Vercel | 9058c65e6b | Update React Flight/Next.js RCE vulnerability
## React Flight / Next.js RCE Advisory - Patch Implementation Report
### Project Status: PATCHED ✅
The perler-beads repository has been successfully updated to address the React Flight / Next.js RCE advisory. Vulnerable dependencies have been patched to secure versions.
### Changes Made
#### 1. Next.js Version Update
- **File:** `package.json`
- **Changed:** `"next": "15.3.1"` → `"next": "15.3.6"`
- **Reason:** Next.js 15.3.1 is affected by the RCE vulnerability. Per the advisory, Next.js 15.3.x versions require patching to 15.3.6.
- **Status:** ✅ Patched
#### 2. ESLint Config Update
- **File:** `package.json` (devDependencies)
- **Changed:** `"eslint-config-next": "15.3.1"` → `"eslint-config-next": "15.3.6"`
- **Reason:** Must match the Next.js version for consistency
- **Status:** ✅ Updated
#### 3. Lockfile Update
- **File:** `package-lock.json`
- **Details:** Updated all Next.js dependencies from 15.3.1 to 15.3.6 including:
- `next` package (15.3.1 → 15.3.6)
- All `@next/*` sub-packages updated to match
- **Status:** ✅ Updated
### Vulnerability Assessment
**Affected Packages Detected:**
- ✅ **Next.js:** 15.3.1 (affected) → 15.3.6 (patched)
- ❌ **React Flight Packages:** Not used in this project
- `react-server-dom-webpack` - NOT present
- `react-server-dom-parcel` - NOT present
- `react-server-dom-turbopack` - NOT present
**React & React-DOM:**
- Current: `^19.0.0` (as specified in package.json)
- Lockfile resolves to: `19.1.0`
- **Action:** No changes made - per advisory instructions, React versions in Next.js projects are not manually updated. Next.js 15.3.6 handles React dependency management automatically.
- **Status:** ✅ Appropriate for Next.js 15.3.6
### Patch Verification
#### Build Test
```
> next build
✓ Compiled successfully in 2000ms
✓ Generating static pages (7/7)
Route (app) build status: SUCCESS
```
#### Linter Test
```
> next lint
✓ No ESLint warnings or errors
```
#### Dependency Resolution
- Next.js in node_modules: 15.3.6 ✅
- Next.js in package-lock.json: 15.3.6 ✅
- Next.js in package.json: 15.3.6 ✅
### Files Modified
1. `package.json` - Updated Next.js and eslint-config-next versions
2. `package-lock.json` - Updated lockfile with resolved patched versions
### Files Not Modified
- `react` and `react-dom` package specifications remain at `^19.0.0` (correct per advisory)
- All application code remains unchanged
- All other dependencies remain unchanged
### Verification Summary
✅ **Project was vulnerable** - Next.js 15.3.1 was affected
✅ **Patches applied** - Updated to Next.js 15.3.6
✅ **Dependencies resolve** - Lockfile confirms 15.3.6 is installed
✅ **Build succeeds** - Next.js build completes without errors
✅ **Linter passes** - No new lint issues introduced
✅ **No breaking changes** - Application code unchanged
### Conclusion
The perler-beads repository has been successfully patched for the React Flight / Next.js RCE advisory:
- Vulnerable Next.js 15.3.1 upgraded to secure 15.3.6
- All supporting dependencies updated to match
- Build verification passed
- No additional code changes required
The project is now secure against this vulnerability.
---
*Implementation completed per React Flight / Next.js RCE advisory requirements*
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
2025-12-08 12:01:58 +00:00