Fix React Server Components CVE vulnerabilities #49
Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:

- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
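The PR description above says the tool scanned every package.json and replaced vulnerable versions with fixed ones. What follows is an added example, not code from this PR or from Vercel's fix-react2shell-next tool: a small Node.js audit that reads a package.json together with its package-lock.json and reports, for each package given a minimum fixed version, whether the version that will actually be installed meets it. The minimum versions are inputs the caller must take from the React advisory; the sample run uses 15.5.8, the version this PR pins, purely as a constructed threshold, and the sample manifests are constructed to mirror the before/after state shown in the diff.

```javascript
// Added example, not code from the PR or from Vercel's fix-react2shell-next tool.
// Audits a package.json and its package-lock.json and reports, per package, whether
// the version that will actually be installed meets a minimum fixed version.
// Thresholds are the caller's responsibility (take them from the React / Next.js
// security advisory); the ones in the sample run below are constructed.

// Parse "15.5.8" or "15.5.8-canary.3" into [15, 5, 8]; null if not a plain version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Negative, zero or positive like strcmp; both arguments must be plain versions.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Lowest version a package.json spec can resolve to, or null when the spec is a
// dist-tag ("latest"), a wildcard or a compound range whose floor we will not guess.
function specFloor(spec) {
  const m = /^(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(spec.trim());
  return m ? m[1] : null;
}

// Version the lockfile records for a top-level dependency, supporting
// lockfileVersion 1 ("dependencies") and 2/3 ("packages" keyed by path).
function lockedVersion(lock, name) {
  if (!lock) return null;
  const entry = lock.packages?.[`node_modules/${name}`] ?? lock.dependencies?.[name];
  return entry?.version ?? null;
}

// One finding per package in minFixed. status is one of:
//   "ok"         installed (or floor) version >= minimum fixed version
//   "vulnerable" installed (or floor) version <  minimum fixed version
//   "unpinned"   spec is a dist-tag/range and no lockfile entry resolves it
//   "absent"     package not declared in this manifest
function auditDependencies(pkg, lock, minFixed) {
  const declared = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  return Object.entries(minFixed).map(([name, fixed]) => {
    const spec = declared[name];
    if (spec === undefined) return { name, spec: null, resolved: null, status: "absent" };
    // The lockfile decides what `npm ci` installs; fall back to the spec's floor
    // only when there is no lock entry at all.
    const resolved = lockedVersion(lock, name) ?? specFloor(spec);
    if (resolved === null) return { name, spec, resolved: null, status: "unpinned" };
    const status = compareVersions(resolved, fixed) >= 0 ? "ok" : "vulnerable";
    return { name, spec, resolved, status };
  });
}

// Constructed sample mirroring this PR: before it, package.json says "latest" and the
// lockfile resolves 14.2.24; after it, both say 15.5.8.
const BEFORE_PKG = { dependencies: { next: "latest", lodash: "^4.17.21" } };
const BEFORE_LOCK = { lockfileVersion: 3, packages: { "node_modules/next": { version: "14.2.24" } } };
const AFTER_PKG = { dependencies: { next: "15.5.8", lodash: "^4.17.21" } };
const AFTER_LOCK = { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.5.8" } } };
const SAMPLE_MIN_FIXED = { next: "15.5.8" }; // constructed threshold for the demo only

function demo() {
  const runs = [["before", BEFORE_PKG, BEFORE_LOCK], ["after", AFTER_PKG, AFTER_LOCK]];
  for (const [label, pkg, lock] of runs) {
    for (const f of auditDependencies(pkg, lock, SAMPLE_MIN_FIXED)) {
      console.log(`${label}: ${f.name} spec=${f.spec} resolved=${f.resolved} -> ${f.status}`);
    }
  }
}
demo();
```

The design point is that the lockfile, not the manifest spec, decides what `npm ci` installs, so a manifest that still says `"latest"` can sit beside a lockfile that resolves to an old release; the check therefore reads the lock first and treats an unresolvable spec with no lock entry as a finding in its own right rather than assuming it is current.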
Vercel for GitHub deployment status: Build failed.
Pull request overview
This automated PR from Vercel updates Next.js and related dependencies to address security vulnerabilities CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. However, the target version 15.5.8 is already deprecated and contains a known security vulnerability, requiring an update to a newer patched version.
Key changes:
- Upgrades Next.js from "latest" (14.2.24) to pinned version 15.5.8 (major version upgrade)
- Updates internal dependencies including @swc/helpers, styled-jsx, and all platform-specific SWC binaries
- Adds sharp image optimization library as an optional dependency
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Changes Next.js from "latest" to pinned version "15.5.8" |
| package-lock.json | Updates Next.js from 14.2.24 to 15.5.8 with major dependency changes including removal of busboy/graceful-fs, addition of sharp, updates to @swc/helpers (0.5.5→0.5.15), styled-jsx (5.1.1→5.1.6), all @next/swc platform binaries, and Node.js requirement changes |
| "lodash": "^4.17.21", | ||
| "negotiator": "^0.6.3", | ||
| "next": "latest", | ||
| "next": "15.5.8", |
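Review bot: the new `"next": "15.5.8"` line is an exact pin, so `npm install` will never pick up a later 15.5.x patch release on its own, and a PR whose whole purpose is a security fix should say how that pin gets revisited. If patch releases are meant to flow, `"next": "~15.5.8"` keeps the floor visible in package.json while package-lock.json still gives reproducible installs. Dropping the floating `latest` dist-tag is itself the right move: a tag in the manifest does not say which version is installed, so the fix could not be audited from package.json alone.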
This PR upgrades Next.js from version 14.2.24 to 15.5.8, which is a major version upgrade. Next.js 15 introduces several breaking changes including:
- Minimum Node.js version requirement changed from 18.17.0 to 18.18.0 or 19.8.0 or >= 20.0.0
- React 19 support is now included as a peer dependency option
- The turbopack configuration in next.config.js may need adjustments for Next.js 15
- Several internal dependencies have been removed (busboy, graceful-fs) or replaced
The PR description mentions this is an automated fix, but major version upgrades typically require manual testing and verification of the application to ensure no breaking changes affect functionality. Consider:
- Testing all application features thoroughly
- Reviewing the Next.js 15 migration guide
- Verifying compatibility with other dependencies (e.g., @next/third-parties is still at 14.1.0 and may need updating)
- Checking if any Next.js-specific code needs updates
| "lodash": "^4.17.21", | ||
| "negotiator": "^0.6.3", | ||
| "next": "latest", | ||
| "next": "15.5.8", |
The PR changes Next.js from "latest" to a specific pinned version "15.5.8". While pinning to a specific version is generally good for reproducibility, in this security context it's problematic because:
- The "latest" tag would automatically receive future security patches
- Pinning to 15.5.8 (which is already deprecated and vulnerable according to the package-lock.json) means the application won't automatically receive security updates
- This requires manual intervention to update versions in the future
Consider using a caret range like "^15.5.9" (once a patched version is available) or keeping "latest" to ensure automatic security updates are received. Alternatively, if you choose to pin, establish a process to regularly update this dependency to address future security vulnerabilities.
| "next": "15.5.8", | |
| "next": "latest", |
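Review bot: this suggestion puts `"next": "latest"` back in place of `"next": "15.5.8"`, which undoes the change this PR makes. A dist-tag gives no guarantee that a patched release is installed: `npm ci` installs exactly what package-lock.json records, so the tag only takes effect when the lockfile is regenerated, and the manifest then no longer states which version is meant to be in use. If patch releases should arrive automatically, a range such as `"~15.5.8"` keeps the minimum version visible in package.json; a floating tag should not be the remediation.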
Important
This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. We can't guarantee the PR is comprehensive, and it may contain mistakes.
Not all projects are affected by all issues, but patched versions are required to ensure full remediation.
Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.
This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.
See our Security Bulletins for more information and reach out to security@vercel.com with any questions.