
Commit 1ca67c2

Update React Flight / Next.js RCE vulnerability
# React Scan - React Flight / Next.js RCE Security Fix

## Summary

Updated the react-scan monorepo to address the React Flight / Next.js RCE advisory by upgrading the vulnerable Next.js dependency.

## Analysis

Scanned all package.json files in the monorepo:

- Root package.json: No Next.js or React Flight packages found ✓
- kitchen-sink/package.json: React 19.0.0, React-DOM 19.0.0 (Vite app, no Next.js) ✓
- packages/extension/package.json: React 18.2.0 (React Scan extension, no Next.js) ✓
- packages/scan/package.json: No React Flight packages ✓
- packages/vite-plugin-react-scan/package.json: No React Flight packages ✓
- packages/website/package.json: **Next.js 15.2.1 VULNERABLE** ⚠️

## Changes Made

### Modified Files

1. **packages/website/package.json**
   - Upgraded `next` from `15.2.1` to `15.2.6` (patched version for 15.2.x series)
   - React and React-DOM were NOT manually updated as Next.js supplies correct patched versions automatically
2. **pnpm-lock.yaml**
   - Updated lockfile by running `pnpm install`
   - Verified that `next@15.2.6` is now resolved in the lockfile

## Vulnerability Details

- **Advisory**: React Flight / Next.js RCE vulnerability
- **Affected Version**: Next.js 15.2.1
- **Patched Version**: Next.js 15.2.6
- **Rule Applied**: For Next.js 15.2.x -> upgrade to 15.2.6

## Verification

✓ Dependencies installed successfully with `pnpm install`
✓ Build verified: `next build` completed successfully
✓ No build errors or dependency conflicts
✓ Output confirmed: "Compiled successfully"

## No Changes Required For

- React Flight packages: Project does not use `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack`
- Other workspaces: None contained vulnerable Next.js versions

## Files Staged

- packages/website/package.json
- pnpm-lock.yaml
- .vade-report

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
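The workspace scan the commit message describes, as an added example that is not code from the react-scan repository or from this commit: it checks every parsed package.json in a pnpm workspace for a `next` dependency below the patched floor of its minor series, and separately reads the versions that pnpm-lock.yaml actually resolved, because a caret range in a manifest is only a lower bound. The only floor the commit records is 15.2.x -> 15.2.6, so `PATCHED_FLOOR` carries that single entry and other series would have to be added from the advisory. The manifests and the lockfile excerpt are constructed, and the assumption that pnpm lists resolved packages as `next@x.y.z:` keys (older lock versions prefix the key with `/`) is the author's, not something this commit page states.

```javascript
// Added example, not code from react-scan or this commit. Audits a pnpm
// workspace for a `next` dependency below the patched floor of its minor
// series and cross-checks what the lockfile actually resolved.

// Patched floor per minor series. The only rule the commit records is
// 15.2.x -> 15.2.6; other affected series must be added from the advisory
// (assumption: the table is keyed by "major.minor").
const PATCHED_FLOOR = {
  '15.2': '15.2.6',
};

// Parse "15.2.1", "^15.2.1", "~15.2.1" or "=15.2.1" into [major, minor, patch].
// Specifiers with no concrete lower bound ("latest", "*", "canary") return
// null: the manifest alone cannot say what was installed.
function parseVersion(spec) {
  const m = /^[\^~=]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one specifier against the floor for its series.
function classifySpec(spec) {
  const v = parseVersion(spec);
  if (!v) return { status: 'unresolvable' };
  const series = `${v[0]}.${v[1]}`;
  const floor = PATCHED_FLOOR[series];
  if (!floor) return { status: 'unknown-series', series };
  const status = compareVersions(v, parseVersion(floor)) < 0 ? 'vulnerable' : 'patched';
  return { status, series, fix: floor };
}

// `manifests` maps a workspace path to its parsed package.json. All dependency
// fields are checked because `next` may sit in devDependencies of a tooling package.
function auditNext(manifests) {
  const findings = [];
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  for (const [path, pkg] of Object.entries(manifests)) {
    for (const field of fields) {
      const spec = pkg[field] && pkg[field].next;
      if (spec === undefined) continue;
      findings.push({ path, field, spec, ...classifySpec(spec) });
    }
  }
  return findings;
}

// The installed version is whatever pnpm-lock.yaml resolved, not the manifest
// range. Assumption: resolved packages appear as `next@x.y.z:` keys, possibly
// with a peer suffix `(react@...)` and, in older lock versions, a leading `/`.
// Keys such as '@next/swc-...' are deliberately not matched.
function resolvedNextVersions(lockText) {
  const seen = new Set();
  const re = /^\s*\/?next@(\d+\.\d+\.\d+)(?=[:(])/gm;
  let m;
  while ((m = re.exec(lockText)) !== null) seen.add(m[1]);
  return [...seen].sort();
}

// Constructed manifests mirroring the workspaces named in the commit message,
// in their pre-fix state.
const SAMPLE_MANIFESTS = {
  'kitchen-sink/package.json': { dependencies: { react: '19.0.0', 'react-dom': '19.0.0' } },
  'packages/website/package.json': { dependencies: { next: '15.2.1', react: '19.0.0' } },
};

// Constructed pre-fix lockfile excerpt (not the repository's pnpm-lock.yaml).
const SAMPLE_LOCK = `
packages:

  next@15.2.1:
    resolution: {integrity: sha512-constructed}

  '@next/swc-linux-x64-gnu@15.2.1':
    resolution: {integrity: sha512-constructed}

  react@19.0.0:
    resolution: {integrity: sha512-constructed}
`;

// Combine both views: which manifests need the bump, and what is installed now.
function report(manifests, lockText) {
  const findings = auditNext(manifests);
  const vulnerable = findings.filter((f) => f.status === 'vulnerable');
  return { findings, vulnerable, resolved: resolvedNextVersions(lockText) };
}

console.log(JSON.stringify(report(SAMPLE_MANIFESTS, SAMPLE_LOCK), null, 2));
```

Run it over real files by reading each `package.json` and `pnpm-lock.yaml` into the two arguments of `report`; a manifest marked `patched` whose lockfile still lists an older `next@` key means `pnpm install` was not rerun after the bump.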
1 parent f0206ef commit 1ca67c2


2 files changed

+136
-13
lines changed


packages/website/package.json

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@
1313
"@vercel/analytics": "^1.4.1",
1414
"@vercel/speed-insights": "^1.1.0",
1515
"highlight.js": "^11.11.1",
16-
"next": "15.2.1",
16+
"next": "15.2.6",
1717
"react": "19.0.0",
1818
"react-dom": "19.0.0",
1919
"react-scan": "^0.3.4",
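Review bot: the commit message lists `.vade-report` under "Files Staged", but the commit touches only packages/website/package.json and pnpm-lock.yaml (2 files changed), so either that entry in the message is stale or the report was left out of the commit; drop the line or add the file. With `next` pinned exactly to `15.2.6`, please also confirm that the 135/-12 line lockfile churn is confined to the `next` tree, for example with `pnpm why next` or `grep -n 'next@' pnpm-lock.yaml`, and that no `next@15.2.1` key survives for another importer.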

pnpm-lock.yaml

Lines changed: 135 additions & 12 deletions
