Update repo for React Flight RCE advisory (#277)

vercel[bot] · haydenbleasel · web-flow · commit f524f7e7b7fe · 2025-12-04T21:04:02.000-08:00
## React Flight / Next.js RCE Advisory Security Update

Successfully updated the ai-elements monorepo to address the React Flight / Next.js RCE advisory (CVE-2025-XXXXX).

### Summary of Changes

The project was found to be affected by the vulnerability. Two Next.js applications were using vulnerable versions and have been patched.

### Affected Packages Detected

- **apps/docs**: Next.js 16.0.1 → 16.0.7
- **apps/registry**: Next.js 16.0.1 → 16.0.7

Both applications were running Next.js 16.0.1, which is vulnerable to the RCE advisory. According to the security guidance, Next.js 16.x projects must be upgraded to 16.0.7.

### Not Affected

The project does NOT use any of the following vulnerable React Flight packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

Other workspace packages (elements, examples, shadcn-ui, cli, typescript-config) do not use Next.js and were not affected.

### Files Modified

1. **apps/docs/package.json** - Updated Next.js from 16.0.1 to 16.0.7
2. **apps/registry/package.json** - Updated Next.js from 16.0.1 to 16.0.7
3. **pnpm-lock.yaml** - Updated lockfile to reflect new Next.js versions
4. **apps/docs/next-env.d.ts** - Auto-generated type definitions updated by Next.js 16.0.7

### Implementation Details

- Used pnpm package manager to install dependencies and update lockfile
- Did NOT manually update React or React-DOM versions (Next.js manages these automatically)
- Followed the advisory guideline: "For Next.js 16.x → set to 16.0.7"
- Did NOT upgrade across major versions (stayed within Next.js 16.x)

### Verification

Both Next.js applications were successfully built with the patched version:
- ✅ `apps/registry` - Build passed (Next.js 16.0.7 with Turbopack)
- ✅ `apps/docs` - Build passed (Next.js 16.0.7 with Turbopack)

All TypeScript compilation and static page generation completed without errors.

### Security Impact

This update patches the React Flight / Next.js RCE vulnerability in both Next.js applications within the monorepo. The patched version 16.0.7 includes critical security fixes that prevent remote code execution attacks.

Co-authored-by: Vercel &lt;vercel[bot]@users.noreply.github.com&gt;
Co-authored-by: Hayden Bleasel &lt;hello@haydenbleasel.com&gt;
diff --git a/apps/docs/next-env.d.ts b/apps/docs/next-env.d.ts
@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import "./.next/dev/types/routes.d.ts";
+import "./.next/types/routes.d.ts";
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
