
Conversation

@djdiptayan1 (Member)

No description provided.

vercel bot and others added 2 commits December 19, 2025 07:43
Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel  
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
…ts-cve-vu-bhog1g

Fix React Server Components CVE vulnerabilities
Copilot AI review requested due to automatic review settings December 19, 2025 07:48
@vercel (Contributor)

vercel bot commented Dec 19, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: githubsrmv2
Deployment: Ready
Review: Preview, Comment
Updated (UTC): Dec 19, 2025 7:49am

@coderabbitai

coderabbitai bot commented Dec 19, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@djdiptayan1 djdiptayan1 changed the title from "react2shall vul hot fix" to "react2shell vul hot fix" on Dec 19, 2025
@djdiptayan1 djdiptayan1 merged commit 2b5d025 into release Dec 19, 2025
11 checks passed

Copilot AI left a comment


Pull request overview

This PR addresses a security vulnerability in Next.js by updating the framework version from 14.1.0 to 14.2.35. The changes also include reformatting the package.json file with consistent indentation.

Key Changes:

  • Updated Next.js from ^14.1.0 to 14.2.35 (removing the caret and pinning to a specific version)
  • Reformatted package.json with 2-space indentation for better consistency


"ionicons": "^7.3.1",
"jimp-compact": "^0.16.1-2",
"mongoose": "^8.2.1",
"next": "14.2.35",
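Review bot: only the `next` pin is visible in this snippet, while the commit message lists react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack as also updated; none of them appears among the dependencies shown here, so confirm whether those packages are pulled in transitively and, if so, that the lockfile was regenerated in the same change so the versions actually resolved at install time move together with this package.json edit.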

Copilot AI Dec 19, 2025


The caret (^) was removed from the Next.js version constraint. This changes the update behavior - with "^14.1.0", npm/yarn would allow automatic updates to any 14.x.x version (e.g., 14.2.0, 14.3.0), but with "14.2.35", only that exact version is allowed.

If the goal is to pin to this specific version for security reasons, this is correct. However, if you want to allow future patch and minor updates within the 14.x range while staying at or above 14.2.35, consider using "^14.2.35" instead. This would allow updates to 14.2.36, 14.3.0, etc., while preventing downgrades to vulnerable versions below 14.2.35.

Suggested change
"next": "14.2.35",
"next": "^14.2.35",

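The comment above turns on one question: can the dependency constraint still resolve to a version below the one that carries the fix? The following script is an added example, not code from this PR or the project, that answers it for the three forms discussed ("^14.1.0", "14.2.35", "^14.2.35") and, more generally, for exact pins, caret, tilde and ">=" ranges. It assumes 14.2.35 is the fixed `next` version as the PR states; the package "example-tool" and its fixed version 1.2.0 are constructed placeholders, and the sample package.json is constructed too.

```javascript
// Added example (not part of this PR or the project): classify package.json
// dependency constraints against the version that carries a security fix.
// Supports exact pins, caret (^), tilde (~) and ">=" ranges; any other
// syntax (tags such as "latest", prereleases, "||" ranges) is reported as
// "unknown" so it gets a human look instead of a false "safe".

const CONSTRAINT = /^(\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)$/;

// Parse "14.2.35", "^14.1.0", "~14.2.35" or ">=14.2.35" into its operator and
// the lowest version it can resolve to (the "floor"). Returns null otherwise.
function parseConstraint(constraint) {
  const m = CONSTRAINT.exec(String(constraint).trim());
  if (!m) return null;
  return { op: m[1] || "", floor: [Number(m[2]), Number(m[3]), Number(m[4])] };
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Outcomes:
//   "pinned"     exact version at or above the fix
//   "floored"    range whose floor is at or above the fix (cannot resolve lower)
//   "vulnerable" constraint can still resolve to a version below the fix
//   "unknown"    syntax this helper does not understand (or a non-exact fix version)
function classify(constraint, fixedVersion) {
  const c = parseConstraint(constraint);
  const f = parseConstraint(fixedVersion);
  if (!c || !f || f.op !== "") return "unknown";
  if (compareVersions(c.floor, f.floor) < 0) return "vulnerable";
  return c.op === "" ? "pinned" : "floored";
}

// Walk dependencies and devDependencies of a parsed package.json and report
// every package that appears in the advisory table of fixed versions.
function auditPackageJson(pkg, advisory) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, constraint] of Object.entries(pkg[section] || {})) {
      if (!Object.prototype.hasOwnProperty.call(advisory, name)) continue;
      findings.push({
        section,
        name,
        constraint,
        fixed: advisory[name],
        status: classify(constraint, advisory[name]),
      });
    }
  }
  return findings;
}

// Constructed sample input. "next" at 14.2.35 is the fixed version this PR
// pins; "example-tool" and its fixed version 1.2.0 are placeholders.
const ADVISORY = { next: "14.2.35", "example-tool": "1.2.0" };

const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    next: "^14.1.0",     // floor 14.1.0 is below the fix, so the range still admits vulnerable versions
    mongoose: "^8.2.1",  // not in the advisory table, so ignored
  },
  devDependencies: {
    "example-tool": "1.0.0",
  },
};

// Returns the findings for the constructed sample; swap in
// JSON.parse(fs.readFileSync("package.json", "utf8")) to audit a real file.
function demo() {
  return auditPackageJson(SAMPLE_PACKAGE_JSON, ADVISORY);
}

console.log(demo());
```

The "floored" outcome is the one the comment recommends with "^14.2.35": the range can move forward but its floor already sits at the fixed version, so it cannot be resolved back to a vulnerable release. Anything the regex does not recognise is deliberately surfaced as "unknown" rather than silently passed.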
"ionicons": "^7.3.1",
"jimp-compact": "^0.16.1-2",
"mongoose": "^8.2.1",
"next": "14.2.35",
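Review bot: the suggestion attached to this line replaces "14.2.35" with "14.2.15", a lower version than the one this PR pins; accepting it would move `next` back below the version the PR is raising it to, so it should be declined, and its accompanying text about the PR title has no bearing on the line it proposes to change.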

Copilot AI Dec 19, 2025


The PR title mentions "react2shall vul hot fix", but this appears to be a typo. The vulnerability is likely referring to CVE-2024-46982 (the "React Server Components (RSC) pollution vulnerability" or similar Next.js security issues). Consider updating the PR title to clarify which specific vulnerability is being addressed (e.g., "Fix Next.js security vulnerability CVE-XXXX-XXXXX").

Suggested change
"next": "14.2.35",
"next": "14.2.15",
