fix: React Server Components CVE vulnerabilities #11245
Merged
anthonyshew merged 4 commits into main from Dec 12, 2025
Updated dependencies to fix Next.js and React CVE vulnerabilities.
The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
🔧 Build Fix:
The pnpm-lock.yaml lockfile contains outdated dependency specifications that don't match apps/docs/package.json. Specifically, the lockfile pins next@^16.0.7 while package.json requires next@16.0.10, causing pnpm install --frozen-lockfile to fail during Vercel builds.
📝 Patch Details
diff --git a/examples/basic/pnpm-lock.yaml b/examples/basic/pnpm-lock.yaml
index 816bc5292..6d5d0c8cb 100644
--- a/examples/basic/pnpm-lock.yaml
+++ b/examples/basic/pnpm-lock.yaml
@@ -24,8 +24,8 @@ importers:
specifier: workspace:*
version: link:../../packages/ui
next:
- specifier: ^16.0.7
- version: 16.0.7(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+ specifier: 16.0.10
+ version: 16.0.10(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
react:
specifier: ^19.2.0
version: 19.2.0
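Review bot: The `next` specifier in this importer changes from the caret range `^16.0.7` to the exact pin `16.0.10`, so later patch releases will no longer be picked up by a routine install. If the pin is deliberate for the security fix, record that next to the dependency; otherwise a caret range on the fixed version (`^16.0.10`) keeps the floor while still allowing future patch updates.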
@@ -61,8 +61,8 @@ importers:
specifier: workspace:*
version: link:../../packages/ui
next:
- specifier: ^16.0.7
- version: 16.0.7(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
+ specifier: 16.0.10
+ version: 16.0.10(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
react:
specifier: ^19.2.0
version: 19.2.0
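Review bot: `react` keeps specifier `^19.2.0` and resolved version `19.2.0` in this importer while only `next` moves. The PR description lists the react-server-dom-* packages among the updates, so please confirm that this example resolves none of them and that leaving `react` untouched here is intended.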
@@ -357,56 +357,56 @@ packages:
cpu: [x64]
os: [win32]
- '@next/env@16.0.7':
- resolution: {integrity: sha512-gpaNgUh5nftFKRkRQGnVi5dpcYSKGcZZkQffZ172OrG/XkrnS7UBTQ648YY+8ME92cC4IojpI2LqTC8sTDhAaw==}
+ '@next/env@16.0.10':
+ resolution: {integrity: sha512-8tuaQkyDVgeONQ1MeT9Mkk8pQmZapMKFh5B+OrFUlG3rVmYTXcXlBetBgTurKXGaIZvkoqRT9JL5K3phXcgang==}
'@next/eslint-plugin-next@15.5.0':
resolution: {integrity: sha512-+k83U/fST66eQBjTltX2T9qUYd43ntAe+NZ5qeZVTQyTiFiHvTLtkpLKug4AnZAtuI/lwz5tl/4QDJymjVkybg==}
- '@next/swc-darwin-arm64@16.0.7':
- resolution: {integrity: sha512-LlDtCYOEj/rfSnEn/Idi+j1QKHxY9BJFmxx7108A6D8K0SB+bNgfYQATPk/4LqOl4C0Wo3LACg2ie6s7xqMpJg==}
+ '@next/swc-darwin-arm64@16.0.10':
+ resolution: {integrity: sha512-4XgdKtdVsaflErz+B5XeG0T5PeXKDdruDf3CRpnhN+8UebNa5N2H58+3GDgpn/9GBurrQ1uWW768FfscwYkJRg==}
engines: {node: '>= 10'}
cpu: [arm64]
os: [darwin]
- '@next/swc-darwin-x64@16.0.7':
- resolution: {integrity: sha512-rtZ7BhnVvO1ICf3QzfW9H3aPz7GhBrnSIMZyr4Qy6boXF0b5E3QLs+cvJmg3PsTCG2M1PBoC+DANUi4wCOKXpA==}
+ '@next/swc-darwin-x64@16.0.10':
+ resolution: {integrity: sha512-spbEObMvRKkQ3CkYVOME+ocPDFo5UqHb8EMTS78/0mQ+O1nqE8toHJVioZo4TvebATxgA8XMTHHrScPrn68OGw==}
engines: {node: '>= 10'}
cpu: [x64]
os: [darwin]
- '@next/swc-linux-arm64-gnu@16.0.7':
- resolution: {integrity: sha512-mloD5WcPIeIeeZqAIP5c2kdaTa6StwP4/2EGy1mUw8HiexSHGK/jcM7lFuS3u3i2zn+xH9+wXJs6njO7VrAqww==}
+ '@next/swc-linux-arm64-gnu@16.0.10':
+ resolution: {integrity: sha512-uQtWE3X0iGB8apTIskOMi2w/MKONrPOUCi5yLO+v3O8Mb5c7K4Q5KD1jvTpTF5gJKa3VH/ijKjKUq9O9UhwOYw==}
engines: {node: '>= 10'}
cpu: [arm64]
os: [linux]
- '@next/swc-linux-arm64-musl@16.0.7':
- resolution: {integrity: sha512-+ksWNrZrthisXuo9gd1XnjHRowCbMtl/YgMpbRvFeDEqEBd523YHPWpBuDjomod88U8Xliw5DHhekBC3EOOd9g==}
+ '@next/swc-linux-arm64-musl@16.0.10':
+ resolution: {integrity: sha512-llA+hiDTrYvyWI21Z0L1GiXwjQaanPVQQwru5peOgtooeJ8qx3tlqRV2P7uH2pKQaUfHxI/WVarvI5oYgGxaTw==}
engines: {node: '>= 10'}
cpu: [arm64]
os: [linux]
- '@next/swc-linux-x64-gnu@16.0.7':
- resolution: {integrity: sha512-4WtJU5cRDxpEE44Ana2Xro1284hnyVpBb62lIpU5k85D8xXxatT+rXxBgPkc7C1XwkZMWpK5rXLXTh9PFipWsA==}
+ '@next/swc-linux-x64-gnu@16.0.10':
+ resolution: {integrity: sha512-AK2q5H0+a9nsXbeZ3FZdMtbtu9jxW4R/NgzZ6+lrTm3d6Zb7jYrWcgjcpM1k8uuqlSy4xIyPR2YiuUr+wXsavA==}
engines: {node: '>= 10'}
cpu: [x64]
os: [linux]
- '@next/swc-linux-x64-musl@16.0.7':
- resolution: {integrity: sha512-HYlhqIP6kBPXalW2dbMTSuB4+8fe+j9juyxwfMwCe9kQPPeiyFn7NMjNfoFOfJ2eXkeQsoUGXg+O2SE3m4Qg2w==}
+ '@next/swc-linux-x64-musl@16.0.10':
+ resolution: {integrity: sha512-1TDG9PDKivNw5550S111gsO4RGennLVl9cipPhtkXIFVwo31YZ73nEbLjNC8qG3SgTz/QZyYyaFYMeY4BKZR/g==}
engines: {node: '>= 10'}
cpu: [x64]
os: [linux]
- '@next/swc-win32-arm64-msvc@16.0.7':
- resolution: {integrity: sha512-EviG+43iOoBRZg9deGauXExjRphhuYmIOJ12b9sAPy0eQ6iwcPxfED2asb/s2/yiLYOdm37kPaiZu8uXSYPs0Q==}
+ '@next/swc-win32-arm64-msvc@16.0.10':
+ resolution: {integrity: sha512-aEZIS4Hh32xdJQbHz121pyuVZniSNoqDVx1yIr2hy+ZwJGipeqnMZBJHyMxv2tiuAXGx6/xpTcQJ6btIiBjgmg==}
engines: {node: '>= 10'}
cpu: [arm64]
os: [win32]
- '@next/swc-win32-x64-msvc@16.0.7':
- resolution: {integrity: sha512-gniPjy55zp5Eg0896qSrf3yB1dw4F/3s8VK1ephdsZZ129j2n6e1WqCbE2YgcKhW9hPB9TVZENugquWJD5x0ug==}
+ '@next/swc-win32-x64-msvc@16.0.10':
+ resolution: {integrity: sha512-E+njfCoFLb01RAFEnGZn6ERoOqhK1Gl3Lfz1Kjnj0Ulfu7oJbuMyvBKNj/bw8XZnenHDASlygTjZICQW+rYW1Q==}
engines: {node: '>= 10'}
cpu: [x64]
os: [win32]
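Review bot: The `integrity` values for `@next/env` and all eight `@next/swc-*` packages should come from a lockfile regeneration rather than from applying this patch text by hand. Running `pnpm install --lockfile-only` in examples/basic and checking that the resulting diff matches these lines gives hashes that were fetched from the registry instead of copied from a comment.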
@@ -1090,8 +1090,8 @@ packages:
natural-compare@1.4.0:
resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==}
- next@16.0.7:
- resolution: {integrity: sha512-3mBRJyPxT4LOxAJI6IsXeFtKfiJUbjCLgvXO02fV8Wy/lIhPvP94Fe7dGhUgHXcQy4sSuYwQNcOLhIfOm0rL0A==}
+ next@16.0.10:
+ resolution: {integrity: sha512-RtWh5PUgI+vxlV3HdR+IfWA1UUHu0+Ram/JBO4vWB54cVPentCD0e+lxyAYEsDTqGGMg7qpjhKh6dc6aW7W/sA==}
engines: {node: '>=20.9.0'}
hasBin: true
peerDependencies:
@@ -1642,34 +1642,34 @@ snapshots:
'@img/sharp-win32-x64@0.34.5':
optional: true
- '@next/env@16.0.7': {}
+ '@next/env@16.0.10': {}
'@next/eslint-plugin-next@15.5.0':
dependencies:
fast-glob: 3.3.1
- '@next/swc-darwin-arm64@16.0.7':
+ '@next/swc-darwin-arm64@16.0.10':
optional: true
- '@next/swc-darwin-x64@16.0.7':
+ '@next/swc-darwin-x64@16.0.10':
optional: true
- '@next/swc-linux-arm64-gnu@16.0.7':
+ '@next/swc-linux-arm64-gnu@16.0.10':
optional: true
- '@next/swc-linux-arm64-musl@16.0.7':
+ '@next/swc-linux-arm64-musl@16.0.10':
optional: true
- '@next/swc-linux-x64-gnu@16.0.7':
+ '@next/swc-linux-x64-gnu@16.0.10':
optional: true
- '@next/swc-linux-x64-musl@16.0.7':
+ '@next/swc-linux-x64-musl@16.0.10':
optional: true
- '@next/swc-win32-arm64-msvc@16.0.7':
+ '@next/swc-win32-arm64-msvc@16.0.10':
optional: true
- '@next/swc-win32-x64-msvc@16.0.7':
+ '@next/swc-win32-x64-msvc@16.0.10':
optional: true
'@nodelib/fs.scandir@2.1.5':
@@ -2519,9 +2519,9 @@ snapshots:
natural-compare@1.4.0: {}
- next@16.0.7(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
+ next@16.0.10(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
dependencies:
- '@next/env': 16.0.7
+ '@next/env': 16.0.10
'@swc/helpers': 0.5.15
caniuse-lite: 1.0.30001759
postcss: 8.4.31
@@ -2529,14 +2529,14 @@ snapshots:
react-dom: 19.2.0(react@19.2.0)
styled-jsx: 5.1.6(react@19.2.0)
optionalDependencies:
- '@next/swc-darwin-arm64': 16.0.7
- '@next/swc-darwin-x64': 16.0.7
- '@next/swc-linux-arm64-gnu': 16.0.7
- '@next/swc-linux-arm64-musl': 16.0.7
- '@next/swc-linux-x64-gnu': 16.0.7
- '@next/swc-linux-x64-musl': 16.0.7
- '@next/swc-win32-arm64-msvc': 16.0.7
- '@next/swc-win32-x64-msvc': 16.0.7
+ '@next/swc-darwin-arm64': 16.0.10
+ '@next/swc-darwin-x64': 16.0.10
+ '@next/swc-linux-arm64-gnu': 16.0.10
+ '@next/swc-linux-arm64-musl': 16.0.10
+ '@next/swc-linux-x64-gnu': 16.0.10
+ '@next/swc-linux-x64-musl': 16.0.10
+ '@next/swc-win32-arm64-msvc': 16.0.10
+ '@next/swc-win32-x64-msvc': 16.0.10
sharp: 0.34.5
transitivePeerDependencies:
- '@babel/core'
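Review bot: These hunks cover only part of the lockfile, so a `16.0.7` entry outside the lines shown would go unnoticed; the `optionalDependencies` block here is consistent at `16.0.10`. Before merging, search the regenerated examples/basic/pnpm-lock.yaml for the string `16.0.7` and confirm nothing is left.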
Analysis
Outdated pnpm-lock.yaml out of sync with package.json
What fails: pnpm install --frozen-lockfile fails with ERR_PNPM_OUTDATED_LOCKFILE during Vercel build because the lockfile specifies next@^16.0.7 while apps/docs/package.json requires next@16.0.10.
How to reproduce:
cd examples/basic
pnpm install --frozen-lockfile
Result:
[ERROR] ERR_PNPM_OUTDATED_LOCKFILE Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/apps/docs/package.json
[ERROR] Failure reason:
[ERROR] specifiers in the lockfile ({"@repo/ui":"workspace:*","next":"^16.0.7",...}) don't match specs in package.json ({"@repo/ui":"workspace:*","next":"16.0.10",...})
Solution: Regenerate the lockfile to synchronize it with the updated dependency versions in package.json.
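The specifier comparison described in the Analysis above, as an added example (not part of the PR, the bot's comment or pnpm's own code): a Node.js script that parses the importers section of a pnpm-lock.yaml excerpt and reports every dependency whose lockfile specifier differs from package.json. The lockfile excerpt, the package.json object and the function names `parseImporters` and `checkImporter` are constructed for illustration, and the parser assumes the two-space indentation layout of the sample.

```javascript
// Added example: simplified version of the specifier check behind
// ERR_PNPM_OUTDATED_LOCKFILE. Not pnpm's code; names here are hypothetical.

// Constructed sample: importers section of a pnpm-lock.yaml before regeneration.
const LOCKFILE = `
importers:
  apps/docs:
    dependencies:
      '@repo/ui':
        specifier: workspace:*
        version: link:../../packages/ui
      next:
        specifier: ^16.0.7
        version: 16.0.7(react-dom@19.2.0(react@19.2.0))(react@19.2.0)
      react:
        specifier: ^19.2.0
        version: 19.2.0
packages:
`;

// Constructed sample: apps/docs/package.json after the security bump.
const PACKAGE_JSON = {
  dependencies: { "@repo/ui": "workspace:*", next: "16.0.10", react: "^19.2.0" },
};

const unquote = (s) => s.replace(/^'(.*)'$/, "$1");

// Parse importers into { importerPath: { depName: { specifier, version } } }.
// Assumes the two-space indentation layout shown in the sample above.
function parseImporters(lockText) {
  const importers = {};
  let inImporters = false, importer = null, dep = null;
  for (const raw of lockText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) inImporters = line === "importers:";
    else if (!inImporters || indent === 4) continue; // other section or group header
    else if (indent === 2) importer = importers[unquote(line.slice(0, -1))] = {};
    else if (indent === 6) dep = importer[unquote(line.slice(0, -1))] = {};
    else if (indent === 8) {
      const i = line.indexOf(": ");
      dep[line.slice(0, i)] = line.slice(i + 2);
    }
  }
  return importers;
}

// Compare lockfile specifiers with package.json specs for one importer.
function checkImporter(lockText, importerPath, manifest) {
  const locked = parseImporters(lockText)[importerPath] ?? {};
  const wanted = { ...manifest.dependencies, ...manifest.devDependencies };
  const drift = [];
  for (const name of new Set([...Object.keys(locked), ...Object.keys(wanted)])) {
    const a = locked[name]?.specifier ?? null;
    const b = wanted[name] ?? null;
    const resolved = locked[name]?.version.split("(")[0] ?? null; // peer suffix stripped
    if (a !== b) drift.push({ name, locked: a, wanted: b, resolved });
  }
  return drift;
}

console.log(checkImporter(LOCKFILE, "apps/docs", PACKAGE_JSON));
```

The `resolved` field shows which version an install from the stale lockfile would actually use, which is the value to compare against the fixed version when triaging.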
ch4og pushed a commit to csmplay/mapban that referenced this pull request on Dec 23, 2025
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [turbo](https://turborepo.com) ([source](https://github.com/vercel/turborepo)) | [`2.6.3` -> `2.7.1`](https://renovatebot.com/diffs/npm/turbo/2.6.3/2.7.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>vercel/turborepo (turbo)</summary>

### [`v2.7.1`](https://github.com/vercel/turborepo/releases/tag/v2.7.1): Turborepo v2.7.1

[Compare Source](vercel/turborepo@v2.7.0...v2.7.1)

<!-- Release notes generated using configuration in .github/release.yml at v2.7.1 -->

#### What's Changed

##### Docs

- docs: Release post for 2.7 by [@anthonyshew](https://github.com/anthonyshew) in [#11272](vercel/turborepo#11272)

##### Examples

- fix: Typo in example with-solid README.md description by [@jack-dev-crypto](https://github.com/jack-dev-crypto) in [#11287](vercel/turborepo#11287)

##### Changelog

- fix: Correctly validate workspace root as package by [@anthonyshew](https://github.com/anthonyshew) in [#11284](vercel/turborepo#11284)
- fix: Overly aggressive path checking in microfrontends loading by [@anthonyshew](https://github.com/anthonyshew) in [#11286](vercel/turborepo#11286)
- chore(boundaries): Allow packages to import themselves by [@NicholasLYang](https://github.com/NicholasLYang) in [#10202](vercel/turborepo#10202)
- feat(query): Provide query for external dependencies by [@chris-olszewski](https://github.com/chris-olszewski) in [#9929](vercel/turborepo#9929)
- fix: Correct version mismatch causing noUpdateNotifier to fail by [@DevaanshKathuria](https://github.com/DevaanshKathuria) in [#11133](vercel/turborepo#11133)
- chore: Format version printing similar to rest of prelude by [@anthonyshew](https://github.com/anthonyshew) in [#11289](vercel/turborepo#11289)

#### New Contributors

- [@jack-dev-crypto](https://github.com/jack-dev-crypto) made their first contribution in [#11287](vercel/turborepo#11287)

**Full Changelog**: <vercel/turborepo@v2.7.0...v2.7.1>

### [`v2.7.0`](https://github.com/vercel/turborepo/releases/tag/v2.7.0): Turborepo v2.7.0

[Compare Source](vercel/turborepo@v2.6.3...v2.7.0)

<!-- Release notes generated using configuration in .github/release.yml at v2.7.0 -->

#### What's Changed

##### Docs

- docs(security): Update Next.js by [@anthonyshew](https://github.com/anthonyshew) in [#11208](vercel/turborepo#11208)
- docs: Remove flags code by [@anthonyshew](https://github.com/anthonyshew) in [#11209](vercel/turborepo#11209)
- docs: Cleanup Sentry from gitignore by [@anthonyshew](https://github.com/anthonyshew) in [#11210](vercel/turborepo#11210)
- docs: Comment out Tinybird by [@anthonyshew](https://github.com/anthonyshew) in [#11211](vercel/turborepo#11211)
- docs(fix): Sitemap by [@anthonyshew](https://github.com/anthonyshew) in [#11207](vercel/turborepo#11207)
- docs: Revert "Comment out Tinybird" by [@anthonyshew](https://github.com/anthonyshew) in [#11223](vercel/turborepo#11223)
- docs: Move search to built-in by [@anthonyshew](https://github.com/anthonyshew) in [#11224](vercel/turborepo#11224)
- docs: fix typo in design-system.css comment by [@YASHRDX0001](https://github.com/YASHRDX0001) in [#11231](vercel/turborepo#11231)
- chore: Upgrade pnpm to 9 by [@anthonyshew](https://github.com/anthonyshew) in [#11226](vercel/turborepo#11226)
- chore: Update pnpm to version 10 by [@anthonyshew](https://github.com/anthonyshew) in [#11237](vercel/turborepo#11237)
- fix: React Server Components CVE vulnerabilities by [@vercel](https://github.com/vercel)\[bot] in [#11245](vercel/turborepo#11245)
- docs: Add `turboExtendsKeyword` future flag and `$TURBO_EXTENDS$` microsyntax by [@anthonyshew](https://github.com/anthonyshew) in [#11246](vercel/turborepo#11246)
- docs: Fix Bun filtered install commands by [@anthonyshew](https://github.com/anthonyshew) in [#11260](vercel/turborepo#11260)
- docs: Add `turbo.json` composition docs by [@anthonyshew](https://github.com/anthonyshew) in [#11247](vercel/turborepo#11247)
- feat: Turborepo Devtools by [@anthonyshew](https://github.com/anthonyshew) in [#11263](vercel/turborepo#11263)
- fix: Improve layouts and task graph sourcing for devtools" by [@anthonyshew](https://github.com/anthonyshew) in [#11269](vercel/turborepo#11269)
- docs: Devtools by [@anthonyshew](https://github.com/anthonyshew) in [#11270](vercel/turborepo#11270)
- chore: Remove future flags for nonRootExtends and turboExtendsKeyword in preparation for stable release by [@anthonyshew](https://github.com/anthonyshew) in [#11280](vercel/turborepo#11280)

##### create-turbo

- fix(cli): Preserve exit codes in notifyUpdate functions by [@pyrytakala](https://github.com/pyrytakala) in [#11153](vercel/turborepo#11153)

##### turbo-ignore

- fix: Quoting in turbo-ignore commands by [@anthonyshew](https://github.com/anthonyshew) in [#11239](vercel/turborepo#11239)

##### eslint

- fix: Upgrade Next.js to 15.5.7 (CVE-2025-55182) by [@ctate](https://github.com/ctate) in [#11232](vercel/turborepo#11232)

##### [@turbo/repository](https://github.com/turbo/repository)

- chore: Update to Rust 1.92.0 by [@ognevny](https://github.com/ognevny) in [#11250](vercel/turborepo#11250)

##### Examples

- examples(dev-deps): bump turbo from 2.6.1 to 2.6.3 in /examples/with-shell-commands by [@dependabot](https://github.com/dependabot)\[bot] in [#11217](vercel/turborepo#11217)
- examples(dev-deps): bump the basic group in /examples/basic with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#11218](vercel/turborepo#11218)
- examples(dev-deps): bump the with-svelte group in /examples/with-svelte with 3 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#11219](vercel/turborepo#11219)
- examples: Use slim image (debian) for prepare and builder stage, use latest no… by [@mrr11k](https://github.com/mrr11k) in [#11228](vercel/turborepo#11228)
- examples(dev-deps): bump the with-svelte group in /examples/with-svelte with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#11254](vercel/turborepo#11254)
- examples(dev-deps): bump typescript-eslint from 8.48.1 to 8.49.0 in /examples/basic in the basic group by [@dependabot](https://github.com/dependabot)\[bot] in [#11253](vercel/turborepo#11253)
- examples(deps): bump react from 19.2.0 to 19.2.3 in /examples/non-monorepo by [@dependabot](https://github.com/dependabot)\[bot] in [#11255](vercel/turborepo#11255)

##### Changelog

- fix(turbo-utils): Add test for conflicting configs and remove stale TODO by [@deepakpathik](https://github.com/deepakpathik) in [#11201](vercel/turborepo#11201)
- feat: Yarn 4 catalogs by [@anthonyshew](https://github.com/anthonyshew) in [#11115](vercel/turborepo#11115)
- fix: Add Windows-specific env var to default passthroughs by [@anthonyshew](https://github.com/anthonyshew) in [#11233](vercel/turborepo#11233)
- fix: Add fine grained interruptible task restarts in watch mode by [@johnpyp](https://github.com/johnpyp) in [#11135](vercel/turborepo#11135)
- perf: Find tasks impacted by packages faster by [@anthonyshew](https://github.com/anthonyshew) in [#11235](vercel/turborepo#11235)
- ci: Fix release pipeline by [@anthonyshew](https://github.com/anthonyshew) in [#11240](vercel/turborepo#11240)
- ci: Fix release pipeline by [@anthonyshew](https://github.com/anthonyshew) in [#11241](vercel/turborepo#11241)
- fix: Compose tasks when composing turbo.json by [@anthonyshew](https://github.com/anthonyshew) in [#11248](vercel/turborepo#11248)
- chore: Run pre-commit fmt on all files by [@anthonyshew](https://github.com/anthonyshew) in [#11261](vercel/turborepo#11261)
- feat: Task-level `extends` field by [@anthonyshew](https://github.com/anthonyshew) in [#11259](vercel/turborepo#11259)
- fix: Allow root microfrontends.json config for [@vercel/microfrontends](https://github.com/vercel/microfrontends) by [@anthonyshew](https://github.com/anthonyshew) in [#11264](vercel/turborepo#11264)
- chore: Fix lint-staged and orphan GitHub Action by [@anthonyshew](https://github.com/anthonyshew) in [#11275](vercel/turborepo#11275)
- chore: Remove coverage tooling by [@anthonyshew](https://github.com/anthonyshew) in [#11276](vercel/turborepo#11276)
- chore: Clear false positive unused warnings by [@anthonyshew](https://github.com/anthonyshew) in [#11277](vercel/turborepo#11277)
- ci: Fix flaky test (hopefully) by [@anthonyshew](https://github.com/anthonyshew) in [#11278](vercel/turborepo#11278)

#### New Contributors

- [@deepakpathik](https://github.com/deepakpathik) made their first contribution in [#11201](vercel/turborepo#11201)
- [@YASHRDX0001](https://github.com/YASHRDX0001) made their first contribution in [#11231](vercel/turborepo#11231)
- [@ctate](https://github.com/ctate) made their first contribution in [#11232](vercel/turborepo#11232)
- [@johnpyp](https://github.com/johnpyp) made their first contribution in [#11135](vercel/turborepo#11135)
- [@vercel](https://github.com/vercel)\[bot] made their first contribution in [#11245](vercel/turborepo#11245)

**Full Changelog**: <vercel/turborepo@v2.6.3...v2.7.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.csmpro.ru/csmpro/mapban/pulls/77
Co-authored-by: Renovate Bot <renovate@csmpro.ru>
Co-committed-by: Renovate Bot <renovate@csmpro.ru>
Important
This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. We can't guarantee the PR is comprehensive, and it may contain mistakes.
Not all projects are affected by all issues, but patched versions are required to ensure full remediation.
Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.
This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.
See our Security Bulletins for more information and reach out to security@vercel.com with any questions.
Fixes VULN-3312