chore(deps): bump the npm_and_yarn group across 1 directory with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
@aws-sdk/client-s3	3.1024.0	3.1048.0
@aws-sdk/lib-storage	3.1024.0	3.1048.0
axios	1.15.2	1.16.1
mermaid	11.12.2	11.15.0
playwright	1.57.0	1.60.0
react	19.2.1	19.2.6
@types/react	19.2.7	19.2.14
react-dom	19.2.1	19.2.6
react-router-dom	7.12.0	7.15.1
tailwindcss	4.0.7	4.3.0
vocs	1.2.2	1.4.1

Updates @aws-sdk/client-s3 from 3.1024.0 to 3.1048.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1048.0

3.1048.0(2026-05-15)

Chores

• packages: update import paths (#8024) (901b75a1)
• codegen:
  • updated import sources for aws-sdk core (#8015) (1af90474)
  • sync for browser bundle fixes (#8022) (eabae7d8)
• core/client: consolidate packages into core/client (#8010) (832d9e76)

New Features

• clients: update client endpoints as of 2026-05-15 (4aa76bd0)
• client-mediapackagev2: This release adds support for AvailabilityStartTimeConfiguration in MediaPackageV2 DASH manifests (6c8a84d4)
• client-partnercentral-selling: Enable TCV intake on Opportunity to improve Opportunities Hygiene and downstream revenue attribution. (d68a75c4)
• client-cloudwatch-logs: Updating the max limit for start query api parameter. (931876e1)

---

For list of updated packages, view updated-packages.md in assets-3.1048.0.zip

v3.1047.0

3.1047.0(2026-05-14)

Chores

• upgrade fast-xml-parser to 5.7.3 (#8021) (b2aae04e)

New Features

• clients: update client endpoints as of 2026-05-14 (3505575d)
• client-glue: Release --has-databases parameter for AWS Glue get-catalogs API, which filters catalog responses to include only those capable of containing databases, excluding parent catalogs that hold only other catalogs. Remove model-level validation on partition index list size for AWS Glue tables. (e2b076ee)
• client-database-migration-service: Add 9 SDK waiters for DMS Schema Conversion async operations. Eliminates manual polling for import, assessment, conversion, export, and creation jobs. (32d372e7)
• client-mgn: Introducing new option for security groups mapping - with MAP-DHCP the service translates security rules from your source environment with DHCP compatibility. (27c07049)
• client-bedrock: Advanced Prompt Optimization (AdvPO) allows you to optimize and migrate your prompts for any model on Bedrock by automatically evaluating responses and rewriting prompts to improve performance. This release provides a programmatic way to create, get, list, stop, and delete AdvPO jobs. (7e479fde)
• client-cloudfront: Adding a new boolean for OCSP Revocations in Viewer mTLS Create and Update APIs, and adding a new 'Passthrough' option for TrustStore modes (ee96afaa)
• client-datazone: Adds support for SageMaker Unified Studio notebook operations, including notebook import and export (383f4ea2)
• client-qconnect: ListModels is an API that returns the available AI models for a Connect Assistant based on its region and AI prompt type. (0d6d7ec3)
• client-grafana: Adds support for dual-stack (IPv4 and IPv6) connectivity to Amazon Managed Grafana workspaces. Customers can configure the ipAddressType parameter when creating or updating a workspace to choose between IPv4-only or dual-stack (IPv4 and IPv6) access. (1184c5e5)

---

For list of updated packages, view updated-packages.md in assets-3.1047.0.zip

v3.1046.0

3.1046.0(2026-05-14)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/client-s3

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-s3

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/client-s3

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/client-s3

3.1044.0 (2026-05-06)

Features

• client-s3: Validate outpost access point resource name (bee88a5)

3.1043.0 (2026-05-05)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

• 313813d Publish v3.1048.0
• 1af9047 chore(codegen): updated import sources for aws-sdk core (#8015)
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• acffbf9 chore: update smithy/core imports (#7979)
• b329def Publish v3.1045.0
• 1ccd438 Publish v3.1044.0
• bee88a5 feat(client-s3): Validate outpost access point resource name
• Additional commits viewable in compare view

Updates @aws-sdk/lib-storage from 3.1024.0 to 3.1048.0

Release notes

Sourced from @​aws-sdk/lib-storage's releases.

v3.1048.0

3.1048.0(2026-05-15)

Chores

• packages: update import paths (#8024) (901b75a1)
• codegen:
  • updated import sources for aws-sdk core (#8015) (1af90474)
  • sync for browser bundle fixes (#8022) (eabae7d8)
• core/client: consolidate packages into core/client (#8010) (832d9e76)

New Features

• clients: update client endpoints as of 2026-05-15 (4aa76bd0)
• client-mediapackagev2: This release adds support for AvailabilityStartTimeConfiguration in MediaPackageV2 DASH manifests (6c8a84d4)
• client-partnercentral-selling: Enable TCV intake on Opportunity to improve Opportunities Hygiene and downstream revenue attribution. (d68a75c4)
• client-cloudwatch-logs: Updating the max limit for start query api parameter. (931876e1)

---

For list of updated packages, view updated-packages.md in assets-3.1048.0.zip

v3.1047.0

3.1047.0(2026-05-14)

Chores

• upgrade fast-xml-parser to 5.7.3 (#8021) (b2aae04e)

New Features

• clients: update client endpoints as of 2026-05-14 (3505575d)
• client-glue: Release --has-databases parameter for AWS Glue get-catalogs API, which filters catalog responses to include only those capable of containing databases, excluding parent catalogs that hold only other catalogs. Remove model-level validation on partition index list size for AWS Glue tables. (e2b076ee)
• client-database-migration-service: Add 9 SDK waiters for DMS Schema Conversion async operations. Eliminates manual polling for import, assessment, conversion, export, and creation jobs. (32d372e7)
• client-mgn: Introducing new option for security groups mapping - with MAP-DHCP the service translates security rules from your source environment with DHCP compatibility. (27c07049)
• client-bedrock: Advanced Prompt Optimization (AdvPO) allows you to optimize and migrate your prompts for any model on Bedrock by automatically evaluating responses and rewriting prompts to improve performance. This release provides a programmatic way to create, get, list, stop, and delete AdvPO jobs. (7e479fde)
• client-cloudfront: Adding a new boolean for OCSP Revocations in Viewer mTLS Create and Update APIs, and adding a new 'Passthrough' option for TrustStore modes (ee96afaa)
• client-datazone: Adds support for SageMaker Unified Studio notebook operations, including notebook import and export (383f4ea2)
• client-qconnect: ListModels is an API that returns the available AI models for a Connect Assistant based on its region and AI prompt type. (0d6d7ec3)
• client-grafana: Adds support for dual-stack (IPv4 and IPv6) connectivity to Amazon Managed Grafana workspaces. Customers can configure the ipAddressType parameter when creating or updating a workspace to choose between IPv4-only or dual-stack (IPv4 and IPv6) access. (1184c5e5)

---

For list of updated packages, view updated-packages.md in assets-3.1047.0.zip

v3.1046.0

3.1046.0(2026-05-14)

... (truncated)

Changelog

Sourced from @​aws-sdk/lib-storage's changelog.

3.1048.0 (2026-05-15)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1047.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1046.0 (2026-05-14)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1045.0 (2026-05-07)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1044.0 (2026-05-06)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1043.0 (2026-05-05)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1042.0 (2026-05-04)

... (truncated)

Commits

• 313813d Publish v3.1048.0
• eabae7d chore(codegen): sync for browser bundle fixes (#8022)
• 8edb907 Publish v3.1047.0
• a664335 Publish v3.1046.0
• 9ce20f6 chore(codegen): dependency version bump (#8008)
• acffbf9 chore: update smithy/core imports (#7979)
• b329def Publish v3.1045.0
• 1ccd438 Publish v3.1044.0
• 96baad9 Publish v3.1043.0
• d942e31 Publish v3.1042.0
• Additional commits viewable in compare view

Updates axios from 1.15.2 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
• composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
• AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
• Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
• Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
• Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​hpinmetaverse (#10836)
• @​tommyhgunz14 (#7413)
• @​abhu85 (#10829)
• @​divyanshuraj1095 (#10853)
• @​sagodi97 (#10856)
• @​rkdfx (#10868)
• @​Liuwei1125 (#10866)

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)

... (truncated)

Commits

• 1337d6b chore(release): prepare release 1.16.1 (#10877)
• 858a790 fix: remove all caches (#10882)
• 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
• 847d89b fix: support URL object as config.url input (#10866)
• 4094886 fix(progress): guard malformed XHR upload events (#10868)
• 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
• 64e1095 chore: update PR and issue template to use h2 (#10865)
• 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
• c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
• caa00a9 fix: https data in cleartext to proxy (#10858)
• Additional commits viewable in compare view

Updates mermaid from 11.12.2 to 11.15.0

Release notes

Sourced from mermaid's releases.

mermaid@11.15.0

Minor Changes

• #7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

• #7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

• #6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

• #7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

• #7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set class.hierarchicalNamespaces=false in your mermaid config:

  config:
    class:
      hierarchicalNamespaces: false

• #7272 88cdd3d Thanks @​xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes

• #7737 e9b0f34 Thanks @​ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs

• #7737 37ff937 Thanks @​ashishjain0512! - fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.

• #7508 bfe60cc Thanks @​biiab! - fix(stateDiagram): end note now only closes a note when used on a new line

• #7737 faafb5d Thanks @​ashishjain0512! - fix(gantt): add iteration limit for excludes field

• #7737 65f8be2 Thanks @​ashishjain0512! - fix: disallow some CSS at-rules in custom CSS

• #7726 1502f32 Thanks @​aloisklink! - fix(wardley): fix unnecessary sanitization of text

• #7578 1f98db8 Thanks @​Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

  Fixes #7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.

• #7592 2343e38 Thanks @​knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams

• #7589 7fb9509 Thanks @​NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans

• #7632 3f9e0f1 Thanks @​ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

... (truncated)

Commits

• 41646df Merge pull request #7739 from aloisklink/ci/fix-release
• 2671f5c docs: fix v11.15.0 release
• f4bf04b Merge pull request #7738 from mermaid-js/changeset-release/master
• abfb563 Version Packages
• 60b289f Release Candidate 11.15.0 (#7737)
• d37c0db Merge pull request #7730 from aloisklink/fix/fix-edgeLabelRightLeft-changes
• 5ab5a28 docs: improve nested namespace changeset
• 18f8b4c fix: revert endEdgeLabelLeft/endEdgeLabelRight change
• 504b2eb Merge pull request #7726 from aloisklink/fix/correct-unnecessary-html-escapes...
• 1502f32 fix(wardley): fix unnecessary sanitization of text
• Additional commits viewable in compare view

Updates playwright from 1.57.0 to 1.60.0

Release notes

Sourced from playwright's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates react from 19.2.1 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• 90ab3f8 Version 19.2.4
• 612e371 Version 19.2.3
• b910fc1 Version 19.2.2
• See full diff in compare view

Updates @types/react from 19.2.7 to 19.2.14

Commits

• See full diff in compare view

Updates react-dom from 19.2.1 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

19.2.3 (December 11th, 2025)

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #35351)

19.2.2 (December 11th, 2025)

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon facebook/react#35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #35289, #35345)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• 90ab3f8 Version 19.2.4
• 612e371 Version 19.2.3
• b910fc1 Version 19.2.2
• See full diff in compare view

Updates react-router-dom from 7.12.0 to 7.15.1

Changel...

Description has been truncated

[cloudflare-workers-and-pages]

Deploying frameworks with    Cloudflare Pages

Latest commit:	b20c08c
Status:	✅  Deploy successful!
Preview URL:	https://89b6e377.frameworks-573.pages.dev
Branch Preview URL:	https://dependabot-npm-and-yarn-deve.frameworks-573.pages.dev

View logs