Commit cd8af71
Update Next.js and React Flight to patch RCE (#882)
## React Flight / Next.js RCE Advisory Fix
### Summary
Updated the relay-kit monorepo to address the React Flight / Next.js RCE advisory by ensuring the affected demo application uses a patched version of Next.js.
### Analysis Results
The monorepo was scanned for packages affected by the React Flight / Next.js RCE advisory:
**Affected Packages Detected:**
- `demo/package.json`: Contains `next` (Next.js framework)
**Not Affected:**
- No `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack` packages found
- All other workspace packages are library packages without Next.js or React Flight dependencies
### Changes Made
#### Modified Files:
1. **demo/package.json**
- Updated `next` from `"latest"` to `"15.5.7"` (patched version for 15.5.x line)
- Reason: Next.js 15.5.7 is the patched version that addresses the React Flight RCE vulnerability
2. **pnpm-lock.yaml**
- Updated lock file to reflect the pinned Next.js 15.5.7 version
- Lock file now resolves to:
- `next@15.5.7` (patched)
- `react@19.1.1` (safe - not vulnerable)
- `react-dom@19.1.1` (safe - matches React version)
### Technical Details
**Vulnerability Context:**
The advisory addresses an RCE vulnerability in React Flight / Next.js:
- Next.js 15.5.x: Patched version is 15.5.7
- The project was using `"latest"` which was resolving to 15.5.5, an older version
- Upgraded to explicitly pin 15.5.7, the patched version
**Why React versions were not manually updated:**
- This is a Next.js project, so Next.js handles React version management automatically
- React 19.1.1 is safe (not one of the vulnerable versions: 19.0.0, 19.1.0, 19.2.0)
- No manual React version changes were needed
**Non-Affected Packages:**
- The workspace contains utility packages (SDK, hooks, UI components, adapters) that are library packages
- None of these depend on Next.js or React Flight packages
- They remain unchanged as they are not affected by this vulnerability
### Verification
- Lock file correctly resolves to `next@15.5.7`
- React and react-dom versions are compatible with the patched Next.js
- No React Flight packages are present in the codebase
- All dependencies have been successfully resolved via `pnpm install`
### Implementation Notes
- Only the affected package (demo) was updated
- The fix follows the advisory guidance for Next.js 15.x projects
- No breaking changes or additional configuration was required
- The update is minimal and focused, ensuring no unintended side effects
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
1 parent: 84e79a8 (commit cd8af71)
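As an added defender-side check, not part of this commit or the relay-kit project, the script below applies the version rules the commit message states (Next.js 15.5.x fixed in 15.5.7; React 19.0.0, 19.1.0 and 19.2.0 vulnerable; react-server-dom-* packages flagged for review) to a constructed pnpm-lock.yaml excerpt. The lockfile layout it parses and the restriction to the 15.5.x line are assumptions.

```javascript
// Added example, not part of this commit: audit a pnpm-lock.yaml against the
// rules stated in the commit message (next 15.5.x fixed in 15.5.7; react/react-dom
// 19.0.0, 19.1.0, 19.2.0 vulnerable; react-server-dom-* packages need review).
// Assumes pnpm lockfile v9 layout: "packages:" keys shaped "name@version(...)".
const NEXT_FIXED_155 = '15.5.7';
const VULN_REACT = new Set(['19.0.0', '19.1.0', '19.2.0']);
const FLIGHT_PKGS = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
// Numeric dotted-version compare: <0 if a<b, 0 if equal, >0 if a>b.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Collect {name, version} from the top-level "packages:" section only.
function parseLockPackages(lockText) {
  const out = [];
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // another top-level key
    const m = inPackages && line.match(/^  '?(@?[^@'\s]+)@([0-9]+(?:\.[0-9]+)*)/);
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out;
}
// Returns one finding string per package the advisory rules flag.
function auditLock(lockText) {
  const findings = [];
  for (const { name, version } of parseLockPackages(lockText)) {
    if (name === 'next' && !version.startsWith('15.5.')) findings.push(`next@${version}: not on 15.5.x, check the advisory for that line`);
    else if (name === 'next' && cmpVersion(version, NEXT_FIXED_155) < 0) findings.push(`next@${version} vulnerable, upgrade to ${NEXT_FIXED_155}`);
    else if ((name === 'react' || name === 'react-dom') && VULN_REACT.has(version)) findings.push(`${name}@${version} is a listed vulnerable React version`);
    else if (FLIGHT_PKGS.includes(name)) findings.push(`${name}@${version} is a React Flight package, review against the advisory`);
  }
  return findings;
}
// Constructed lockfile excerpt (not the repository's file): the pre-commit state.
const BEFORE = `lockfileVersion: '9.0'
packages:
  next@15.5.5(react-dom@19.1.1(react@19.1.1))(react@19.1.1):
  react@19.1.1:
  react-dom@19.1.1(react@19.1.1):
snapshots: {}
`;
const AFTER = BEFORE.replace(/15\.5\.5/g, '15.5.7'); // the state this commit produces
console.log(auditLock(BEFORE)); // [ 'next@15.5.5 vulnerable, upgrade to 15.5.7' ]
console.log(auditLock(AFTER));  // []
```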
2 files changed, +45 -45 lines changed
Rendered diff (file contents not captured on this page): original lines 38-44 shown as context, with line 41 removed and a new line 41 added.
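Review bot: the rendered hunk shows one line replaced at line 41 but its content is not captured here; per the commit message and the file list this is presumably the `next` entry in demo/package.json moving from `"latest"` to the exact pin `"15.5.7"`. An exact pin with no range means later 15.5.x patch releases will not be picked up by `pnpm install`, so it is worth stating that trade-off in the description or pairing the pin with an automated dependency-update check. The pnpm-lock.yaml hunk is not rendered at all, so the claimed resolution to `next@15.5.7` cannot be confirmed from this page.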