marchingmaestro/doyle
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
40 Commits 2 Branches 0 Tags
4df330a024edbc3cb879ed1fc48fbe245a3dd060
Commit Graph

6 Commits

Author SHA1 Message Date
maestrodrew d8fc36b09e CVE-2025-55184 2025-12-15 14:12:47 -05:00
Vercel 27257af240 Update dependencies for React Flight RCE advisory 
## React Flight / Next.js RCE Advisory Patch Implementation

### Project Status: AFFECTED - PATCHED 

#### Analysis Summary
This project was analyzed for the React Flight / Next.js RCE advisory vulnerability and was found to be affected. The vulnerability has been successfully patched by upgrading Next.js to the patched version.

#### Vulnerability Detection Results

**Affected Packages Found:**
-  **Next.js**: Present and vulnerable (15.5.4 → 15.5.7) - NOW PATCHED
-  React Flight packages: NOT present (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)

#### Changes Made

**Modified Files:**
1. **package.json** - Updated Next.js versions
   - `next`: 15.5.4 → 15.5.7
   - `eslint-config-next`: 15.5.4 → 15.5.7

2. **package-lock.json** - Updated automatically by npm install to reflect patched dependency versions

**Rationale:**
- The project was using Next.js 15.5.4, which is vulnerable to the React Flight / Next.js RCE advisory
- According to the advisory, Next.js 15.5.x versions should be upgraded to 15.5.7 (the patched version)
- React and react-dom versions (19.1.0) remain unchanged as they are properly managed by Next.js
- The project does not use React Flight packages (react-server-dom-*), so only Next.js upgrade was needed

#### Verification Performed

 **Build Test**: `npm run build` completed successfully
- Build command: `next build --turbopack`
- Result: Compiled successfully with no errors
- All pages generated and prerendered correctly

 **Lint Check**: `npm run lint` passed with no errors

 **Lockfile Updated**: package-lock.json reflects the patched Next.js version

 **Project Structure**: Single-package project (not a monorepo)

#### Security Impact

The Doyle project is now **secure against the React Flight / Next.js RCE advisory**. By updating to Next.js 15.5.7, the project is protected from the vulnerability that affected versions 15.5.0 through 15.5.6.

#### Files Changed in This Commit
- `package.json` - Dependency versions updated
- `package-lock.json` - Lockfile regenerated
- `.vade-report` - This advisory assessment report

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
 2025-12-08 20:31:22 +00:00
maestrodrew fe6d006435 add analytics 2025-10-29 21:50:53 -04:00
maestrodrew cf51e857f8 improved playback 2025-09-24 14:21:53 -04:00
maestrodrew b260c3771d remove unused package 2025-09-24 12:57:20 -04:00
maestrodrew 638f8746a0 first revision 2025-09-24 12:28:39 -04:00