
• Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #​33475)

React Server Components

• Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #​34604)
• Log error if production elements are rendered during development (@​eps1lon #​34189)
• Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #​34084, @​denk0403 #​33761)
• Pass line/column to filterStackFrame (@​eps1lon #​33707)
• Support Async Modules in Turbopack Server References (@​lubieowoce #​34531)
• Add support for .mjs file extension in Webpack (@​jennyscript #​33028)
• Fix a wrong missing key warning (@​unstubbable #​34350)
• Make console log resolve in predictable order (@​sebmarkbage #​33665)

React Reconciler

• createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs

microsoft/TypeScript (typescript)

v5.9.3

Compare Source

vitejs/vite (vite)

v7.1.9

Compare Source

Reverts

• server: drain stdin when not interactive (#​20885) (12d72b0)

v7.1.8

Compare Source

Bug Fixes

• css: improve url escape characters handling (#​20847) (24a61a3)
• deps: update all non-major dependencies (#​20855) (788a183)
• deps: update artichokie to 0.4.2 (#​20864) (e670799)
• dev: skip JS responses for document requests (#​20866) (6bc6c4d)
• glob: fix HMR for array patterns with exclusions (#​20872) (63e040f)
• keep ids for virtual modules as-is (#​20808) (d4eca98)
• server: drain stdin when not interactive (#​20837) (bb950e9)
• server: improve malformed URL handling in middlewares (#​20830) (d65a983)

Documentation

• create-vite: provide deno example (#​20747) (fdb758a)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20810) (ea68a88)
• deps: update rolldown-related dependencies (#​20854) (4dd06fd)
• update url of create-react-app license (#​20865) (166a178)

v7.1.7

Compare Source

Bug Fixes

• build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#​20787) (4c4583c)
• client: use CSP nonce when rendering error overlay (#​20791) (9bc9d12)
• deps: update all non-major dependencies (#​20811) (9f2247c)
• glob: handle glob imports from folders starting with dot (#​20800) (105abe8)
• hmr: trigger prune event when import is removed from non hmr module (#​20768) (9f32b1d)
• hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#​20698) (98a3484)

v7.1.6

Compare Source

Bug Fixes

• deps: update all non-major dependencies (#​20773) (88af2ae)
• esbuild: inject esbuild helper functions with minified $ variables correctly (#​20761) (7e8e004)
• fallback terser to main thread when nameCache is provided (#​20750) (a679a64)
• types: strict env typings fail when skipLibCheck is false (#​20755) (cc54e29)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20675) (a67bb5f)
• deps: update rolldown-related dependencies (#​20772) (d785e72)

---

Configuration

📅 Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
ui-workshop	Ready	Preview	Comment	Oct 3, 2025 2:48am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	esbuild@​0.25.9 ⏵ 0.25.10
	@​types/​react-dom@​19.1.7 ⏵ 19.2.0	+1		+3	+3
	@​types/​react@​19.1.11 ⏵ 19.2.0				+2
	@​types/​node@​20.19.11 ⏵ 20.19.19			+1	+2
	react@​19.1.1 ⏵ 19.2.0	+1		+1
	@​sanity/​ui@​3.0.7 ⏵ 3.1.8	+1		+2
	typescript@​5.9.2 ⏵ 5.9.3			+1
	react-dom@​19.1.1 ⏵ 19.2.0	+1		+1
	eslint-plugin-react-hooks@​6.0.0-rc.1 ⏵ 6.0.0-rc.2
	@​vitejs/​plugin-react@​5.0.1 ⏵ 5.0.4	+1			+2
	react-is@​19.1.1 ⏵ 19.2.0
	vite@​7.1.5 ⏵ 7.1.9	+3		+19	+2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		[email protected] has a License Policy Violation. License: LicenseRef-W3C-Community-Final-Specification-Agreement (package/ThirdPartyNoticeText.txt) From: package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report