chore(deps): bump react to 19.2.1 for RCE CVE fix #1

Merged
cau1k merged 1 commit into main from chore/bump-react on Dec 4, 2025

Conversation

@cau1k
Member

@cau1k cau1k commented Dec 4, 2025

Summary

  • Bump react/react-dom 19.2.0 → 19.2.1, types to latest
  • Addresses recent RCE CVE

Summary by CodeRabbit

  • Chores
    • Updated React and associated type definition dependencies to latest patch versions.


@coderabbitai

coderabbitai bot commented Dec 4, 2025

Walkthrough

Minor version upgrades applied to React and React DOM dependencies, along with their corresponding type definitions in the docs package. React and react-dom incremented from ^19.2.0 to ^19.2.1; @types/react and @types/react-dom incremented from ^19.2.2 to ^19.2.3.

Changes

Cohort / File(s): Dependency Version Bumps
  apps/docs/package.json
Summary: Updated react and react-dom from ^19.2.0 to ^19.2.1; updated @types/react and @types/react-dom from ^19.2.2 to ^19.2.3

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

  • Single-file change with homogeneous dependency version updates
  • No functional code alterations or breaking changes to review
  • Straightforward semver patch/minor version increments

Poem

🐰 A hop and a bump, version numbers align,
React and types dance in harmony fine,
Nineteen point two dot one, the updates are neat,
Dependencies refreshed, our packages complete!
Thump thump! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name: Description Check | Status: ✅ Passed | Explanation: Check skipped - CodeRabbit's high-level summary is enabled.
Check name: Title check | Status: ✅ Passed | Explanation: The title accurately summarizes the main change: a dependency bump of react to version 19.2.1, and includes the stated security motivation (RCE CVE fix).
Check name: Docstring Coverage | Status: ✅ Passed | Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d9e2b50 and 93f6159.

📒 Files selected for processing (1)
  • apps/docs/package.json (2 hunks)
🔇 Additional comments (3)
apps/docs/package.json (3)

30-31: Address inconsistency in AI summary regarding @types/react version.

The AI summary claims @types/react was upgraded from ^19.2.2 to ^19.2.3, but the code shows ^19.2.7. This is a material discrepancy that needs clarification.

Verify that @types/react ^19.2.7 is the intended version and is compatible with React ^19.2.1, or confirm if the version was incorrectly reported in the summary.

Also applies to: 41-42


30-31: This is not a concern. A search across all 6 package.json files in the monorepo confirms that only apps/docs/package.json contains React dependencies, which is the appropriate structure. The other packages (root package.json, internals/tsconfig, packages/core, packages/librarian-plugin, packages/prompts) do not require React, so they should not include this dependency.


30-31: CVE-2025-55182 is a critical unauthenticated RCE in React Server Components; the 19.2.1 patch is the correct fix.

Verification confirms React 19.2.0 is affected by CVE-2025-55182 (critical severity, affecting versions 19.0, 19.1.0, 19.1.1, and 19.2.0). React published patched versions 19.0.1, 19.1.2, and 19.2.1 on December 3, 2025. The bump to ^19.2.1 correctly resolves this vulnerability. Merge after confirming all app instances using React are updated.



@cau1k cau1k merged commit 6fd1977 into main Dec 4, 2025
2 of 3 checks passed
@cau1k cau1k deleted the chore/bump-react branch December 4, 2025 21:23