Merge pull request #121 from reactjs/sync-e22544e6

orama254 · web-flow · commit 2a15b0ba33ca · 2026-02-26T08:42:19.000+03:00
Sync with react.dev @ e22544e
diff --git a/package.json b/package.json
@@ -35,7 +35,7 @@
     "classnames": "^2.2.6",
     "debounce": "^1.2.1",
     "github-slugger": "^1.3.0",
-    "next": "15.1.0",
+    "next": "15.1.9",
     "next-remote-watch": "^1.0.0",
     "parse-numeric-range": "^1.2.0",
     "react": "^19.0.0",
diff --git a/src/components/MDX/Sandpack/template.ts b/src/components/MDX/Sandpack/template.ts
@@ -35,8 +35,8 @@ root.render(
           eject: 'react-scripts eject',
         },
         dependencies: {
-          react: '^19.2.0',
-          'react-dom': '^19.2.0',
+          react: '^19.2.1',
+          'react-dom': '^19.2.1',
           'react-scripts': '^5.0.0',
         },
       },
diff --git a/src/components/MDX/SandpackWithHTMLOutput.tsx b/src/components/MDX/SandpackWithHTMLOutput.tsx
@@ -56,8 +56,8 @@ export default function formatHTML(markup) {
 const packageJSON = `
 {
   "dependencies": {
-    "react": "^19.2.0",
-    "react-dom": "^19.2.0",
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1",
     "react-scripts": "^5.0.0",
     "html-format": "^1.1.2"
   },
diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
@@ -0,0 +1,168 @@
+---
+title: "Critical Security Vulnerability in React Server Components"
+author: The React Team
+date: 2025/12/03
+description: There is an unauthenticated remote code execution vulnerability in React Server Components. A fix has been published in versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
+
+---
+
+December 3, 2025 by [The React Team](/community/team)
+
+---
+
+<Intro>
+
+There is an unauthenticated remote code execution vulnerability in React Server Components.
+
+We recommend upgrading immediately.
+
+</Intro>
+
+---
+
+On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. 
+
+Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. 
+
+This vulnerability was disclosed as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and is rated CVSS 10.0.
+
+The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
+
+* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
+* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
+* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
+
+## Immediate Action Required {/*immediate-action-required*/}
+
+A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.
+
+If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
+
+### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/}
+
+Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). 
+
+We will update this post with upgrade instructions on how to upgrade as they become available.
+
+### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}
+
+We have worked with a number of hosting providers to apply temporary mitigations.
+
+You should not depend on these to secure your app, and still update immediately.
+
+### Vulnerability overview {/*vulnerability-overview*/}
+
+[React Server Functions](https://react.dev/reference/rsc/server-functions) allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.
+
+An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.
+
+## Update Instructions {/*update-instructions*/}
+
+### Next.js {/*update-next-js*/}
+
+All users should upgrade to the latest patched version in their release line:
+
+```bash
+npm install next@15.0.5   // for 15.0.x
+npm install next@15.1.9   // for 15.1.x
+npm install next@15.2.6   // for 15.2.x
+npm install next@15.3.6   // for 15.3.x
+npm install next@15.4.8   // for 15.4.x
+npm install next@15.5.7   // for 15.5.x
+npm install next@16.0.7   // for 16.0.x
+```
+
+If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
+
+```bash
+npm install next@14
+```
+
+See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
+
+### React Router {/*update-react-router*/}
+
+If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:
+
+```bash
+npm install react@latest
+npm install react-dom@latest
+npm install react-server-dom-parcel@latest
+npm install react-server-dom-webpack@latest
+npm install @vitejs/plugin-rsc@latest
+```
+
+### Expo {/*expo*/}
+
+To learn more about mitigating, read the article on [expo.dev/changelog](https://expo.dev/changelog/mitigating-critical-security-vulnerability-in-react-server-components).
+
+### Redwood SDK {/*update-redwood-sdk*/}
+
+Ensure you are on rwsdk>=1.0.0-alpha.0
+
+For the latest beta version:
+
+```bash
+npm install rwsdk@latest
+```
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+```
+
+See [Redwood docs](https://docs.rwsdk.com/migrating/) for more migration instructions.
+
+### Waku {/*update-waku*/}
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
+```
+
+See [Waku announcement](https://github.com/wakujs/waku/discussions/1823) for more migration instructions.
+
+### `@vitejs/plugin-rsc` {/*vitejs-plugin-rsc*/}
+
+Upgrade to the latest RSC plugin:
+
+```bash
+npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
+```
+
+### `react-server-dom-parcel` {/*update-react-server-dom-parcel*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-parcel@latest
+ ```
+
+### `react-server-dom-turbopack` {/*update-react-server-dom-turbopack*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-turbopack@latest
+ ```
+
+### `react-server-dom-webpack` {/*update-react-server-dom-webpack*/}
+
+Update to the latest version:
+
+ ```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+ ```
+
+## Timeline {/*timeline*/}
+
+* **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/).
+* **November 30th**: Meta security researchers confirmed and began working with the React team on a fix.
+* **December 1st**: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix
+* **December 3rd**: The fix was published to npm and the publicly disclosed as CVE-2025-55182.
+
+## Attribution {/*attribution*/}
+
+Thank you to [Lachlan Davidson](https://github.com/lachlan2k) for discovering, reporting, and working to help fix this vulnerability.
diff --git a/src/content/blog/index.md b/src/content/blog/index.md
@@ -12,6 +12,12 @@ You can also follow the [@react.dev](https://bsky.app/profile/react.dev) account
 
 <div className="sm:-mx-5 flex flex-col gap-5 mt-12">
 
+<BlogCard title="Critical Security Vulnerability in React Server Components" date="December 3, 2025" url="/blog/2025/12/03/critical-security-vulnerability-in-react-server-components">
+
+There is an unauthenticated remote code execution vulnerability in React Server Components. A fix has been published in versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
+
+</BlogCard>
+
 <BlogCard title="React Conf 2025 Recap" date="October 16, 2025" url="/blog/2025/10/16/react-conf-2025-recap">
 
 Last week we hosted React Conf 2025. In this post, we summarize the talks and announcements from the event...
diff --git a/src/content/community/conferences.md b/src/content/community/conferences.md
@@ -71,67 +71,10 @@ April 14-17,  2026. In-person in London
 ## Past Conferences {/*past-conferences*/}
 
 
-### React Norway 2025 {/*react-norway-2025*/}
-June 13, 2025. In-person in Oslo, Norway + remote (virtual event)
-
-[Website](https://reactnorway.com/) - [Twitter](https://x.com/ReactNorway)
-
-### React Summit US 2025 {/*react-summit-us-2025*/}
-November 18 - 21, 2025. In-person in New York, USA + remote (hybrid event)
-
-[Website](https://reactsummit.us/) - [Twitter](https://x.com/reactsummit)
-
-### React Advanced London 2025 {/*react-advanced-london-2025*/}
-November 28 & December 1, 2025. In-person in London, UK + online (hybrid event)
-
-[Website](https://reactadvanced.com/) - [Twitter](https://x.com/reactadvanced)
-
-### CityJS Singapore 2026 {/*cityjs-singapore-2026*/}
-February 4-6,  2026. In-person in Singapore
-
-[Website](https://india.cityjsconf.org/) - [Twitter](https://x.com/cityjsconf) - [Bluesky](https://bsky.app/profile/cityjsconf.bsky.social)
-
-### CityJS New Delhi 2026 {/*cityjs-newdelhi-2026*/}
-February 12-13,  2026. In-person in New Delhi, India
-
-[Website](https://india.cityjsconf.org/) - [Twitter](https://x.com/cityjsconf) - [Bluesky](https://bsky.app/profile/cityjsconf.bsky.social)
-
-
-### React Paris 2026 {/*react-paris-2026*/}
-March 26 - 27, 2026. In-person in Paris, France (hybrid event)
-
-[Website](https://athens.cityjsconf.org/) - [Twitter](https://x.com/cityjsconf) - [Bluesky](https://bsky.app/profile/cityjsconf.bsky.social)
-
-
-### CityJS London 2026 {/*cityjs-london-2026*/}
-April 14-17,  2026. In-person in London
-
-[Website](https://india.cityjsconf.org/) - [Twitter](https://x.com/cityjsconf) - [Bluesky](https://bsky.app/profile/cityjsconf.bsky.social)
-
-### CityJS London 2025 {/*cityjs-london*/}
-April 23 - 25, 2025. In-person in London, UK
-
-[Website](https://london.cityjsconf.org/) - [Twitter](https://x.com/cityjsconf) -  [Bluesky](https://bsky.app/profile/cityjsconf.bsky.social)
-
-### React Paris 2025 {/*react-paris-2025*/}
-March 20 - 21, 2025. In-person in Paris, France (hybrid event)
-
-[Website](https://react.paris/) - [Twitter](https://x.com/BeJS_) - [YouTube](https://www.youtube.com/playlist?list=PL53Z0yyYnpWitP8Zv01TSEQmKLvuRh_Dj)
-
-
-### CityJS London 2026 {/*cityjs-london-2026*/}
-April 14-17,  2026. In-person in London
+### React Nexus 2025 {/*react-nexus-2025*/}
+July 03 - 05, 2025. In-person in Bangalore, India
 
-
-### React Norway 2025 {/*react-norway-2025*/}
-June 13, 2025. In-person in Oslo, Norway + remote (virtual event)
-
-[Website](https://reactnorway.com/) - [Twitter](https://x.com/ReactNorway)
-
-### CityJS Athens 2025 {/*cityjs-athens*/}
-May 27 - 31, 2025. In-person in Athens, Greece
-
-[Website](https://athens.cityjsconf.org/) - [Twitter](https://x.com/cityjsconf) - [Bluesky](https://bsky.app/profile/cityjsconf.bsky.social)
+[Website](https://reactnexus.com/) - [Twitter](https://x.com/ReactNexus) - [Bluesky](https://bsky.app/profile/reactnexus.com) - [Linkedin](https://www.linkedin.com/company/react-nexus) - [YouTube](https://www.youtube.com/reactify_in)
 
 ## Past Conferences {/*past-conferences*/}
 
@@ -152,6 +95,9 @@ April 3 (Reanimated Training) + April 4 (Conference), 2025. Paris, France.
 [Website](https://reactnativeconnection.io/) - [X](https://x.com/reactnativeconn) - [Bluesky](https://bsky.app/profile/reactnativeconnect.bsky.social)
 
 
+### React Norway 2025 {/*react-norway-2025*/}
+June 13, 2025. In-person in Oslo, Norway + remote (virtual event)
+
 ### React Norway 2025 {/*react-norway-2025*/}
 June 13, 2025. In-person in Oslo, Norway + remote (virtual event)
 
@@ -160,7 +106,7 @@ June 13, 2025. In-person in Oslo, Norway + remote (virtual event)
 ### CityJS Athens 2025 {/*cityjs-athens*/}
 May 27 - 31, 2025. In-person in Athens, Greece
 
-[Website](https://reactnexus.com/) - [Twitter](https://x.com/ReactNexus) - [Bluesky](https://bsky.app/profile/reactnexus.com) - [Linkedin](https://www.linkedin.com/company/react-nexus) - [YouTube](https://www.youtube.com/reactify_in)
+[Website](https://athens.cityjsconf.org/) - [Twitter](https://x.com/cityjsconf) - [Bluesky](https://bsky.app/profile/cityjsconf.bsky.social)
 
 ### App.js Conf 2025 {/*appjs-conf-2025*/}
 May 28 - 30, 2025. In-person in Kraków, Poland + remote
diff --git a/src/content/learn/thinking-in-react.md b/src/content/learn/thinking-in-react.md
@@ -37,15 +37,9 @@ Anza kwa kuchora visanduku kuzunguka kila kijenzi na kijenzi kidogo kwenye kiigi
 
 Kulingana na msingi wako, unaweza kufikiria kugawanya muundo katika vijenzi kwa njia tofauti:
 
-<<<<<<< HEAD
 * **Programming**--tumia mbinu zile zile za kuamua ikiwa unapaswa kuunda kitendaji kipya au object. Mbinu moja kama hiyo ni [kanuni ya uwajibikaji mmoja (single responsibility principle)](https://en.wikipedia.org/wiki/Single_responsibility_principle), yaani, kijenzi kinapaswa kufanya jambo moja tu. Ikiwa kitaishia kukua, inapaswa kigawanywe kiwe vijenzi vidogo.
 * **CSS**--fikiria ni nini ungetengeneza viteule vya darasa. (Hatahivyo, vijenzi ni vidogo kwa kiasi fulani.)
 * **Design**--fikiria jinsi unavyoweza kupanga safu za muundo.
-=======
-* **Programming**--use the same techniques for deciding if you should create a new function or object. One such technique is the [separation of concerns](https://en.wikipedia.org/wiki/Separation_of_concerns), that is, a component should ideally only be concerned with one thing. If it ends up growing, it should be decomposed into smaller subcomponents. 
-* **CSS**--consider what you would make class selectors for. (However, components are a bit less granular.)
-* **Design**--consider how you would organize the design's layers.
->>>>>>> 2534424ec6c433cc2c811d5a0bd5a65b75efa5f0
 
 Ikiwa JSON yako imeundwa vizuri, mara nyingi utapata kwamba inaelekeza kwa muundo wa vijenzi vya UI yako. Hiyo ni kwa sababu UI na miundo ya data mara nyingi huwa na usanifu sawa wa habari--yaani, umbo sawa. Tenganisha UI yako katika vijenzi, ambapo kila kijenzi kinalingana na kipande kimoja cha muundo yako wa data.
 
diff --git a/src/content/learn/tutorial-tic-tac-toe.md b/src/content/learn/tutorial-tic-tac-toe.md
@@ -283,9 +283,15 @@ Katika CodeSandbox utaona sehemu tatu kuu:
 
 ![CodeSandbox na msimbo wa mwanzo](../images/tutorial/react-starter-code-codesandbox.png)
 
+<<<<<<< HEAD
 1. Sehemu ya _Files_ na orodha ya mafaili kama `App.js`, `index.js`, `styles.css` na folda inayoitwa `public`
 1. _Kihariri cha msimbo_ ambapo utaona msimbo wa chanzo wa faili uliyouchagua
 1. Sehemu ya _kivinjari_ ambapo utaona jinsi msimbo ulioandika utakavyonyeshwa
+=======
+1. The _Files_ section with a list of files like `App.js`, `index.js`, `styles.css` in `src` folder and a folder called `public`
+1. The _code editor_ where you'll see the source code of your selected file
+1. The _browser_ section where you'll see how the code you've written will be displayed
+>>>>>>> e22544e68d6fffda33332771efe27034739f35a4
 
 Faili ya `App.js` inapaswa kuchaguliwa katika sehemu ya _Files_. Maudhui ya faili hiyo katika _mhariri wa msimbo_ yanapaswa kuwa:
 
@@ -2247,7 +2253,11 @@ body {
 
 </Sandpack>
 
+<<<<<<< HEAD
 Unapozunguka kupitia orodha ya `history` ndani ya function unayopitisha kwa `map`, hoja ya `squares` inapitia kila kipengele cha `history`, na hoja ya `move` inapitia kila kiashiria cha orodha: `0`, `1`, `2`, …. (Katika hali nyingi, ungehitaji vipengele halisi vya orodha, lakini ili kuonyesha orodha ya harakati utahitaji tu viashiria.)
+=======
+As you iterate through the `history` array inside the function you passed to `map`, the `squares` argument goes through each element of `history`, and the `move` argument goes through each array index: `0`, `1`, `2`, …. (In most cases, you'd need the actual array elements, but to render a list of moves you will only need indexes.)
+>>>>>>> e22544e68d6fffda33332771efe27034739f35a4
 
 Kwa kila harakati katika historia ya mchezo wa tic-tac-toe, unaunda kipengele cha orodha `<li>` kinachojumuisha kitufe `<button>`. Kitufe kinakuwa na kihariri cha `onClick` kinachoitwa function inayoitwa `jumpTo` (ambayo huja kuwa umeitekeleza bado).
 
diff --git a/src/content/reference/react/addTransitionType.md b/src/content/reference/react/addTransitionType.md
@@ -39,7 +39,7 @@ startTransition(() => {
 
 #### Returns {/*returns*/}
 
-`startTransition` does not return anything.
+`addTransitionType` does not return anything.
 
 #### Caveats {/*caveats*/}
 
diff --git a/src/content/versions.md b/src/content/versions.md
@@ -54,8 +54,12 @@ For versions older than React 15, see [15.react.dev](https://15.react.dev).
 - [React 19 Deep Dive: Coordinating HTML](https://www.youtube.com/watch?v=IBBN-s77YSI)
 
 **Releases**
+- [v19.2.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1921-dec-3-2025)
 - [v19.2.0 (October, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1920-october-1st-2025)
+- [v19.1.2 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1912-dec-3-2025)
+- [v19.1.1 (July, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1911-july-28-2025)
 - [v19.1.0 (March, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1910-march-28-2025)
+- [v19.0.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1901-dec-3-2025)
 - [v19.0.0 (December, 2024)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1900-december-5-2024)
 
 ### React 18 {/*react-18*/}
diff --git a/src/sidebarBlog.json b/src/sidebarBlog.json
@@ -11,6 +11,13 @@
       "path": "/blog",
       "skipBreadcrumb": true,
       "routes": [
+        {
+          "title": "Critical Security Vulnerability in React Server Components",
+          "titleForHomepage": "Vulnerability in React Server Components",
+          "icon": "blog",
+          "date": "December 03, 2025",
+          "path": "/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
+        },
         {
           "title": "React Conf 2025 Recap",
           "titleForHomepage": "React Conf 2025 Recap",
diff --git a/yarn.lock b/yarn.lock
