chore: merge RCE fixes (#2779)

chanceaclark · web-flow · commit b652b3130572 · 2025-12-12T21:05:46.000Z
* chore: fix CVEs

* Version Packages (canary)
diff --git a/core/CHANGELOG.md b/core/CHANGELOG.md
@@ -1,5 +1,49 @@
 # Changelog
 
+## 1.3.7
+
+### Patch Changes
+
+- [#2772](https://github.com/bigcommerce/catalyst/pull/2772) [`2670f4d`](https://github.com/bigcommerce/catalyst/commit/2670f4d0837d843e425a179bff588119f689567f) Thanks [@chanceaclark](https://github.com/chanceaclark)! - Catalyst has been upgraded to Next.js 15.5.9. This is a patch version upgrade that requires migration steps for existing stores to fix a security vulnerability.
+
+  ## 🔒 Security Update
+
+  **This upgrade addresses a security vulnerability ([CVE-2025-55184 + CVE-2025-55183](https://nextjs.org/blog/security-update-2025-12-11))** that affects React Server Components. These vulnerabilities allow a Denial of Service attack and Source Code Exposure attach. This upgrade includes:
+  - Next.js 15.5.9 with the security patch
+  - React 19.1.4 and React DOM 19.1.4 with the security patch
+
+  **All users are strongly encouraged to upgrade immediately.**
+
+  ## Key Changes
+  - ⚡ **Next.js 15.5.9**: Upgraded from Next.js 15.5.7 to 15.5.9
+  - ⚛️ **React 19**: Upgraded to React 19.1.4 and React DOM 19.1.4
+
+  ## Migration Guide
+
+  ### Update Dependencies
+
+  If you're maintaining a custom Catalyst store, update your `package.json`:
+
+  ```json
+  {
+    "dependencies": {
+      "next": "15.5.9",
+      "react": "19.1.4",
+      "react-dom": "19.1.4"
+    },
+    "devDependencies": {
+      "@next/bundle-analyzer": "15.5.9",
+      "eslint-config-next": "15.5.9"
+    }
+  }
+  ```
+
+  Then run:
+
+  ```bash
+  pnpm install
+  ```
+
 ## 1.3.6
 
 ### Patch Changes
diff --git a/core/package.json b/core/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@bigcommerce/catalyst-core",
   "description": "BigCommerce Catalyst is a Next.js starter kit for building headless BigCommerce storefronts.",
-  "version": "1.3.6",
+  "version": "1.3.7",
   "private": true,
   "scripts": {
     "dev": "npm run generate && next dev",
@@ -57,14 +57,14 @@
     "lodash.debounce": "^4.0.8",
     "lru-cache": "^11.1.0",
     "lucide-react": "^0.474.0",
-    "next": "15.5.8",
+    "next": "15.5.9",
     "next-auth": "5.0.0-beta.30",
     "next-intl": "^4.1.0",
     "nuqs": "^2.4.3",
     "p-lazy": "^5.0.0",
-    "react": "19.1.3",
+    "react": "19.1.4",
     "react-day-picker": "^9.7.0",
-    "react-dom": "19.1.3",
+    "react-dom": "19.1.4",
     "react-headroom": "^3.2.1",
     "schema-dts": "^1.1.5",
     "server-only": "^0.0.1",
@@ -79,7 +79,7 @@
     "@bigcommerce/eslint-config-catalyst": "workspace:^",
     "@faker-js/faker": "^9.8.0",
     "@gql.tada/cli-utils": "^1.6.3",
-    "@next/bundle-analyzer": "15.5.8",
+    "@next/bundle-analyzer": "15.5.9",
     "@playwright/test": "^1.52.0",
     "@tailwindcss/container-queries": "^0.1.1",
     "@tailwindcss/typography": "^0.5.16",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
