fix(deps): Update dependency reactfire to v4#385

Open
renovate[bot] wants to merge 1 commit into master from renovate/reactfire-4.x

@renovate renovate Bot commented Aug 26, 2021

Contributor

This PR contains the following updates:

Package | Change
reactfire (source) | ^2.0.3 -> ^4.2.3

Release Notes

FirebaseExtended/reactfire (reactfire)

v4.2.3

Compare Source

What's Changed

Full Changelog: FirebaseExtended/reactfire@v4.2.2...v4.2.3

v4.2.2

Compare Source

What's Changed

  • [auth] fix flash of loading state from useUser #521
  • Move build from TSDX to Vite #534

New Contributors

Full Changelog: FirebaseExtended/reactfire@v4.2.1...v4.2.2

v4.2.1

Compare Source

What's Changed

Fixes

Note: this is a very niche use case for those using ReactFire with a custom reconciler. Most ReactFire devs shouldn't import the *SdkContexts directly.

Dependency updates
Docs improvements

✨ New Contributors

Full Changelog: FirebaseExtended/reactfire@v4.2.0...v4.2.1

v4.2.0

Compare Source

New Features
  • add useCallableFunctionResponse hook to make it easier to call a function on render (#449)
Fixes
  • Add missing Cloud Functions hooks and provider (#444)
  • Update RxFire dependency to ^6.0.2 to get new types for Cloud Functions helper (FirebaseExtended/rxfire#34)
  • Internal cleanup: use RxFire's fromTask (#448)

v4.1.1

Compare Source

Fix an issue where ReactFire hooks wouldn't move past the loading state if undefined was the first value emitted (PR #446, Issue #440)

v4.1.0

Compare Source

v4.0.1

Compare Source

  • Update lockfile (fixes #433)
  • Add missing Analytics exports (useAnalytics, AnalyticsProvider, useInitAnalytics) (PR #431)

    Thank you @shiiinji!

  • [internal cleanup] Use RxFire's remote config implementation instead of a custom ReactFire implementation (PR #434)

    Thank you @sujishpatel!

  • [internal cleanup] Use @ts-expect-error instead of @ts-ignore for safer typings (PR #435)

    Thank you @sujishpatel!

v4.0.0

Compare Source

ReactFire version 4 supports Firebase version 9. Firebase v9 introduces a new API that is more tree-shakeable, which should result in reduced bundle size and therefore faster page loads for your users!

ReactFire v3 -> v4 upgrade guide

Check out discussion #402 for more context.

ReactFire v3 source is available in the v3 branch.

v3.0.0

Compare Source

v3 of ReactFire supports stable builds of React


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 3am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

socket-security Bot commented Mar 16, 2023

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: npm cipher-base is missing type checks, leading to hash rewind and passing on crafted data

CVE: GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data (CRITICAL)

Affected versions: < 1.0.5

Patched version: 1.0.5

From: ?npm/cipher-base@1.0.4

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cipher-base@1.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Prototype Pollution in npm minimist

CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL)

Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4

Patched version: 1.2.6

From: ?npm/minimist@1.2.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos

CVE: GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos (CRITICAL)

Affected versions: >= 3.0.10 < 3.1.3

Patched version: 3.1.3

From: ?npm/pbkdf2@3.1.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm pbkdf2 silently disregards Uint8Array input, returning static keys

CVE: GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys (CRITICAL)

Affected versions: >= 1.0.0 < 3.1.3

Patched version: 3.1.3

From: ?npm/pbkdf2@3.1.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: npm sha.js is missing type checks leading to hash rewind and passing on crafted data

CVE: GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data (CRITICAL)

Affected versions: < 2.4.12

Patched version: 2.4.12

From: ?npm/sha.js@2.4.11

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sha.js@2.4.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/reactfire-4.x branch from 2be09fc to 1e02930 Compare March 24, 2023 23:25
renovate Bot commented Mar 24, 2023

Contributor Author

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

@renovate renovate Bot changed the title fix(deps): update dependency reactfire to v4 fix(deps): Update dependency reactfire to v4 Aug 4, 2023
@renovate renovate Bot force-pushed the renovate/reactfire-4.x branch from 1e02930 to 12b981c Compare May 14, 2025 09:45
vercel Bot commented May 14, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hyperfokus Error Error Apr 1, 2026 6:47pm
