chore: bump Next.js and React to patched RSC security releases

[AmanVarshney01]

Summary by CodeRabbit

• Chores
  • Updated React and React-DOM dependencies from v19.1.0 to v19.2.1 across multiple starter templates and projects.
  • Updated Next.js dependencies to the latest patch versions, including 15.3.5→15.3.6, 15.4.6→15.4.8, and 16.0.0→16.0.7.
  • Routine maintenance dependency updates across all included project templates.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Multiple starter and example package.json files across accelerate, generator-prisma-client, optimize, and orm directories have been updated with newer versions of Next.js, React, and React-DOM dependencies.

Changes

Cohort / File(s)	Change Summary
Accelerate Projects accelerate/accelerate-hacker-news/package.json, accelerate/astro-starter/package.json, accelerate/nextjs-starter/package.json, accelerate/remix-starter/package.json	Updated react and react-dom from 19.1.0 to 19.2.1; updated next from 15.3.5 to 15.3.6 (hacker-news and nextjs-starter only)
Generator Prisma Client Next.js Webpack & Turbopack generator-prisma-client/nextjs-starter-turbopack/package.json, generator-prisma-client/nextjs-starter-webpack/package.json, generator-prisma-client/nextjs-starter-webpack-monorepo/packages/next-app/package.json, generator-prisma-client/nextjs-starter-webpack-turborepo/apps/web/package.json, generator-prisma-client/nextjs-starter-webpack-with-middleware/package.json	Updated next from 15.3.5 to 15.3.6 (most), 16.0.1 to 16.0.7 (turbopack); updated react and react-dom from 19.1.0 to 19.2.1 (or 19.2.0 to 19.2.1 for turbopack)
Generator Prisma Client React Router generator-prisma-client/react-router-starter-cloudflare-workerd/package.json, generator-prisma-client/react-router-starter-nodejs/package.json	Updated react and react-dom from 19.1.0 to 19.2.1
Optimize Starter optimize/starter/packages/client/package.json	Updated react and react-dom from 19.1.0 to 19.2.1
ORM Projects orm/ai-sdk-nextjs/package.json, orm/authjs-nextjs/package.json, orm/betterauth-nextjs/package.json, orm/clerk-nextjs/package.json, orm/nextjs-graphql/package.json, orm/nextjs-trpc/package.json, orm/nextjs/package.json, orm/react-router-7/package.json	Updated next (15.3.5 to 15.3.6, 15.4.6 to 15.4.8, 15.5.4 to 15.5.7, or 16.0.0 to 16.0.7 depending on project); updated react and react-dom from 19.1.0 to 19.2.1 (or 19.2.0 to 19.2.1 for nextjs-trpc)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify version consistency across projects with similar setups (e.g., all Next.js 15.3.5-based projects updated to 15.3.6)
• Confirm no unintended changes or version mismatches were introduced alongside the dependency bumps

Possibly related PRs

• DC-4755 Fix Example Projects #8278: Updates dependency versions in orm/clerk-nextjs/package.json for Next.js and React libraries
• update all nextjs examples in generator-prisma-client/ #8342: Bumps Next.js, React, and React-DOM versions across multiple generator-prisma-client example package.json files

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: bumping Next.js and React dependencies to address patched RSC security releases across multiple starter projects.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (11)

accelerate/remix-starter/package.json (2)

56-57: Update @types/react and @types/react-dom to align with React 19.2.1.

The TypeScript type definitions are pinned to 19.1.x while the runtime React version is 19.2.1. This version mismatch may cause TypeScript compilation errors or missing type definitions for new React 19.2 features.

Update the type definitions to match the React runtime version:

-    "@types/react": "19.1.8",
-    "@types/react-dom": "19.1.6",
+    "@types/react": "19.2.x",
+    "@types/react-dom": "19.2.x",

(Use the exact 19.2.x versions once you've verified compatibility with your codebase.)

---

71-71: Upgrade eslint-plugin-react-hooks to v6+ for React 19.2 compatibility.

React 19.2 requires eslint-plugin-react-hooks v6 or higher for proper support of new hook semantics (including useEffectEvent). The current pinned version is 5.2.0, which is incompatible with React 19.2.

Upgrade the package to v6+:

-    "eslint-plugin-react-hooks": "5.2.0",
+    "eslint-plugin-react-hooks": "^6.0.0",

As per React 19 documentation, "React 19.2 requires eslint-plugin-react-hooks v6+ for new hook semantics."

optimize/starter/packages/client/package.json (1)

24-25: Update type definitions to match React 19.2.1 runtime version.

The type definitions (@types/[email protected] and @types/[email protected]) are pinned at 19.1.x while the runtime is at 19.2.1. Update to @types/[email protected] and @types/[email protected] (or the latest 19.2.x available) to maintain version alignment between types and runtime.

orm/react-router-7/package.json (1)

26-27: Update type definitions to match React 19.2.1.

@types/react and @types/react-dom are at 19.1.x while react/react-dom are 19.2.1. React 19.2 includes breaking TypeScript changes that require corresponding type definition updates.

Apply this diff:

  "devDependencies": {
    "@react-router/dev": "7.6.3",
    "@tailwindcss/vite": "4.1.13",
    "@types/node": "22.19.0",
-   "@types/react": "19.1.8",
-   "@types/react-dom": "19.1.6",
+   "@types/react": "19.2.2",
+   "@types/react-dom": "19.2.2",

generator-prisma-client/nextjs-starter-webpack-monorepo/packages/next-app/package.json (1)

39-40: Update type definitions to match React 19.2.1.

@types/react and @types/react-dom are at 19.1.x while react/react-dom are upgraded to 19.2.1. React 19.2 has breaking TypeScript changes requiring updated type definitions to prevent compilation errors.

Apply this diff:

  "devDependencies": {
    "@types/node": "22.19.0",
-   "@types/react": "19.1.8",
-   "@types/react-dom": "19.1.6",
+   "@types/react": "19.2.2",
+   "@types/react-dom": "19.2.2",

accelerate/accelerate-hacker-news/package.json (1)

20-21: Update type definitions to match React 19.2.1.

@types/react and @types/react-dom are at 19.1.x while react/react-dom are 19.2.1. React 19.2 includes TypeScript breaking changes that require compatible type definitions.

Apply this diff:

  "devDependencies": {
    "@faker-js/faker": "9.9.0",
    "@types/node": "22.19.0",
-   "@types/react": "19.1.8",
-   "@types/react-dom": "19.1.6",
+   "@types/react": "19.2.2",
+   "@types/react-dom": "19.2.2",

orm/nextjs/package.json (1)

22-23: Update type definitions to match React 19.2.1.

@types/react and @types/react-dom are at 19.1.x while react/react-dom are upgraded to 19.2.1. React 19.2 has breaking TypeScript changes that require compatible type definitions.

Apply this diff:

  "devDependencies": {
    "@eslint/eslintrc": "3.3.1",
    "@types/node": "22.19.0",
-   "@types/react": "19.1.8",
-   "@types/react-dom": "19.1.6",
+   "@types/react": "19.2.2",
+   "@types/react-dom": "19.2.2",

orm/betterauth-nextjs/package.json (1)

24-25: Update type definitions to match React 19.2.1.

@types/react and @types/react-dom are at 19.1.0 (significantly old) while react/react-dom are 19.2.1. React 19.2 includes breaking TypeScript changes requiring updated type definitions.

Apply this diff:

  "devDependencies": {
    "@eslint/eslintrc": "3.3.1",
    "dotenv": "^17.2.1",
    "@tailwindcss/postcss": "4.1.14",
    "@types/node": "24.6.2",
-   "@types/react": "19.1.0",
-   "@types/react-dom": "19.1.0",
+   "@types/react": "19.2.2",
+   "@types/react-dom": "19.2.2",

generator-prisma-client/nextjs-starter-webpack-with-middleware/package.json (1)

42-43: Update type definitions to match React 19.2.1.

@types/react and @types/react-dom are pinned to 19.1.x versions while react and react-dom are at 19.2.1. React 19.2 includes TypeScript breaking changes (ref cleanup, useRef args, ReactElement props type, JSX namespace changes). Type definitions must be updated to avoid TypeScript compilation failures.

Apply this diff to align type definitions:

  "devDependencies": {
    "@types/node": "22.19.0",
-   "@types/react": "19.1.8",
-   "@types/react-dom": "19.1.6",
+   "@types/react": "19.2.2",
+   "@types/react-dom": "19.2.2",

generator-prisma-client/nextjs-starter-webpack-turborepo/apps/web/package.json (1)

30-30: Update eslint-config-next to match the next version.

eslint-config-next should be synchronized with the next version to avoid potential compatibility issues and ensure linting rules align with framework behavior.

-    "eslint-config-next": "15.3.5",
+    "eslint-config-next": "15.3.6",

generator-prisma-client/nextjs-starter-webpack/package.json (1)

46-46: Update eslint-config-next to match the next version.

eslint-config-next should be synchronized with the next version to avoid potential compatibility issues and ensure linting rules align with framework behavior.

-    "eslint-config-next": "15.3.5",
+    "eslint-config-next": "15.3.6",

🧹 Nitpick comments (8)

generator-prisma-client/nextjs-starter-webpack-with-middleware/package.json (1)

47-47: Update eslint-config-next to match next version.

eslint-config-next is pinned to 15.3.5 while next is 15.3.6. Keep tooling versions aligned for consistent linting rules.

-   "eslint-config-next": "15.3.5",
+   "eslint-config-next": "15.3.6",

generator-prisma-client/nextjs-starter-webpack-monorepo/packages/next-app/package.json (1)

43-43: Update eslint-config-next to match next version.

eslint-config-next is pinned to 15.3.5 while next is 15.3.6. Keep tooling versions aligned.

-   "eslint-config-next": "15.3.5",
+   "eslint-config-next": "15.3.6",

accelerate/accelerate-hacker-news/package.json (1)

24-24: Update eslint-config-next to match next version.

eslint-config-next should be 15.3.6 to align with next version.

-   "eslint-config-next": "15.3.5",
+   "eslint-config-next": "15.3.6",

orm/nextjs/package.json (1)

26-26: Update eslint-config-next to match next version.

eslint-config-next should be 15.3.6 to align with next version.

-   "eslint-config-next": "15.3.5",
+   "eslint-config-next": "15.3.6",

orm/betterauth-nextjs/package.json (1)

27-27: Update eslint-config-next to match next version.

eslint-config-next should be 15.5.7 to align with next version.

-   "eslint-config-next": "15.5.4",
+   "eslint-config-next": "15.5.7",

generator-prisma-client/nextjs-starter-turbopack/package.json (1)

46-46: Update eslint-config-next to match next version.

eslint-config-next is at 16.0.1 while next is 16.0.7. Consider aligning versions.

-   "eslint-config-next": "16.0.1",
+   "eslint-config-next": "16.0.7",

orm/ai-sdk-nextjs/package.json (1)

26-27: Consider pinning @types/react and @types/react-dom to specific versions.

Using caret ranges (e.g., ^19) for type definitions can cause version drifts across environments. For consistency and reproducibility, consider pinning to exact versions like other packages in this PR (e.g., 19.1.8). If you prefer flexibility, document the rationale.

orm/nextjs-trpc/package.json (1)

49-51: LGTM: Strict type pinning via overrides.

The overrides section enforces exact versions for @types/react and @types/react-dom (19.2.2), which aligns with React 19.2.1 and prevents version drifts. This is a best practice for type safety and reproducibility. Consider adopting this pattern in other packages for consistency.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee465e2 and 1a32732.

📒 Files selected for processing (20)

• accelerate/accelerate-hacker-news/package.json (1 hunks)
• accelerate/astro-starter/package.json (1 hunks)
• accelerate/nextjs-starter/package.json (1 hunks)
• accelerate/remix-starter/package.json (1 hunks)
• generator-prisma-client/nextjs-starter-turbopack/package.json (1 hunks)
• generator-prisma-client/nextjs-starter-webpack-monorepo/packages/next-app/package.json (1 hunks)
• generator-prisma-client/nextjs-starter-webpack-turborepo/apps/web/package.json (1 hunks)
• generator-prisma-client/nextjs-starter-webpack-with-middleware/package.json (1 hunks)
• generator-prisma-client/nextjs-starter-webpack/package.json (1 hunks)
• generator-prisma-client/react-router-starter-cloudflare-workerd/package.json (1 hunks)
• generator-prisma-client/react-router-starter-nodejs/package.json (1 hunks)
• optimize/starter/packages/client/package.json (1 hunks)
• orm/ai-sdk-nextjs/package.json (1 hunks)
• orm/authjs-nextjs/package.json (1 hunks)
• orm/betterauth-nextjs/package.json (1 hunks)
• orm/clerk-nextjs/package.json (1 hunks)
• orm/nextjs-graphql/package.json (1 hunks)
• orm/nextjs-trpc/package.json (1 hunks)
• orm/nextjs/package.json (1 hunks)
• orm/react-router-7/package.json (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: AmanVarshney01
Repo: prisma/prisma-examples PR: 8327
File: orm/graphql-auth/prisma/schema.prisma:2-4
Timestamp: 2025-10-15T13:58:59.096Z
Learning: The "prisma-client" generator provider (introduced in Prisma v6) is the newer, ESM-ready alternative to "prisma-client-js". It requires an explicit output path and is better suited for modern runtimes, edge deployments, and will become the default in Prisma v7. Use "prisma-client" for new projects or when modernizing existing projects.

Learnt from: FGoessler
Repo: prisma/prisma-examples PR: 8260
File: generator-prisma-client/nextjs-starter-webpack-turborepo/packages/database/package.json:13-13
Timestamp: 2025-08-22T12:12:24.602Z
Learning: When analyzing changes from package.json seed scripts to "prisma db seed", always verify the actual content of prisma.config.ts rather than relying solely on regex patterns, as the configuration may be properly defined but in a format that doesn't match overly restrictive search patterns.

📚 Learning: 2025-10-15T13:58:59.096Z

Learnt from: AmanVarshney01
Repo: prisma/prisma-examples PR: 8327
File: orm/graphql-auth/prisma/schema.prisma:2-4
Timestamp: 2025-10-15T13:58:59.096Z
Learning: The "prisma-client" generator provider (introduced in Prisma v6) is the newer, ESM-ready alternative to "prisma-client-js". It requires an explicit output path and is better suited for modern runtimes, edge deployments, and will become the default in Prisma v7. Use "prisma-client" for new projects or when modernizing existing projects.

Applied to files:

• generator-prisma-client/nextjs-starter-webpack/package.json
• accelerate/accelerate-hacker-news/package.json
• orm/betterauth-nextjs/package.json
• generator-prisma-client/react-router-starter-cloudflare-workerd/package.json
• generator-prisma-client/nextjs-starter-webpack-with-middleware/package.json
• orm/nextjs/package.json
• generator-prisma-client/react-router-starter-nodejs/package.json

📚 Learning: 2025-08-22T12:12:24.602Z

Learnt from: FGoessler
Repo: prisma/prisma-examples PR: 8260
File: generator-prisma-client/nextjs-starter-webpack-turborepo/packages/database/package.json:13-13
Timestamp: 2025-08-22T12:12:24.602Z
Learning: When analyzing changes from package.json seed scripts to "prisma db seed", always verify the actual content of prisma.config.ts rather than relying solely on regex patterns, as the configuration may be properly defined but in a format that doesn't match overly restrictive search patterns.

Applied to files:

• generator-prisma-client/nextjs-starter-webpack-with-middleware/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: test (orm/betterauth-nextjs)
• GitHub Check: test (orm/astro)
• GitHub Check: test (orm/betterauth-astro)
• GitHub Check: test (orm/clerk-nextjs)
• GitHub Check: test (orm/authjs-nextjs)
• GitHub Check: test (orm/clerk-astro)
• GitHub Check: test (orm/grpc)
• GitHub Check: test (orm/hapi-graphql)
• GitHub Check: test (orm/nextjs)
• GitHub Check: test (orm/nuxt)
• GitHub Check: test (orm/sveltekit)
• GitHub Check: test (orm/solid-start)

🔇 Additional comments (15)

accelerate/remix-starter/package.json (1)

36-37: React 19.2.1 security fix is appropriate and necessary.

This version bump correctly addresses CVE-2025-55182, a critical unauthenticated remote-code-execution vulnerability in React Server Components affecting React 19.1.0. The fix aligns with the PR's objective to deploy patched RSC security releases.

optimize/starter/packages/client/package.json (1)

18-19: React and React-DOM version bump looks good.

The upgrade from 19.1.0 to 19.2.1 aligns with the PR objective of patching RSC security releases. However, note that the type definitions (@types/react and @types/react-dom) at lines 24–25 remain at 19.1.x, which may be misaligned with the runtime React version.

orm/authjs-nextjs/package.json (2)

15-18: Next.js and React versions align with PR objective of patched security releases.

The patch bump to Next.js 15.4.8 and minor bump to React 19.2.1 appear to address the RSC security fixes mentioned in the PR title. TypeScript types are correctly aligned with React 19.

---

15-15: Confirm Next.js 15.4.8 and React 19.2.1 patch critical RSC vulnerability.

These versions contain security fixes for CVE-2025-66478 (Next.js) / CVE-2025-55182 (React) — a critical unauthenticated RCE in React Server Components (CVSS 10.0) affecting unsafe deserialization in Server Function endpoints. Both patched releases were published December 3, 2025 with no new vulnerabilities introduced. Immediate upgrade is warranted.

accelerate/nextjs-starter/package.json (1)

20-20: No type definition mismatch concern for this file.

This minimal starter package does not declare @types/react or @types/react-dom in devDependencies, so TypeScript type safety should be verified at build/usage time by consuming applications.

Also applies to: 23-24

generator-prisma-client/nextjs-starter-turbopack/package.json (1)

41-42: Excellent type definition handling with pnpm overrides.

Type definitions are correctly pinned to 19.2.2 via both direct devDependency and pnpm overrides, matching React 19.2.1. This ensures TypeScript compatibility across the workspace.

Also applies to: 54-58

generator-prisma-client/nextjs-starter-webpack-turborepo/apps/web/package.json (1)

15-18: Verify breaking-change compatibility for React 19 and Next.js 15.

React 19 removes several APIs (e.g., propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Next.js 15 makes async API changes (cookies(), headers(), params, searchParams) and removes default GET Route Handler caching. Ensure the codebase in this package doesn't rely on removed APIs and has been tested after the upgrade.

generator-prisma-client/nextjs-starter-webpack/package.json (1)

30-33: Verify breaking-change compatibility for React 19 and Next.js 15.

React 19 removes several APIs (e.g., propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Next.js 15 makes async API changes (cookies(), headers(), params, searchParams) and removes default GET Route Handler caching. Ensure the codebase in this package doesn't rely on removed APIs and has been tested after the upgrade.

orm/ai-sdk-nextjs/package.json (1)

17-19: Verify breaking-change compatibility for React 19 and Next.js 15.

React 19 removes several APIs (e.g., propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Next.js 15.4 has significant Turbopack and bundler integration changes. Ensure the codebase has been tested and doesn't rely on removed APIs. Note: This package uses next dev --turbopack (line 6), which is stable in 15.4 but confirm compatibility.

generator-prisma-client/react-router-starter-cloudflare-workerd/package.json (1)

24-25: Verify React 19 breaking-change compatibility.

React 19 removes several APIs (propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Ensure the codebase doesn't rely on removed APIs and has been tested. This React Router package should generally be unaffected by Next.js changes, but confirm React-specific breaking changes are addressed.

accelerate/astro-starter/package.json (1)

21-22: Verify React 19 compatibility with Astro's React integration.

React 19 removes several APIs (propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Verify that Astro's React component integration (@astrojs/react v4.3.0) is compatible with React 19.2.1 and that no Astro-specific React patterns break. Confirm the codebase doesn't rely on removed React APIs.

orm/nextjs-graphql/package.json (1)

22-24: Verify breaking-change compatibility for React 19 and Next.js 15.

React 19 removes several APIs (propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Next.js 15 makes async API changes (cookies(), headers(), params, searchParams) and removes default GET Route Handler caching. Ensure the GraphQL setup and codebase have been tested and don't rely on removed APIs.

orm/nextjs-trpc/package.json (1)

29-29: Verify breaking-change compatibility for React 19 and Next.js 16.

Next.js 16.0.7 includes additional stability improvements over 15.x. React 19.2.1 removes several APIs (propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Ensure the TRPC setup and codebase have been tested and don't rely on removed APIs. Note: This package uses next dev --turbopack (line 7) and should be compatible with 16.0.7.

Also applies to: 32-33

generator-prisma-client/react-router-starter-nodejs/package.json (1)

17-18: Verify React 19 breaking-change compatibility.

React 19 removes several APIs (propTypes, defaultProps for function components, legacy Context API, string refs) and changes ref semantics. Ensure the React Router and Node.js setup don't rely on removed APIs and have been tested. The type definitions are range-pinned (^19.1.2), which is acceptable for a starter template but consider pinning to exact versions for reproducibility (e.g., 19.1.2).

orm/clerk-nextjs/package.json (1)

15-15: Dependency updates are compatible and properly integrated.

The version bumps to [email protected] and [email protected] are safe for this project. The @clerk/[email protected] explicitly supports Next.js ^15.2.3 (confirmed in peer dependencies), and the codebase already implements the required async patterns: auth() and currentUser() are properly awaited in the relevant server contexts, and ClerkProvider is correctly integrated in the root layout.

Also applies to: 17-18