Context: Content SDK's `react` and `nextjs` packages declare `"react": "^19.2.1"` as a peer dependency. React 19.2.1 through 19.2.3 contain incomplete mitigations for CVE-2026-23864, a High-severity (CVSS 7.5) denial-of-service vulnerability affecting Server Components and Server Actions. Developers who install the minimum allowed React version are silently exposed. React 19.2.4 (Jan 26, 2026) is the fully patched version.
Steps:
1. Open `packages/react/package.json` -- change `"react": "^19.2.1"` to `"react": ">=19.2.4"` and `"react-dom": "^19.2.1"` to `"react-dom": ">=19.2.4"`
2. Open `packages/nextjs/package.json` -- apply the same change to `react` and `react-dom` peer dependencies
3. Run `yarn install` at root to verify no peer conflicts
4. Run the full test suite: `yarn test`
5. Update CHANGELOG with the peer dependency bump and CVE reference
Acceptance criteria:
`react` peer dependency floor is `>=19.2.4` in all published packages that declare it
CI passes with React 19.2.4
CHANGELOG entry references CVE-2026-23864
Risks: Teams pinned to React 19.2.1--19.2.3 will receive a peer warning on next install. This is intentional -- they should upgrade to close the security gap.
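The first acceptance criterion can be enforced mechanically. The following is an added example, not part of Content SDK: it takes parsed `package.json` objects and reports any `react` or `react-dom` peer range whose lower bound is below 19.2.4. The function names and the sample manifests are assumptions constructed for illustration, and only `^`, `~`, `>=`, `=`, `<`, `<=` and exact versions are understood; anything else fails closed.

```javascript
// Added example (not Content SDK code): report manifests whose React peer
// range does not enforce the patched floor named on this page.
const FLOOR = [19, 2, 4];
const PEERS = ['react', 'react-dom'];
const parse = (v) => (/^(\d+)\.(\d+)\.(\d+)$/.exec(v) || []).slice(1).map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Lowest version one "||" alternative admits; null means unbounded below or unparsed.
function alternativeFloor(alt) {
  let floor = null;
  for (const tok of alt.trim().split(/\s+/)) {
    const m = /^(\^|~|>=|=|<=|<)?(.+)$/.exec(tok);
    if (!m) return null; // empty range matches any version
    if (m[1] === '<' || m[1] === '<=') continue; // upper bound only
    const v = parse(m[2]);
    if (v.length !== 3) return null; // wildcards, tags, partial versions: fail closed
    if (!floor || cmp(v, floor) > 0) floor = v;
  }
  return floor;
}

// True when any alternative of the range lacks a lower bound of at least FLOOR.
function rangeAdmitsUnpatched(range) {
  return String(range).split('||').some((alt) => {
    const floor = alternativeFloor(alt);
    return !floor || cmp(floor, FLOOR) < 0;
  });
}

// manifests: { path: parsed package.json }. Returns one finding per offending peer.
function checkPeerFloors(manifests) {
  const findings = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    for (const name of PEERS) {
      const range = (pkg.peerDependencies || {})[name];
      if (range !== undefined && rangeAdmitsUnpatched(range)) {
        findings.push(`${path}: ${name} "${range}" does not enforce floor ${FLOOR.join('.')}`);
      }
    }
  }
  return findings;
}

// Constructed sample manifests: the first uses the old range, the second the fix.
const sample = {
  'packages/react/package.json': { peerDependencies: { react: '^19.2.1', 'react-dom': '^19.2.1' } },
  'packages/nextjs/package.json': { peerDependencies: { react: '>=19.2.4', 'react-dom': '>=19.2.4' } },
};
console.log(checkPeerFloors(sample).join('\n'));
```

The check looks only at the lower bound; `>=19.2.4`, unlike the caret range it replaces, also admits future major versions.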