Bump frontend and component library dependencies

[masenf]

All Submissions:

• Have you followed the guidelines stated in CONTRIBUTING.md file?
• Have you checked to ensure there aren't any other open Pull Requests for the desired changed?

Type of change

• New feature (non-breaking change which adds functionality)

Description

This PR bumps frontend and component library dependencies to their current releases across multiple packages:

Core frontend dependencies (reflex-base):

• react / react-dom: 19.2.6 → 19.2.7
• react-router and related packages: 7.15.0 → 7.18.0
• isbot: 5.1.40 → 5.1.43
• universal-cookie: 7.2.2 → 8.1.2
• postcss: 8.5.14 → 8.5.15
• tailwindcss / @tailwindcss/postcss: 4.3.0 → 4.3.1
• @tailwindcss/typography: 0.5.19 → 0.5.20
• Bun: 1.3.13 → 1.3.14
• rich upper bound: <15 → <16 (adopting rich 15)

Component library updates:

• reflex-components-plotly: react-plotly.js 2.6.0 → 4.0.0, plotly.js (and dist-min/locale variants) 3.5.x → 3.6.0
• reflex-components-code: shiki and @shikijs/transformers 3.3.0 → 4.2.0
• reflex-components-core: react-error-boundary 6.1.1 → 6.1.2
• reflex-components-lucide: lucide-react 1.14.0 → 1.20.0
• reflex-components-radix: Multiple Radix UI primitives bumped (accordion, dialog, form, progress, slider)
• reflex-components-internal: @hugeicons/react 1.1.6 → 1.1.7, @icons-pack/react-simple-icons 13.8.0 → 13.13.0
• reflex-site-shared: react-medium-image-zoom 5.4.2 → 5.4.8
• docs: @inkeep/cxkit-react 0.5.115 → 0.5.119

Other changes:

• Removed the now-redundant cookie package.json override in reflex-base — universal-cookie 8 and react-router both resolve cookie to 1.x on their own
• Updated reflex-hosting-cli to support rich 15
• Regenerated .pyi stubs for affected components

All changes are non-breaking and maintain backward compatibility.

Test Plan

Existing tests pass. Dependency updates are configuration-only changes with no API modifications. The .pyi stub regeneration is automated and validated by the build system.

https://claude.ai/code/session_017VbHTc3JxgKUNBCrCMN2cp

[codspeed-hq]

Merging this PR will not alter performance

✅ 26 untouched benchmarks
⏩ 8 skipped benchmarks¹

---

_{Comparing claude/gallant-lovelace-w3c4dp (7c42ff5) with main (8945367)}

Footnotes

1. 8 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[greptile-apps]

Greptile Summary

This PR bumps frontend npm and Python package dependencies across multiple reflex packages — all version string updates with no API or logic changes. The cookie npm override is also removed since universal-cookie 8 and react-router 7.18 both resolve the cookie transitive dependency to 1.x independently.

• Frontend npm bumps: React 19.2.7, React Router 7.18.0, Bun 1.3.14, Tailwind 4.3.1, shiki 4.2.0, react-plotly.js 4.0.0 / plotly.js 3.6.0, lucide-react 1.20.0, multiple Radix UI primitives, and several doc/site dependencies.
• Python dependency widening: Both reflex-base and reflex-hosting-cli raise the rich upper bound from <15 to <16, allowing rich 15.x (resolved to 15.0.0 in the lock file).
• Lock file: uv.lock is regenerated with updated hashes and switches exclude-newer from a fixed timestamp to the epoch sentinel, deferring to exclude-newer-span = "P7D" for future regeneration.

Confidence Score: 5/5

Safe to merge — all changes are version string updates with no logic modifications.

Every changed file is either a package version constant, a dependency constraint in a pyproject.toml, or a regenerated lock file. The core codeToHtml API used in the shiki template is unchanged in shiki 4.x. The createPlotlyComponent factory path and Plot tag remain the same. The universal-cookie constructor/get/set/remove calls in state.js match the stable Cookies class API present in v8. No logic paths are altered.

No files require special attention.

Important Files Changed

Filename	Overview
packages/reflex-base/src/reflex_base/constants/installer.py	Version bumps for Bun, React Router, React, isbot, universal-cookie, and postcss; removes the cookie npm override now that universal-cookie 8 and react-router resolve it on their own
packages/reflex-components-plotly/src/reflex_components_plotly/plotly.py	Bumps react-plotly.js from 2.6.0 to 4.0.0 and all plotly.js dist variants from 3.5.x to 3.6.0; createPlotlyComponent factory import and Plot tag usage unchanged
packages/reflex-components-code/src/reflex_components_code/shiki_code_block.py	Bumps shiki and @shikijs/transformers from 3.3.0 to 4.2.0; shiki 4.x keeps codeToHtml API fully compatible — only breaking change upstream is a CSS class typo fix
packages/reflex-base/pyproject.toml	Widens the rich Python dependency upper bound from <15 to <16, allowing rich 15.x; uv.lock confirms resolution to rich 15.0.0
packages/reflex-hosting-cli/pyproject.toml	Mirrors the rich <16 upper bound change from reflex-base to keep the two packages aligned
uv.lock	Updates resolved package hashes (rich 14→15); changes exclude-newer from a fixed timestamp to the epoch sentinel with exclude-newer-span=P7D taking effect for future regeneration
packages/reflex-components-radix/src/reflex_components_radix/primitives/slider.py	Bumps @radix-ui/react-slider from 1.3.6 to 1.4.1 — minor version bump with no API changes expected
packages/reflex-base/src/reflex_base/plugins/tailwind_v4.py	Bumps tailwindcss and @tailwindcss/postcss from 4.3.0 to 4.3.1; @tailwindcss/typography from 0.5.19 to 0.5.20

_{Reviews (2): Last reviewed commit: "Bump frontend and backend dependency pin..." | Re-trigger Greptile}