bump solid-js to avoid security vulnerability

[enrique-ramirez]

TanStack Devtools version

v0.10.0

Framework/Library version

React 19.2.4

Describe the bug and the steps to reproduce it

solid-js depends on seroval, which has a vulnerability issue. It's been addressed in solid-js@1.9.11 as per this issue.

However, tooling on my repository still reports this issue:

Dependency chain: @tanstack/react-devtools → @tanstack/devtools@0.11.0 → solid-js@1.9.10 → seroval@1.3.2

Your Minimal, Reproducible Example - (Sandbox Highly Recommended)

Screenshots or Videos (Optional)

No response

Do you intend to try to help solve this bug with your own PR?

No, because I do not have time to dig into it

Terms & Code of Conduct

• I agree to follow this project's Code of Conduct
• I understand that if my bug cannot be reliable reproduced in a debuggable environment, it will probably not be fixed and this issue may even be closed.

[github-actions]

Hi @enrique-ramirez, thanks for taking the time to file this issue! 👋

After reviewing your report, it looks like one required field is missing:

Minimal, Reproducible Example — The template requires a link to a reproducible example (e.g. a CodeSandbox, Stackblitz, or similar), but the field was left empty. For a dependency/security vulnerability report like this one, a minimal example could be:

• A small repo or sandbox that has @tanstack/react-devtools installed and shows the vulnerable seroval in the dependency tree (e.g. via npm ls seroval output or a package-lock.json snippet).

Additionally, there's a small inconsistency worth clarifying:

• The TanStack Devtools version field lists v0.10.0, but the dependency chain in the description shows @tanstack/devtools@0.11.0. Could you confirm which version you're using?

Once you've added the reproducible example and clarified the version, we'll be happy to look into this further. Thanks!