Context: JSS 22.12 ships with a React peer dependency of `^19.1.0`, which resolves to any React 19.x release from 19.1.0 upward. CVE-2026-23864 (CVSS 7.5, DoS via memory exhaustion in Server Components) was patched in React 19.2.4. Developers installing JSS 22.12 today could resolve to React 19.1.x or 19.2.0-19.2.3, all of which are vulnerable to unauthenticated denial-of-service attacks. Since JSS Next.js apps use Server Components, this is a direct exposure path.
Steps:
1. Open `packages/sitecore-jss/package.json` — the `"@sitecore-cloudsdk/events": "^0.5.2"` peer dependency is fine, but verify that no React peer is declared here. If React is referenced, raise its floor as in the following steps.
2. Open `packages/sitecore-jss-react/package.json` — change `"react": "^19.1.0"` to `"react": ">=19.2.4"` and `"react-dom": "^19.1.0"` to `"react-dom": ">=19.2.4"`.
3. Open `packages/sitecore-jss-nextjs/package.json` — change `"react": "^19.1.0"` to `"react": ">=19.2.4"` and `"react-dom": "^19.1.0"` to `"react-dom": ">=19.2.4"`.
4. Run `yarn install` to verify no peer conflicts within the monorepo.
5. Run `yarn test-packages` to confirm all tests pass.
6. Update CHANGELOG with the security rationale.
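A small audit that automates the acceptance check above, written as an added example rather than code from the JSS repository: it parses each package's `peerDependencies` and flags any `react`/`react-dom` range whose floor is below 19.2.4. It assumes the monorepo layout of one `package.json` per `packages/*` directory and the simple range shapes used in this ticket (exact, `^`, `~`, `>=`); any other shape is reported for manual review.

```javascript
// Added example, not part of the JSS repository: audit package.json
// peerDependencies for react/react-dom and flag any range whose floor is
// below the patched React release. Supports exact "x.y.z", "^x.y.z", "~x.y.z"
// and ">=x.y.z"; other shapes are reported as unparsed instead of passing silently.
const PATCHED_REACT = '19.2.4'; // first React release with the CVE-2026-23864 fix

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}
// Lowest version a range admits, or null when the range shape is unknown.
function rangeFloor(range) {
  const m = /^(\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  return m ? parseVersion(m[2]) : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// One finding per React peer whose floor is below `patched`; [] means clean.
function auditPeerDeps(pkg, patched = PATCHED_REACT) {
  const findings = [];
  const peers = pkg.peerDependencies || {};
  for (const dep of ['react', 'react-dom']) {
    if (!(dep in peers)) continue; // e.g. sitecore-jss declares no React peer
    const floor = rangeFloor(peers[dep]);
    if (floor === null) {
      findings.push({ pkg: pkg.name, dep, range: peers[dep], reason: 'unparsed range' });
    } else if (compareVersions(floor, parseVersion(patched)) < 0) {
      findings.push({ pkg: pkg.name, dep, range: peers[dep], reason: `floor below ${patched}` });
    }
  }
  return findings;
}
// Walk packages/*/package.json under a monorepo root (CommonJS/Node only).
function auditMonorepo(root) {
  const fs = require('node:fs');
  const path = require('node:path');
  const pkgDir = path.join(root, 'packages');
  return fs.readdirSync(pkgDir).flatMap((d) => {
    const file = path.join(pkgDir, d, 'package.json');
    return fs.existsSync(file) ? auditPeerDeps(JSON.parse(fs.readFileSync(file, 'utf8'))) : [];
  });
}
// Constructed samples mirroring the before/after ranges in the steps above.
const BEFORE = { name: 'sample-jss-react', peerDependencies: { react: '^19.1.0', 'react-dom': '^19.1.0' } };
const AFTER = { name: 'sample-jss-react', peerDependencies: { react: '>=19.2.4', 'react-dom': '>=19.2.4' } };
```

Running `auditMonorepo('.')` from the repo root after step 3 should return an empty array; a non-empty result (or an "unparsed range" entry) means a package still admits a vulnerable React.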
Acceptance criteria:
React peer dependency floor is `>=19.2.4` in all published packages that declare a React peer
`yarn install` succeeds without peer conflicts
CI passes
CHANGELOG entry references CVE-2026-23864
Risks: Teams pinned to React 19.1.x or 19.2.0-19.2.3 will receive a peer dependency warning on next install. This is intentional — they must upgrade to a patched React version.