Skip to content

build(deps): bump the next-react group across 1 directory with 4 updates#369

Merged
mergify[bot] merged 4 commits into
mainfrom
dependabot/npm_and_yarn/next-react-46fce48fe7
May 18, 2026
Merged

build(deps): bump the next-react group across 1 directory with 4 updates#369
mergify[bot] merged 4 commits into
mainfrom
dependabot/npm_and_yarn/next-react-46fce48fe7

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 11, 2026
edited
Loading

Bumps the next-react group with 4 updates in the / directory: next, react, react-dom and eslint-config-next.

Updates next from 16.2.4 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes

  • fix: preserve HTTP access fallbacks during prerender recovery (#92231)
  • Fix fallback route params case in app-page handler (#91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
  • Patch setHeader for direct route handlers (#93101)
  • Include deployment id in cacheHandlers keys (#93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

... (truncated)

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
  • 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
  • a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
  • 766148f v16.2.5
  • 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
  • d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
  • 9d50c0b Strip next-resume header from incoming requests (#92)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Updates eslint-config-next from 16.2.4 to 16.2.6

Release notes

Sourced from eslint-config-next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes

  • fix: preserve HTTP access fallbacks during prerender recovery (#92231)
  • Fix fallback route params case in app-page handler (#91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
  • Patch setHeader for direct route handlers (#93101)
  • Include deployment id in cacheHandlers keys (#93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-config-next since your current version.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 11, 2026
@dependabot dependabot Bot changed the title build(deps): bump the next-react group with 4 updates build(deps): bump the next-react group across 1 directory with 4 updates May 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-react-46fce48fe7 branch from 57f8c03 to 43b566d Compare May 15, 2026 00:57
@julianken-bot
Copy link
Copy Markdown
Collaborator

julianken-bot commented May 18, 2026

@dependabot rebase

@dependabot dependabot Bot changed the title build(deps): bump the next-react group across 1 directory with 4 updates chore(deps): bump the next-react group across 1 directory with 4 updates May 18, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-react-46fce48fe7 branch from 43b566d to c0c78f6 Compare May 18, 2026 00:57
@julianken-bot
Copy link
Copy Markdown
Collaborator

julianken-bot commented May 18, 2026

@dependabot recreate

@dependabot dependabot Bot changed the title chore(deps): bump the next-react group across 1 directory with 4 updates build(deps): bump the next-react group across 1 directory with 4 updates May 18, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-react-46fce48fe7 branch from c0c78f6 to c272418 Compare May 18, 2026 01:03
@dependabot
build(deps): bump the next-react group across 1 directory with 4 updates
19a89f1 
Bumps the next-react group with 4 updates in the / directory: [next](https://github.com/vercel/next.js), [react](https://github.com/facebook/react/tree/HEAD/packages/react), [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) and [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next).


Updates `next` from 16.2.4 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.4...v16.2.6)

Updates `react` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

Updates `react-dom` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom)

Updates `eslint-config-next` from 16.2.4 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.6/packages/eslint-config-next)

---
updated-dependencies:
- dependency-name: eslint-config-next
  dependency-version: 16.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: next-react
- dependency-name: next
  dependency-version: 16.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: next-react
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: next-react
- dependency-name: react-dom
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: next-react
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-react-46fce48fe7 branch from c272418 to 19a89f1 Compare May 18, 2026 01:06
@julianken-bot
Copy link
Copy Markdown
Collaborator

julianken-bot commented May 18, 2026

BLOCKED — eslint-config-next major bump introduces a new lint rule (react-hooks/set-state-in-effect) that catches three pre-existing setState-in-effect anti-patterns. Not safe to auto-merge.

Failing locations (ESLint job [76445336974]):

  • src/components/MobileNav.tsx:31 — error
  • src/components/MobileNav.tsx:50 — error
  • src/components/agentic-patterns/HubFilterableContent.tsx:86 — error

All three trip the new rule (added in eslint-config-next ~v16.2.5+ alongside React 19's tighter effect-cascade guidance). The bump isn't doing anything wrong here — it's surfacing genuine effect-body setState calls that the previous ruleset let through.

Out of this skill's scope to fix the consumer code. Three resolution paths for Julian:

  1. Fix the three setState calls (lift state into a parent, derive during render, or move to an event handler — the canonical React 19 patterns).
  2. Override the rule in .eslintrc / eslint.config.* to warn (least invasive, preserves the bump).
  3. Add line-scoped eslint-disable-next-line react-hooks/set-state-in-effect comments at each site (most surgical; explicitly opts the three call sites out).

Will leave the PR open with this comment as the blocking finding.

@julianken-bot julianken-bot mentioned this pull request May 18, 2026
Merged
julianken-bot
julianken-bot approved these changes May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@julianken-bot julianken-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verdict: APPROVE (1 IMPORTANT)

Security-motivated patch bump (next 16.2.6 ships 7 High + 4 Moderate + 2 Low advisory fixes including GHSA-8h8q-6873-q5fj, GHSA-492v-c6pp-mqqv, GHSA-c4j6-fc7j-m34r). Mergeable as-is; the one inline finding is small and non-blocking.

Verification ledger

Check Command Result
HEAD unchanged mid-review gh pr view 369 --json headRefOid 5695ecb (matches initial fetch)
Net source diff git diff ec7099b..5695ecb -- src/ +4 lines across 2 files, all // eslint-disable-next-line
Bot collaborator permission gh api repos/.../collaborators/julianken-bot/permission write
Typecheck (post-install) pnpm tsc --noEmit exit 0
Lint at PR HEAD with 16.2.6 pnpm exec eslint src/components/MobileNav.tsx src/components/agentic-patterns/HubFilterableContent.tsx 1 warning (unused-disable, line 88) — see inline finding
Disable-still-needed check Removed each disable individually + re-ran eslint MobileNav:31, MobileNav:51, HubFilterableContent:86 all re-trigger error; HubFilterableContent:88 does NOT
CI on this HEAD gh pr checks 369 all green
Lockfile reconciliation git diff ec7099b..5695ecb -- package.json exactly the 4 declared bumps, no scope creep

Findings

  1. HubFilterableContent.tsx:88 — IMPORTANT — over-applied set-state-in-effect disable directive (see inline).

Specific things that are right

  • The three load-bearing disables (MobileNav:31, MobileNav:51, HubFilterableContent:86) are placed at sites where the rule genuinely fires and where the underlying patterns are defensible per React docs: portal-mount flag (#31), prop-driven exit animation (#51), and external-system hydration from window.location (#86). useEffect/setState is the correct shape for each — they are not derivable during render.
  • The merge resolution against main is clean: package.json shows exactly the 4 declared version bumps and nothing else; the lockfile diff matches.
  • The two merge commits use Julian's noreply email (proper attribution).

Bottom line

Merge. After merge, optionally remove the line-88 disable in a follow-up touch — it's a one-liner and need not gate this PR.


Reviewed as @julianken-bot under the reviewing-as-julianken-bot rubric. Same-tier risk: NO (implementer path used Sonnet for orchestration; reviewer is Opus 4.7).

Comment thread src/components/agentic-patterns/HubFilterableContent.tsx
if (q && q !== query) {
// eslint-disable-next-line react-hooks/set-state-in-effect
setQuery(q);
// eslint-disable-next-line react-hooks/set-state-in-effect
Copy link
Copy Markdown
Collaborator

@julianken-bot julianken-bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMPORTANT: This // eslint-disable-next-line react-hooks/set-state-in-effect directive is reported as unused by eslint-config-next 16.2.6:

HubFilterableContent.tsx
  88:7  warning  Unused eslint-disable directive (no problems were reported from 'react-hooks/set-state-in-effect')

The rule fires once per synchronous setState cluster inside an effect — it flags the leading call (line 87 setQuery(q)) but does NOT separately flag the trailing setDebouncedQuery(q) two lines below. Verified by removing the line-88 directive and re-running pnpm exec eslint against the freshly installed eslint-config-next@16.2.6: zero errors, zero warnings.

CI didn't fail because pnpm lint does not pass --max-warnings 0, so unused-disable surfaces as a warning rather than an error. It is, however, dead code today and a maintenance footgun later (a future lint config tweak could promote unused-disable to error tier).

Suggested fix: drop the directive on line 88. The disable on line 86 is still needed.

(Sites preserved in their current form: MobileNav.tsx:31 and MobileNav.tsx:51, plus HubFilterableContent.tsx:86 all still trigger the rule under 16.2.6 and require their disables.)

@julianken-bot
Copy link
Copy Markdown
Collaborator

julianken-bot commented May 18, 2026

@Mergifyio queue

@mergify
Copy link
Copy Markdown
Contributor

mergify Bot commented May 18, 2026
edited
Loading

Merge Queue Status

  • Entered queue2026-05-18 02:59 UTC · Rule: default
  • Checks skipped · PR is already up-to-date
  • Merged2026-05-18 03:00 UTC · at 5695ecb330b24c575ab9c89a22f1d13abd2cd146 · squash

This pull request spent 53 seconds in the queue, including 12 seconds running CI.

Required conditions to merge
  • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • github-review-decision = APPROVED [🛡 GitHub branch protection]
  • any of [🛡 GitHub branch protection]:
    • check-success = ESLint
    • check-neutral = ESLint
    • check-skipped = ESLint
  • any of [🛡 GitHub branch protection]:
    • check-success = TypeScript
    • check-neutral = TypeScript
    • check-skipped = TypeScript
  • any of [🛡 GitHub branch protection]:
    • check-success = Vitest
    • check-neutral = Vitest
    • check-skipped = Vitest
  • any of [🛡 GitHub branch protection]:
    • check-success = Next.js Build
    • check-neutral = Next.js Build
    • check-skipped = Next.js Build
  • any of [🛡 GitHub branch protection]:
    • check-success = Analyze Bundle
    • check-neutral = Analyze Bundle
    • check-skipped = Analyze Bundle
  • any of [🛡 GitHub branch protection]:
    • check-success = CodeQL Analysis
    • check-neutral = CodeQL Analysis
    • check-skipped = CodeQL Analysis
  • any of [🛡 GitHub branch protection]:
    • check-success = E2E Shard 1/4
    • check-neutral = E2E Shard 1/4
    • check-skipped = E2E Shard 1/4
  • any of [🛡 GitHub branch protection]:
    • check-success = E2E Shard 2/4
    • check-neutral = E2E Shard 2/4
    • check-skipped = E2E Shard 2/4
  • any of [🛡 GitHub branch protection]:
    • check-success = E2E Shard 3/4
    • check-neutral = E2E Shard 3/4
    • check-skipped = E2E Shard 3/4
  • any of [🛡 GitHub branch protection]:
    • check-success = E2E Shard 4/4
    • check-neutral = E2E Shard 4/4
    • check-skipped = E2E Shard 4/4

@mergify mergify Bot added the queued label May 18, 2026
@mergify mergify Bot merged commit ccbe666 into main May 18, 2026
13 checks passed
@mergify mergify Bot deleted the dependabot/npm_and_yarn/next-react-46fce48fe7 branch May 18, 2026 03:00
@mergify mergify Bot removed the queued label May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julianken-bot julianken-bot julianken-bot approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@julianken-bot @julianken