Loosen react pin from exact 19.0.4 to ~19.0.4

ihabadham · claude · ihabadham · commit 3cf59a9c971e · 2026-04-22T07:43:59.000+02:00
The exact pin locked out every 19.0.x patch including 19.0.5 and
future security patches within the 19.0 line. Pro's own install docs
(docs/pro/react-server-components/upgrading-existing-pro-app.md:26-28
and create-without-ssr.md:37) prescribe `react@~19.0.4` — tilde range
that keeps the CVE floor while allowing 19.0.x patches.

react-on-rails-rsc@19.0.4's peer dep is `react: ^19.0.3`, so 19.0.5
satisfies it. After this change, yarn resolves react to 19.0.5.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/package.json b/package.json
@@ -78,8 +78,8 @@
     "postcss-loader": "7.3.3",
     "postcss-preset-env": "^8.5.0",
     "prop-types": "^15.8.1",
-    "react": "19.0.4",
-    "react-dom": "19.0.4",
+    "react": "~19.0.4",
+    "react-dom": "~19.0.4",
     "react-intl": "^6.4.4",
     "react-on-rails-pro": "16.6.0",
     "react-on-rails-pro-node-renderer": "16.6.0",
diff --git a/yarn.lock b/yarn.lock
@@ -8738,10 +8738,10 @@ react-deep-force-update@^1.0.0:
   resolved "https://registry.npmjs.org/react-deep-force-update/-/react-deep-force-update-1.1.2.tgz"
   integrity sha512-WUSQJ4P/wWcusaH+zZmbECOk7H5N2pOIl0vzheeornkIMhu+qrNdGFm0bDZLCb0hSF0jf/kH1SgkNGfBdTc4wA==
 
-react-dom@19.0.4:
-  version "19.0.4"
-  resolved "https://registry.npmjs.org/react-dom/-/react-dom-19.0.4.tgz#792d2868dc672c6f8abfce62bdb250e913dcfe2b"
-  integrity sha512-JiVlwQwuINIQf2+XUjtRFtLxhTE6hcyX7ZyCmY0HM7I/Kgi7qyXThkzwzg6uCfu3rTg9Ofe1x8qWYrfqthIrzg==
+react-dom@~19.0.4:
+  version "19.0.5"
+  resolved "https://registry.npmjs.org/react-dom/-/react-dom-19.0.5.tgz#7666ca4385dd1f1d2ac2445423077b2f232aa3c0"
+  integrity sha512-yqJj7o8tlj5FiLpycpClCCTp1f1FXvMgCkFej41N1iTmVDiTeDIay6Y69sn8w9JXSCzZyCLP3fotgEhZagDZWw==
   dependencies:
     scheduler "^0.25.0"
 
@@ -8873,10 +8873,10 @@ react-transition-group@4.4.5:
     loose-envify "^1.4.0"
     prop-types "^15.6.2"
 
-react@19.0.4:
-  version "19.0.4"
-  resolved "https://registry.npmjs.org/react/-/react-19.0.4.tgz#8031673e73cbb8ecba2c35c8c461396aa38dc69d"
-  integrity sha512-6RpEg9/n0sThnO+2CaMLWuvL1iyctm9/lcSTwvmyCoJYD5eiIrwxevXtrMqrtUr96HCdQB8/Yf+oK1QGy8kXEQ==
+react@~19.0.4:
+  version "19.0.5"
+  resolved "https://registry.npmjs.org/react/-/react-19.0.5.tgz#b9406da29c7085e446e4c2372dcfe4f7c4801aec"
+  integrity sha512-yIoQWl4moQfHFKNGmyJavhOki09GwCRcMFuXv3y3KMXoQrGnDi0ZHGe4H9EtQE+jrMWU4hgxaILMS4rxTkJdGw==
 
 read-cache@^1.0.0:
   version "1.0.0"
