28 changes: 14 additions & 14 deletions frontend/package-lock.json


6 changes: 3 additions & 3 deletions frontend/package.json
Expand Up @@ -22,12 +22,12 @@
"clsx": "^2.1.1",
"graphql": "^16.9.0",
"isbot": "^5.1.28",
"next": "^15.3.5",
"next": "^15.3.6",
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

security advisories next 15.3.6

💡 Result:

Which product do you mean by "next"? (example: Nextcloud, Next.js, Next-Auth, a Linux distro, a vendor product) Also confirm that "15.3.6" is the version number you want advisories for.


🌐 Web query:

security vulnerabilities react 19.1.2 react-dom

💡 Result:

Short answer: A critical RCE (CVE-2025-55182, aka "React2Shell") was disclosed for React Server Components; versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 were vulnerable. React released patched packages (including 19.1.2) on December 3, 2025 — so 19.1.2 is a security fix for that issue. [1][2][3]

What to do now (Dec 11, 2025):

  • If you run any Server Components / React Server Function endpoints, upgrade to a patched React Server Components package (for example 19.1.2 or newer, or 19.2.1 as listed by React). Verify the specific package affected: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. [1][2]
  • If you use Next.js or other frameworks that bundle RSC packages, apply their vendor patches (Next.js patched releases noted in advisories). [2][3]
  • If you cannot patch immediately, block or restrict access to RSC endpoints and deploy WAF/IDS rules until patched. Monitor for public PoCs and active exploitation. [2][4]

Sources:
[1] React security advisory / blog (Dec 3, 2025). (react.dev)
[2] Wallarm / industry advisories summarizing CVE-2025-55182 and active exploitation. (lab.wallarm.com)
[3] Institutional advisory / notices summarizing impact and affected packages (e.g., CMU, vendor advisories). (cmu.edu)

If you want, I can: (a) check your project's package.json / lockfile for vulnerable packages, or (b) produce an npm upgrade/pinning plan and CI checks. Which do you prefer?

Citations:


🌐 Web query:

next.js 15.3.6 latest patch version

💡 Result:

As of Dec 11, 2025 the patched release for the 15.3.x line is next@15.3.6. [1][2]

Sources:

  • Next.js security advisory / blog (patched versions list). [1]
  • vercel/next.js GitHub security advisory. [2]

🌐 Web query:

react 19.1.2 latest patch stable version

💡 Result:

Short answer: 19.1.2 is a stable security patch for the 19.1 line (released Dec 3, 2025), but the overall latest stable React release is 19.2.1 (released Dec 3, 2025). [1][2][3]

Sources:

  • React security advisory / blog (patches 19.0.1, 19.1.2, 19.2.1). [1]
  • React GitHub releases (19.1.2 and 19.2.1 tags, Dec 3, 2025). [2]
  • endoflife.date listing showing latest 19.2.1. [3]

These are critical security patches for CVE-2025-55182 (React2Shell RCE), not routine maintenance updates.

The updates to react@19.1.2 and react-dom@19.1.2 address a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) affecting versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. These patches were released on December 3, 2025. Similarly, next@15.3.6 is the patched version for the 15.3.x line for this same vulnerability.

These versions should be applied immediately if the project uses React Server Components or Server Functions with Next.js. Verify that:

  • Any react-server-dom-* packages (webpack, parcel, turbopack) are also updated to patched versions
  • Next.js is running a vendor-patched release that includes RSC fixes
  • If RSC endpoints cannot be patched immediately, restrict access and monitor for active exploitation

The type definitions (@types/react@^19.1.8 and @types/react-dom@^19.1.6) remain compatible with these patched versions.

Also applies to: 29-30

🤖 Prompt for AI Agents
In frontend/package.json around line 25 (and also apply to lines 29-30), the
project pins vulnerable versions; update "next" to "15.3.6", bump "react" and
"react-dom" to "19.1.2" (and keep/update @types/react to ^19.1.8 and
@types/react-dom to ^19.1.6 if present), and update any react-server-dom-*
packages to their patched releases; after changing package.json, run your
package manager install (npm/yarn/pnpm), lockfile update, run tests/build, and
verify Next.js vendor-patched release is used—if you cannot immediately patch
RSC endpoints, restrict access and monitor traffic until patched.

"next-compose-plugins": "^2.2.1",
"next-mdx-remote": "^5.0.0",
"next-tx3": "^0.1.3",
"react": "^19.1.0",
"react-dom": "^19.1.0",
"react": "^19.1.2",
"react-dom": "^19.1.2",
"remark-gfm": "^4.0.1",
"tx3-sdk": "^0.6.0",
"zustand": "^5.0.5"
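Review bot: all three changed entries keep caret ranges (`^15.3.6`, `^19.1.2`), so this package.json edit only raises the minimum; the accompanying package-lock.json change (14 additions, 14 deletions) is what actually pins the resolved versions. Before merging, confirm the lockfile resolves `next` to 15.3.6 and `react`/`react-dom` to 19.1.2, and that no nested copy of the react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack packages named in the comment above remains at an affected version (`npm ls react react-dom next` shows the resolved tree).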