fix(deps): update react monorepo to v19 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@types/react-dom (source)	^17.0.11 -> ^19.0.0
react (source)	17.0.2 -> 19.0.0
react-dom (source)	17.0.2 -> 19.0.0

---

Release Notes

facebook/react (react)

v19.0.0

Compare Source

v18.3.1

Compare Source

v18.3.0

Compare Source

v18.2.0

Compare Source

React DOM

• Provide a component stack as a second argument to onRecoverableError. (@​gnoff in #​24591)
• Fix hydrating into document causing a blank page on mismatch. (@​gnoff in #​24523)
• Fix false positive hydration errors with Suspense. (@​gnoff in #​24480 and @​acdlite in #​24532)
• Fix ignored setState in Safari when adding an iframe. (@​gaearon in #​24459)

React DOM Server

• Pass information about server errors to the client. (@​salazarm and @​gnoff in #​24551 and #​24591)
• Allow to provide a reason when aborting the HTML stream. (@​gnoff in #​24680)
• Eliminate extraneous text separators in the HTML where possible. (@​gnoff in #​24630)
• Disallow complex children inside <title> elements to match the browser constraints. (@​gnoff in #​24679)
• Fix buffering in some worker environments by explicitly setting highWaterMark to 0. (@​jplhomer in #​24641)

Server Components (Experimental)

• Add support for useId() inside Server Components. (@​gnoff in #​24172)

v18.1.0

Compare Source

React DOM

• Fix the false positive warning about react-dom/client when using UMD bundle. (@​alireza-molaee in #​24274)
• Fix suppressHydrationWarning to work in production too. (@​gaearon in #​24271)
• Fix componentWillUnmount firing twice inside of Suspense. (@​acdlite in #​24308)
• Fix some transition updates being ignored. (@​acdlite in #​24353)
• Fix useDeferredValue causing an infinite loop when passed an unmemoized value. (@​acdlite in #​24247)
• Fix throttling of revealing Suspense fallbacks. (@​sunderls in #​24253)
• Fix an inconsistency in whether the props object is the same between renders. (@​Andarist and @​acdlite in #​24421)
• Fix a missing warning about a setState loop in useEffect. (@​gaearon in #​24298)
• Fix a spurious hydration error. (@​gnoff in #​24404)
• Warn when calling setState in useInsertionEffect. (@​gaearon in #​24295)
• Ensure the reason for hydration errors is always displayed. (@​gaearon in #​24276)

React DOM Server

• Fix escaping for the bootstrapScriptContent contents. (@​gnoff in #​24385)
• Significantly improve performance of renderToPipeableStream. (@​gnoff in #​24291)

ESLint Plugin: React Hooks

• Fix false positive errors with a large number of branches. (@​scyron6 in #​24287)
• Don't consider a known dependency stable when the variable is reassigned. (@​afzalsayed96 in #​24343)

Use Subscription

• Replace the implementation with the use-sync-external-store shim. (@​gaearon in #​24289)

v18.0.0

Compare Source

Below is a list of all new features, APIs, deprecations, and breaking changes.
Read React 18 release post and React 18 upgrade guide for more information.

New Features

React

• useId is a new hook for generating unique IDs on both the client and server, while avoiding hydration mismatches. It is primarily useful for component libraries integrating with accessibility APIs that require unique IDs. This solves an issue that already exists in React 17 and below, but it’s even more important in React 18 because of how the new streaming server renderer delivers HTML out-of-order.
• startTransition and useTransition let you mark some state updates as not urgent. Other state updates are considered urgent by default. React will allow urgent state updates (for example, updating a text input) to interrupt non-urgent state updates (for example, rendering a list of search results).
• useDeferredValue lets you defer re-rendering a non-urgent part of the tree. It is similar to debouncing, but has a few advantages compared to it. There is no fixed time delay, so React will attempt the deferred render right after the first render is reflected on the screen. The deferred render is interruptible and doesn't block user input.
• useSyncExternalStore is a new hook that allows external stores to support concurrent reads by forcing updates to the store to be synchronous. It removes the need for useEffect when implementing subscriptions to external data sources, and is recommended for any library that integrates with state external to React.
• useInsertionEffect is a new hook that allows CSS-in-JS libraries to address performance issues of injecting styles in render. Unless you’ve already built a CSS-in-JS library we don’t expect you to ever use this. This hook will run after the DOM is mutated, but before layout effects read the new layout. This solves an issue that already exists in React 17 and below, but is even more important in React 18 because React yields to the browser during concurrent rendering, giving it a chance to recalculate layout.

React DOM Client

These new APIs are now exported from react-dom/client:

• createRoot: New method to create a root to render or unmount. Use it instead of ReactDOM.render. New features in React 18 don't work without it.
• hydrateRoot: New method to hydrate a server rendered application. Use it instead of ReactDOM.hydrate in conjunction with the new React DOM Server APIs. New features in React 18 don't work without it.

Both createRoot and hydrateRoot accept a new option called onRecoverableError in case you want to be notified when React recovers from errors during rendering or hydration for logging. By default, React will use reportError, or console.error in the older browsers.

React DOM Server

These new APIs are now exported from react-dom/server and have full support for streaming Suspense on the server:

• renderToPipeableStream: for streaming in Node environments.
• renderToReadableStream: for modern edge runtime environments, such as Deno and Cloudflare workers.

The existing renderToString method keeps working but is discouraged.

facebook/react (react-dom)

v19.0.0

Compare Source

v18.3.1

Compare Source

v18.3.0

Compare Source

v18.2.0

Compare Source

React DOM

• Provide a component stack as a second argument to onRecoverableError. (@​gnoff in #​24591)
• Fix hydrating into document causing a blank page on mismatch. (@​gnoff in #​24523)
• Fix false positive hydration errors with Suspense. (@​gnoff in #​24480 and @​acdlite in #​24532)
• Fix ignored setState in Safari when adding an iframe. (@​gaearon in #​24459)

React DOM Server

• Pass information about server errors to the client. (@​salazarm and @​gnoff in #​24551 and #​24591)
• Allow to provide a reason when aborting the HTML stream. (@​gnoff in #​24680)
• Eliminate extraneous text separators in the HTML where possible. (@​gnoff in #​24630)
• Disallow complex children inside <title> elements to match the browser constraints. (@​gnoff in #​24679)
• Fix buffering in some worker environments by explicitly setting highWaterMark to 0. (@​jplhomer in #​24641)

Server Components (Experimental)

• Add support for useId() inside Server Components. (@​gnoff in #​24172)

v18.1.0

Compare Source

React DOM

• Fix the false positive warning about react-dom/client when using UMD bundle. (@​alireza-molaee in #​24274)
• Fix suppressHydrationWarning to work in production too. (@​gaearon in #​24271)
• Fix componentWillUnmount firing twice inside of Suspense. (@​acdlite in #​24308)
• Fix some transition updates being ignored. (@​acdlite in #​24353)
• Fix useDeferredValue causing an infinite loop when passed an unmemoized value. (@​acdlite in #​24247)
• Fix throttling of revealing Suspense fallbacks. (@​sunderls in #​24253)
• Fix an inconsistency in whether the props object is the same between renders. (@​Andarist and @​acdlite in #​24421)
• Fix a missing warning about a setState loop in useEffect. (@​gaearon in #​24298)
• Fix a spurious hydration error. (@​gnoff in #​24404)
• Warn when calling setState in useInsertionEffect. (@​gaearon in #​24295)
• Ensure the reason for hydration errors is always displayed. (@​gaearon in #​24276)

React DOM Server

• Fix escaping for the bootstrapScriptContent contents. (@​gnoff in #​24385)
• Significantly improve performance of renderToPipeableStream. (@​gnoff in #​24291)

ESLint Plugin: React Hooks

• Fix false positive errors with a large number of branches. (@​scyron6 in #​24287)
• Don't consider a known dependency stable when the variable is reassigned. (@​afzalsayed96 in #​24343)

Use Subscription

• Replace the implementation with the use-sync-external-store shim. (@​gaearon in #​24289)

v18.0.0

Compare Source

Below is a list of all new features, APIs, deprecations, and breaking changes.
Read React 18 release post and React 18 upgrade guide for more information.

New Features

React

• useId is a new hook for generating unique IDs on both the client and server, while avoiding hydration mismatches. It is primarily useful for component libraries integrating with accessibility APIs that require unique IDs. This solves an issue that already exists in React 17 and below, but it’s even more important in React 18 because of how the new streaming server renderer delivers HTML out-of-order.
• startTransition and useTransition let you mark some state updates as not urgent. Other state updates are considered urgent by default. React will allow urgent state updates (for example, updating a text input) to interrupt non-urgent state updates (for example, rendering a list of search results).
• useDeferredValue lets you defer re-rendering a non-urgent part of the tree. It is similar to debouncing, but has a few advantages compared to it. There is no fixed time delay, so React will attempt the deferred render right after the first render is reflected on the screen. The deferred render is interruptible and doesn't block user input.
• useSyncExternalStore is a new hook that allows external stores to support concurrent reads by forcing updates to the store to be synchronous. It removes the need for useEffect when implementing subscriptions to external data sources, and is recommended for any library that integrates with state external to React.
• useInsertionEffect is a new hook that allows CSS-in-JS libraries to address performance issues of injecting styles in render. Unless you’ve already built a CSS-in-JS library we don’t expect you to ever use this. This hook will run after the DOM is mutated, but before layout effects read the new layout. This solves an issue that already exists in React 17 and below, but is even more important in React 18 because React yields to the browser during concurrent rendering, giving it a chance to recalculate layout.

React DOM Client

These new APIs are now exported from react-dom/client:

• createRoot: New method to create a root to render or unmount. Use it instead of ReactDOM.render. New features in React 18 don't work without it.
• hydrateRoot: New method to hydrate a server rendered application. Use it instead of ReactDOM.hydrate in conjunction with the new React DOM Server APIs. New features in React 18 don't work without it.

Both createRoot and hydrateRoot accept a new option called onRecoverableError in case you want to be notified when React recovers from errors during rendering or hydration for logging. By default, React will use reportError, or console.error in the older browsers.

React DOM Server

These new APIs are now exported from react-dom/server and have full support for streaming Suspense on the server:

• renderToPipeableStream: for streaming in Node environments.
• renderToReadableStream: for modern edge runtime environments, such as Deno and Cloudflare workers.

The existing renderToString method keeps working but is discouraged.

---

Configuration

📅 Schedule: Branch creation - "* 0-3 1 * *" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🎉 Deployment for commit 2a9cdf6 :

Ingresses

• 🚀 https://api-recherche-entreprises-renovate-major-react-4etk2g.dev.fabrique.social.gouv.fr/
• 🚀 https://app-front-recherche-entreprises-renovate-major-react-4etk2g.dev.fabrique.social.gouv.fr/

Docker images

• 📦 docker pull ghcr.io/socialgouv/recherche-entreprises/api:sha-2a9cdf639c27e8bc39dc827171d02581631393fa
• 📦 docker pull ghcr.io/socialgouv/recherche-entreprises/front:sha-2a9cdf639c27e8bc39dc827171d02581631393fa

Debug

• 📕 Loki logs for namespace recherche-entreprises-renovate-major-react-monorepo-1o9y7x
• 📈 Pods monitoring for namespace recherche-entreprises-renovate-major-react-monorepo-1o9y7x
• 📈 Workloads monitoring for namespace recherche-entreprises-renovate-major-react-monorepo-1o9y7x
• 👮‍♂️ Namespace rancher recherche-entreprises-renovate-major-react-monorepo-1o9y7x
• 👮‍♂️ Deployment app-api
• 👮‍♂️ Deployment app-front

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	npm/[email protected]	CVE: GHSA-33f9-j839-rf8h Prototype Pollution in immer (CRITICAL) Affected versions: >= 7.0.0, < 9.0.6 Patched version: 9.0.6	front/yarn.lock	⚠︎
Critical CVE	npm/[email protected]	CVE: GHSA-g4rg-993r-mgx7 Improper Neutralization of Special Elements used in a Command in Shell-quote (CRITICAL) Affected versions: <= 1.7.2 Patched version: 1.7.3	front/yarn.lock	⚠︎
Critical CVE	npm/[email protected]	CVE: GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils (CRITICAL) Affected versions: >= 2.0.0, < 2.0.3 Patched version: 2.0.3	front/yarn.lock	⚠︎
Critical CVE	npm/[email protected]	CVE: GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils (CRITICAL) Affected versions: < 1.4.1 Patched version: 1.4.1	front/yarn.lock	⚠︎
Critical CVE	npm/[email protected]	CVE: GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsource (CRITICAL) Affected versions: < 1.1.1 Patched version: 1.1.1	front/yarn.lock	⚠︎
Critical CVE	npm/[email protected]	CVE: GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse (CRITICAL) Affected versions: < 1.5.8 Patched version: 1.5.8	front/yarn.lock	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]

[socket-security]

Report too large to display inline

View full report↗︎