Vercel
27257af240
## React Flight / Next.js RCE Advisory Patch Implementation ### Project Status: AFFECTED - PATCHED ✅ #### Analysis Summary This project was analyzed for the React Flight / Next.js RCE advisory vulnerability and was found to be affected. The vulnerability has been successfully patched by upgrading Next.js to the patched version. #### Vulnerability Detection Results **Affected Packages Found:** - ✅ **Next.js**: Present and vulnerable (15.5.4 → 15.5.7) - NOW PATCHED - ❌ React Flight packages: NOT present (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) #### Changes Made **Modified Files:** 1. **package.json** - Updated Next.js versions - `next`: 15.5.4 → 15.5.7 - `eslint-config-next`: 15.5.4 → 15.5.7 2. **package-lock.json** - Updated automatically by npm install to reflect patched dependency versions **Rationale:** - The project was using Next.js 15.5.4, which is vulnerable to the React Flight / Next.js RCE advisory - According to the advisory, Next.js 15.5.x versions should be upgraded to 15.5.7 (the patched version) - React and react-dom versions (19.1.0) remain unchanged as they are properly managed by Next.js - The project does not use React Flight packages (react-server-dom-*), so only Next.js upgrade was needed #### Verification Performed ✅ **Build Test**: `npm run build` completed successfully - Build command: `next build --turbopack` - Result: Compiled successfully with no errors - All pages generated and prerendered correctly ✅ **Lint Check**: `npm run lint` passed with no errors ✅ **Lockfile Updated**: package-lock.json reflects the patched Next.js version ✅ **Project Structure**: Single-package project (not a monorepo) #### Security Impact The Doyle project is now **secure against the React Flight / Next.js RCE advisory**. By updating to Next.js 15.5.7, the project is protected from the vulnerability that affected versions 15.5.0 through 15.5.6. #### Files Changed in This Commit - `package.json` - Dependency versions updated - `package-lock.json` - Lockfile regenerated - `.vade-report` - This advisory assessment report Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
This is a Next.js project bootstrapped with create-next-app.
Getting Started
First, run the development server:
npm run dev
# or
yarn dev
# or
pnpm dev
# or
bun dev
Open http://localhost:3000 with your browser to see the result.
You can start editing the page by modifying app/page.tsx. The page auto-updates as you edit the file.
This project uses next/font to automatically optimize and load Geist, a new font family for Vercel.
Learn More
To learn more about Next.js, take a look at the following resources:
- Next.js Documentation - learn about Next.js features and API.
- Learn Next.js - an interactive Next.js tutorial.
You can check out the Next.js GitHub repository - your feedback and contributions are welcome!
Deploy on Vercel
The easiest way to deploy your Next.js app is to use the Vercel Platform from the creators of Next.js.
Check out our Next.js deployment documentation for more details.