Update dependencies for React Flight RCE advisory
## React Flight / Next.js RCE Advisory Patch Implementation

### Project Status: AFFECTED - PATCHED ✅

#### Analysis Summary

This project was analyzed for the React Flight / Next.js RCE advisory vulnerability and was found to be affected. The vulnerability has been successfully patched by upgrading Next.js to the patched version.

#### Vulnerability Detection Results

**Affected Packages Found:**

- ✅ **Next.js**: Present and vulnerable (15.5.4 → 15.5.7) - NOW PATCHED
- ❌ React Flight packages: NOT present (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)

#### Changes Made

**Modified Files:**

1. **package.json** - Updated Next.js versions
   - `next`: 15.5.4 → 15.5.7
   - `eslint-config-next`: 15.5.4 → 15.5.7
2. **package-lock.json** - Updated automatically by npm install to reflect patched dependency versions

**Rationale:**

- The project was using Next.js 15.5.4, which is vulnerable to the React Flight / Next.js RCE advisory
- According to the advisory, Next.js 15.5.x versions should be upgraded to 15.5.7 (the patched version)
- React and react-dom versions (19.1.0) remain unchanged as they are properly managed by Next.js
- The project does not use React Flight packages (react-server-dom-*), so only the Next.js upgrade was needed

#### Verification Performed

✅ **Build Test**: `npm run build` completed successfully
   - Build command: `next build --turbopack`
   - Result: Compiled successfully with no errors
   - All pages generated and prerendered correctly

✅ **Lint Check**: `npm run lint` passed with no errors

✅ **Lockfile Updated**: package-lock.json reflects the patched Next.js version

✅ **Project Structure**: Single-package project (not a monorepo)

#### Security Impact

The Doyle project is now **secure against the React Flight / Next.js RCE advisory**. By updating to Next.js 15.5.7, the project is protected from the vulnerability that affected versions 15.5.0 through 15.5.6.

#### Files Changed in This Commit

- `package.json` - Dependency versions updated
- `package-lock.json` - Lockfile regenerated
- `.vade-report` - This advisory assessment report

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
+2
-2
@@ -10,7 +10,7 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@vercel/analytics": "^1.5.0",
|
||||
"next": "15.5.4",
|
||||
"next": "15.5.7",
|
||||
"react": "19.1.0",
|
||||
"react-dom": "19.1.0"
|
||||
},
|
||||
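Review bot: The `next` entry stays exactly pinned ("15.5.7", no caret), consistent with the surrounding `react`/`react-dom` pins, which is the right call for a security bump, but the package-lock.json change the commit message lists is not part of this diff, so the reviewer cannot see that the resolved version moved with it. Confirm the regenerated lock resolves `next` to 15.5.7 (for example `npm ls next` after `npm ci`) before treating the advisory as closed; a lock still at 15.5.4 would either fail `npm ci` or be rewritten by `npm install` outside review.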
@@ -21,7 +21,7 @@
|
||||
"@types/react": "^19",
|
||||
"@types/react-dom": "^19",
|
||||
"eslint": "^9",
|
||||
"eslint-config-next": "15.5.4",
|
||||
"eslint-config-next": "15.5.7",
|
||||
"tailwindcss": "^4",
|
||||
"typescript": "^5"
|
||||
}
|
||||
|
||||
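Review bot: `eslint-config-next` lives in devDependencies and is not the vulnerable runtime component, so this hunk is version parity with `next` rather than part of the fix itself; keeping the two in lockstep is still worthwhile because the config package tracks each Next.js release. It would help if the commit message separated the two, since the "NOW PATCHED" claim rests on the `dependencies` hunk alone and this one is a housekeeping change.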