## React Flight / Next.js RCE Advisory Update
### Summary
Successfully addressed the React Flight / Next.js RCE advisory for the worth-calculator project. The project was affected by the vulnerability as it uses Next.js 15.x.
### Vulnerability Detection
**Affected Packages Found:**
- ✅ `next@15.0.2` - Vulnerable version detected in dependencies
- ✅ `eslint-config-next@15.0.2` - Dev dependency that needed updating
**Not Used:**
- ❌ `react-server-dom-webpack` - Not used
- ❌ `react-server-dom-parcel` - Not used
- ❌ `react-server-dom-turbopack` - Not used
### Changes Made
#### Modified Files:
1. **package.json**
   - Upgraded `next` from `15.0.2` → `15.0.5` (patched version for 15.0.x)
   - Upgraded `eslint-config-next` from `15.0.2` → `15.0.5` (matching version)
   - React versions left unchanged as Next.js manages these dependencies automatically
2. **package-lock.json**
   - Updated via `npm install --legacy-peer-deps`
   - All dependencies resolved to compatible versions
### Verification Results
✅ **Build Verification**: `npm run build` completed successfully
- Next.js 15.0.5 built without errors
- All pages generated correctly
- Pre-existing ESLint warnings only (not introduced by this change)
✅ **Linter Check**: `npm run lint` passed
- Only pre-existing warnings found
- No new errors introduced by the update
✅ **Dependency Resolution**: Confirmed via `npm ls`
- next@15.0.5 ✓
- eslint-config-next@15.0.5 ✓
### Notes
- The project uses an RC build of React (`19.0.0-rc-02c0e824-20241028`), which required using the `--legacy-peer-deps` flag during installation, but this is not a blocker as it's already configured in the project
- No React or React-DOM version changes needed as Next.js handles these automatically
- No manual changes to application code were required
- All changes are dependency-related and backward compatible
### Security Impact
This update patches the Next.js vulnerability affecting React Server Components security, addressing the RCE advisory identified in the security notice.
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
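
A lockfile audit matching the `npm ls` verification described above, as an added example that is not part of this PR or the project's code. It walks every entry of a `package-lock.json` (lockfileVersion 2/3) so that nested copies of `next` are checked too, and it lists any `react-server-dom-*` packages. The function names, the sample lockfile fragments and the `some-dep` package are hypothetical; the only version facts used are the ones stated in the PR.

```javascript
// Version facts come from the PR text: next 15.0.2 is affected and 15.0.5 is
// the patched release for the 15.0.x line.
const PATCHED_PATCH_15_0 = 5;
const FLIGHT_PKGS = ["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"];

// Classify a resolved `next` version. Release lines other than 15.0.x and
// prerelease strings are "unknown": the PR does not say where they are fixed.
function classifyNext(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m || m[1] !== "15" || m[2] !== "0") return "unknown";
  // Assumption: every 15.0.x release below 15.0.5 is treated as unpatched.
  return Number(m[3]) >= PATCHED_PATCH_15_0 ? "patched" : "unpatched";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json, so
// nested copies (node_modules/a/node_modules/next) are caught as well.
function auditLockfile(lock) {
  const report = { next: [], eslintConfigNext: [], flight: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project entry ("") or a workspace path
    const name = path.slice(idx + "node_modules/".length);
    if (name === "next") {
      report.next.push({ path, version: meta.version, status: classifyNext(meta.version) });
    } else if (name === "eslint-config-next") {
      report.eslintConfigNext.push({ path, version: meta.version });
    } else if (FLIGHT_PKGS.includes(name)) {
      report.flight.push({ path, version: meta.version });
    }
  }
  const versions = new Set(report.next.map((n) => n.version));
  report.ok = report.next.length > 0 &&
    report.next.every((n) => n.status === "patched") &&
    report.eslintConfigNext.every((e) => versions.has(e.version));
  return report;
}

// Constructed sample lockfile fragments (not the project's real lockfile).
const BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "worth-calculator" },
  "node_modules/next": { version: "15.0.2" },
  "node_modules/eslint-config-next": { version: "15.0.2" } } };
const AFTER = { lockfileVersion: 3, packages: {
  "": { name: "worth-calculator" },
  "node_modules/next": { version: "15.0.5" },
  "node_modules/eslint-config-next": { version: "15.0.5" },
  "node_modules/some-dep/node_modules/next": { version: "15.0.2" } } };
console.log(auditLockfile(BEFORE).ok, auditLockfile(AFTER).ok);
```

The `AFTER` sample fails on purpose: the top-level `next` is patched, but a nested copy pinned by another dependency is still at `15.0.2`, which a check of the top-level version alone would miss.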