
@PierreCrb

@PierreCrb PierreCrb commented Dec 11, 2025

🔒 Security: React & Next.js patch updates

This PR updates both React and Next.js to their latest security-patched versions following the newly disclosed RSC vulnerabilities.

Updated packages

  • react: 19.2.2
  • react-dom: 19.2.2
  • next: 19.0.9

These versions include fixes for the vulnerabilities detailed in the React and Next.js security advisories published on December 11, 2025.

References:
React: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
Next.js: https://nextjs.org/blog/security-update-2025-12-11
https://x.com/reactjs/status/1999217365628903739
https://x.com/nextjs/status/1999224298591092929

Summary by CodeRabbit

  • Chores
    • Bumped React and React DOM to latest patch releases across example projects, integrations, and main packages.
    • Updated matching TypeScript React type packages to React 19 where applicable.
    • Applied minor Next.js patch bumps in several examples.
    • Added a dev tooling dependency in one example’s dev setup.
    • No functional or behavioral changes; only dependency/version updates.


@changeset-bot

changeset-bot bot commented Dec 11, 2025

⚠️ No Changeset found

Latest commit: 3aac55d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai
Contributor

coderabbitai bot commented Dec 11, 2025

Walkthrough

Batched dependency version bumps across examples, integrations, and root manifests: React and React-DOM were upgraded (variants to ^19.0.3 or ^19.2.3), several Next.js examples moved from ^16.0.7 → ^16.0.10, and some dev-type packages (@types/*, vite) were updated. No source logic changes.

Changes

Cohort / File(s) / Summary

React ^19.0.0 → ^19.0.3 examples
Files: examples/react/algolia/package.json, examples/react/basic-graphql-request/package.json, examples/react/basic/package.json, examples/react/chat/package.json, examples/react/default-query-function/package.json, examples/react/devtools-panel/package.json, examples/react/eslint-legacy/package.json, examples/react/offline/package.json, examples/react/playground/package.json, examples/react/react-native/package.json, examples/react/react-router/package.json, examples/react/rick-morty/package.json, examples/react/shadow-dom/package.json, examples/react/simple/package.json, examples/react/star-wars/package.json, examples/react/suspense/package.json
Summary: Updated react / react-dom from ^19.0.0 → ^19.0.3; several dev @types/* bumped to ^19.0.3 where present.

Next.js ^16.0.7 → ^16.0.10 & React ^19.2.1 → ^19.2.3 examples
Files: examples/react/auto-refetching/package.json, examples/react/infinite-query-with-max-pages/package.json, examples/react/load-more-infinite-scroll/package.json, examples/react/nextjs-app-prefetching/package.json, examples/react/nextjs-suspense-streaming/package.json, examples/react/nextjs/package.json, examples/react/optimistic-updates-cache/package.json, examples/react/optimistic-updates-ui/package.json, examples/react/pagination/package.json, examples/react/prefetching/package.json
Summary: Updated next from ^16.0.7 → ^16.0.10 and react / react-dom from ^19.2.1 → ^19.2.3.

Integration & root manifests
Files: integrations/react-next-15/package.json, integrations/react-next-16/package.json, integrations/react-vite/package.json, integrations/react-webpack-4/package.json, integrations/react-webpack-5/package.json, package.json
Summary: Bumped react / react-dom devDependencies to ^19.2.3 (root); integrations updated React/React-DOM and some Next.js pins to match example bumps.

Packages
Files: packages/react-query-devtools/package.json, packages/react-query-next-experimental/package.json, packages/react-query-persist-client/package.json, packages/react-query/package.json
Summary: DevDependency bumps for react and/or next (where applicable) to ^19.2.3 / ^16.0.10.

Single-file / misc edits
Files: examples/react/react-router/package.json
Summary: Also added/updated devDependency vite and aligned @types/* to ^19.0.3.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Spot-check Next.js example manifests for peer-dependency implications.
  • Verify examples/react/react-router/package.json addition of vite and @types version alignment.
  • Sanity-check root/dev package.json version consistency.

Suggested labels

dependencies, package: react-query, package: react-query-next-experimental, package: react-query-persist-client, package: react-query-devtools

Suggested reviewers

  • TkDodo

Poem

🐰 I hopped through manifests, light on my paws,
nudged versions upward without breaking laws.
Reacts and Nexts now neatly in line—
a nibble of upkeep, a tidy small sign.
🥕 Happy builds ahead, one carrot at a time.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Description check: ⚠️ Warning. The PR description provides context about security vulnerabilities and updated versions, but does not follow the required template structure with the 'Changes' section and 'Checklist' items. Resolution: add the required template sections: '## 🎯 Changes' section describing the modifications and '## ✅ Checklist' section with completion status of the contributing guidelines and testing steps.
✅ Passed checks (2 passed)
Title check: ✅ Passed. The title 'fix: update react and nextjs' accurately describes the primary change—updating React and Next.js packages to patched security versions.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a03f0f and 3aac55d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (9)
  • integrations/react-next-15/package.json (1 hunks)
  • integrations/react-next-16/package.json (1 hunks)
  • integrations/react-vite/package.json (1 hunks)
  • integrations/react-webpack-4/package.json (1 hunks)
  • integrations/react-webpack-5/package.json (1 hunks)
  • packages/react-query-devtools/package.json (1 hunks)
  • packages/react-query-next-experimental/package.json (1 hunks)
  • packages/react-query-persist-client/package.json (1 hunks)
  • packages/react-query/package.json (1 hunks)
✅ Files skipped from review due to trivial changes (2)
  • integrations/react-next-16/package.json
  • packages/react-query-persist-client/package.json
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

  • integrations/react-next-15/package.json
  • packages/react-query-next-experimental/package.json
  • packages/react-query-devtools/package.json
  • integrations/react-webpack-4/package.json
  • integrations/react-vite/package.json
  • integrations/react-webpack-5/package.json
📚 Learning: 2025-08-19T03:18:18.303Z
Learnt from: oscartbeaumont
Repo: TanStack/query PR: 9564
File: packages/solid-query-devtools/src/production.tsx:2-3
Timestamp: 2025-08-19T03:18:18.303Z
Learning: In the solid-query-devtools package, the codebase uses a pattern of type-only default imports combined with typeof for component type annotations (e.g., `import type SolidQueryDevtoolsComp from './devtools'` followed by `typeof SolidQueryDevtoolsComp`). This pattern is consistently used across index.tsx and production.tsx files, and the maintainers prefer consistency over changing this approach.

Applied to files:

  • packages/react-query-devtools/package.json
🔇 Additional comments (7)
integrations/react-webpack-5/package.json (1)

10-11: LGTM! Security patch applied correctly.

The React and react-dom updates to ^19.0.3 correctly address the RSC vulnerabilities (CVE-2025-67779) mentioned in the PR objectives. The version 19.0.3 is confirmed as a patched release per the PR comments.

integrations/react-vite/package.json (1)

12-13: LGTM! Security patch correctly applied.

The React and react-dom versions have been updated to ^19.0.3, which addresses the RSC vulnerabilities (CVE-2025-67779) referenced in the PR objectives. Both packages are correctly synchronized.

packages/react-query-devtools/package.json (1)

90-90: LGTM! Security patch correctly applied.

The React version bump from ^19.2.1 to ^19.2.3 correctly addresses CVE-2025-67779 and the RSC vulnerabilities referenced in the PR. As a patch version update in devDependencies, this change poses no breaking changes or compatibility risks for package consumers.

integrations/react-next-15/package.json (1)

13-14: Security update to React 19.2.3 addresses CVE-2025-67779.

React 19.2.3 is the patched release for the high-severity CVE-2025-67779 affecting React Server Components (CVSS 7.5). The update is compatible with Next.js 15.4.8 and recommended.

integrations/react-webpack-4/package.json (1)

10-11: Approve security update to React 19.0.3.

The version bump correctly addresses CVE-2025-67779, a high-severity denial-of-service vulnerability in React Server Components. React 19.0.2 was found to have an incomplete patch, and 19.0.3 (released December 12–13, 2025) includes the necessary backported fixes. Update the react-server-dom-* packages to matching patched versions if applicable.

packages/react-query-next-experimental/package.json (1)

62-64: Version updates are correct security patches.

React 19.2.3 and Next.js 16.0.10 are the patched versions addressing the high-severity React Server Components vulnerabilities disclosed in December 2025. The updates are necessary and match the peer dependency ranges.

packages/react-query/package.json (1)

80-81: LGTM! Security patch correctly applied.

The React and react-dom version bumps to ^19.2.3 correctly address CVE-2025-67779, the denial-of-service vulnerability in React Server Components released December 11, 2025. The peerDependencies ^18 || ^19 maintain appropriate backward compatibility.



Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
examples/react/optimistic-updates-ui/package.json (1)

13-15: Duplicate: Verify Next.js version discrepancy (see previous comment for context).

This file shows the same pattern as the prior example: next ^16.0.9 instead of the 19.0.9 mentioned in PR objectives. Ensure consistency across all updated files and confirm compatibility.

examples/react/prefetching/package.json (1)

13-15: Duplicate: Verify Next.js version discrepancy (see previous comment for context).

Consistent with files 1 and 2: next shows ^16.0.9 rather than 19.0.9 from PR objectives. Verify this is intentional across the repository.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f15b7fc and b09bc3a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (27)
  • examples/react/algolia/package.json (1 hunks)
  • examples/react/auto-refetching/package.json (1 hunks)
  • examples/react/basic-graphql-request/package.json (1 hunks)
  • examples/react/basic/package.json (1 hunks)
  • examples/react/chat/package.json (1 hunks)
  • examples/react/default-query-function/package.json (1 hunks)
  • examples/react/devtools-panel/package.json (1 hunks)
  • examples/react/eslint-legacy/package.json (1 hunks)
  • examples/react/infinite-query-with-max-pages/package.json (1 hunks)
  • examples/react/load-more-infinite-scroll/package.json (1 hunks)
  • examples/react/nextjs-app-prefetching/package.json (1 hunks)
  • examples/react/nextjs-suspense-streaming/package.json (1 hunks)
  • examples/react/nextjs/package.json (1 hunks)
  • examples/react/offline/package.json (1 hunks)
  • examples/react/optimistic-updates-cache/package.json (1 hunks)
  • examples/react/optimistic-updates-ui/package.json (1 hunks)
  • examples/react/pagination/package.json (1 hunks)
  • examples/react/playground/package.json (1 hunks)
  • examples/react/prefetching/package.json (1 hunks)
  • examples/react/react-native/package.json (1 hunks)
  • examples/react/react-router/package.json (1 hunks)
  • examples/react/rick-morty/package.json (1 hunks)
  • examples/react/shadow-dom/package.json (1 hunks)
  • examples/react/simple/package.json (1 hunks)
  • examples/react/star-wars/package.json (1 hunks)
  • examples/react/suspense/package.json (1 hunks)
  • package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

  • examples/react/nextjs/package.json
  • examples/react/nextjs-suspense-streaming/package.json
  • examples/react/rick-morty/package.json
  • examples/react/playground/package.json
  • examples/react/auto-refetching/package.json
  • examples/react/default-query-function/package.json
  • examples/react/optimistic-updates-ui/package.json
  • examples/react/nextjs-app-prefetching/package.json
  • examples/react/algolia/package.json
  • examples/react/star-wars/package.json
  • examples/react/shadow-dom/package.json
  • examples/react/chat/package.json
  • examples/react/infinite-query-with-max-pages/package.json
  • examples/react/suspense/package.json
  • examples/react/devtools-panel/package.json
  • examples/react/basic-graphql-request/package.json
  • examples/react/pagination/package.json
  • examples/react/eslint-legacy/package.json
  • examples/react/offline/package.json
  • examples/react/basic/package.json
  • examples/react/optimistic-updates-cache/package.json
  • examples/react/prefetching/package.json
  • examples/react/load-more-infinite-scroll/package.json
  • examples/react/react-router/package.json
  • examples/react/simple/package.json
📚 Learning: 2025-08-19T03:18:18.303Z
Learnt from: oscartbeaumont
Repo: TanStack/query PR: 9564
File: packages/solid-query-devtools/src/production.tsx:2-3
Timestamp: 2025-08-19T03:18:18.303Z
Learning: In the solid-query-devtools package, the codebase uses a pattern of type-only default imports combined with typeof for component type annotations (e.g., `import type SolidQueryDevtoolsComp from './devtools'` followed by `typeof SolidQueryDevtoolsComp`). This pattern is consistently used across index.tsx and production.tsx files, and the maintainers prefer consistency over changing this approach.

Applied to files:

  • examples/react/shadow-dom/package.json
🔇 Additional comments (25)
examples/react/rick-morty/package.json (1)

13-14: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/star-wars/package.json (1)

13-14: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/pagination/package.json (1)

13-15: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities affecting Next.js RSC, consider using tilde ranges (~16.0.9, ~19.2.2) or exact versions to prevent unintended upgrades until tested.

examples/react/basic-graphql-request/package.json (1)

15-16: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/devtools-panel/package.json (1)

13-14: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.0.2) or exact versions (19.0.2) to prevent unintended upgrades until tested.

examples/react/nextjs-suspense-streaming/package.json (1)

14-16: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities affecting Next.js RSC streaming, consider using tilde ranges (~16.0.9, ~19.2.2) or exact versions to prevent unintended upgrades until tested.

examples/react/nextjs/package.json (1)

13-15: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities affecting Next.js RSC, consider using tilde ranges (~16.0.9, ~19.2.2) or exact versions to prevent unintended upgrades until tested.

package.json (1)

66-67: Verify caret ranges are appropriate for security-critical patches.

Using caret ranges (^) on patch-level versions allows automatic minor version upgrades. For security patches addressing critical RCE vulnerabilities, consider using tilde ranges (~19.2.2) or exact versions (19.2.2) to prevent unintended upgrades until tested.

examples/react/infinite-query-with-max-pages/package.json (1)

13-15: Verify version alignment across all examples.

This file updates React/React-DOM to ^19.2.2 (matching the PR objective), but other example files in the PR are updating to ^19.0.2 instead. Additionally, the PR objective states "next: 19.0.9" but this file (and others) are at ^16.0.9.

Please confirm whether:

  1. The split between ^19.0.2 and ^19.2.2 for React is intentional (e.g., examples with Next.js use ^19.2.2, others use ^19.0.2).
  2. The PR objective's "next: 19.0.9" is a typo and should be "next: 16.0.9".
  3. All examples that should be at ^19.2.2 have been updated (or if some should remain at ^19.0.2).
examples/react/shadow-dom/package.json (1)

13-14: Verify whether this example should be at React ^19.2.2 instead of ^19.0.2.

The PR objective targets React/React-DOM 19.2.2, but this file is only being updated to 19.0.2. Please confirm if this is intentional (e.g., example-specific constraints) or if it should match the other Next.js examples at 19.2.2.

examples/react/react-router/package.json (1)

15-16: Check TypeScript type definitions compatibility.

React is being bumped to ^19.0.2, but @types/react remains at ^18.2.79 (line 23). Ensure that React 18.x types are compatible with React 19.0.x runtime, or consider updating types to ^19.x if needed.

examples/react/eslint-legacy/package.json (1)

16-17: Check TypeScript type definitions compatibility.

React is being bumped to ^19.0.2, but @types/react remains at ^18.2.79 (line 21). Ensure compatibility between React 18.x types and React 19.0.x runtime.

examples/react/optimistic-updates-cache/package.json (1)

13-15: LGTM.

Version updates are consistent with other Next.js examples and the PR objective (Next.js ^16.0.9, React/React-DOM ^19.2.2). Type definitions are appropriately aligned at 19.2.x.

examples/react/basic/package.json (1)

16-17: Check TypeScript type definitions compatibility.

React is being bumped to ^19.0.2, but @types/react remains at ^18.2.79 (line 21). Ensure compatibility between React 18.x types and React 19.0.x runtime.

examples/react/simple/package.json (1)

13-14: LGTM.

Minor patch version bump for non-Next.js example is consistent with the PR pattern. No type definition concerns in this simplified example.

examples/react/default-query-function/package.json (1)

13-14: LGTM.

Minor patch version bump for non-Next.js example follows the established pattern. No type definition concerns.

examples/react/algolia/package.json (1)

14-15: Verify React version branch is intentional.

Like other examples, this file uses ^19.0.2 while some examples use ^19.2.2. Confirm whether this version split is intentional or if all examples should target the same React security patch version.

examples/react/suspense/package.json (1)

14-15: Verify React version branch is intentional.

This example uses ^19.0.2, but some examples use ^19.2.2. Ensure this version split across Vite-based and Next.js-based examples is intentional.

examples/react/offline/package.json (1)

17-18: Verify React version branch is intentional.

This example uses ^19.0.2, but some examples use ^19.2.2. Ensure this version split is intentional across the repository.

examples/react/react-native/package.json (1)

22-22: Verify React version branch is intentional.

This example uses ^19.0.2, which is consistent with other non-Next.js examples. Confirm this version branch intentionally differs from ^19.2.2 used in Next.js examples.

examples/react/playground/package.json (1)

13-14: Verify React version branch is intentional.

This example uses ^19.0.2, consistent with other non-Next.js examples. Confirm this is intentional and addresses the same RSC vulnerability as ^19.2.2 versions in other examples.

examples/react/nextjs-app-prefetching/package.json (1)

13-15: The package.json versions are correct. Next.js 19.0.9 does not exist—Next.js is currently at 16.x releases. The version ^16.0.9 properly addresses the RSC vulnerability (CVE-2025-66478), which was patched starting in 16.0.7. No "PR objectives" requiring 19.0.9 are documented in the repository. No action needed.

Likely an incorrect or invalid review comment.

examples/react/chat/package.json (1)

13-14: The versions specified (^19.0.2) are correct and address the RSC vulnerabilities. React 19.0.2 is one of the officially patched versions released following the December 2025 security advisories (CVE-2025-55182, CVE-2025-55183, CVE-2025-55184). No change needed here.

examples/react/optimistic-updates-ui/package.json (1)

17-21: Inconsistent type definition updates.

File 1 (load-more-infinite-scroll) includes updates to @types/react (^19.2.7) and @types/react-dom (^19.2.3), but this file does not. Given the runtime dependency updates to React 19.2.2, consider aligning type definitions across all examples.

examples/react/load-more-infinite-scroll/package.json (1)

13-15: No changes needed. Next.js 16.0.9 fully supports React 19.2.2 and includes RSC vulnerability fixes from December 2025 (CVE-2025-66478, patched in 16.0.7 and included in 16.0.9). The version specifications are correct and compatible.
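The two recurring points in the review above, whether a caret range on a security patch is tight enough and whether @types/react still trails the React runtime by a major, can be checked mechanically across a monorepo's manifests. The script below is an added example, not the repository's own tooling: it assumes the patched floors from the advisories linked in the PR (React 19.0.3 / 19.2.3, Next.js 16.0.10) and constructs two sample manifests modelled on the files the review discusses.

```python
"""Audit package.json manifests against the React / Next.js security floors discussed in this PR.
Added example (not the repository's tooling): floors come from the advisories linked in the PR,
the two sample manifests are constructed to mirror files the review discusses."""
import json

# Minimum patched version per release line (major, minor): React 19.0.3 / 19.2.3 after the
# incomplete-patch follow-up (CVE-2025-67779), Next.js 16.0.10.
PATCHED_FLOORS = {
    "react": {(19, 0): (19, 0, 3), (19, 2): (19, 2, 3)},
    "react-dom": {(19, 0): (19, 0, 3), (19, 2): (19, 2, 3)},
    "next": {(16, 0): (16, 0, 10)},
}
# Runtime package -> its DefinitelyTyped package; the majors should agree.
TYPES_FOR = {"react": "@types/react", "react-dom": "@types/react-dom"}


def parse_range(spec):
    """'^x.y.z', '~x.y.z' or exact 'x.y.z' -> (operator, (x, y, z)); anything else -> None.
    Unions ('^18 || ^19'), 'workspace:*', tags and wildcards are left to a human on purpose.
    """
    spec = spec.strip()
    op = ""
    if spec[:1] in ("^", "~"):
        op, spec = spec[0], spec[1:]
    parts = spec.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return op, tuple(int(p) for p in parts)


def exclusive_upper(op, lower):
    """First version the range no longer admits, per npm semver rules."""
    major, minor, patch = lower
    if op == "^":  # caret admits minor and patch bumps, narrower on 0.x lines
        if major > 0:
            return (major + 1, 0, 0)
        if minor > 0:  # ^0.y.z behaves like ~0.y.z
            return (0, minor + 1, 0)
        return (0, 0, patch + 1)  # ^0.0.z is effectively a pin
    if op == "~":  # tilde admits patch bumps only
        return (major, minor + 1, 0)
    return (major, minor, patch + 1)  # exact pin


def audit_manifest(manifest):
    """Return (section, package, spec, verdict) tuples for one parsed package.json.
    peerDependencies are skipped: '^18 || ^19' declares compatibility, it does not pick
    the version that gets installed.
    """
    findings = []
    for section in ("dependencies", "devDependencies"):
        deps = manifest.get(section, {})
        for name, floors in PATCHED_FLOORS.items():
            spec = deps.get(name)
            if spec is None:
                continue
            parsed = parse_range(spec)
            if parsed is None:
                findings.append((section, name, spec, "unparseable range, review manually"))
                continue
            op, lower = parsed
            floor = floors.get(lower[:2])
            if floor is None:
                findings.append((section, name, spec, "release line not in floor table"))
            elif lower < floor:
                findings.append((section, name, spec, "below patched floor %d.%d.%d" % floor))
            elif op == "^":
                upper = exclusive_upper(op, lower)
                findings.append((section, name, spec, "ok; caret admits up to <%d.%d.%d" % upper))
            else:
                findings.append((section, name, spec, "ok"))
    # Runtime / typings major mismatch, the issue the review raised for the Vite examples.
    merged = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    for runtime, types_pkg in TYPES_FOR.items():
        rt, ty = parse_range(merged.get(runtime, "")), parse_range(merged.get(types_pkg, ""))
        if rt and ty and rt[1][0] != ty[1][0]:
            verdict = "major %d does not match %s major %d" % (ty[1][0], runtime, rt[1][0])
            findings.append(("types", types_pkg, merged[types_pkg], verdict))
    return findings


def outstanding(manifest):
    """Only the findings that still need action."""
    return [f for f in audit_manifest(manifest) if not f[3].startswith("ok")]


# Constructed samples: a Vite example still on 19.0.2 with React 18 typings (the review's
# complaint), and a Next.js example after the second round of bumps.
SAMPLE_VITE = json.loads("""{
  "dependencies": {"react": "^19.0.2", "react-dom": "^19.0.2", "@tanstack/react-query": "workspace:*"},
  "devDependencies": {"@types/react": "^18.2.79"}
}""")
SAMPLE_NEXT = json.loads("""{
  "dependencies": {"next": "^16.0.10", "react": "^19.2.3", "react-dom": "^19.2.3"},
  "devDependencies": {"@types/react": "^19.2.7", "@types/react-dom": "^19.2.3"}
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_VITE) + audit_manifest(SAMPLE_NEXT):
        print(*finding, sep="  ")
```

Pointing `audit_manifest` at every package.json in the repository (json.load on each file) gives the version-split and typings report the review assembled by hand; the lockfile still has to be regenerated separately, as the later comments on this PR show.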

@PierreCrb PierreCrb marked this pull request as draft December 12, 2025 10:20
@PierreCrb
Author

React released an additional fix for an incomplete DoS patch (CVE-2025-67779).
Updated React to 19.0.3 / 19.2.3, as 19.0.2 / 19.2.2 are still vulnerable.

Next.js was also updated to include the patched React versions:

  • next: 16.0.9 → 16.0.10
  • react: 19.2.2 → 19.2.3
  • react-dom: 19.2.2 → 19.2.3

Refs:
https://x.com/reactjs/status/1999267418846449786

@PierreCrb PierreCrb marked this pull request as ready for review December 12, 2025 10:41
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b09bc3a and f56d411.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (27)
  • examples/react/algolia/package.json (1 hunks)
  • examples/react/auto-refetching/package.json (1 hunks)
  • examples/react/basic-graphql-request/package.json (1 hunks)
  • examples/react/basic/package.json (1 hunks)
  • examples/react/chat/package.json (1 hunks)
  • examples/react/default-query-function/package.json (1 hunks)
  • examples/react/devtools-panel/package.json (1 hunks)
  • examples/react/eslint-legacy/package.json (1 hunks)
  • examples/react/infinite-query-with-max-pages/package.json (1 hunks)
  • examples/react/load-more-infinite-scroll/package.json (1 hunks)
  • examples/react/nextjs-app-prefetching/package.json (1 hunks)
  • examples/react/nextjs-suspense-streaming/package.json (1 hunks)
  • examples/react/nextjs/package.json (1 hunks)
  • examples/react/offline/package.json (1 hunks)
  • examples/react/optimistic-updates-cache/package.json (1 hunks)
  • examples/react/optimistic-updates-ui/package.json (1 hunks)
  • examples/react/pagination/package.json (1 hunks)
  • examples/react/playground/package.json (1 hunks)
  • examples/react/prefetching/package.json (1 hunks)
  • examples/react/react-native/package.json (1 hunks)
  • examples/react/react-router/package.json (1 hunks)
  • examples/react/rick-morty/package.json (1 hunks)
  • examples/react/shadow-dom/package.json (1 hunks)
  • examples/react/simple/package.json (1 hunks)
  • examples/react/star-wars/package.json (1 hunks)
  • examples/react/suspense/package.json (1 hunks)
  • package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (14)
  • examples/react/optimistic-updates-cache/package.json
  • examples/react/eslint-legacy/package.json
  • examples/react/load-more-infinite-scroll/package.json
  • examples/react/star-wars/package.json
  • examples/react/nextjs-app-prefetching/package.json
  • examples/react/nextjs-suspense-streaming/package.json
  • examples/react/infinite-query-with-max-pages/package.json
  • examples/react/pagination/package.json
  • examples/react/basic-graphql-request/package.json
  • examples/react/nextjs/package.json
  • examples/react/auto-refetching/package.json
  • examples/react/shadow-dom/package.json
  • examples/react/suspense/package.json
  • examples/react/algolia/package.json
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

  • examples/react/default-query-function/package.json
  • examples/react/rick-morty/package.json
  • examples/react/simple/package.json
  • examples/react/devtools-panel/package.json
  • examples/react/optimistic-updates-ui/package.json
  • examples/react/offline/package.json
  • examples/react/basic/package.json
  • examples/react/chat/package.json
  • examples/react/prefetching/package.json
  • examples/react/playground/package.json
  • examples/react/react-router/package.json
🔇 Additional comments (11)
examples/react/rick-morty/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps to ^19.0.3 address CVE-2025-67779 in React Server Components. The caret versioning allows patch-level updates within the 19.0.x range, which is appropriate for security patches.

examples/react/default-query-function/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No TypeScript type definitions are present in this project, so no type compatibility concerns.

examples/react/optimistic-updates-ui/package.json (1)

13-15: Approved: Security patch updates for React 19.2.3 and Next.js 16.0.10.

The version bumps address CVE-2025-67779 in React Server Components and Next.js. TypeScript definitions are correctly aligned (lines 18–19: @types/react@^19.2.7, @types/react-dom@^19.2.3), matching the React 19.2.3 upgrade.

examples/react/playground/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No React TypeScript definitions are declared in this project's devDependencies.

examples/react/offline/package.json (1)

17-18: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No React TypeScript definitions are declared in this project's devDependencies.

examples/react/chat/package.json (1)

13-14: Approved: Security patch update for React 19.0.3.

The version bumps address CVE-2025-67779. No React TypeScript definitions are declared in this project's devDependencies.

examples/react/simple/package.json (1)

13-14: Security patch: Update react and react-dom to 19.0.3.

The update from ^19.0.0 to ^19.0.3 applies security patches for React Server Components vulnerabilities (CVE-2025-67779).

Verify that react@19.0.3 and react-dom@19.0.3 exist and contain the documented security fixes.

examples/react/devtools-panel/package.json (1)

13-14: Security patch: Update react and react-dom to 19.0.3.

The update applies security fixes for React Server Components vulnerabilities, specifically addressing CVE-2025-67779 (Denial-of-Service via unsafe deserialization) and related follow-up issues (CVE-2025-55184, CVE-2025-55183) as documented in the React security advisory published December 11, 2025. These patches are essential for production systems using React Server Components.

examples/react/react-native/package.json (1)

22-22: Security patch: Update react to 19.0.3.

The update from ^19.0.0 to ^19.0.3 applies security patches for React Server Components vulnerabilities, including the critical CVE-2025-55182 (React2Shell RCE, CVSS 10.0) and additional RSC issues (CVE-2025-55183 and CVE-2025-55184) disclosed in December 2025. The absence of react-dom is correct for React Native, which does not depend on react-dom.

package.json (1)

66-67: Revert react and react-dom versions: 19.2.3 does not exist.

React 19.2.3 and react-dom 19.2.3 are not released versions. The latest stable versions addressing CVE-2025-67779 are 19.2.2. Update to "react": "^19.2.2" and "react-dom": "^19.2.2" instead, or use the appropriate backported patch for your version line (19.0.2, 19.1.3, or 19.2.2).

Likely an incorrect or invalid review comment.

examples/react/prefetching/package.json (1)

13-15: Security patch: Update next, react, and react-dom to patched versions.

The updates address security vulnerabilities across the Next.js and React stack:

  • next: ^16.0.7 → ^16.0.10 (patched Dec 12, 2025 for React Server Components vulnerabilities)
  • react: ^19.2.1 → ^19.2.3 (addresses CVE-2025-67779 DoS in RSC implementations)
  • react-dom: ^19.2.1 → ^19.2.3 (addresses CVE-2025-67779 DoS in RSC implementations)

See Next.js security advisory (https://nextjs.org/blog/security-update-2025-12-11) for details on patched releases.

@PierreCrb PierreCrb marked this pull request as draft December 12, 2025 11:09
@PierreCrb PierreCrb marked this pull request as ready for review December 12, 2025 11:11
@nx-cloud

nx-cloud bot commented Dec 15, 2025

View your CI Pipeline Execution ↗ for commit 3aac55d


☁️ Nx Cloud last updated this comment at 2025-12-16 09:19:23 UTC

@TkDodo
Collaborator

TkDodo commented Dec 15, 2025

you didn’t update the lockfile

@PierreCrb
Author

you didn’t update the lockfile

My bad, I thought I had already updated it, thanks!
Lockfile is now updated and pushed :)

@pkg-pr-new

pkg-pr-new bot commented Dec 15, 2025

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@9965

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@9965

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@9965

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@9965

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@9965

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@9965

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@9965

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@9965

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@9965

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@9965

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@9965

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@9965

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@9965

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@9965

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@9965

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@9965

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@9965

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@9965

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@9965

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@9965

commit: 96eec3e

@TkDodo
Collaborator

TkDodo commented Dec 16, 2025

ugh

 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/packages/react-query/package.json
