fix(deps): update web frontend (minor/patch) #1289

Open
renovate[bot] wants to merge 1 commit into main from renovate/web-frontend-(minorpatch)

@renovate renovate Bot commented May 30, 2026

This PR contains the following updates:

Package | Change
eslint-plugin-react-refresh | ^0.4.20 → ^0.5.0
react (source) | 19.2.6 → 19.2.7
react-dom (source) | 19.2.6 → 19.2.7

Release Notes

ArnaudBarre/eslint-plugin-react-refresh (eslint-plugin-react-refresh)

v0.5.2

  • Support nested function calls for extraHOCs (actually fixes #104)

v0.5.1

  • Mark ESLint v10 as supported
  • Support false positives with TypeScript function overloading (fixes #105)
  • Support nested function calls for extraHOCs (fixes #104)

v0.5.0

Breaking changes
  • The package now ships as ESM and requires ESLint 9 + node 20. Because legacy config doesn't support ESM, this requires using flat config
  • A new reactRefresh export is available and preferred over the default export. It's an object with two properties:
    • plugin: The plugin object with the rules
    • configs: An object containing configuration presets, each exposed as a function. These functions accept your custom options, merge them with sensible defaults for that config, and return the final config object.
  • customHOCs option was renamed to extraHOCs
  • Validation of HOCs calls is now more strict, you may need to add some HOCs to the extraHOCs option

Config example:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";

export default defineConfig(
  /* Main config */
  reactRefresh.configs.vite({ extraHOCs: ["someLibHOC"] }),
);

Config example without config:

import { defineConfig } from "eslint/config";
import { reactRefresh } from "eslint-plugin-react-refresh";

export default defineConfig({
  files: ["**/*.ts", "**/*.tsx"],
  plugins: {
    // other plugins
    "react-refresh": reactRefresh.plugin,
  },
  rules: {
    // other rules
    "react-refresh/only-export-components": [
      "warn",
      { extraHOCs: ["someLibHOC"] },
    ],
  },
});

Why

This version follows a revamp of the internal logic to better make the difference between random call expressions like export const Enum = Object.keys(Record) and actual React HOC calls like export const MemoComponent = memo(Component). (fixes #93)

The rule now handles ternaries and patterns like export default customHOC(props)(Component) which makes it able to correctly support files like this one given this config:

{
  "react-refresh/only-export-components": [
    "warn",
    { "extraHOCs": ["createRootRouteWithContext"] }
  ]
}

Note: Actually createRoute functions from TanStack Router are not React HOCs, they return route objects that fake to be a memoized component but are not. When only doing createRootRoute({ component: Foo }), HMR will work fine, but as soon as you add a prop to the options that is not a React component, HMR will not work. I would recommend to avoid adding any TanStack function to extraHOCs if you want to preserve good HMR in the long term. Bluesky thread.

Because I'm not 100% sure this new logic doesn't introduce any false positive, this is done in a major-like version. This also gives me the occasion to remove the hardcoded connect from the rule. If you are using connect from react-redux, you should now add it to extraHOCs like this:

{
  "react-refresh/only-export-components": ["warn", { "extraHOCs": ["connect"] }]
}

facebook/react (react)

v19.2.7

facebook/react (react-dom)

v19.2.7


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on saturday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the Dependency label May 30, 2026
@CLAassistant
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions Bot added the web Pull request touches web frontend code label May 30, 2026
@renovate renovate Bot force-pushed the renovate/web-frontend-(minorpatch) branch 12 times, most recently from 026be7f to ec4629e Compare May 31, 2026 11:45
github-actions Bot commented May 31, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score | Details
npm/eslint-plugin-react-refresh | ^0.5.0 | Unknown | Unknown

npm/react | 19.2.7 | 🟢 6.7
Details
Check | Score | Reason
Code-Review | 🟢 9 | Found 29/30 approved changesets -- score normalized to 9
Maintained | 🟢 10 | 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
CII-Best-Practices | ⚠️ 2 | badge detected: InProgress
Packaging | ⚠️ -1 | packaging workflow not detected
License | 🟢 10 | license file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches
Binary-Artifacts | 🟢 9 | binaries present in source code
Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
SAST | ⚠️ 1 | SAST tool is not run on all commits -- score normalized to 1
Fuzzing | ⚠️ 0 | project is not fuzzed

npm/react-dom | 19.2.7 | 🟢 6.7
Details
Check | Score | Reason
Code-Review | 🟢 9 | Found 29/30 approved changesets -- score normalized to 9
Maintained | 🟢 10 | 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
CII-Best-Practices | ⚠️ 2 | badge detected: InProgress
Packaging | ⚠️ -1 | packaging workflow not detected
License | 🟢 10 | license file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches
Binary-Artifacts | 🟢 9 | binaries present in source code
Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
SAST | ⚠️ 1 | SAST tool is not run on all commits -- score normalized to 1
Fuzzing | ⚠️ 0 | project is not fuzzed

Scanned Files

  • web/package.json

@renovate renovate Bot force-pushed the renovate/web-frontend-(minorpatch) branch 14 times, most recently from 653e973 to 5106461 Compare June 1, 2026 13:19
@renovate renovate Bot force-pushed the renovate/web-frontend-(minorpatch) branch 2 times, most recently from 0a82da3 to eff5fd9 Compare June 1, 2026 18:47
@renovate renovate Bot changed the title chore(deps): update dependency eslint-plugin-react-refresh to ^0.5.0 fix(deps): update web frontend (minor/patch) Jun 1, 2026
@renovate renovate Bot force-pushed the renovate/web-frontend-(minorpatch) branch 2 times, most recently from dd2b2e3 to b422930 Compare June 2, 2026 14:27
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/web-frontend-(minorpatch) branch from b422930 to 12a3871 Compare June 2, 2026 17:02