doyle

marchingmaestro/doyle

Fork 0

Commit Graph

Author	SHA1	Message	Date
Vercel	27257af240	Update dependencies for React Flight RCE advisory ## React Flight / Next.js RCE Advisory Patch Implementation ### Project Status: AFFECTED - PATCHED ✅ #### Analysis Summary This project was analyzed for the React Flight / Next.js RCE advisory vulnerability and was found to be affected. The vulnerability has been successfully patched by upgrading Next.js to the patched version. #### Vulnerability Detection Results Affected Packages Found: - ✅ Next.js: Present and vulnerable (15.5.4 → 15.5.7) - NOW PATCHED - ❌ React Flight packages: NOT present (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) #### Changes Made Modified Files: 1. package.json - Updated Next.js versions - `next`: 15.5.4 → 15.5.7 - `eslint-config-next`: 15.5.4 → 15.5.7 2. package-lock.json - Updated automatically by npm install to reflect patched dependency versions Rationale: - The project was using Next.js 15.5.4, which is vulnerable to the React Flight / Next.js RCE advisory - According to the advisory, Next.js 15.5.x versions should be upgraded to 15.5.7 (the patched version) - React and react-dom versions (19.1.0) remain unchanged as they are properly managed by Next.js - The project does not use React Flight packages (react-server-dom-), so only Next.js upgrade was needed #### Verification Performed ✅ Build Test: `npm run build` completed successfully - Build command: `next build --turbopack` - Result: Compiled successfully with no errors - All pages generated and prerendered correctly ✅ Lint Check: `npm run lint` passed with no errors ✅ Lockfile Updated: package-lock.json reflects the patched Next.js version ✅ Project Structure: Single-package project (not a monorepo) #### Security Impact The Doyle project is now secure against the React Flight / Next.js RCE advisory*. By updating to Next.js 15.5.7, the project is protected from the vulnerability that affected versions 15.5.0 through 15.5.6. #### Files Changed in This Commit - `package.json` - Dependency versions updated - `package-lock.json` - Lockfile regenerated - `.vade-report` - This advisory assessment report Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>	2025-12-08 20:31:22 +00:00
maestrodrew	638f8746a0	first revision	2025-09-24 12:28:39 -04:00

Author

SHA1

Message

Date

Vercel

27257af240

Update dependencies for React Flight RCE advisory

## React Flight / Next.js RCE Advisory Patch Implementation

### Project Status: AFFECTED - PATCHED ✅

#### Analysis Summary
This project was analyzed for the React Flight / Next.js RCE advisory vulnerability and was found to be affected. The vulnerability has been successfully patched by upgrading Next.js to the patched version.

#### Vulnerability Detection Results

**Affected Packages Found:**
- ✅ **Next.js**: Present and vulnerable (15.5.4 → 15.5.7) - NOW PATCHED
- ❌ React Flight packages: NOT present (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)

#### Changes Made

**Modified Files:**
1. **package.json** - Updated Next.js versions
   - `next`: 15.5.4 → 15.5.7
   - `eslint-config-next`: 15.5.4 → 15.5.7

2. **package-lock.json** - Updated automatically by npm install to reflect patched dependency versions

**Rationale:**
- The project was using Next.js 15.5.4, which is vulnerable to the React Flight / Next.js RCE advisory
- According to the advisory, Next.js 15.5.x versions should be upgraded to 15.5.7 (the patched version)
- React and react-dom versions (19.1.0) remain unchanged as they are properly managed by Next.js
- The project does not use React Flight packages (react-server-dom-*), so only Next.js upgrade was needed

#### Verification Performed

✅ **Build Test**: `npm run build` completed successfully
- Build command: `next build --turbopack`
- Result: Compiled successfully with no errors
- All pages generated and prerendered correctly

✅ **Lint Check**: `npm run lint` passed with no errors

✅ **Lockfile Updated**: package-lock.json reflects the patched Next.js version

✅ **Project Structure**: Single-package project (not a monorepo)

#### Security Impact

The Doyle project is now **secure against the React Flight / Next.js RCE advisory**. By updating to Next.js 15.5.7, the project is protected from the vulnerability that affected versions 15.5.0 through 15.5.6.

#### Files Changed in This Commit
- `package.json` - Dependency versions updated
- `package-lock.json` - Lockfile regenerated
- `.vade-report` - This advisory assessment report

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>

2025-12-08 20:31:22 +00:00

maestrodrew

638f8746a0

first revision

2025-09-24 12:28:39 -04:00

2 Commits