chore(deps): update non-major (static)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sanity/pkg-utils	^7.11.7 -> ^7.11.9
@sanity/ui (source)	4.0.0-static.32 -> 4.0.0-static.36
@types/node (source)	^20.17.9 -> ^20.19.19
@types/pako (source)	^2.0.3 -> ^2.0.4
@types/react (source)	^19.1.10 -> ^19.2.2
@types/react-dom (source)	^19.1.7 -> ^19.2.1
@vitejs/plugin-react (source)	^5.0.0 -> ^5.0.4
esbuild	^0.25.8 -> ^0.25.10
eslint-plugin-react-hooks (source)	6.0.0-rc.1 -> 6.0.0-rc.2
lightningcss	^1.30.1 -> ^1.30.2
react (source)	^19.1.1 -> ^19.2.0
react-dom (source)	^19.1.1 -> ^19.2.0
react-is (source)	^19.1.1 -> ^19.2.0
typescript (source)	5.9.2 -> 5.9.3
vite (source)	^7.1.2 -> ^7.1.9

---

Release Notes

sanity-io/pkg-utils (@​sanity/pkg-utils)

v7.11.9

Compare Source

Bug Fixes

• deps: update dependency @​babel/core to ^7.28.3 (e0cfb4b)

v7.11.8

Compare Source

Bug Fixes

• deps: Update dependency esbuild to ^0.25.9 (#​1787) (0290820)

sanity-io/ui (@​sanity/ui)

v4.0.0-static.36

Compare Source

Bug Fixes

• deps: update dependency framer-motion to ^12.23.21 (v4) (#​2103) (dc92b9f)

---

This release is also available on:

• npm package (@​static dist-tag)

v4.0.0-static.35

Compare Source

Features

• take full advantage of conditional context sub (484a92d)

---

This release is also available on:

• npm package (@​static dist-tag)

v4.0.0-static.34

Compare Source

Bug Fixes

• reduce usage of useResponsiveProp (2ea4568)

---

This release is also available on:

• npm package (@​static dist-tag)

v4.0.0-static.33

Compare Source

Bug Fixes

• add displayName to React.createContext (1787b4d)

---

This release is also available on:

• npm package (@​static dist-tag)

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.0.4

Compare Source

Perf: use native refresh wrapper plugin in rolldown-vite (#​881)

v5.0.3

Compare Source

HMR did not work for components imported with queries with rolldown-vite (#​872)

Perf: simplify refresh wrapper generation (#​835)

v5.0.2

Compare Source

Skip transform hook completely in rolldown-vite in dev if possible (#​783)

v5.0.1

Compare Source

Set optimizeDeps.rollupOptions.transform.jsx instead of optimizeDeps.rollupOptions.jsx for rolldown-vite (#​735)

optimizeDeps.rollupOptions.jsx is going to be deprecated in favor of optimizeDeps.rollupOptions.transform.jsx.

Perf: skip babel-plugin-react-compiler if code has no "use memo" when { compilationMode: "annotation" } (#​734)

Respect tsconfig jsxImportSource (#​726)

Fix reactRefreshHost option on rolldown-vite (#​716)

Fix RefreshRuntime being injected twice for class components on rolldown-vite (#​708)

Skip babel-plugin-react-compiler on non client environment (689)

evanw/esbuild (esbuild)

v0.25.10

Compare Source

• Fix a panic in a minification edge case (#​4287)

  This release fixes a panic due to a null pointer that could happen when esbuild inlines a doubly-nested identity function and the final result is empty. It was fixed by emitting the value undefined in this case, which avoids the panic. This case must be rare since it hasn't come up until now. Here is an example of code that previously triggered the panic (which only happened when minifying):

  function identity(x) { return x }
  identity({ y: identity(123) })

• Fix @supports nested inside pseudo-element (#​4265)

  When transforming nested CSS to non-nested CSS, esbuild is supposed to filter out pseudo-elements such as ::placeholder for correctness. The CSS nesting specification says the following:

  The nesting selector cannot represent pseudo-elements (identical to the behavior of the ':is()' pseudo-class). We’d like to relax this restriction, but need to do so simultaneously for both ':is()' and '&', since they’re intentionally built on the same underlying mechanisms.

  However, it seems like this behavior is different for nested at-rules such as @supports, which do work with pseudo-elements. So this release modifies esbuild's behavior to now take that into account:

  /* Original code */
  ::placeholder {
    color: red;
    body & { color: green }
    @​supports (color: blue) { color: blue }
  }
  
  /* Old output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
     {
      color: blue;
    }
  }
  
  /* New output (with --supported:nesting=false) */
  ::placeholder {
    color: red;
  }
  body :is() {
    color: green;
  }
  @​supports (color: blue) {
    ::placeholder {
      color: blue;
    }
  }

v0.25.9

Compare Source

• Better support building projects that use Yarn on Windows (#​3131, #​3663)

  With this release, you can now use esbuild to bundle projects that use Yarn Plug'n'Play on Windows on drives other than the C: drive. The problem was as follows:

  1. Yarn in Plug'n'Play mode on Windows stores its global module cache on the C: drive
  2. Some developers put their projects on the D: drive
  3. Yarn generates relative paths that use ../.. to get from the project directory to the cache directory
  4. Windows-style paths don't support directory traversal between drives via .. (so D:\.. is just D:)
  5. I didn't have access to a Windows machine for testing this edge case

  Yarn works around this edge case by pretending Windows-style paths beginning with C:\ are actually Unix-style paths beginning with /C:/, so the ../.. path segments are able to navigate across drives inside Yarn's implementation. This was broken for a long time in esbuild but I finally got access to a Windows machine and was able to debug and fix this edge case. So you should now be able to bundle these projects with esbuild.

• Preserve parentheses around function expressions (#​4252)

  The V8 JavaScript VM uses parentheses around function expressions as an optimization hint to immediately compile the function. Otherwise the function would be lazily-compiled, which has additional overhead if that function is always called immediately as lazy compilation involves parsing the function twice. You can read V8's blog post about this for more details.

  Previously esbuild did not represent parentheses around functions in the AST so they were lost during compilation. With this change, esbuild will now preserve parentheses around function expressions when they are present in the original source code. This means these optimization hints will not be lost when bundling with esbuild. In addition, esbuild will now automatically add this optimization hint to immediately-invoked function expressions. Here's an example:

  // Original code
  const fn0 = () => 0
  const fn1 = (() => 1)
  console.log(fn0, function() { return fn1() }())
  
  // Old output
  const fn0 = () => 0;
  const fn1 = () => 1;
  console.log(fn0, function() {
    return fn1();
  }());
  
  // New output
  const fn0 = () => 0;
  const fn1 = (() => 1);
  console.log(fn0, (function() {
    return fn1();
  })());

  Note that you do not want to wrap all function expressions in parentheses. This optimization hint should only be used for functions that are called on initial load. Using this hint for functions that are not called on initial load will unnecessarily delay the initial load. Again, see V8's blog post linked above for details.

• Update Go from 1.23.10 to 1.23.12 (#​4257, #​4258)

  This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain false positive reports (specifically CVE-2025-4674 and CVE-2025-47907) from vulnerability scanners that only detect which version of the Go compiler esbuild uses.

facebook/react (eslint-plugin-react-hooks)

v6.0.0-rc.2

Compare Source

parcel-bundler/lightningcss (lightningcss)

v1.30.2

Compare Source

Fixes

• Fix installing on android
• Don't warn on ::grammar-error and ::spelling-error selectors
• Update browser compat data

Rust crate changes

• Bump browserslist-rs to 0.19.0
• migrate to maintained library instead of deprecated paste
• Use serde-content instead of private serde types

facebook/react (react)

v19.2.0

Compare Source

Below is a list of all new features, APIs, and bug fixes.

Read the React 19.2 release post for more information.

New React Features

• <Activity>: A new API to hide and restore the UI and internal state of its children.
• useEffectEvent is a React Hook that lets you extract non-reactive logic into an Effect Event.
• cacheSignal (for RSCs) lets your know when the cache() lifetime is over.
• React Performance tracks appear on the Performance panel’s timeline in your browser developer tools

New React DOM Features

• Added resume APIs for partial pre-rendering with Web Streams:
  • resume: to resume a prerender to a stream.
  • resumeAndPrerender: to resume a prerender to HTML.
• Added resume APIs for partial pre-rendering with Node Streams:
  • resumeToPipeableStream: to resume a prerender to a stream.
  • resumeAndPrerenderToNodeStream: to resume a prerender to HTML.
• Updated prerender APIs to return a postponed state that can be passed to the resume APIs.

Notable changes

• React DOM now batches suspense boundary reveals, matching the behavior of client side rendering. This change is especially noticeable when animating the reveal of Suspense boundaries e.g. with the upcoming <ViewTransition> Component. React will batch as much reveals as possible before the first paint while trying to hit popular first-contentful paint metrics.
• Add Node Web Streams (prerender, renderToReadableStream) to server-side-rendering APIs for Node.js
• Use underscore instead of : IDs generated by useId

All Changes

React

• <Activity /> was developed over many years, starting before ClassComponent.setState (@​acdlite @​sebmarkbage and many others)
• Stringify context as "SomeContext" instead of "SomeContext.Provider" (@​kassens #​33507)
• Include stack of cause of React instrumentation errors with %o placeholder (@​eps1lon #​34198)
• Fix infinite useDeferredValue loop in popstate event (@​acdlite #​32821)
• Fix a bug when an initial value was passed to useDeferredValue (@​acdlite #​34376)
• Fix a crash when submitting forms with Client Actions (@​sebmarkbage #​33055)
• Hide/unhide the content of dehydrated suspense boundaries if they resuspend (@​sebmarkbage #​32900)
• Avoid stack overflow on wide trees during Hot Reload (@​sophiebits #​34145)
• Improve Owner and Component stacks in various places (@​sebmarkbage, @​eps1lon: #​33629, #​33724, #​32735, #​33723)
• Add cacheSignal (@​sebmarkbage #​33557)

React DOM

• Block on Suspensey Fonts during reveal of server-side-rendered content (@​sebmarkbage #​33342)
• Use underscore instead of : for IDs generated by useId (@​sebmarkbage, @​eps1lon: #​32001, #​33342#​33099, #​33422)
• Stop warning when ARIA 1.3 attributes are used (@​Abdul-Omira #​34264)
• Allow nonce to be used on hoistable styles (@​Andarist #​32461)
• Warn for using a React owned node as a Container if it also has text content (@​sebmarkbage #​32774)
• s/HTML/text for for error messages if text hydration mismatches (@​rickhanlonii #​32763)
• Fix a bug with React.use inside React.lazy-ed Component (@​hi-ogawa #​33941)
• Enable the progressiveChunkSize option for server-side-rendering APIs (@​sebmarkbage #​33027)
• Fix a bug with deeply nested Suspense inside Suspense fallback when server-side-rendering (@​gnoff #​33467)
• Avoid hanging when suspending after aborting while rendering (@​gnoff #​34192)
• Add Node Web Streams to server-side-rendering APIs for Node.js (@​sebmarkbage #​33475)

React Server Components

• Preload <img> and <link> using hints before they're rendered (@​sebmarkbage #​34604)
• Log error if production elements are rendered during development (@​eps1lon #​34189)
• Fix a bug when returning a Temporary reference (e.g. a Client Reference) from Server Functions (@​sebmarkbage #​34084, @​denk0403 #​33761)
• Pass line/column to filterStackFrame (@​eps1lon #​33707)
• Support Async Modules in Turbopack Server References (@​lubieowoce #​34531)
• Add support for .mjs file extension in Webpack (@​jennyscript #​33028)
• Fix a wrong missing key warning (@​unstubbable #​34350)
• Make console log resolve in predictable order (@​sebmarkbage #​33665)

React Reconciler

• createContainer and createHydrationContainer had their parameter order adjusted after on* handlers to account for upcoming experimental APIs

microsoft/TypeScript (typescript)

v5.9.3

Compare Source

vitejs/vite (vite)

v7.1.9

Compare Source

Reverts

• server: drain stdin when not interactive (#​20885) (12d72b0)

v7.1.8

Compare Source

Bug Fixes

• css: improve url escape characters handling (#​20847) (24a61a3)
• deps: update all non-major dependencies (#​20855) (788a183)
• deps: update artichokie to 0.4.2 (#​20864) (e670799)
• dev: skip JS responses for document requests (#​20866) (6bc6c4d)
• glob: fix HMR for array patterns with exclusions (#​20872) (63e040f)
• keep ids for virtual modules as-is (#​20808) (d4eca98)
• server: drain stdin when not interactive (#​20837) (bb950e9)
• server: improve malformed URL handling in middlewares (#​20830) (d65a983)

Documentation

• create-vite: provide deno example (#​20747) (fdb758a)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20810) (ea68a88)
• deps: update rolldown-related dependencies (#​20854) (4dd06fd)
• update url of create-react-app license (#​20865) (166a178)

v7.1.7

Compare Source

Bug Fixes

• build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#​20787) (4c4583c)
• client: use CSP nonce when rendering error overlay (#​20791) (9bc9d12)
• deps: update all non-major dependencies (#​20811) (9f2247c)
• glob: handle glob imports from folders starting with dot (#​20800) (105abe8)
• hmr: trigger prune event when import is removed from non hmr module (#​20768) (9f32b1d)
• hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#​20698) (98a3484)

v7.1.6

Compare Source

Bug Fixes

• deps: update all non-major dependencies (#​20773) (88af2ae)
• esbuild: inject esbuild helper functions with minified $ variables correctly (#​20761) (7e8e004)
• fallback terser to main thread when nameCache is provided (#​20750) (a679a64)
• types: strict env typings fail when skipLibCheck is false (#​20755) (cc54e29)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20675) (a67bb5f)
• deps: update rolldown-related dependencies (#​20772) (d785e72)

---

Configuration

📅 Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​pako@​2.0.3 ⏵ 2.0.4			+1
	esbuild@​0.25.8 ⏵ 0.25.10
	@​types/​react-dom@​19.1.7 ⏵ 19.2.1	+1		+3	+3
	@​types/​react@​19.1.10 ⏵ 19.2.2	+1		+1	+2
	@​types/​node@​20.19.9 ⏵ 20.19.19
	vite@​7.1.5 ⏵ 7.1.9	+1
	lightningcss@​1.30.1 ⏵ 1.30.2
	react@​19.1.1 ⏵ 19.2.0	+1		+1
	typescript@​5.9.2 ⏵ 5.9.3			+1
	react-dom@​19.1.1 ⏵ 19.2.0	+1		+1
	@​vitejs/​plugin-react@​5.0.0 ⏵ 5.0.4	+1			+1
	@​sanity/​pkg-utils@​7.11.7 ⏵ 7.11.9				+1
	eslint-plugin-react-hooks@​6.0.0-rc.1 ⏵ 6.0.0-rc.2
	react-is@​19.1.1 ⏵ 19.2.0
	@​sanity/​ui@​4.0.0-static.32 ⏵ 4.0.0-static.36	+2		+16

View full report

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
ui-workshop	Ready	Preview	Comment	Oct 7, 2025 6:50am

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		[email protected] has a License Policy Violation. License: LicenseRef-W3C-Community-Final-Specification-Agreement (package/ThirdPartyNoticeText.txt) From: package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report