Update react NPM component to 19.1.2

Open vmoroz opened this issue 1 month ago • 2 comments

Description

Update react NPM package to 19.1.2 to address the reported security issue. See: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Why

Some server-related security issues are found in the react NPM package.

What

Update the react package to the recommended version.

Changelog

Should this change be included in the release notes: yes

Update react NPM package to 19.1.2 to address the reported security issue.


vmoroz, Dec 05 '25 00:12

I didn't think we could just bump React like this. At least upstream, the renderers are embedded. Manually bumping the version will cause issues: https://github.com/facebook/react-native/blob/main/packages/react-native/Libraries/Renderer/README.md

Are we rebuilding the renderers in RNW?

tido64, Dec 05 '25 08:12

> I didn't think we could just bump React like this. At least upstream, the renderers are embedded. Manually bumping the version will cause issues: https://github.com/facebook/react-native/blob/main/packages/react-native/Libraries/Renderer/README.md
>
> Are we rebuilding the renderers in RNW?

No, we still use the embedded renderers. I looked at the changes in 19.1.1 -> 19.1.2 and nothing would affect the boundary. So really this will just shut up the errors for people. The actual security issue is around server components which we don't use in RN currently. So the fact that we don't actually pick up the new renderer is probably fine.

acoates-ms, Dec 05 '25 22:12
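
Added example, not part of the thread or of the react-native-windows repository: the last comment separates what a version-based audit flags (a `react` entry below 19.1.2) from whether any Server Components package is installed at all, and this script reports both from a `package-lock.json`. The `react-server-dom-` name prefix, the function names and the sample lockfile are assumptions made for the illustration.

```javascript
// Version this issue updates to; only the 19.1.x line is judged here.
const FIXED = [19, 1, 2];
// Assumption: Server Components bindings are packages named react-server-dom-*.
const RSC_PREFIX = 'react-server-dom-';

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function auditLock(lock) {
  const report = { reactBelowFixed: [], serverPackages: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/react"; the root key is "".
    const name = path.split('node_modules/').pop();
    if (!name || !meta.version) continue;
    if (name === 'react') {
      const v = parseVersion(meta.version);
      if (v[0] === 19 && v[1] === 1 && isOlder(v, FIXED)) {
        report.reactBelowFixed.push(`${path}@${meta.version}`);
      }
    } else if (name.startsWith(RSC_PREFIX)) {
      report.serverPackages.push(`${path}@${meta.version}`);
    }
  }
  return report;
}

// Constructed sample lockfile fragment, not taken from react-native-windows.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.1' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-native': { version: '0.0.0-sample' },
    'node_modules/some-tool/node_modules/react': { version: '19.1.2' },
  },
};

console.log(auditLock(sampleLock));
```

An empty `serverPackages` list alongside a non-empty `reactBelowFixed` list is the situation the thread describes: the audit warning fires, but no Server Components package is present in the tree.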