worth-calculator/package-lock.json
Vercel 89fd5bcb0d Update React Flight/Next.js RCE vulnerability
## React Flight / Next.js RCE Advisory Update

### Summary
Successfully addressed the React Flight / Next.js RCE advisory for the worth-calculator project. The project was affected by the vulnerability as it uses Next.js 15.x.

### Vulnerability Detection
**Affected Packages Found:**
- `next@15.0.2` - Vulnerable version detected in dependencies
- `eslint-config-next@15.0.2` - Dev dependency that needed updating

**Not Used:**
- `react-server-dom-webpack` - Not used
- `react-server-dom-parcel` - Not used
- `react-server-dom-turbopack` - Not used

### Changes Made

#### Modified Files:
1. **package.json**
   - Upgraded `next` from `15.0.2` → `15.0.5` (patched version for 15.0.x)
   - Upgraded `eslint-config-next` from `15.0.2` → `15.0.5` (matching version)
   - React versions left unchanged as Next.js manages these dependencies automatically

2. **package-lock.json**
   - Updated via `npm install --legacy-peer-deps`
   - All dependencies resolved to compatible versions

### Verification Results

**Build Verification**: `npm run build` completed successfully
- Next.js 15.0.5 built without errors
- All pages generated correctly
- Pre-existing ESLint warnings only (not introduced by this change)

**Linter Check**: `npm run lint` passed
- Only pre-existing warnings found
- No new errors introduced by the update

**Dependency Resolution**: Confirmed via `npm ls`
- next@15.0.5 ✓
- eslint-config-next@15.0.5 ✓

### Notes
- The project uses an RC build of React (`19.0.0-rc-02c0e824-20241028`), which required using the `--legacy-peer-deps` flag during installation, but this is not a blocker as it's already configured in the project
- No React or React-DOM version changes needed as Next.js handles these automatically
- No manual changes to application code were required
- All changes are dependency-related and backward compatible

### Security Impact
This update patches the Next.js vulnerability affecting React Server Components security, addressing the RCE advisory identified in the security notice.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
2025-12-08 11:38:06 +00:00

216 KiB
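
The lockfile check described under "Vulnerability Detection" in the commit message above, as an added example that is not part of the commit or the project. It assumes the lockfileVersion 2/3 `packages` layout; `classifyNext`, `auditLock`, the sample lockfile and the nested `some-tool` dependency are hypothetical, and only the 15.0.5 floor for the 15.0.x line comes from this page.

```javascript
// Added example: audit the "packages" map of a parsed package-lock.json (v2/v3).
// The 15.0.5 floor for the 15.0.x line is the one named in the commit message;
// floors for other release lines are not on this page, so they report "unknown".
const PATCHED_FLOOR = { "15.0": 5 };
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"];

function classifyNext(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(version || "");
  if (!m || m[4]) return "unknown";            // unparsable or prerelease build
  const floor = PATCHED_FLOOR[`${m[1]}.${m[2]}`];
  if (floor === undefined) return "unknown";   // release line not covered here
  return Number(m[3]) >= floor ? "patched" : "vulnerable";
}

function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/next" or "node_modules/a/node_modules/next".
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;                  // "" is the root project entry
    const name = path.slice(idx + "node_modules/".length);
    if (name === "next") {
      findings.push({ path, version: meta.version, status: classifyNext(meta.version) });
    } else if (RSC_PACKAGES.includes(name)) {
      // Presence alone is reported; this page gives no patched versions for these.
      findings.push({ path, version: meta.version, status: "present" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not the project's real one); "some-tool" is hypothetical
// and stands for a dependency that pins its own nested copy of next.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/next": { version: "15.0.5" },
    "node_modules/eslint-config-next": { version: "15.0.5" },
    "node_modules/some-tool/node_modules/next": { version: "15.0.2" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${String(f.version).padEnd(8)} ${f.path}`);
}
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLock`. Walking every `packages` key catches nested copies of `next` that a check of the top-level entry alone would miss.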