Update dependency react to v15 #30

Open: dev-mend-for-github-com[bot] wants to merge 1 commit into master from whitesource-remediate/react-15.x

dev-mend-for-github-com (bot) commented Feb 25, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| react (source) | dependencies | major | ~0.13.3 -> ~15.0.0 |

By merging this PR, the below vulnerabilities will be automatically resolved:

| Severity | CVSS Score | Vulnerability |
|---|---|---|
| High | 8.7 | CVE-2026-26996 |
| Low | 1.3 | CVE-2025-5889 |

Release Notes

facebook/react (react)

v15.0.0

Compare Source

Major changes
  • Initial render now uses document.createElement instead of generating HTML. Previously we would generate a large string of HTML and then set node.innerHTML. At the time, this was decided to be faster than using document.createElement for the majority of cases and browsers that we supported. Browsers have continued to improve and so overwhelmingly this is no longer true. By using createElement we can make other parts of React faster. (@​sophiebits in #​5205)
  • data-reactid is no longer on every node. As a result of using document.createElement, we can prime the node cache as we create DOM nodes, allowing us to skip a potential lookup (which used the data-reactid attribute). Root nodes will have a data-reactroot attribute and server generated markup will still contain data-reactid. (@​sophiebits in #​5205)
  • No more extra <span>s. ReactDOM will now render plain text nodes interspersed with comment nodes that are used for demarcation. This gives us the same ability to update individual pieces of text, without creating extra nested nodes. If you were targeting these <span>s in your CSS, you will need to adjust accordingly. You can always render them explicitly in your components. (@​mwiencek in #​5753)
  • Rendering null now uses comment nodes. Previously null would render to <noscript> elements. We now use comment nodes. This may cause issues if making use of :nth-child CSS selectors. While we consider this rendering behavior an implementation detail of React, it's worth noting the potential problem. (@​sophiebits in #​5451)
  • Functional components can now return null. We added support for defining stateless components as functions in React 0.14. However, React 0.14 still allowed you to define a class component without extending React.Component or using React.createClass(), so we couldn’t reliably tell if your component is a function or a class, and did not allow returning null from it. This issue is solved in React 15, and you can now return null from any component, whether it is a class or a function. (@​jimfb in #​5884)
  • Improved SVG support. All SVG tags are now fully supported. (Uncommon SVG tags are not present on the React.DOM element helper, but JSX and React.createElement work on all tag names.) All SVG attributes that are implemented by the browsers should be supported too. If you find any attributes that we have missed, please let us know in this issue. (@​zpao in #​6243)
Breaking changes
  • No more extra <span>s.
  • React.cloneElement() now resolves defaultProps. We fixed a bug in React.cloneElement() that some components may rely on. If some of the props received by cloneElement() are undefined, it used to return an element with undefined values for those props. We’re changing it to be consistent with createElement(). Now any undefined props passed to cloneElement() are resolved to the corresponding component’s defaultProps. (@​truongduy134 in #​5997)
  • ReactPerf.getLastMeasurements() is opaque. This change won’t affect applications but may break some third-party tools. We are revamping ReactPerf implementation and plan to release it during the 15.x cycle. The internal performance measurement format is subject to change so, for the time being, we consider the return value of ReactPerf.getLastMeasurements() an opaque data structure that should not be relied upon. (@​gaearon in #​6286)
Removed deprecations

These deprecations were introduced nine months ago in v0.14 with a warning and are removed:

  • Deprecated APIs are removed from the React top-level export: findDOMNode, render, renderToString, renderToStaticMarkup, and unmountComponentAtNode. As a reminder, they are now available on ReactDOM and ReactDOMServer. (@​jimfb in #​5832)
  • Deprecated addons are removed: batchedUpdates and cloneWithProps. (@​jimfb in #​5859, @​zpao in #​6016)
  • Deprecated component instance methods are removed: setProps, replaceProps, and getDOMNode. (@​jimfb in #​5570)
  • Deprecated CommonJS react/addons entry point is removed. As a reminder, you should use separate react-addons-* packages instead. This only applies if you use the CommonJS builds. (@​gaearon in #​6285)
  • Passing children to void elements like <input> was deprecated, and now throws an error. (@​jonhester in #​3372)
  • React-specific properties on DOM refs (e.g. this.refs.div.props) were deprecated, and are removed now. (@​jimfb in #​5495)
New deprecations, introduced with a warning

Each of these changes will continue to work as before with a new warning until the release of React 16 so you can upgrade your code gradually.

  • LinkedStateMixin and valueLink are now deprecated due to very low popularity. If you need this, you can use a wrapper component that implements the same behavior: react-linked-input. (@​jimfb in #​6127)
  • Future versions of React will treat <input value={null}> as a request to clear the input. However, React 0.14 has been ignoring value={null}. React 15 warns you on a null input value and offers you to clarify your intention. To fix the warning, you may explicitly pass an empty string to clear a controlled input, or pass undefined to make the input uncontrolled. (@​antoaravinth in #​5048)
  • ReactPerf.printDOM() was renamed to ReactPerf.printOperations(), and ReactPerf.getMeasurementsSummaryMap() was renamed to ReactPerf.getWasted(). (@​gaearon in #​6287)
New helpful warnings
  • If you use a minified copy of the development build, React DOM kindly encourages you to use the faster production build instead. (@​sophiebits in #​5083)
  • React DOM: When specifying a unit-less CSS value as a string, a future version will not add px automatically. This version now warns in this case (ex: writing style={{width: '300'}}). Unitless number values like width: 300 are unchanged. (@pluma in #5140)
  • Synthetic Events will now warn when setting and accessing properties (which will not get cleared appropriately), as well as warn on access after an event has been returned to the pool. (@​kentcdodds in #​5940 and @​koba04 in #​5947)
  • Elements will now warn when attempting to read ref and key from the props. (@​prometheansacrifice in #​5744)
  • React will now warn if you pass a different props object to super() in the constructor. (@​prometheansacrifice in #​5346)
  • React will now warn if you call setState() inside getChildContext(). (@​raineroviir in #​6121)
  • React DOM now attempts to warn for mistyped event handlers on DOM elements, such as onclick which should be onClick. (@​ali in #​5361)
  • React DOM now warns about NaN values in style. (@​jontewks in #​5811)
  • React DOM now warns if you specify both value and defaultValue for an input. (@​mgmcdermott in #​5823)
  • React DOM now warns if an input switches between being controlled and uncontrolled. (@​TheBlasfem in #​5864)
  • React DOM now warns if you specify onFocusIn or onFocusOut handlers as they are unnecessary in React. (@​jontewks in #​6296)
  • React now prints a descriptive error message when you pass an invalid callback as the last argument to ReactDOM.render(), this.setState(), or this.forceUpdate(). (@​conorhastings in #​5193 and @​gaearon in #​6310)
  • Add-Ons: TestUtils.Simulate() now prints a helpful message if you attempt to use it with shallow rendering. (@​conorhastings in #​5358)
  • PropTypes: arrayOf() and objectOf() provide better error messages for invalid arguments. (@​chicoxyzzy in #​5390)
Notable bug fixes
  • Fixed multiple small memory leaks. (@​sophiebits in #​4983 and @​victor-homyakov in #​6309)
  • Input events are handled more reliably in IE 10 and IE 11; spurious events no longer fire when using a placeholder. (@​jquense in #​4051)
  • The componentWillReceiveProps() lifecycle method is now consistently called when context changes. (@​milesj in #​5787)
  • React.cloneElement() doesn’t append slash to an existing key when used inside React.Children.map(). (@​ianobermiller in #​5892)
  • React DOM now supports the cite and profile HTML attributes. (@​AprilArcus in #​6094 and @​saiichihashimoto in #​6032)
  • React DOM now supports cssFloat, gridRow and gridColumn CSS properties. (@​stevenvachon in #​6133 and @​mnordick in #​4779)
  • React DOM now correctly handles borderImageOutset, borderImageWidth, borderImageSlice, floodOpacity, strokeDasharray, and strokeMiterlimit as unitless CSS properties. (@​rofrischmann in #​6210 and #​6270)
  • React DOM now supports the onAnimationStart, onAnimationEnd, onAnimationIteration, onTransitionEnd, and onInvalid events. Support for onLoad has been added to object elements. (@​tomduncalf in #​5187, @​milesj in #​6005, and @​ara4n in #​5781)
  • React DOM now defaults to using DOM attributes instead of properties, which fixes a few edge case bugs. Additionally the nullification of values (ex: href={null}) now results in the forceful removal, no longer trying to set to the default value used by browsers in the absence of a value. (@​syranide in #​1510)
  • React DOM does not mistakenly coerce children to strings for Web Components. (@​jimfb in #​5093)
  • React DOM now correctly normalizes SVG <use> events. (@​edmellum in #​5720)
  • React DOM does not throw if a <select> is unmounted while its onChange handler is executing. (@​sambev in #​6028)
  • React DOM does not throw in Windows 8 apps. (@​Andrew8xx8 in #​6063)
  • React DOM does not throw when asynchronously unmounting a child with a ref. (@​yiminghe in #​6095)
  • React DOM no longer forces synchronous layout because of scroll position tracking. (@​syranide in #​2271)
  • Object.is is used in a number of places to compare values, which leads to fewer false positives, especially involving NaN. In particular, this affects the shallowCompare add-on. (@​chicoxyzzy in #​6132)
  • Add-Ons: ReactPerf no longer instruments adding or removing an event listener because they don’t really touch the DOM due to event delegation. (@​antoaravinth in #​5209)
Other improvements
  • React now uses loose-envify instead of envify so it installs fewer transitive dependencies. (@​qerub in #​6303)
  • Shallow renderer now exposes getMountedInstance(). (@​glenjamin in #​4918)
  • Shallow renderer now returns the rendered output from render(). (@​simonewebdesign in #​5411)
  • React no longer depends on ES5 shams for Object.create and Object.freeze in older environments. It still, however, requires ES5 shims in those environments. (@​dgreensp in #​4959)
  • React DOM now allows data- attributes with names that start with numbers. (@​nLight in #​5216)
  • React DOM adds a new suppressContentEditableWarning prop for components like Draft.js that intentionally manage contentEditable children with React. (@​mxstbr in #​6112)
  • React improves the performance for createClass() on complex specs. (@​sophiebits in #​5550)

v0.14.10

React

v0.14.8

Compare Source

React
  • Fixed memory leak when rendering on the server

v0.14.7

Compare Source

React
  • Fixed bug with <option> tags when using dangerouslySetInnerHTML
  • Fixed memory leak in synthetic event system
React TestUtils Add-on
  • Fixed bug with calling setState in componentWillMount when using shallow rendering

v0.14.6

Compare Source

React
  • Updated fbjs dependency to pick up change affecting handling of undefined document.

v0.14.5

Compare Source

React
  • More minor internal changes for better compatibility with React Native

v0.14.4

Compare Source

React
  • Minor internal changes for better compatibility with React Native
React DOM
  • The autoCapitalize and autoCorrect props are now set as attributes in the DOM instead of properties to improve cross-browser compatibility
  • Fixed bug with controlled <select> elements not handling updates properly
React Perf Add-on
  • Some DOM operation names have been updated for clarity in the output of .printDOM()

v0.14.3

Compare Source

React DOM
  • Added support for nonce attribute for <script> and <style> elements
  • Added support for reversed attribute for <ol> elements
React TestUtils Add-on
  • Fixed bug with shallow rendering and function refs
React CSSTransitionGroup Add-on
  • Fixed bug resulting in timeouts firing incorrectly when mounting and unmounting rapidly
React on Bower
  • Added react-dom-server.js to expose renderToString and renderToStaticMarkup for usage in the browser

v0.14.2

Compare Source

React DOM
  • Fixed bug with development build preventing events from firing in some versions of Internet Explorer & Edge
  • Fixed bug with development build when using es5-sham in older versions of Internet Explorer
  • Added support for integrity attribute
  • Fixed bug resulting in children prop being coerced to a string for custom elements, which was not the desired behavior
  • Moved react from dependencies to peerDependencies to match expectations and align with react-addons-* packages

v0.14.1

Compare Source

React

v0.14.0

Compare Source

Major changes
  • Split the main react package into two: react and react-dom. This paves the way to writing components that can be shared between the web version of React and React Native. This means you will need to include both files and some functions have been moved from React to ReactDOM.
  • Addons have been moved to separate packages (react-addons-clone-with-props, react-addons-create-fragment, react-addons-css-transition-group, react-addons-linked-state-mixin, react-addons-perf, react-addons-pure-render-mixin, react-addons-shallow-compare, react-addons-test-utils, react-addons-transition-group, react-addons-update, ReactDOM.unstable_batchedUpdates).
  • Stateless functional components - React components were previously created using React.createClass or using ES6 classes. This release adds a new syntax where a user defines a single stateless render function (with one parameter: props) which returns a JSX element, and this function may be used as a component.
  • Refs to DOM components as the DOM node itself. Previously the only useful thing you can do with a DOM component is call getDOMNode() to get the underlying DOM node. Starting with this release, a ref to a DOM component is the actual DOM node. Note that refs to custom (user-defined) components work exactly as before; only the built-in DOM components are affected by this change.
Breaking changes
  • React.initializeTouchEvents is no longer necessary and has been removed completely. Touch events now work automatically.
  • Add-Ons: Due to the DOM node refs change mentioned above, TestUtils.findAllInRenderedTree and related helpers are no longer able to take a DOM component, only a custom component.
  • The props object is now frozen, so mutating props after creating a component element is no longer supported. In most cases, React.cloneElement should be used instead. This change makes your components easier to reason about and enables the compiler optimizations mentioned above.
  • Plain objects are no longer supported as React children; arrays should be used instead. You can use the createFragment helper to migrate, which now returns an array.
  • Add-Ons: classSet has been removed. Use classnames instead.
  • Web components (custom elements) now use native property names. Eg: class instead of className.
Deprecations
  • this.getDOMNode() is now deprecated and ReactDOM.findDOMNode(this) can be used instead. Note that in the common case, findDOMNode is now unnecessary since a ref to the DOM component is now the actual DOM node.
  • setProps and replaceProps are now deprecated. Instead, call ReactDOM.render again at the top level with the new props.
  • ES6 component classes must now extend React.Component in order to enable stateless function components. The ES3 module pattern will continue to work.
  • Reusing and mutating a style object between renders has been deprecated. This mirrors our change to freeze the props object.
  • Add-Ons: cloneWithProps is now deprecated. Use React.cloneElement instead (unlike cloneWithProps, cloneElement does not merge className or style automatically; you can merge them manually if needed).
  • Add-Ons: To improve reliability, CSSTransitionGroup will no longer listen to transition events. Instead, you should specify transition durations manually using props such as transitionEnterTimeout={500}.
Notable enhancements
  • Added React.Children.toArray which takes a nested children object and returns a flat array with keys assigned to each child. This helper makes it easier to manipulate collections of children in your render methods, especially if you want to reorder or slice this.props.children before passing it down. In addition, React.Children.map now returns plain arrays too.
  • React uses console.error instead of console.warn for warnings so that browsers show a full stack trace in the console. (Our warnings appear when you use patterns that will break in future releases and for code that is likely to behave unexpectedly, so we do consider our warnings to be “must-fix” errors.)
  • Previously, including untrusted objects as React children could result in an XSS security vulnerability. This problem should be avoided by properly validating input at the application layer and by never passing untrusted objects around your application code. As an additional layer of protection, React now tags elements with a specific ES2015 (ES6) Symbol in browsers that support it, in order to ensure that React never considers untrusted JSON to be a valid element. If this extra security protection is important to you, you should add a Symbol polyfill for older browsers, such as the one included by Babel’s polyfill.
  • When possible, React DOM now generates XHTML-compatible markup.
  • React DOM now supports these standard HTML attributes: capture, challenge, inputMode, is, keyParams, keyType, minLength, summary, wrap. It also now supports these non-standard attributes: autoSave, results, security.
  • React DOM now supports these SVG attributes, which render into namespaced attributes: xlinkActuate, xlinkArcrole, xlinkHref, xlinkRole, xlinkShow, xlinkTitle, xlinkType, xmlBase, xmlLang, xmlSpace.
  • The image SVG tag is now supported by React DOM.
  • In React DOM, arbitrary attributes are supported on custom elements (those with a hyphen in the tag name or an is="..." attribute).
  • React DOM now supports these media events on audio and video tags: onAbort, onCanPlay, onCanPlayThrough, onDurationChange, onEmptied, onEncrypted, onEnded, onError, onLoadedData, onLoadedMetadata, onLoadStart, onPause, onPlay, onPlaying, onProgress, onRateChange, onSeeked, onSeeking, onStalled, onSuspend, onTimeUpdate, onVolumeChange, onWaiting.
  • Many small performance improvements have been made.
  • Many warnings show more context than before.
  • Add-Ons: A shallowCompare add-on has been added as a migration path for PureRenderMixin in ES6 classes.
  • Add-Ons: CSSTransitionGroup can now use custom class names instead of appending -enter-active or similar to the transition name.
New helpful warnings
  • React DOM now warns you when nesting HTML elements invalidly, which helps you avoid surprising errors during updates.
  • Passing document.body directly as the container to ReactDOM.render now gives a warning as doing so can cause problems with browser extensions that modify the DOM.
  • Using multiple instances of React together is not supported, so we now warn when we detect this case to help you avoid running into the resulting problems.
Notable bug fixes
  • Click events are handled by React DOM more reliably in mobile browsers, particularly in Mobile Safari.
  • SVG elements are created with the correct namespace in more cases.
  • React DOM now renders <option> elements with multiple text children properly and renders <select> elements on the server with the correct option selected.
  • When two separate copies of React add nodes to the same document (including when a browser extension uses React), React DOM tries harder not to throw exceptions during event handling.
  • Using non-lowercase HTML tag names in React DOM (e.g., React.createElement('DIV')) no longer causes problems, though we continue to recommend lowercase for consistency with the JSX tag name convention (lowercase names refer to built-in components, capitalized names refer to custom components).
  • React DOM understands that these CSS properties are unitless and does not append “px” to their values: animationIterationCount, boxOrdinalGroup, flexOrder, tabSize, stopOpacity.
  • Add-Ons: When using the test utils, Simulate.mouseEnter and Simulate.mouseLeave now work.
  • Add-Ons: ReactTransitionGroup now correctly handles multiple nodes being removed simultaneously.
React Tools / Babel
Breaking Changes
  • The react-tools package and JSXTransformer.js browser file have been deprecated. You can continue using version 0.13.3 of both, but we no longer support them and recommend migrating to Babel, which has built-in support for React and JSX.
New Features
  • Babel 5.8.24 introduces Inlining React elements: The optimisation.react.inlineElements transform converts JSX elements to object literals like {type: 'div', props: ...} instead of calls to React.createElement. This should only be enabled in production, since it disables some development warnings/checks.
  • Babel 5.8.24 introduces Constant hoisting for React elements: The optimisation.react.constantElements transform hoists element creation to the top level for subtrees that are fully static, which reduces calls to React.createElement and the resulting allocations. More importantly, it tells React that the subtree hasn’t changed so React can completely skip it when reconciling. This should only be enabled in production, since it disables some development warnings/checks.

  • If you want to rebase/retry this PR, check this box
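
The Symbol tagging described in the v0.14.0 notes above, as an added JavaScript example: a simplified model, not React's source and not part of the bot's comment. Helper names are hypothetical, the numeric fallback tag and the pre-0.14 boolean marker are modelled assumptions, and the JSON body is constructed.

```javascript
// Added example: a simplified model of React's element tagging, not React's source.
// Helper names (elementTag, isElementLegacy, isElementTagged, safeText) are hypothetical.

// 0.14+ tags elements with a registered Symbol; without Symbol support the
// model falls back to a plain number, which JSON can carry.
function elementTag(symbolAvailable) {
  return symbolAvailable ? Symbol.for('react.element') : 0xeac7;
}

function makeElement(type, props, tag) {
  return { $$typeof: tag, type: type, props: props };
}

// Modelled pre-0.14 check: a boolean marker that any JSON document can set.
function isElementLegacy(value) {
  return typeof value === 'object' && value !== null && value._isReactElement === true;
}

// Modelled 0.14+ check: the tag must be identical to the expected one.
function isElementTagged(value, tag) {
  return typeof value === 'object' && value !== null && value.$$typeof === tag;
}

// Application-layer validation: a field documented as text must be text.
function safeText(value) {
  if (typeof value === 'string' || typeof value === 'number') return String(value);
  throw new TypeError('expected text, got ' + (value === null ? 'null' : typeof value));
}

// Constructed sample: an API response whose "displayName" should be a string
// but arrives as an element-shaped object.
const untrustedBody = JSON.stringify({
  displayName: { _isReactElement: true, $$typeof: 0xeac7, type: 'div',
                 props: { children: 'constructed text' } },
});

function classify(body) {
  const value = JSON.parse(body).displayName;
  let rejectedByValidation = false;
  try { safeText(value); } catch (e) { rejectedByValidation = e instanceof TypeError; }
  return {
    legacyAccepts: isElementLegacy(value),
    taggedWithSymbolAccepts: isElementTagged(value, elementTag(true)),
    taggedWithoutSymbolAccepts: isElementTagged(value, elementTag(false)),
    rejectedByValidation: rejectedByValidation,
  };
}

// A genuine element loses its Symbol tag when serialized, so it cannot be
// replayed through JSON either.
function survivesJsonRoundTrip() {
  const tag = elementTag(true);
  const genuine = makeElement('div', { children: 'hi' }, tag);
  return isElementTagged(JSON.parse(JSON.stringify(genuine)), tag);
}

console.log(classify(untrustedBody), survivesJsonRoundTrip());
```

The `taggedWithoutSymbolAccepts` result is the case the release notes address by recommending a Symbol polyfill for older browsers.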

dev-mend-for-github-com (bot) added the "security fix" label (Security fix generated by Mend) Feb 25, 2026