From 0217ab81865155f594b204dbe88ae4ff4932053a Mon Sep 17 00:00:00 2001 From: Nimit Bhandari Date: Thu, 14 May 2026 15:05:57 +0530 Subject: [PATCH] chore: modernize release pipeline with OIDC trusted publishing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add `repository`, `homepage`, `bugs` fields to package.json. Required for npm provenance verification: npm cross-checks the workflow's origin against package.json.repository.url at publish time, and rejects the publish if they don't match. Without these fields the first trusted-publishing run would 422. - Bump `engines.node` from `>=10` (EOL since 2021) to `>=20`. Honest signal — CI runs on Node 20 and 22. - Patch/minor dev-dep bumps where the lockfile resolution stays clean: eslint 9.39.4, prettier 3.8.3, postcss 8.5.14, react/react-dom 19.2.6, @types/react 19.2.14, @babel/runtime 7.29.2 resolution. Held vitest at ^4.0.18 / vite at ^7.3.1 to keep yarn 1.x dependency linking working (vitest 4.1.x changed packaging in a way that triggers yarn 1 invariant violations on nested vite lookups). - Pin every GitHub Action by commit SHA in ci.yml, release.yml. Bumps checkout v6 -> v6.0.2, setup-node v6 -> v6.4.0, peter-evans/ create-pull-request v8 -> v8.1.1. Defense against tag-rewrite attacks. - Add workflow-level `permissions: contents: read` (default-deny) to ci.yml, release.yml. release.yml's job retains its explicit contents/pull-requests: write where it needs them. - New publish.yml: tag-triggered (v*) npm publish via OIDC Trusted Publishing with --provenance, gated behind the `npm-publish` GitHub environment for reviewer approval. Pre-release tags (vX.Y.Z-foo) route to the `next` dist-tag so they don't replace `latest`. Removes the need for a long-lived NPM_TOKEN. - Update release.yml PR body: removes the manual `npm publish` step, points at the new tag-driven publish flow. Pre-merge setup required before the first release tag is pushed: 1. npmjs.com -> Trusted publishers -> add `reearth/react-align` + workflow filename `publish.yml` + environment `npm-publish`. 2. GitHub -> Settings -> Environments -> create `npm-publish` with required reviewers. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 7 ++- .github/workflows/publish.yml | 92 ++++++++++++++++++++++++++++ .github/workflows/release.yml | 14 +++-- package.json | 26 +++++--- yarn.lock | 112 +++++++++++++++++++--------------- 5 files changed, 185 insertions(+), 66 deletions(-) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 90b1fb2..939c188 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: test: name: Test & Build @@ -17,10 +20,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} cache: 'yarn' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..3920fc6 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,92 @@ +# Publishes react-align to npm with provenance via npm Trusted Publishing +# (OIDC). +# +# Prerequisites (one-time setup, do these BEFORE the first tag push): +# 1. On npmjs.com: react-align package settings → Trusted publishers → +# add this repo (reearth/react-align) and this workflow filename +# (publish.yml). This tells npm to accept OIDC tokens minted by this +# exact workflow instead of an NPM_TOKEN secret. +# 2. On GitHub: Settings → Environments → create `npm-publish` with +# required reviewers. The publish job pauses for manual approval, so +# a compromised tag push can't auto-publish. +# +# Release flow: +# 1. Run the `Release` workflow (release.yml) to open a release PR. +# 2. Merge the PR. +# 3. Push the matching tag (e.g. `v2.4.0`). This workflow fires. +# 4. Approve the `npm-publish` environment in the run page. +# 5. npm receives the package with a provenance attestation; anyone can +# verify with `npm audit signatures`. +# +# Dist-tag selection: +# Stable tags like `v2.4.0` publish to the default `latest` dist-tag — +# `npm install react-align` picks them up automatically. +# Pre-release tags like `v2.4.0-rc.0` or `v3.0.0-beta.1` (anything with a +# hyphen) publish to the `next` dist-tag instead, so they don't replace +# `latest`. Users opt in via `npm install react-align@next`. + +name: Publish + +on: + push: + tags: + - "v*" + +permissions: + contents: read + +jobs: + npm: + name: npm publish + runs-on: ubuntu-latest + environment: npm-publish # gates publish on required reviewer approval + permissions: + contents: read + id-token: write # for npm provenance and trusted publishing + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + # npm Trusted Publishing requires Node >=22.14 and npm >=11.5.1. + # This repo uses yarn for development, so we activate a recent + # npm via corepack just for the publish step rather than + # declaring `packageManager: "npm@..."` in package.json (which + # would conflict with the yarn-based dev workflow). + node-version: "22" + registry-url: "https://registry.npmjs.org" + cache: "yarn" + - name: Activate npm via corepack + # Trusted Publishing needs npm >=11.5.1; Node 22 ships npm 10.x. + # corepack fetches a fresh npm binary directly, bypassing the + # buggy `npm install -g npm@latest` self-upgrade path. + run: | + corepack enable npm + corepack prepare npm@11.14.1 --activate + npm --version + - name: Install dependencies + run: yarn install --frozen-lockfile + - name: Verify tag matches package.json version + # The release PR already bumped package.json. We just sanity-check + # that the pushed tag matches, then publish — no version mutation + # here, so the npm tarball is exactly what merged to main. + run: | + PKG_VERSION=$(node -p "require('./package.json').version") + TAG_VERSION="${GITHUB_REF_NAME#v}" + if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then + echo "::error::Tag $GITHUB_REF_NAME (=> $TAG_VERSION) does not match package.json version $PKG_VERSION" + exit 1 + fi + echo "Publishing version $PKG_VERSION" + - name: Build + run: yarn build + - name: Publish to npm with provenance + # Pre-release tags (vX.Y.Z-foo) go to the `next` dist-tag so they + # don't replace `latest`. Stable tags (vX.Y.Z) go to `latest`. + run: | + if [[ "$GITHUB_REF_NAME" == *-* ]]; then + echo "Pre-release detected; publishing to dist-tag 'next'" + npm publish --provenance --access public --tag next + else + echo "Stable release; publishing to dist-tag 'latest'" + npm publish --provenance --access public + fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 31e6c65..a58905e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,9 @@ on: - minor - major +permissions: + contents: read + jobs: create-release-pr: runs-on: ubuntu-latest @@ -23,12 +26,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '20' cache: 'yarn' @@ -151,7 +154,7 @@ jobs: fi - name: Create Pull Request - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: token: ${{ secrets.GITHUB_TOKEN }} branch: release/v${{ steps.bump_version.outputs.new_version }} @@ -169,9 +172,8 @@ jobs: ### Release Checklist - [ ] Review changelog and version bump - [ ] Merge this PR to main - - [ ] Create a GitHub release from main with tag `v${{ steps.bump_version.outputs.new_version }}` - - [ ] Run `yarn build` locally - - [ ] Run `npm publish` to publish to npm registry + - [ ] Push the tag `v${{ steps.bump_version.outputs.new_version }}` (`git tag v${{ steps.bump_version.outputs.new_version }} && git push origin v${{ steps.bump_version.outputs.new_version }}`) + - [ ] Approve the `npm-publish` environment on the resulting Publish workflow run to publish to npm with provenance --- *This PR was automatically generated by the release workflow* diff --git a/package.json b/package.json index f290bf4..0a0071b 100644 --- a/package.json +++ b/package.json @@ -3,6 +3,12 @@ "version": "2.3.1", "author": "KaWaite", "license": "MIT", + "repository": { + "type": "git", + "url": "git+https://github.com/reearth/react-align.git" + }, + "homepage": "https://github.com/reearth/react-align#readme", + "bugs": "https://github.com/reearth/react-align/issues", "main": "./dist/react-align.umd.js", "module": "./dist/react-align.mjs", "types": "./dist/index.d.ts", @@ -23,7 +29,7 @@ "src" ], "engines": { - "node": ">=10" + "node": ">=20" }, "peerDependencies": { "@hello-pangea/dnd": "*", @@ -35,12 +41,12 @@ "trailingComma": "es5" }, "resolutions": { - "@types/react": "19.2.10", + "@types/react": "19.2.14", "@types/react-dom": "19.2.3", - "**/@types/react": "19.2.10", + "**/@types/react": "19.2.14", "**/@types/react-dom": "19.2.3", "minimist": "^1.2.8", - "@babel/runtime": "^7.26.10", + "@babel/runtime": "^7.29.2", "js-yaml": "^4.1.1" }, "devDependencies": { @@ -49,17 +55,17 @@ "@testing-library/jest-dom": "^6.9.1", "@testing-library/react": "^16.3.2", "@testing-library/user-event": "^14.6.1", - "@types/react": "^19.2.10", + "@types/react": "^19.2.14", "@types/react-dom": "^19.2.3", "@vitejs/plugin-react": "^5.1.2", - "eslint": "^9.39.2", + "eslint": "^9.39.4", "eslint-config-reearth": "^0.3.8", "husky": "^9.1.7", "jsdom": "^27.4.0", - "postcss": "^8.5.6", - "prettier": "^3.8.1", - "react": "^19.2.4", - "react-dom": "^19.2.4", + "postcss": "^8.5.14", + "prettier": "^3.8.3", + "react": "^19.2.6", + "react-dom": "^19.2.6", "tslib": "^2.8.1", "typescript": "^5.9.3", "vite": "^7.3.1", diff --git a/yarn.lock b/yarn.lock index 149fdfb..e80cbd3 100644 --- a/yarn.lock +++ b/yarn.lock @@ -167,10 +167,10 @@ dependencies: "@babel/helper-plugin-utils" "^7.27.1" -"@babel/runtime@^7.12.5", "@babel/runtime@^7.26.10", "@babel/runtime@^7.26.7": - version "7.28.4" - resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.28.4.tgz#a70226016fabe25c5783b2f22d3e1c9bc5ca3326" - integrity sha512-Q/N6JNWvIvPnLDvjlE1OUBLPQHH6l3CltCEsHIujp45zQUSSh8K+gHnaEX45yAT1nyngnINhvWtzN+Nb9D8RAQ== +"@babel/runtime@^7.12.5", "@babel/runtime@^7.26.7", "@babel/runtime@^7.29.2": + version "7.29.2" + resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.29.2.tgz#9a6e2d05f4b6692e1801cd4fb176ad823930ed5e" + integrity sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g== "@babel/template@^7.27.2": version "7.27.2" @@ -507,14 +507,14 @@ resolved "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.12.2.tgz" integrity sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew== -"@eslint/config-array@^0.21.1": - version "0.21.1" - resolved "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.1.tgz" - integrity sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA== +"@eslint/config-array@^0.21.2": + version "0.21.2" + resolved "https://registry.yarnpkg.com/@eslint/config-array/-/config-array-0.21.2.tgz#f29e22057ad5316cf23836cee9a34c81fffcb7e6" + integrity sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw== dependencies: "@eslint/object-schema" "^2.1.7" debug "^4.3.1" - minimatch "^3.1.2" + minimatch "^3.1.5" "@eslint/config-helpers@^0.4.2": version "0.4.2" @@ -530,19 +530,19 @@ dependencies: "@types/json-schema" "^7.0.15" -"@eslint/eslintrc@^3.3.1": - version "3.3.3" - resolved "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.3.tgz" - integrity sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ== +"@eslint/eslintrc@^3.3.5": + version "3.3.5" + resolved "https://registry.yarnpkg.com/@eslint/eslintrc/-/eslintrc-3.3.5.tgz#c131793cfc1a7b96f24a83e0a8bbd4b881558c60" + integrity sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg== dependencies: - ajv "^6.12.4" + ajv "^6.14.0" debug "^4.3.2" espree "^10.0.1" globals "^14.0.0" ignore "^5.2.0" import-fresh "^3.2.1" js-yaml "^4.1.1" - minimatch "^3.1.2" + minimatch "^3.1.5" strip-json-comments "^3.1.1" "@eslint/js@9.21.0": @@ -550,10 +550,10 @@ resolved "https://registry.npmjs.org/@eslint/js/-/js-9.21.0.tgz" integrity sha512-BqStZ3HX8Yz6LvsF5ByXYrtigrV5AXADWLAGc7PH/1SxOb7/FIYYMszZZWiUou/GB9P2lXWk2SV4d+Z8h0nknw== -"@eslint/js@9.39.2": - version "9.39.2" - resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.39.2.tgz#2d4b8ec4c3ea13c1b3748e0c97ecd766bdd80599" - integrity sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA== +"@eslint/js@9.39.4": + version "9.39.4" + resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.39.4.tgz#a3f83bfc6fd9bf33a853dfacd0b49b398eb596c1" + integrity sha512-nE7DEIchvtiFTwBw4Lfbu59PG+kCofhjsKaCWzxTpt4lfRjRMqG6uMBzKXuEcyXhOHoUp9riAm7/aWYGhXZ9cw== "@eslint/object-schema@^2.1.7": version "2.1.7" @@ -1095,10 +1095,10 @@ resolved "https://registry.yarnpkg.com/@types/react-dom/-/react-dom-19.2.3.tgz#c1e305d15a52a3e508d54dca770d202cb63abf2c" integrity sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ== -"@types/react@19.2.10", "@types/react@^19.2.10": - version "19.2.10" - resolved "https://registry.yarnpkg.com/@types/react/-/react-19.2.10.tgz#f3ea799e6b4cebad6dfd231c238fc9de7652e2d2" - integrity sha512-WPigyYuGhgZ/cTPRXB2EwUw+XvsRA3GqHlsP4qteqrnnjDrApbS7MxcGr/hke5iUoeB7E/gQtrs9I37zAJ0Vjw== +"@types/react@19.2.14", "@types/react@^19.2.14": + version "19.2.14" + resolved "https://registry.yarnpkg.com/@types/react/-/react-19.2.14.tgz#39604929b5e3957e3a6fa0001dafb17c7af70bad" + integrity sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w== dependencies: csstype "^3.2.2" @@ -1417,10 +1417,10 @@ ajv-formats@~3.0.1: dependencies: ajv "^8.0.0" -ajv@^6.12.4: - version "6.12.6" - resolved "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz" - integrity sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g== +ajv@^6.14.0: + version "6.15.0" + resolved "https://registry.yarnpkg.com/ajv/-/ajv-6.15.0.tgz#07e982c74626167aa7a2495c53817892d7139492" + integrity sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw== dependencies: fast-deep-equal "^3.1.1" fast-json-stable-stringify "^2.0.0" @@ -2264,24 +2264,24 @@ eslint-visitor-keys@^4.2.0, eslint-visitor-keys@^4.2.1: resolved "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz" integrity sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ== -eslint@^9.39.2: - version "9.39.2" - resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.39.2.tgz#cb60e6d16ab234c0f8369a3fe7cc87967faf4b6c" - integrity sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw== +eslint@^9.39.4: + version "9.39.4" + resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.39.4.tgz#855da1b2e2ad66dc5991195f35e262bcec8117b5" + integrity sha512-XoMjdBOwe/esVgEvLmNsD3IRHkm7fbKIUGvrleloJXUZgDHig2IPWNniv+GwjyJXzuNqVjlr5+4yVUZjycJwfQ== dependencies: "@eslint-community/eslint-utils" "^4.8.0" "@eslint-community/regexpp" "^4.12.1" - "@eslint/config-array" "^0.21.1" + "@eslint/config-array" "^0.21.2" "@eslint/config-helpers" "^0.4.2" "@eslint/core" "^0.17.0" - "@eslint/eslintrc" "^3.3.1" - "@eslint/js" "9.39.2" + "@eslint/eslintrc" "^3.3.5" + "@eslint/js" "9.39.4" "@eslint/plugin-kit" "^0.4.1" "@humanfs/node" "^0.16.6" "@humanwhocodes/module-importer" "^1.0.1" "@humanwhocodes/retry" "^0.4.2" "@types/estree" "^1.0.6" - ajv "^6.12.4" + ajv "^6.14.0" chalk "^4.0.0" cross-spawn "^7.0.6" debug "^4.3.2" @@ -2300,7 +2300,7 @@ eslint@^9.39.2: is-glob "^4.0.0" json-stable-stringify-without-jsonify "^1.0.1" lodash.merge "^4.6.2" - minimatch "^3.1.2" + minimatch "^3.1.5" natural-compare "^1.4.0" optionator "^0.9.3" @@ -3135,6 +3135,13 @@ minimatch@^3.1.2: dependencies: brace-expansion "^1.1.7" +minimatch@^3.1.5: + version "3.1.5" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.5.tgz#580c88f8d5445f2bd6aa8f3cadefa0de79fbd69e" + integrity sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w== + dependencies: + brace-expansion "^1.1.7" + minimatch@^9.0.3, minimatch@^9.0.4: version "9.0.5" resolved "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz" @@ -3388,6 +3395,15 @@ possible-typed-array-names@^1.0.0: resolved "https://registry.npmjs.org/possible-typed-array-names/-/possible-typed-array-names-1.1.0.tgz" integrity sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg== +postcss@^8.5.14: + version "8.5.14" + resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.5.14.tgz#a66c2d7808fadf69ebb5b84a03f8bafd76c4919c" + integrity sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg== + dependencies: + nanoid "^3.3.11" + picocolors "^1.1.1" + source-map-js "^1.2.1" + postcss@^8.5.6: version "8.5.6" resolved "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz" @@ -3402,10 +3418,10 @@ prelude-ls@^1.2.1: resolved "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz" integrity sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g== -prettier@^3.8.1: - version "3.8.1" - resolved "https://registry.yarnpkg.com/prettier/-/prettier-3.8.1.tgz#edf48977cf991558f4fcbd8a3ba6015ba2a3a173" - integrity sha512-UOnG6LftzbdaHZcKoPFtOcCKztrQ57WkHDeRD9t/PTQtmT0NHSeWWepj6pS0z/N7+08BHFDQVUrfmfMRcZwbMg== +prettier@^3.8.3: + version "3.8.3" + resolved "https://registry.yarnpkg.com/prettier/-/prettier-3.8.3.tgz#560f2de55bf01b4c0503bc629d5df99b9a1d09b0" + integrity sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw== pretty-format@^27.0.2: version "27.5.1" @@ -3445,10 +3461,10 @@ raf-schd@^4.0.3: resolved "https://registry.yarnpkg.com/raf-schd/-/raf-schd-4.0.3.tgz#5d6c34ef46f8b2a0e880a8fcdb743efc5bfdbc1a" integrity sha512-tQkJl2GRWh83ui2DiPTJz9wEiMN20syf+5oKfB03yYP7ioZcJwsIK8FjrtLwH1m7C7e+Tt2yYBlrOpdT+dyeIQ== -react-dom@^19.2.4: - version "19.2.4" - resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.2.4.tgz#6fac6bd96f7db477d966c7ec17c1a2b1ad8e6591" - integrity sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ== +react-dom@^19.2.6: + version "19.2.6" + resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.2.6.tgz#44a81b0bcca22da814c00847d09d01c8615529b7" + integrity sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g== dependencies: scheduler "^0.27.0" @@ -3475,10 +3491,10 @@ react-refresh@^0.18.0: resolved "https://registry.npmjs.org/react-refresh/-/react-refresh-0.18.0.tgz" integrity sha512-QgT5//D3jfjJb6Gsjxv0Slpj23ip+HtOpnNgnb2S5zU3CB26G/IDPGoy4RJB42wzFE46DRsstbW6tKHoKbhAxw== -react@^19.2.4: - version "19.2.4" - resolved "https://registry.yarnpkg.com/react/-/react-19.2.4.tgz#438e57baa19b77cb23aab516cf635cd0579ee09a" - integrity sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ== +react@^19.2.6: + version "19.2.6" + resolved "https://registry.yarnpkg.com/react/-/react-19.2.6.tgz#3dadb8e12b2a7934c1d5317973e5dce1301f9a4d" + integrity sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q== redent@^3.0.0: version "3.0.0"