chore(deps): lock file maintenance website

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending	Age	Confidence
		lockFileMaintenance	All locks refreshed
@types/node (source)	dependencies	minor	^24.3.0 → ^24.10.12
@types/react (source)	dependencies	patch	^19.2.2 → ^19.2.13
@types/react-dom (source)	dependencies	patch	^19.2.2 → ^19.2.3
next (source)	dependencies	patch	^15.5.7 → ^15.5.12
prettier (source)	devDependencies	minor	^3.6.2 → ^3.8.1
react (source)	dependencies	patch	^19.2.1 → ^19.2.4
react-dom (source)	dependencies	patch	^19.2.1 → ^19.2.4
styled-components (source)	dependencies	minor	^6.1.19 → ^6.3.8	6.3.9
typescript (source)	dependencies	patch	5.9.2 → 5.9.3

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Release Notes

vercel/next.js (next)

v15.5.12

Compare Source

v15.5.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#​85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#​89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#​82340)
• Turbopack: support pattern into exports field (#​82757)
• NFT tracing fixes (#​84155 and #​85323)
• Turbopack: validate CSS without computing all paths (#​83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#​89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

v15.5.10

Compare Source

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.5.9

Compare Source

v15.5.8

Compare Source

prettier/prettier (prettier)

v3.8.1

Compare Source

v3.8.0

Compare Source

diff

🔗 Release note

v3.7.4

Compare Source

diff

LWC: Avoid quote around interpolations (#​18383 by @​kovsu)

<!-- Input -->
<div foo={bar}>   </div>

<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>

<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#​18393 by @​fisker)

// Input
type Foo = (/** comment */ a | b) | c;

// Prettier 3.7.3
type Foo = /** comment */ (/** comment */ a | b) | c;

// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#​18395 by @​fisker)

// Input
type X = (A | B) & (
  // comment
  A | B
);

// Prettier 3.7.3 (first format)
type X = (A | B) &
  (// comment
  A | B);

// Prettier 3.7.3 (second format)
type X = (
  | A
  | B // comment
) &
  (A | B);

// Prettier 3.7.4
type X = (A | B) &
  // comment
  (A | B);

v3.7.3

Compare Source

diff

API: Fix prettier.getFileInfo() change that breaks VSCode extension (#​18375 by @​fisker)

An internal refactor accidentally broke the VSCode extension plugin loading.

v3.7.2

Compare Source

diff

JavaScript: Fix string print when switching quotes (#​18351 by @​fisker)

// Input
console.log("A descriptor\\'s .kind must be \"method\" or \"field\".")

// Prettier 3.7.1
console.log('A descriptor\\'s .kind must be "method" or "field".');

// Prettier 3.7.2
console.log('A descriptor\\\'s .kind must be "method" or "field".');

JavaScript: Preserve quote for embedded HTML attribute values (#​18352 by @​kovsu)

// Input
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

// Prettier 3.7.1
const html = /* HTML */ ` <div class=${styles.banner}></div> `;

// Prettier 3.7.2
const html = /* HTML */ ` <div class="${styles.banner}"></div> `;

TypeScript: Fix comment in empty type literal (#​18364 by @​fisker)

// Input
export type XXX = {
  // tbd
};

// Prettier 3.7.1
export type XXX = { // tbd };

// Prettier 3.7.2
export type XXX = {
  // tbd
};

v3.7.1

Compare Source

diff

API: Fix performance regression in doc printer (#​18342 by @​fisker)

Prettier 3.7.1 can be very slow when formatting big files, the regression has been fixed.

v3.7.0

Compare Source

diff

🔗 Release Notes

facebook/react (react)

v19.2.4: 19.2.4 (January 26th, 2026)

Compare Source

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#​35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

v19.2.3: 19.2.3 (December 11th, 2025)

Compare Source

React Server Components

• Add extra loop protection to React Server Functions (@​sebmarkbage #​35351)

v19.2.2: 19.2.2 (December 11th, 2025)

Compare Source

React Server Components

• Move react-server-dom-webpack/*.unbundled to private react-server-dom-unbundled (@​eps1lon #​35290)
• Patch Promise cycles and toString on Server Functions (@​sebmarkbage, @​unstubbable #​35289)

styled-components/styled-components (styled-components)

v6.3.8

Compare Source

Patch Changes

• 55d05c1: Make react-dom an optional peer dependency, clean up some unnecessary type peers.

v6.3.7

Compare Source

Patch Changes

• 51ffa9c: Fix createGlobalStyle compatibility with React StrictMode and RSC

  This fix addresses issues where global styles would disappear or behave incorrectly in React StrictMode and RSC:

  1. Static styles optimization: Static global styles (without props/interpolations) are now only injected once and won't be removed/re-added on every render. This prevents the style flickering that could occur during concurrent rendering.

  2. StrictMode-aware cleanup: Style cleanup now uses queueMicrotask to coordinate with React's effect lifecycle. In StrictMode's simulated unmount/remount cycle, styles are preserved. On real unmount, styles are properly removed.

  3. RSC compatibility: Move useRef inside RSC guard in createGlobalStyle and unify all useContext calls to use consistent !IS_RSC ? pattern.

  4. RSC inline style tag cleanup: Fix bug where server-defined createGlobalStyle rendered in client components would leave behind accumulated SSR-rendered inline <style data-styled-global> tags. The cleanup effect now removes these hoisted style tags when the component unmounts or re-renders with different CSS.

  These changes ensure createGlobalStyle works correctly with:

  • React StrictMode's double-render behavior
  • React 18/19's concurrent rendering features
  • React 19's style hoisting with the precedence attribute
  • React Server Components (server-defined GlobalStyles in client components)

• 51ffa9c: Restore styled.br.

• 1f794b7: Add package.json "exports" field for better native ESM integration.

v6.3.6

Compare Source

Patch Changes

• 189bc17: Fix url() CSS function values being incorrectly stripped when using unquoted URLs containing // (e.g., url(https://example.com)). The // in protocol URLs like https://, http://, file://, and protocol-relative URLs was incorrectly being treated as a JavaScript-style line comment.

v6.3.5

Compare Source

Patch Changes

• 7ff7002: Fix: Line comments (//) in multiline CSS declarations no longer cause parsing errors (fixes #​5613)

  JS-style line comments (//) placed after multiline declarations like calc() were not being properly stripped, causing CSS parsing issues. Comments are now correctly removed anywhere in the CSS while preserving valid syntax.

  Example that now works:

  const Box = styled.div`
    max-height: calc(100px + 200px + 300px); // This comment no longer breaks parsing
    background-color: green;
  `;

• 7ff7002: Fix: Contain invalid CSS syntax to just the affected line

  In styled-components v6, invalid CSS syntax (like unbalanced braces) could cause all subsequent styles to be ignored. This fix ensures that malformed CSS only affects the specific declaration, not subsequent valid styles.

  Example that now works:

  const Circle = styled.div`
    width: 100px;
    line-height: ${() => '14px}'}; // ⛔️ This malformed line is dropped
    background-color: green; // ✅ Now preserved (was ignored in v6)
  `;

v6.3.4

Compare Source

Patch Changes

• 8e8c282: Fixed createGlobalStyle to not use useLayoutEffect on the server, which was causing a warning and broken styles in v6.3.x. The check typeof React.useLayoutEffect === 'function' is not reliable for detecting server vs client environments in React 18+, so we now use the __SERVER__ build constant instead.

v6.3.3

Compare Source

Patch Changes

• 6e4d1e7: fix: suppress false "created dynamically" warnings in React Server Components

  The dynamic creation warning check now properly detects RSC environments and skips validation when IS_RSC is true. This eliminates false warnings for module-level styled components in server components, which were incorrectly flagged due to RSC's different module evaluation context. Module-level styled components in RSC files no longer trigger warnings since they cannot be created inside render functions by definition.

v6.3.2

Compare Source

Patch Changes

• a4b4a6b: fix: include TypeScript declaration files in npm package

  Fixed Rollup TypeScript plugin configuration to override tsconfig.json's noEmit setting, ensuring TypeScript declaration files are generated during build.

• a4b4a6b: fix: resolve TypeScript error blocking type declaration emission

  Fixed TypeScript error in StyledComponent when merging style attributes from attrs. Added explicit type cast to React.CSSProperties to safely merge CSS property objects. This error was preventing TypeScript declaration files from being generated during build.

v6.3.1

Compare Source

Patch Changes

• 046e880: Ensure TypeScript declaration files are included in npm package, needed to tweak a Rollup setting.

v6.3.0

Compare Source

Minor Changes

• 28fd502: Add React Server Components (RSC) support

  styled-components now automatically detects RSC environments and handles CSS delivery appropriately:

  • No 'use client' directive required: Components work in RSC without any wrapper or directive
  • Automatic CSS injection: In RSC mode, styled components emit inline <style> tags that React 19 automatically hoists and deduplicates
  • Zero configuration: Works out of the box with Next.js App Router and other RSC-enabled frameworks
  • Backward compatible: Existing SSR patterns with ServerStyleSheet continue to work unchanged

  RSC best practices:

  • Prefer static styles over dynamic interpolations to avoid serialization overhead
  • Use data attributes for discrete variants (e.g., &[data-size='lg'])
  • CSS custom properties work perfectly in styled-components, can be set via inline style, and cascade to children:

  const Container = styled.div``;
  const Button = styled.button`
    background: var(--color-primary, blue);
  `;
  
  // Variables set on parent cascade to all DOM children
  <Container style={{ '--color-primary': 'orchid' }}>
    <Button>Inherits orchid background</Button>
  </Container>;

  • Use build-time CSS variable generation for theming since ThemeProvider is a no-op in RSC

  Technical details:

  • RSC detection via typeof React.createContext === 'undefined'
  • ThemeProvider and StyleSheetManager become no-ops in RSC (children pass-through)
  • React hooks are conditionally accessed via runtime guards
  • CSS is retrieved from the StyleSheet Tag for inline delivery in RSC mode

• 856cf06: feat: update built-in element aliases to include modern HTML and SVG elements

  Added support for modern HTML and SVG elements that were previously missing:

  HTML elements:

  • search - HTML5 search element
  • slot - Web Components slot element
  • template - HTML template element

  SVG filter elements:

  • All fe* filter primitive elements (feBlend, feColorMatrix, feComponentTransfer, etc.)
  • clipPath, linearGradient, radialGradient - gradient and clipping elements
  • textPath - SVG text path element
  • switch, symbol, use - SVG structural elements

  This ensures styled-components has comprehensive coverage of all styleable HTML and SVG elements supported by modern browsers and React.

Patch Changes

• 418adbe: fix(types): add CSS custom properties (variables) support to style prop

  CSS custom properties (CSS variables like --primary-color) are now fully supported in TypeScript without errors:

  • .attrs({ style: { '--var': 'value' } }) - CSS variables in attrs
  • <Component style={{ '--var': 'value' }} /> - CSS variables in component props
  • Mixed usage with regular CSS properties works seamlessly

• aef2ad6: Update shared css property handling tools to latest versions.

v6.2.0

Compare Source

microsoft/TypeScript (typescript)

v5.9.3: TypeScript 5.9.3

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

---

Configuration

📅 Schedule: Branch creation - On day 1 of the month, every 12 months ( * * 1 */12 * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1c444e5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-rx	Ready	Preview, Comment	Feb 8, 2026 2:43am

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: npm typescript License: LicenseRef-W3C-Community-Final-Specification-Agreement - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt) From: pnpm-lock.yaml → npm/typescript@5.9.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.9.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm sharp during install Install script: install Source: node install/check.js || npm run build From: pnpm-lock.yaml → npm/sharp@0.34.5 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sharp@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report