Fix React Server Components CVE vulnerabilities#4
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR updates the project’s Next.js dependency to a patched release intended to remediate the React Server Components (Flight) deserialization RCE advisory referenced in the PR description.
Changes:
- Upgrade
nextto15.3.8inpackage.json. - Refresh
package-lock.jsonto reflect the new Next.js version (including updated@next/*artifacts pulled in by Next).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Bumps next to 15.3.8 (currently pinned to an exact version). |
| package-lock.json | Updates resolved Next.js and related @next/* packages to match the upgrade. |
Comments suppressed due to low confidence (1)
package.json:87
- The PR description says it upgrades both React and Next to patched versions for the RSC CVE, but this change only bumps
next—react/react-domremain at^19.1.0. Please confirm whether React also needs to be upgraded for this advisory and, if so, bump the React packages accordingly (and refresh the lockfile).
"next": "15.3.8",
"next-themes": "^0.4.6",
"react": "^19.1.0",
"react-day-picker": "^9.7.0",
"react-dom": "^19.1.0",
| "lucide-react": "^0.513.0", | ||
| "motion": "^12.16.0", | ||
| "next": "^15.3.3", | ||
| "next": "15.3.8", |
There was a problem hiding this comment.
next was bumped to 15.3.8, but the repo still pins eslint-config-next to ^15.3.3 (and the lockfile currently resolves it to 15.3.3). Keeping eslint-config-next aligned with the installed Next version helps avoid rule/plugin drift; consider updating it to match the Next version you’re deploying.
| "lucide-react": "^0.513.0", | ||
| "motion": "^12.16.0", | ||
| "next": "^15.3.3", | ||
| "next": "15.3.8", |
There was a problem hiding this comment.
next is pinned to an exact version (15.3.8) while the rest of the dependencies in this file use semver ranges (mostly ^...). If the goal is to require the patched version but still allow future patch/minor updates, consider using a range like ^15.3.8 (or an explicit >=15.3.8 <16) for consistency and easier maintenance.
| "next": "15.3.8", | |
| "next": "^15.3.8", |
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project neotion. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com