Skip to content

Update monorepo internal React deps #14639

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
brophdawg11 merged 26 commits into from
Dec 11, 2025
Merged

Update monorepo internal React deps #14639

brophdawg11 merged 26 commits into from
Dec 11, 2025

Conversation

@brophdawg11
Copy link
Contributor

@brophdawg11 brophdawg11 commented Dec 8, 2025
edited
Loading

Updates all of our internal deps (integration tests, playgrounds, tutorial, dev deps, etc.) to the latest versions of packages impacted by GHSA-fv66-9v8q-g76r. Our packages are not directly impacted as all impacted packages are peerDeps managed by the user application - but it's still best to update our internals deps and this will help avoid confusion as folks search through our various monorepo package.json files and see vulnerable versions.

  • react -> 19.2.1
  • react-dom -> 19.2.1
  • react-server-dom-parcel -> 19.2.1
  • @vitejs/plugin-rsc -> 0.5.6
    • This was causing some issues in CI we're still digging into so will be done in a follow up PR

This also now moves these deps to the pnpm catalog for easier updating now and in the future

@timdorr timdorr changed the title Update monorepo react deps Update monorepo internal React deps Dec 8, 2025
@timdorr
Copy link
Member

timdorr commented Dec 8, 2025

Updated the title to be clear that this is just for our internal React dependencies.

Users of the library can already upgrade to the fixed versions of React and the associated packages from the vulnerability. The version selectors on the current react-router packages all allow the fixed versions to be installed.

@brophdawg11 brophdawg11 force-pushed the brophdawg11/repo-deps branch 2 times, most recently from 53935ef to 625386a Compare December 8, 2025 18:32
@brophdawg11
Copy link
Contributor Author

brophdawg11 commented Dec 8, 2025

I think the latest E2E failure is related to #14633. Still have to dig in further.

@brophdawg11 brophdawg11 mentioned this pull request Dec 8, 2025
Merged
@brophdawg11 brophdawg11 added the dependencies Pull requests that update a dependency file label Dec 9, 2025
@brophdawg11 brophdawg11 changed the base branch from main to dev December 10, 2025 16:32
@brophdawg11 brophdawg11 force-pushed the brophdawg11/repo-deps branch from 6dd12eb to 108345a Compare December 10, 2025 16:34
@brophdawg11 brophdawg11 changed the base branch from dev to main December 10, 2025 16:34
@brophdawg11 brophdawg11 force-pushed the brophdawg11/repo-deps branch from 108345a to e8f7cdb Compare December 10, 2025 16:36
@brophdawg11
Update integration/playground/tutoprial react dependencies to ^19.2.1
3445757
@brophdawg11
Update packages/* dev dependencies to react ^19.2.1
db36a63
@brophdawg11
Remove root monorepo dep on react-server-dom-parcel
9a85b4c
@brophdawg11
Update @vitejs/plugin-rsc dev deps to 0.5.6
f0ba69c
@brophdawg11
Update lockfile
0a70866
@brophdawg11
Update unit test for updated useId format
bfc2967
@brophdawg11
Fix integration test failing due to 19.2 react performance script tag
8f9fe46
@brophdawg11
Fix flaky defer test
64f4a8a
@brophdawg11
Fix single fetch integration test due to new react 19.2 script tag
656a85b
@brophdawg11
Add back root dep for integration tests
60e4392
@brophdawg11
Revert vite plugin update to get CI passing
a7f6975
@brophdawg11
Add lockfileupdates
6f9ab90
@brophdawg11
Update e2e test to ignore react 19 performance track logs
42143a8
@brophdawg11
Move react deps to pnpm catalog
cf78dc7
@brophdawg11
Move react-server-dom-parcel to pnpm catalog
df42768
@brophdawg11
Move vite rsc pliugin to pnpm catalog
f57987c
@brophdawg11
Add pnpm-workspace file to wireit configs
858df57
@brophdawg11
Downgrade vite plugin to get CI passing
155e949
@brophdawg11 brophdawg11 force-pushed the brophdawg11/repo-deps branch from e8f7cdb to 155e949 Compare December 10, 2025 16:46
@brophdawg11 brophdawg11 changed the base branch from main to dev December 10, 2025 16:47
@remix-run remix-run deleted a comment from changeset-bot bot Dec 10, 2025
brophdawg11
brophdawg11 commented Dec 10, 2025
View reviewed changes
packages/create-react-router/package.json
"build": {
"command": "tsup",
"files": [
"../../pnpm-workspace.yaml",
Copy link
Contributor Author

@brophdawg11 brophdawg11 Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trigger a new wireit build if we update any catalog versions

@brophdawg11
Copy link
Contributor Author

brophdawg11 commented Dec 10, 2025

ok rebased all these commits and repointed to dev (and began leveraging the pnpm catalog there) since the changes ended up touching e2e tests and stuff so it felt a bit more risky to just yolo to main :)

@brophdawg11 brophdawg11 reopened this Dec 10, 2025
@brophdawg11
Copy link
Contributor Author

brophdawg11 commented Dec 10, 2025

needed a close/reopen to trigger CI for some reason...

@changeset-bot
Copy link

changeset-bot bot commented Dec 10, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: a46ef11

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@brophdawg11
Copy link
Contributor Author

brophdawg11 commented Dec 11, 2025

@jacob-ebey tracked down the RSC issue we were seeing in #14643 and the fix was pinning to react canary.

This PR adds an additional named PNPM catalog for react@canary used by the RSC integration templates/playgrounds and sets the rest of the repo react deps back to stable 19.2.1. It also lifts react types up to the catalogs and adds pnpm-workspace.yaml to the wireit configs to force rebuilds on catalog updates.

@brophdawg11 brophdawg11 merged commit ff50507 into dev Dec 11, 2025
9 checks passed
@brophdawg11 brophdawg11 deleted the brophdawg11/repo-deps branch December 11, 2025 19:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CLA Signed dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@brophdawg11 @timdorr