Skip to content

react-aria/react-stately upgrade & versioning updates#1557

Draft
emmatown wants to merge 3 commits into
mainfrom
react-aria-upgrade
Draft

react-aria/react-stately upgrade & versioning updates#1557
emmatown wants to merge 3 commits into
mainfrom
react-aria-upgrade

Conversation

@emmatown

@emmatown emmatown commented Jul 14, 2026

Copy link
Copy Markdown
Member

This makes @keystar/ui use the newer versions of react-aria and react-stately which are just single packages which should significantly reduce the number of installed dependencies.

The newer packages also put some APIs that previously weren't marked private behind /private entrypoints, since these naturally might break in newer versions I've pinned them to exact versions, this should solve various issues we've had in the past where something changed in a non-major version of react-aria/react-stately and that broke Keystatic in some way because the version requirements were loose.

I've also added optional peer dependencies on react-aria and react-stately from @keystar/ui and on react-aria, react-stately and @keystar/ui from @keystatic/core. Note I haven't removed the normal dependencies on these though so essentially if you don't depend on these yourself, things just work but if you e.g. use @keystar/ui to make UI for a custom field, you need to have the exactly matching version of @keystar/ui installed. This isn't changing things practically since things already broke previously if you had mismatched versions but this makes the requirement explicit so users will get a peer dependency warning/error if it's wrong.

This is similar to how react-dom requires a matching version of react but react-dom doesn't do major versions for requiring a newer version of react.

In the future, we may want to migrate to react-aria-components so we're only using public APIs and can potentially be looser with the version requirements but I haven't done that here.

@changeset-bot

changeset-bot Bot commented Jul 14, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: df8337f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 14 packages
Name Type
@keystatic/core Minor
@keystar/ui Minor
@keystar/docs Patch
@example/astro-content Patch
@example/astro Patch
@example/localization Patch
@example/next-app Patch
@example/next-block-builder Patch
@example/next-pages Patch
@keystatic/remix-test-app Patch
keystatic-docs Patch
@keystatic/templates-astro Patch
@keystatic/templates-nextjs Patch
@keystatic/templates-remix Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@socket-security

socket-security Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​internationalized/​string@​3.2.91001007094100
Addedreact-aria@​3.50.0791008795100
Added@​internationalized/​number@​3.6.71001008697100
Addedreact-stately@​3.48.0861009195100
Added@​internationalized/​date@​3.12.2891008797100

View full report

@socket-security

socket-security Bot commented Jul 14, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: design-system/docs/package.jsonnpm/@internationalized/date@3.12.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm react-aria is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: design-system/docs/package.jsonnpm/react-aria@3.50.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-aria@3.50.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm react-stately is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: design-system/pkg/package.jsonnpm/react-stately@3.48.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-stately@3.48.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@emmatown emmatown force-pushed the react-aria-upgrade branch 4 times, most recently from d3e423a to f2311cc Compare July 14, 2026 05:40
@emmatown emmatown changed the title react aria upgrade react-aria/react-stately upgrade & versioning updates Jul 15, 2026
@emmatown emmatown force-pushed the react-aria-upgrade branch 3 times, most recently from 3a3c040 to 19824c8 Compare July 15, 2026 06:47
@emmatown emmatown force-pushed the react-aria-upgrade branch from 19824c8 to df8337f Compare July 15, 2026 06:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant