Sync with react.dev @ e22544e6

package.json

@@ -35,7 +35,11 @@
     "classnames": "^2.2.6",
     "debounce": "^1.2.1",
     "github-slugger": "^1.3.0",
+<<<<<<< HEAD
     "next": "15.4.8",
+=======
+    "next": "15.1.9",
+>>>>>>> e22544e68d6fffda33332771efe27034739f35a4
     "next-remote-watch": "^1.0.0",
     "parse-numeric-range": "^1.2.0",
     "react": "^19.0.0",

src/components/Layout/HomeContent.js

@@ -264,7 +264,11 @@ export function HomeContent() {
                 color="gray"
                 icon="framework"
                 href="/learn/creating-a-react-app">
+<<<<<<< HEAD
                 開始使用框架
+=======
+                Get started with a framework
+>>>>>>> e22544e68d6fffda33332771efe27034739f35a4
               </CTA>
             </div>
           </Center>

src/components/MDX/Sandpack/template.ts

@@ -35,8 +35,8 @@ root.render(
           eject: 'react-scripts eject',
         },
         dependencies: {
-          react: '^19.2.0',
-          'react-dom': '^19.2.0',
+          react: '^19.2.1',
+          'react-dom': '^19.2.1',
           'react-scripts': '^5.0.0',
         },
       },

src/components/MDX/SandpackWithHTMLOutput.tsx

@@ -56,8 +56,8 @@ export default function formatHTML(markup) {
 const packageJSON = `
 {
   "dependencies": {
-    "react": "^19.2.0",
-    "react-dom": "^19.2.0",
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1",
     "react-scripts": "^5.0.0",
     "html-format": "^1.1.2"
   },

src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md

@@ -0,0 +1,168 @@
+---
+title: "Critical Security Vulnerability in React Server Components"
+author: The React Team
+date: 2025/12/03
+description: There is an unauthenticated remote code execution vulnerability in React Server Components. A fix has been published in versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
+
+---
+
+December 3, 2025 by [The React Team](/community/team)
+
+---
+
+<Intro>
+
+There is an unauthenticated remote code execution vulnerability in React Server Components.
+
+We recommend upgrading immediately.
+
+</Intro>
+
+---
+
+On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. 
+
+Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. 
+
+This vulnerability was disclosed as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and is rated CVSS 10.0.
+
+The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
+
+* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
+* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
+* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
+
+## Immediate Action Required {/*immediate-action-required*/}
+
+A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.
+
+If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
+
+### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/}
+
+Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). 
+
+We will update this post with upgrade instructions on how to upgrade as they become available.
+
+### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}
+
+We have worked with a number of hosting providers to apply temporary mitigations.
+
+You should not depend on these to secure your app, and still update immediately.
+
+### Vulnerability overview {/*vulnerability-overview*/}
+
+[React Server Functions](https://react.dev/reference/rsc/server-functions) allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.
+
+An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.
+
+## Update Instructions {/*update-instructions*/}
+
+### Next.js {/*update-next-js*/}
+
+All users should upgrade to the latest patched version in their release line:
+
+```bash
+npm install [email protected]   // for 15.0.x
+npm install [email protected]   // for 15.1.x
+npm install [email protected]   // for 15.2.x
+npm install [email protected]   // for 15.3.x
+npm install [email protected]   // for 15.4.x
+npm install [email protected]   // for 15.5.x
+npm install [email protected]   // for 16.0.x
+```
+
+If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
+
+```bash
+npm install next@14
+```
+
+See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
+
+### React Router {/*update-react-router*/}
+
+If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:
+
+```bash
+npm install react@latest
+npm install react-dom@latest
+npm install react-server-dom-parcel@latest
+npm install react-server-dom-webpack@latest
+npm install @vitejs/plugin-rsc@latest
+```
+
+### Expo {/*expo*/}
+
+To learn more about mitigating, read the article on [expo.dev/changelog](https://expo.dev/changelog/mitigating-critical-security-vulnerability-in-react-server-components).
+
+### Redwood SDK {/*update-redwood-sdk*/}
+
+Ensure you are on rwsdk>=1.0.0-alpha.0
+
+For the latest beta version:
+
+```bash
+npm install rwsdk@latest
+```
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+```
+
+See [Redwood docs](https://docs.rwsdk.com/migrating/) for more migration instructions.
+
+### Waku {/*update-waku*/}
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
+```
+
+See [Waku announcement](https://github.com/wakujs/waku/discussions/1823) for more migration instructions.
+
+### `@vitejs/plugin-rsc` {/*vitejs-plugin-rsc*/}
+
+Upgrade to the latest RSC plugin:
+
+```bash
+npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
+```
+
+### `react-server-dom-parcel` {/*update-react-server-dom-parcel*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-parcel@latest
+ ```
+
+### `react-server-dom-turbopack` {/*update-react-server-dom-turbopack*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-turbopack@latest
+ ```
+
+### `react-server-dom-webpack` {/*update-react-server-dom-webpack*/}
+
+Update to the latest version:
+
+ ```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+ ```
+
+## Timeline {/*timeline*/}
+
+* **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/).
+* **November 30th**: Meta security researchers confirmed and began working with the React team on a fix.
+* **December 1st**: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix
+* **December 3rd**: The fix was published to npm and the publicly disclosed as CVE-2025-55182.
+
+## Attribution {/*attribution*/}
+
+Thank you to [Lachlan Davidson](https://github.com/lachlan2k) for discovering, reporting, and working to help fix this vulnerability.

src/content/blog/index.md

@@ -12,6 +12,12 @@ You can also follow the [@react.dev](https://bsky.app/profile/react.dev) account
 
 <div className="sm:-mx-5 flex flex-col gap-5 mt-12">
 
+<BlogCard title="Critical Security Vulnerability in React Server Components" date="December 3, 2025" url="/blog/2025/12/03/critical-security-vulnerability-in-react-server-components">
+
+There is an unauthenticated remote code execution vulnerability in React Server Components. A fix has been published in versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
+
+</BlogCard>
+
 <BlogCard title="React Conf 2025 Recap" date="October 16, 2025" url="/blog/2025/10/16/react-conf-2025-recap">
 
 Last week we hosted React Conf 2025. In this post, we summarize the talks and announcements from the event...

src/content/learn/add-react-to-an-existing-project.md

@@ -20,9 +20,15 @@ title: 將 React 加入到一個現有的專案
 
 以下是我們推薦的設定方式：
 
+<<<<<<< HEAD
 1. 使用其中一個[基於 React 的框架](/learn/creating-a-react-app)來**建構你的應用程式中的 React 部分**。
 2. **在你的框架設定中指定 `/some-app` 作為*基本路徑***。（這裡是如何設定：[Next.js](https://nextjs.org/docs/app/api-reference/config/next-config-js/basePath)、[Gatsby](https://www.gatsbyjs.com/docs/how-to/previews-deploys-hosting/path-prefix/))。
 3. **設定你的伺服器或代理**，讓所有在 `/some-app/` 下的請求都由 React 應用程式處理。
+=======
+1. **Build the React part of your app** using one of the [React-based frameworks](/learn/creating-a-react-app).
+2. **Specify `/some-app` as the *base path*** in your framework's configuration (here's how: [Next.js](https://nextjs.org/docs/app/api-reference/config/next-config-js/basePath), [Gatsby](https://www.gatsbyjs.com/docs/how-to/previews-deploys-hosting/path-prefix/)).
+3. **Configure your server or a proxy** so that all requests under `/some-app/` are handled by your React app.
+>>>>>>> e22544e68d6fffda33332771efe27034739f35a4
 
 這可確保你的應用程式的 React 部分可以[受益於融入這些框架的最佳實踐](/learn/build-a-react-app-from-scratch#consider-using-a-framework)。
 
@@ -149,7 +155,11 @@ root.render(<NavigationBar />);
 
 注意原始的 HTML 內容從 `index.html` 被保留下來，但是你自己的 `NavigationBar` React component 現在出現在你 HTML 中的 `<nav id="navigation">` 內。閱讀 [`createRoot` 使用文件](/reference/react-dom/client/createRoot#rendering-a-page-partially-built-with-react)以了解更多關於在現有 HTML 頁面中 render React component 的資訊。
 
+<<<<<<< HEAD
 當你在現有的專案中採用 React 時，通常會從小的互動式 component（如按鈕）開始，然後逐漸「向上移動」，直到最終整個頁面都是使用 React 建構的。如果你達到了那裡，我們建議立即遷移到[一個 React 框架](/learn/creating-a-react-app) ，以充分利用 React 的優勢。
+=======
+When you adopt React in an existing project, it's common to start with small interactive components (like buttons), and then gradually keep "moving upwards" until eventually your entire page is built with React. If you ever reach that point, we recommend migrating to [a React framework](/learn/creating-a-react-app) right after to get the most out of React.
+>>>>>>> e22544e68d6fffda33332771efe27034739f35a4
 
 ## 在現有的原生手機應用程式中使用 React Native {/*using-react-native-in-an-existing-native-mobile-app*/}
 

src/content/learn/your-first-component.md

@@ -215,7 +215,11 @@ function Profile() {
 
 你的 React 應用程式從「root」component 開始。通常，在你啟動一個新專案時，它會自動被建立。例如，如果你使用 [CodeSandbox](https://codesandbox.io/) 或 [Next.js](https://nextjs.org/) 框架，root component 會定義在 pages/index.js 中。在這些例子中，你一直在 export root component。
 
+<<<<<<< HEAD
 [基於 React 的框架](/learn/creating-a-react-app)更進一步。它們不使用空的 HTML 檔案，然後讓 React 用 JavaScript「接管」頁面管理，而是*也*會從你的 React 元件自動生成 HTML。這讓你的應用程式能夠在 JavaScript 程式碼載入之前就顯示一些內容。
+=======
+[React-based frameworks](/learn/creating-a-react-app) take this a step further. Instead of using an empty HTML file and letting React "take over" managing the page with JavaScript, they *also* generate the HTML automatically from your React components. This allows your app to show some content before the JavaScript code loads.
+>>>>>>> e22544e68d6fffda33332771efe27034739f35a4
 
 [基於 React 的框架]((/learn/start-a-new-react-project)) 更進一步。它們不只是使用空的 HTML 檔案並讓 React 通過 JavaScript 管理頁面，它們*還會*自動從你的 React component 中生成 HTML。這使得你的應用程式在 JavaScript 程式碼載入之前就能顯示一些內容。
 

src/content/reference/react/addTransitionType.md

@@ -39,7 +39,7 @@ startTransition(() => {
 
 #### Returns {/*returns*/}
 
-`startTransition` does not return anything.
+`addTransitionType` does not return anything.
 
 #### Caveats {/*caveats*/}
 

src/content/versions.md

@@ -54,8 +54,12 @@ For versions older than React 15, see [15.react.dev](https://15.react.dev).
 - [React 19 Deep Dive: Coordinating HTML](https://www.youtube.com/watch?v=IBBN-s77YSI)
 
 **Releases**
+- [v19.2.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1921-dec-3-2025)
 - [v19.2.0 (October, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1920-october-1st-2025)
+- [v19.1.2 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1912-dec-3-2025)
+- [v19.1.1 (July, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1911-july-28-2025)
 - [v19.1.0 (March, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1910-march-28-2025)
+- [v19.0.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1901-dec-3-2025)
 - [v19.0.0 (December, 2024)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1900-december-5-2024)
 
 ### React 18 {/*react-18*/}

src/sidebarBlog.json

@@ -11,6 +11,13 @@
       "path": "/blog",
       "skipBreadcrumb": true,
       "routes": [
+        {
+          "title": "Critical Security Vulnerability in React Server Components",
+          "titleForHomepage": "Vulnerability in React Server Components",
+          "icon": "blog",
+          "date": "December 03, 2025",
+          "path": "/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
+        },
         {
           "title": "React Conf 2025 Recap",
           "titleForHomepage": "React Conf 2025 Recap",