Fix React Server Components CVE vulnerabilities #15
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions:

- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Pull request overview
This PR aims to remediate React Server Components–related CVEs by upgrading Next.js (and its resolved transitive dependencies) to patched versions.
Changes:
- Update `next` dependency from `^16.0.7` to `16.0.10` in `package.json`.
- Regenerate `package-lock.json` to resolve `next@16.0.10` and associated `@next/*` binaries.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Pins Next.js to 16.0.10 to pick up security fixes. |
| package-lock.json | Updates resolved Next.js and related @next/* package versions/integrity entries. |
| "framer-motion": "^12.23.24", | ||
| "lucide-react": "^0.548.0", | ||
| "next": "^16.0.7", | ||
| "next": "16.0.10", |
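Review bot: this package.json hunk changes only `next` (`^16.0.7` to `16.0.10`), while the PR description says react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack were also updated; none of the three appears as a direct dependency in the visible lines, so unless they are installed only as part of Next.js, the `next` bump alone does not reach them. Before merging, confirm with `npm ls react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel` (or by searching package-lock.json) that no separately installed copy remains at a vulnerable version, and that the lockfile's `node_modules/next` entry really resolves to 16.0.10.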
next is pinned to an exact version (16.0.10) while all other dependencies use semver ranges. If this repo’s convention is to allow patch/minor updates via ranges (and rely on the lockfile for reproducibility), consider switching to ^16.0.10 so future security/patch releases can be picked up without manual edits.
| "next": "16.0.10", | |
| "next": "^16.0.10", |
| "next": "16.0.10", | ||
| "react": "^19.2.1", | ||
| "react-dom": "^19.2.1", | ||
| "three": "^0.181.0", |
The PR bumps next to 16.0.10 but leaves eslint-config-next (and @next/eslint-plugin-next) on 16.0.6. Keeping these versions aligned with the installed Next.js version avoids unexpected lint rule/plugin incompatibilities; consider upgrading eslint-config-next to 16.0.10 as well.
| "next": "16.0.10", | ||
| "react": "^19.2.1", | ||
| "react-dom": "^19.2.1", | ||
| "three": "^0.181.0", |
PR description says it updates React, Next.js, and related Server Components packages to patched versions for multiple CVEs, but this change set only updates next (React remains at 19.2.1 in the lockfile). Please confirm all affected packages/versions for the referenced CVEs are actually covered, and update any remaining packages if needed.
Important
This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. We can't guarantee the PR is comprehensive, and it may contain mistakes.
Not all projects are affected by all issues, but patched versions are required to ensure full remediation.
Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.
This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.
See our Security Bulletins for more information and reach out to security@vercel.com with any questions.
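The PR description says every package.json was scanned and vulnerable versions were patched, and the Copilot review points out that a caret range such as `^16.0.7` still admits vulnerable versions, so only the lockfile tells you what is installed. The following Node.js script is an added example of such a check; it is not the fix-react2shell-next tool, Vercel's code, or anything from this repository. The one minimum patched version it knows, `next` 16.0.10, is taken from this PR; the `MIN_FIXED` table name, the sample package.json and the sample lockfile-v3 package-lock.json are constructed for the example.

```javascript
// Added example (not the fix-react2shell-next tool or any project code):
// audit a package.json plus a lockfile-v3 package-lock.json against the
// Next.js bump this PR makes. The sample manifests below are constructed.

// Minimum patched version per package. 16.0.10 for `next` comes from this PR;
// add further packages/lines from the official advisory as needed.
const MIN_FIXED = { next: "16.0.10" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver precedence: numeric parts first; a prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release > prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Lockfile v3 "packages": every key ending in "node_modules/<name>" is an
// installed copy of <name>, including nested duplicates under other packages.
function findInstalled(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith(suffix))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Report each declared range and each installed copy against MIN_FIXED.
function audit(pkg, lock) {
  const findings = [];
  for (const [name, minFixed] of Object.entries(MIN_FIXED)) {
    for (const field of ["dependencies", "devDependencies"]) {
      const range = pkg[field] && pkg[field][name];
      if (range === undefined) continue;
      // A range like "^16.0.7" still admits vulnerable versions; record whether
      // its floor is below the fix, but the lockfile decides what is installed.
      const floor = range.replace(/^[\^~>=\s]+/, "");
      let rangeFloorVulnerable = null; // null = non-pinned range such as "*"
      try { rangeFloorVulnerable = compareVersions(floor, minFixed) < 0; } catch { /* leave null */ }
      findings.push({ kind: "declared", name, field, range, rangeFloorVulnerable });
    }
    for (const { path, version } of findInstalled(lock, name)) {
      findings.push({ kind: "installed", name, path, version,
        vulnerable: compareVersions(version, minFixed) < 0 });
    }
  }
  return findings;
}

// Installed copies that still need the bump; non-empty means the PR is incomplete.
function vulnerableInstalls(findings) {
  return findings.filter((f) => f.kind === "installed" && f.vulnerable);
}

// Constructed sample: the manifest as it was before this PR, and a lockfile
// whose resolved copy of next is still the old 16.0.7.
const samplePkg = {
  dependencies: { next: "^16.0.7", react: "^19.2.1", "react-dom": "^19.2.1" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^16.0.7" } },
    "node_modules/next": { version: "16.0.7" },
    "node_modules/react": { version: "19.2.1" },
  },
};

for (const f of audit(samplePkg, sampleLock)) console.log(JSON.stringify(f));
```

Run it against a real checkout by replacing the two constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for `package-lock.json`; for lockfile v1/v2 the `packages` map is absent or partial, so extend `findInstalled` to walk `dependencies` recursively before relying on it.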