Merge pull request #2773 from bigcommerce/patch/catalyst-makeswift-1.3.8

chanceaclark · web-flow · commit c698ce1ae41f · 2025-12-12T13:08:26.000-07:00
chore: fix CVEs
diff --git a/.changeset/clever-regions-mate.md b/.changeset/clever-regions-mate.md
@@ -0,0 +1,45 @@
+---
+"@bigcommerce/catalyst-makeswift": patch
+---
+
+Catalyst has been upgraded to Next.js 15.5.9. This is a patch version upgrade that requires migration steps for existing stores to fix a security vulnerability.
+
+## 🔒 Security Update
+
+**This upgrade addresses a security vulnerability ([CVE-2025-55184 + CVE-2025-55183](https://nextjs.org/blog/security-update-2025-12-11))** that affects React Server Components. These vulnerabilities allow a Denial of Service attack and Source Code Exposure attach. This upgrade includes:
+
+- Next.js 15.5.9 with the security patch
+- React 19.1.4 and React DOM 19.1.4 with the security patch
+
+**All users are strongly encouraged to upgrade immediately.**
+
+## Key Changes
+
+- ⚡ **Next.js 15.5.9**: Upgraded from Next.js 15.5.7 to 15.5.9
+- ⚛️ **React 19**: Upgraded to React 19.1.4 and React DOM 19.1.4
+
+## Migration Guide
+
+### Update Dependencies
+
+If you're maintaining a custom Catalyst store, update your `package.json`:
+
+```json
+{
+  "dependencies": {
+    "next": "15.5.9",
+    "react": "19.1.4",
+    "react-dom": "19.1.4"
+  },
+  "devDependencies": {
+    "@next/bundle-analyzer": "15.5.9",
+    "eslint-config-next": "15.5.9"
+  }
+}
+```
+
+Then run:
+
+```bash
+pnpm install
+```
diff --git a/core/package.json b/core/package.json
@@ -53,14 +53,14 @@
     "lodash.debounce": "^4.0.8",
     "lru-cache": "^11.1.0",
     "lucide-react": "^0.474.0",
-    "next": "15.5.8",
+    "next": "15.5.9",
     "next-auth": "5.0.0-beta.30",
     "next-intl": "^4.1.0",
     "nuqs": "^2.4.3",
     "p-lazy": "^5.0.0",
-    "react": "19.1.3",
+    "react": "19.1.4",
     "react-day-picker": "^9.7.0",
-    "react-dom": "19.1.3",
+    "react-dom": "19.1.4",
     "react-headroom": "^3.2.1",
     "schema-dts": "^1.1.5",
     "server-only": "^0.0.1",
@@ -78,7 +78,7 @@
     "@bigcommerce/eslint-config-catalyst": "workspace:^",
     "@faker-js/faker": "^9.8.0",
     "@gql.tada/cli-utils": "^1.6.3",
-    "@next/bundle-analyzer": "15.5.8",
+    "@next/bundle-analyzer": "15.5.9",
     "@playwright/test": "^1.52.0",
     "@tailwindcss/container-queries": "^0.1.1",
     "@tailwindcss/typography": "^0.5.16",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
