diff --git a/package.json b/package.json
index 657be88775..55fcc0a5b7 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,7 @@
     "classnames": "^2.2.6",
     "debounce": "^1.2.1",
     "github-slugger": "^1.3.0",
-    "next": "15.1.9",
+    "next": "15.1.11",
     "next-remote-watch": "^1.0.0",
     "parse-numeric-range": "^1.2.0",
     "react": "^19.0.0",
diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
index 90a549bc2a..ffef6119d0 100644
--- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
+++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
@@ -20,9 +20,9 @@ We recommend upgrading immediately.
 
 ---
 
-On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. 
+On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
 
-Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. 
+Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
 
 This vulnerability was disclosed as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and is rated CVSS 10.0.
 
@@ -40,9 +40,9 @@ If your app’s React code does not use a server, your app is not affected by th
 
 ### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/}
 
-Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). 
+Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk).
 
-We will update this post with upgrade instructions on how to upgrade as they become available.
+See the [update instructions below](#update-instructions) for how to upgrade to these patches.
 
 ### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}
 
@@ -58,27 +58,46 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F
 
 ## Update Instructions {/*update-instructions*/}
 
+<Note>
+
+These instructions have been updated to include the new vulnerabilities:
+
+- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
+- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
+
+They also include the additional case found, patched, and disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
+
+See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info.
+
+</Note>
+
 ### Next.js {/*update-next-js*/}
 
 All users should upgrade to the latest patched version in their release line:
 
 ```bash
-npm install next@15.0.5   // for 15.0.x
-npm install next@15.1.9   // for 15.1.x
-npm install next@15.2.6   // for 15.2.x
-npm install next@15.3.6   // for 15.3.x
-npm install next@15.4.8   // for 15.4.x
-npm install next@15.5.7   // for 15.5.x
-npm install next@16.0.7   // for 16.0.x
+npm install next@14.2.35  // for 13.3.x, 13.4.x, 13.5.x, 14.x
+npm install next@15.0.7   // for 15.0.x
+npm install next@15.1.11  // for 15.1.x
+npm install next@15.2.8   // for 15.2.x
+npm install next@15.3.8   // for 15.3.x
+npm install next@15.4.10  // for 15.4.x
+npm install next@15.5.9   // for 15.5.x
+npm install next@16.0.10  // for 16.0.x
+
+npm install next@15.6.0-canary.60   // for 15.x canary releases
+npm install next@16.1.0-canary.19   // for 16.x canary releases
 ```
 
-If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
+If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`.
+
+If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release:
 
 ```bash
 npm install next@14
 ```
 
-See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
+See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
 
 ### React Router {/*update-react-router*/}
 
@@ -156,6 +175,22 @@ Update to the latest version:
 npm install react@latest react-dom@latest react-server-dom-webpack@latest
  ```
 
+
+### React Native {/*react-native*/}
+
+For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed.
+
+If you are using React Native in a monorepo, you should update _only_ the impacted packages if they are installed:
+
+- `react-server-dom-webpack`
+- `react-server-dom-parcel`
+- `react-server-dom-turbopack`
+
+This is required to mitigate the security advisory, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native.
+
+See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information.
+
+
 ## Timeline {/*timeline*/}
 
 * **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/).
diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
new file mode 100644
index 0000000000..119317edca
--- /dev/null
+++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
@@ -0,0 +1,178 @@
+---
+title: "Denial of Service and Source Code Exposure in React Server Components"
+author: The React Team
+date: 2025/12/11
+description: Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), and medium vulnerability Source Code Exposure (CVE-2025-55183)
+
+
+---
+
+December 11, 2025 by [The React Team](/community/team)
+
+---
+
+<Intro>
+
+Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability.
+
+**These new vulnerabilities do not allow for Remote Code Execution.** The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit.
+
+</Intro>
+
+---
+
+The new vulnerabilities are disclosed as:
+
+- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5)
+- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
+
+We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.
+
+<Note>
+
+#### The patches published earlier are vulnerable. {/*the-patches-published-earlier-are-vulnerable*/}
+
+If you already updated for the Critical Security Vulnerability last week, you will need to update again.
+
+If you updated to 19.0.2, 19.1.3, and 19.2.2, [these are incomplete](#additional-fix-published) and you will need to update again.
+
+Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
+
+</Note>
+
+Further details of these vulnerabilities will be provided after the rollout of the fixes are complete.
+
+## Immediate Action Required {/*immediate-action-required*/}
+
+These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).
+
+This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of:
+
+* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
+* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
+* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
+
+Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3. If you are using any of the above packages please upgrade to any of the fixed versions immediately.
+
+As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.
+
+<Note>
+
+#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/}
+
+When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.
+
+This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix.
+
+Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
+
+</Note>
+
+### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/}
+
+Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vite/rsc-plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk).
+
+Please see [the instructions in the previous post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
+
+### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}
+
+As before, we have worked with a number of hosting providers to apply temporary mitigations.
+
+You should not depend on these to secure your app, and still update immediately.
+
+### React Native {/*react-native*/}
+
+For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed.
+
+If you are using React Native in a monorepo, you should update _only_ the impacted packages if they are installed:
+
+- `react-server-dom-webpack`
+- `react-server-dom-parcel`
+- `react-server-dom-turbopack`
+
+This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native.
+
+See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information.
+
+## High Severity: Denial of Service {/*high-severity-denial-of-service*/}
+
+**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779)
+**Base Score:** 7.5 (High)
+
+Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
+
+This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a  performance impact on the server environment.
+
+The patches published today mitigate by preventing the infinite loop.
+
+<Note>
+
+#### Additional fix published {/*additional-fix-published*/}
+
+The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete.
+
+This left versions 19.0.2, 19.1.3, 19.2.2 vulnerable. Versions 19.0.3, 19.1.4, 19.2.3 are safe.
+
+We've fixed the additional cases and filed [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) for the vulnerable versions.
+
+</Note>
+
+## Medium Severity: Source Code Exposure {/*low-severity-source-code-exposure*/}
+
+**CVE:** [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183)
+**Base Score**: 5.3 (Medium)
+
+A security researcher has discovered that a malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument:
+
+```javascript
+'use server';
+
+export async function serverFunction(name) {
+  const conn = db.createConnection('SECRET KEY');
+  const user = await conn.createUser(name); // implicitly stringified, leaked in db
+
+  return {
+   id: user.id,
+   message: `Hello, ${name}!` // explicitly stringified, leaked in reply
+  }}
+```
+
+An attacker may be able to leak the following:
+
+```txt
+0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"}
+1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"}
+```
+
+The patches published today prevent stringifying the Server Function source code.
+
+<Note>
+
+#### Only secrets in source code may be exposed. {/*only-secrets-in-source-code-may-be-exposed*/}
+
+Secrets hardcoded in source code may be exposed, but runtime secrets such as `process.env.SECRET` are not affected.
+
+The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides. 
+
+Always verify against production bundles.
+
+</Note>
+
+---
+
+## Timeline {/*timeline*/}
+* **December 3rd**: Leak reported to Vercel and [Meta Bug Bounty](https://bugbounty.meta.com/) by [Andrew MacPherson](https://github.com/AndrewMohawk).
+* **December 4th**: Initial DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by [RyotaK](https://ryotak.net).
+* **December 6th**: Both issues confirmed by the React team, and the team began investigating.
+* **December 7th**: Initial fixes created and the React team began verifying and planning new patch.
+* **December 8th**: Affected hosting providers and open source projects notified.
+* **December 10th**: Hosting provider mitigations in place and patches verified.
+* **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by Shinsaku Nomura.
+* **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).
+* **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
+
+---
+
+## Attribution {/*attribution*/}
+
+Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities.
diff --git a/src/content/blog/index.md b/src/content/blog/index.md
index 6266ca2067..3d68154ad6 100644
--- a/src/content/blog/index.md
+++ b/src/content/blog/index.md
@@ -11,6 +11,12 @@ title: React Blog
 
 <div className="sm:-mx-5 flex flex-col gap-5 mt-12">
 
+<BlogCard title="React 服务器组件中的拒绝服务和源代码泄露" date="2025 年 12 月 11 日" url="/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components">
+
+安全研究员在尝试利用上周公布的严重漏洞补丁时，又发现了 React 服务器组件中的两个漏洞并进行披露……
+
+</BlogCard>
+
 <BlogCard title="服务器组件中的严重安全漏洞" date="2025 年 12 月 3 日" url="/blog/2025/12/03/critical-security-vulnerability-in-react-server-components">
 
 服务器组件中存在未经身份验证的远程代码执行漏洞。版本 19.0.1、19.1.2 和 19.2.1 已经修复该漏洞。我们建议立即升级。
diff --git a/src/content/reference/react/useEffect.md b/src/content/reference/react/useEffect.md
index ce5bd76d9f..9c6492a0eb 100644
--- a/src/content/reference/react/useEffect.md
+++ b/src/content/reference/react/useEffect.md
@@ -44,9 +44,9 @@ function ChatRoom({ roomId }) {
 
 #### 参数 {/*parameters*/}
 
-* `setup`：处理 Effect 的函数。setup 函数选择性返回一个 **清理（cleanup）** 函数。当组件被添加到 DOM 的时候，React 将运行 setup 函数。在每次依赖项变更重新渲染后，React 将首先使用旧值运行 cleanup 函数（如果你提供了该函数），然后使用新值运行 setup 函数。在组件从 DOM 中移除后，React 将最后一次运行 cleanup 函数。
+* `setup`：处理 Effect 的函数。setup 函数选择性返回一个 **清理（cleanup）** 函数。当 [组件提交的时候](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom)，React 会运行 setup 函数。在每次提交导致依赖项变更后，React 将首先使用旧值运行 cleanup 函数（如果你提供了该函数），然后使用新值运行 setup 函数。在组件从 DOM 中移除后，React 将最后一次运行 cleanup 函数。
  
-* **可选** `dependencies`：`setup` 代码中引用的所有响应式值的列表。响应式值包括 props、state 以及所有直接在组件内部声明的变量和函数。如果你的代码检查工具 [配置了 React](/learn/editor-setup#linting)，那么它将验证是否每个响应式值都被正确地指定为一个依赖项。依赖项列表的元素数量必须是固定的，并且必须像 `[dep1, dep2, dep3]` 这样内联编写。React 将使用 [`Object.is`](https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Object/is) 来比较每个依赖项和它先前的值。如果省略此参数，则在每次重新渲染组件之后，将重新运行 Effect 函数。如果你想了解更多，请参见 [传递依赖数组、空数组和不传递依赖项之间的区别](#examples-dependencies)。
+* **可选** `dependencies`：`setup` 代码中引用的所有响应式值的列表。响应式值包括 props、state 以及所有直接在组件内部声明的变量和函数。如果你的代码检查工具 [配置了 React](/learn/editor-setup#linting)，那么它将验证是否每个响应式值都被正确地指定为一个依赖项。依赖项列表的元素数量必须是固定的，并且必须像 `[dep1, dep2, dep3]` 这样内联编写。React 将使用 [`Object.is`](https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Object/is) 来比较每个依赖项和它先前的值。如果省略此参数，则在每次组件提交更改之后，将重新运行 Effect 函数。如果你想了解更多，请参见 [传递依赖数组、空数组和不传递依赖项之间的区别](#examples-dependencies)。
 
 #### 返回值 {/*returns*/}
 
@@ -107,14 +107,14 @@ function ChatRoom({ roomId }) {
 **React 在必要时会调用 setup 和 cleanup，这可能会发生多次**：
 
 1. 将组件挂载到页面时，将运行 <CodeStep step={1}>setup 代码</CodeStep>。
-2. 重新渲染 <CodeStep step={3}>依赖项</CodeStep> 变更的组件后：
+2. 如果组件提交导致 <CodeStep step={3}>依赖项</CodeStep> 被改变：
    - 首先，使用旧的 props 和 state 运行 <CodeStep step={2}>cleanup 代码</CodeStep>。
    - 然后，使用新的 props 和 state 运行 <CodeStep step={1}>setup 代码</CodeStep>。
 3. 当组件从页面卸载后，<CodeStep step={2}>cleanup 代码</CodeStep> 将运行最后一次。
 
 **用上面的代码作为例子来解释这个顺序**。  
 
-当 `ChatRoom` 组件添加到页面中时，它将使用 `serverUrl` 和 `roomId` 初始值连接到聊天室。如果 `serverUrl` 或者 `roomId` 发生改变并导致重新渲染（比如用户在下拉列表中选择了一个不同的聊天室），那么 Effect 就会 **断开与前一个聊天室的连接，并连接到下一个聊天室**。当 `ChatRoom` 组件从页面中卸载时，你的 Effect 将最后一次断开连接。
+当 `ChatRoom` 组件添加到页面中时，它将使用 `serverUrl` 和 `roomId` 初始值连接到聊天室。如果 `serverUrl` 或者 `roomId` 发生改变并导致提交（比如用户在下拉列表中选择了一个不同的聊天室），那么 Effect 就会 **断开与前一个聊天室的连接，并连接到下一个聊天室**。当 `ChatRoom` 组件从页面中卸载时，你的 Effect 将最后一次断开连接。
 
 **为了 [帮助你发现 bug](/learn/synchronizing-with-effects#step-3-add-cleanup-if-needed)，在开发环境下，React 在运行 <CodeStep step={1}>setup</CodeStep> 之前会额外运行一次<CodeStep step={1}>setup</CodeStep> 和 <CodeStep step={2}>cleanup</CodeStep>**。这是一个压力测试，用于验证 Effect 逻辑是否正确实现。如果这会导致可见的问题，那么你的 cleanup 函数就缺少一些逻辑。cleanup 函数应该停止或撤消 setup 函数正在执行的任何操作。一般来说，用户不应该能够区分只调用一次 setup（在生产环境中）与调用 *setup* → *cleanup* → *setup* 序列（在开发环境中）。[查看常见解决方案](/learn/synchronizing-with-effects#how-to-handle-the-effect-firing-twice-in-development)。
 
@@ -1145,7 +1145,7 @@ useEffect(() => {
 
 #### 传递依赖项数组 {/*passing-a-dependency-array*/}
 
-如果指定了依赖项，则 Effect 在 **初始渲染后以及依赖项变更的重新渲染后** 运行。
+如果指定了依赖项，则 Effect 在 **初始提交后以及提交导致了依赖项变更后** 运行。
 
 ```js {3}
 useEffect(() => {
@@ -1242,7 +1242,7 @@ button { margin-left: 5px; }
 
 #### 传递空依赖项数组 {/*passing-an-empty-dependency-array*/}
 
-如果你的 Effect 确实没有使用任何响应式值，则它仅在 **初始渲染后** 运行。
+如果你的 Effect 确实没有使用任何响应式值，则它仅在 **初始提交后** 运行。
 
 ```js {3}
 useEffect(() => {
@@ -1319,7 +1319,7 @@ export function createConnection(serverUrl, roomId) {
 
 #### 不传递依赖项数组 {/*passing-no-dependency-array-at-all*/}
 
-如果完全不传递依赖数组，则 Effect 会在组件的 **每次单独渲染（和重新渲染）之后** 运行。
+如果完全不传递依赖数组，则 Effect 会在组件的 **每次单独提交之后** 运行。
 
 ```js {3}
 useEffect(() => {
@@ -1480,7 +1480,7 @@ body {
 
 ### 删除不必要的对象依赖项 {/*removing-unnecessary-object-dependencies*/}
 
-如果你的 Effect 依赖于在渲染期间创建的对象或函数，则它可能会频繁运行。例如，此 Effect 在每次渲染后都重新连接，因为 `options` 对象 [每次渲染都不同](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)：
+如果你的 Effect 依赖于在渲染期间创建的对象或函数，则它可能会频繁运行。例如，此 Effect 在每次提交后都重新连接，因为 `options` 对象 [每次渲染都不同](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)：
 
 ```js {6-9,12,15}
 const serverUrl = 'https://localhost:1234';
@@ -1497,7 +1497,7 @@ function ChatRoom({ roomId }) {
     const connection = createConnection(options); // 它在 Effect 内部使用
     connection.connect();
     return () => connection.disconnect();
-  }, [options]); // 🚩 因此，这些依赖在重新渲染时总是不同的
+  }, [options]); // 🚩 因此，这些依赖在每次提交时总是不同的
   // ...
 ```
 
@@ -1583,7 +1583,7 @@ button { margin-left: 10px; }
 
 ### 删除不必要的函数依赖项 {/*removing-unnecessary-function-dependencies*/}
 
-如果你的 Effect 依赖于在渲染期间创建的对象或函数，则它可能会频繁运行。例如，此 Effect 在每次渲染后重新连接，因为 `createOptions` 函数 [在每次渲染时都不同](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)：
+如果你的 Effect 依赖于在渲染期间创建的对象或函数，则它可能会频繁运行。例如，此 Effect 在每次提交后重新连接，因为 `createOptions` 函数 [在每次渲染时都不同](/learn/removing-effect-dependencies#does-some-reactive-value-change-unintentionally)：
 
 ```js {4-9,12,16}
 function ChatRoom({ roomId }) {
@@ -1601,7 +1601,7 @@ function ChatRoom({ roomId }) {
     const connection = createConnection();
     connection.connect();
     return () => connection.disconnect();
-  }, [createOptions]); // 🚩 因此，此依赖项在每次重新渲染都是不同的
+  }, [createOptions]); // 🚩 因此，此依赖项在每次提交时都是不同的
   // ...
 ```
 
@@ -1775,7 +1775,7 @@ function MyComponent() {
 ```js {3}
 useEffect(() => {
   // ...
-}); // 🚩 没有依赖项数组：每次重新渲染后重新运行！
+}); // 🚩 没有依赖项数组：每次提交后重新运行！
 ```
 
 如果你已经指定了依赖项数组，你的 Effect 仍循环地重新运行，那是因为你的某个依赖项在每次重新渲染时都是不同的。
diff --git a/src/content/reference/react/useLayoutEffect.md b/src/content/reference/react/useLayoutEffect.md
index ca0f5e1aea..43a3818368 100644
--- a/src/content/reference/react/useLayoutEffect.md
+++ b/src/content/reference/react/useLayoutEffect.md
@@ -47,9 +47,9 @@ function Tooltip() {
 
 #### 参数 {/*parameters*/}
 
-* `setup`：处理副作用的函数。setup 函数选择性返回一个*清理*（cleanup）函数。在将组件首次添加到 DOM 之前，React 将运行 setup 函数。在每次因为依赖项变更而重新渲染后，React 将首先使用旧值运行 cleanup 函数（如果你提供了该函数），然后使用新值运行 setup 函数。在组件从 DOM 中移除之前，React 将最后一次运行 cleanup 函数。
+* `setup`：处理副作用的函数。setup 函数选择性返回一个*清理*（cleanup）函数。在 [组件提交](/learn/render-and-commit#step-3-react-commits-changes-to-the-dom) 之前，React 会运行 setup 函数。在每次因为提交导致依赖项变更后，React 将首先使用旧值运行 cleanup 函数（如果你提供了该函数），然后使用新值运行 setup 函数。在组件从 DOM 中移除之前，React 将最后一次运行 cleanup 函数。
 
-* **可选** `dependencies`：`setup` 代码中引用的所有响应式值的列表。响应式值包括 props、state 以及所有直接在组件内部声明的变量和函数。如果你的代码检查工具 [配置了 React](/learn/editor-setup#linting)，那么它将验证每个响应式值都被正确地指定为一个依赖项。依赖项列表必须具有固定数量的项，并且必须像 `[dep1, dep2, dep3]` 这样内联编写。React 将使用 [`Object.is`](https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Object/is) 来比较每个依赖项和它先前的值。如果省略此参数，则在每次重新渲染组件之后，将重新运行副作用函数。
+* **可选** `dependencies`：`setup` 代码中引用的所有响应式值的列表。响应式值包括 props、state 以及所有直接在组件内部声明的变量和函数。如果你的代码检查工具 [配置了 React](/learn/editor-setup#linting)，那么它将验证每个响应式值都被正确地指定为一个依赖项。依赖项列表必须具有固定数量的项，并且必须像 `[dep1, dep2, dep3]` 这样内联编写。React 将使用 [`Object.is`](https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Object/is) 来比较每个依赖项和它先前的值。如果省略此参数，则在每次组件提交之后，会重新运行副作用函数。
 
 #### 返回值 {/*returns*/}
 
diff --git a/src/content/versions.md b/src/content/versions.md
index 6ed5a40cf0..6ca70a158b 100644
--- a/src/content/versions.md
+++ b/src/content/versions.md
@@ -53,11 +53,14 @@ React 文档位于 [react.dev](https://react.dev)，提供最新版本 React 的
 - [React 19 Deep Dive: Coordinating HTML](https://www.youtube.com/watch?v=IBBN-s77YSI)
 
 **发布版本**
+- [v19.2.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1922-dec-11-2025)
 - [v19.2.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1921-dec-3-2025)
 - [v19.2.0 (October, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1920-october-1st-2025)
+- [v19.1.3 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1913-dec-11-2025)
 - [v19.1.2 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1912-dec-3-2025)
 - [v19.1.1 (July, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1911-july-28-2025)
 - [v19.1.0 (March, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1910-march-28-2025)
+- [v19.0.2 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1902-dec-11-2025)
 - [v19.0.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1901-dec-3-2025)
 - [v19.0.0 (December, 2024)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1900-december-5-2024)
 
diff --git a/src/sidebarBlog.json b/src/sidebarBlog.json
index a265c7d530..02cf94be57 100644
--- a/src/sidebarBlog.json
+++ b/src/sidebarBlog.json
@@ -12,14 +12,21 @@
       "skipBreadcrumb": true,
       "routes": [
         {
-          "title": "Critical Security Vulnerability in React Server Components",
+          "title": "React 服务器组件中的拒绝服务和源代码泄露",
+          "titleForHomepage": "Additional Vulnerabilities in RSC",
+          "icon": "blog",
+          "date": "December 11, 2025",
+          "path": "/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
+        },
+        {
+          "title": "React 服务器组件中的严重安全漏洞",
           "titleForHomepage": "Vulnerability in React Server Components",
           "icon": "blog",
-          "date": "December 03, 2025",
+          "date": "December 3, 2025",
           "path": "/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
         },
         {
-          "title": "React Conf 2025 Recap",
+          "title": "2025 年 React 大会回顾",
           "titleForHomepage": "React Conf 2025 Recap",
           "icon": "blog",
           "date": "October 16, 2025",
@@ -33,7 +40,7 @@
           "path": "/blog/2025/10/07/react-compiler-1"
         },
         {
-          "title": "Introducing the React Foundation",
+          "title": "介绍 React 基金会",
           "titleForHomepage": "Introducing the React Foundation",
           "icon": "blog",
           "date": "October 7, 2025",
@@ -54,7 +61,7 @@
           "path": "/blog/2025/04/23/react-labs-view-transitions-activity-and-more"
         },
         {
-          "title": "Sunsetting Create React App",
+          "title": "停止使用 Create React App",
           "titleForHomepage": "Sunsetting Create React App",
           "icon": "blog",
           "date": "February 14, 2025",
diff --git a/yarn.lock b/yarn.lock
index 6c83a20a8a..775106607d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1259,10 +1259,10 @@
     unist-util-visit "^4.0.0"
     vfile "^5.0.0"
 
-"@next/env@15.1.9":
-  version "15.1.9"
-  resolved "https://registry.yarnpkg.com/@next/env/-/env-15.1.9.tgz#3569b6dd6a9b0af998fc6e4902da6b9ed2fc36c9"
-  integrity sha512-Te1wbiJ//I40T7UePOUG8QBwh+VVMCc0OTuqesOcD3849TVOVOyX4Hdrkx7wcpLpy/LOABIcGyLX5P/SzzXhFA==
+"@next/env@15.1.11":
+  version "15.1.11"
+  resolved "https://registry.yarnpkg.com/@next/env/-/env-15.1.11.tgz#599a126f7ce56decc39cea46668cb60d96b66bc6"
+  integrity sha512-yp++FVldfLglEG5LoS2rXhGypPyoSOyY0kxZQJ2vnlYJeP8o318t5DrDu5Tqzr03qAhDWllAID/kOCsXNLcwKw==
 
 "@next/eslint-plugin-next@12.0.3":
   version "12.0.3"
@@ -5787,12 +5787,12 @@ next-tick@^1.1.0:
   resolved "https://registry.npmjs.org/next-tick/-/next-tick-1.1.0.tgz"
   integrity sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==
 
-next@15.1.9:
-  version "15.1.9"
-  resolved "https://registry.yarnpkg.com/next/-/next-15.1.9.tgz#eaab46d7a57c881fadf748d8ba2a8c65ec27ad8f"
-  integrity sha512-OoQpDPV2i3o5Hnn46nz2x6fzdFxFO+JsU4ZES12z65/feMjPHKKHLDVQ2NuEvTaXTRisix/G5+6hyTkwK329kA==
+next@15.1.11:
+  version "15.1.11"
+  resolved "https://registry.yarnpkg.com/next/-/next-15.1.11.tgz#8a70a236e02d8dd62fb0569bedfd5e4290e7af55"
+  integrity sha512-UiVJaOGhKST58AadwbFUZThlNBmYhKqaCs8bVtm4plTxsgKq0mJ0zTsp7t7j/rzsbAEj9WcAMdZCztjByi4EoQ==
   dependencies:
-    "@next/env" "15.1.9"
+    "@next/env" "15.1.11"
     "@swc/counter" "0.1.3"
     "@swc/helpers" "0.5.15"
     caniuse-lite "^1.0.30001579"