
fix(core): TRAC-668 bump Next.js, React, and opennextjs/cloudflare for security patches #3007

Merged
chanceaclark merged 1 commit into canary from TRAC-668/security-bump-nextjs-react on May 13, 2026

Conversation

chanceaclark (Contributor) commented May 8, 2026

Jira: TRAC-668

What/Why?

Addresses multiple CVEs disclosed May 2026 in the React/Next.js ecosystem. Several of these cannot be blocked at the WAF level, making application-level patching essential.

React (GHSA-rv78-f8rc-xrxh) — Denial of Service via specially crafted requests to server function endpoints causing OOM or excessive CPU usage. Affects react-server-dom-turbopack (used by Next.js) 19.1.0–19.1.6.

Next.js 16.2.x — Middleware/proxy bypass via segment-prefetch routes and dynamic route parameter injection; SSRF via WebSocket upgrades; XSS via CSP nonces and beforeInteractive scripts; cache poisoning in RSC responses and middleware redirects.

@opennextjs/cloudflare bumped from 1.17.3 → 1.19.9 (latest) in the native-hosting workflow to pick up any compatible fixes and test deployment stability (we had issues with an earlier version).

eslint-config-next intentionally left at 15.5.10 — all @16.x releases require ESLint 9+/flat config migration, which is out of scope here.

Testing

  • Typecheck passes (pnpm run typecheck from root)
  • Native hosting deploy succeeds via the native-hosting workflow (primary validation gate for the opennextjs bump)
  • Storefront loads and checkout flow works against the native hosting deployment

Migration

No breaking changes or file moves.
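A version-audit check for the ranges quoted in the description above, as an added example that is not code from the Catalyst repository or this PR. It takes a map of resolved package versions (here a constructed sample mirroring the before/after versions of this PR, not read from a lockfile) and reports which ones fall below the patched release. The react-server-dom-turbopack range is the one the description gives for GHSA-rv78-f8rc-xrxh; the fixed floors for next, react and react-dom are assumed from the versions this PR bumps to, since the page does not quote an affected range for them.

```javascript
// Added example, not part of the Catalyst repo or this PR: audit resolved
// dependency versions against the ranges named in the PR description.
// Run with: node audit-versions.js

// Ranges to check. Only the react-server-dom-turbopack entry is quoted from
// the advisory text in the PR; the other "fixed" floors are ASSUMED from the
// versions the PR bumps to. A null `min` means "anything below fixed".
const ADVISORIES = [
  { name: 'react-server-dom-turbopack', id: 'GHSA-rv78-f8rc-xrxh', min: '19.1.0', fixed: '19.1.7' },
  { name: 'react', id: 'GHSA-rv78-f8rc-xrxh (assumed same range)', min: '19.1.0', fixed: '19.1.7' },
  { name: 'react-dom', id: 'GHSA-rv78-f8rc-xrxh (assumed same range)', min: '19.1.0', fixed: '19.1.7' },
  { name: 'next', id: 'Next.js May 2026 advisories (fixed floor assumed)', min: null, fixed: '16.2.6' },
];

// Accept an exact version or a ^ / ~ / >= range prefix. Only an exact
// (lockfile or installed) version is authoritative; for a range we use its
// lower bound and mark the result as approximate.
function parseVersion(spec) {
  const m = /^(\^|~|>=)?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return {
    parts: [Number(m[2]), Number(m[3]), Number(m[4])],
    prerelease: m[5] || null,
    exact: !m[1],
  };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] < b.parts[i] ? -1 : 1;
  }
  // A prerelease sorts before the corresponding release (semver rule 11),
  // so 19.1.7-canary.1 is still treated as older than the 19.1.7 fix.
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

function isVulnerable(version, adv) {
  const v = parseVersion(version);
  if (adv.min && compare(v, parseVersion(adv.min)) < 0) return false;
  return compare(v, parseVersion(adv.fixed)) < 0;
}

// resolved: { [packageName]: versionSpec }. Returns one finding per package
// that is still below its fixed floor; packages not in ADVISORIES are ignored.
function audit(resolved) {
  const findings = [];
  for (const adv of ADVISORIES) {
    const spec = resolved[adv.name];
    if (spec === undefined) continue;
    if (isVulnerable(spec, adv)) {
      findings.push({
        name: adv.name,
        version: spec,
        fixed: adv.fixed,
        id: adv.id,
        approximate: !parseVersion(spec).exact,
      });
    }
  }
  return findings;
}

// Constructed sample input: the versions before and after this PR's bump.
const BEFORE = {
  next: '16.1.6', react: '19.1.5', 'react-dom': '19.1.5',
  'react-server-dom-turbopack': '19.1.5', 'eslint-config-next': '15.5.10',
};
const AFTER = {
  next: '16.2.6', react: '19.1.7', 'react-dom': '19.1.7',
  'react-server-dom-turbopack': '19.1.7', 'eslint-config-next': '15.5.10',
};

for (const [label, set] of [['before', BEFORE], ['after', AFTER]]) {
  const found = audit(set);
  console.log(`${label}: ${found.length} unpatched package(s)`);
  for (const f of found) {
    const note = f.approximate ? '  [range spec; confirm against the lockfile]' : '';
    console.log(`  ${f.name}@${f.version} < ${f.fixed}  (${f.id})${note}`);
  }
}
```

Feed it the versions from the lockfile rather than package.json: a `~16.2.6` specifier only tells you the floor the install will accept, and the check above flags such inputs as approximate for that reason. Note also that the `next` entry has no lower bound, so any earlier 16.x (including the 16.1.6 this PR moved off) is reported until an advisory narrows the affected range.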

vercel (bot) commented May 8, 2026

The latest updates on your projects.

Project  | Deployment | Actions          | Updated (UTC)
---------|------------|------------------|----------------------
catalyst | Ready      | Preview, Comment | May 12, 2026 9:53pm


changeset-bot commented May 8, 2026

🦋 Changeset detected

Latest commit: a11dfb0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name                       | Type
---------------------------|------
@bigcommerce/catalyst-core | Patch


github-actions (bot, Contributor) commented May 8, 2026

Bundle Size Report

Comparing against baseline from b47ace7 (2026-05-12).

Metric        | Baseline | Current  | Delta
--------------|----------|----------|----------------------
First Load JS | 117.7 kB | 128.8 kB | +11.1 kB (+9.4%) ⚠️
Total JS      | 429.8 kB | 434.3 kB | +4.5 kB (+1%)

Per-Route First Load JS

Route                                        | Baseline | Current  | Delta
---------------------------------------------|----------|----------|----------------------
/(default)/(auth)/change-password/page       | 301.2 kB | 317.4 kB | +16.2 kB (+5.4%) ⚠️
/(default)/(auth)/login/forgot-password/page | 300.4 kB | 316.6 kB | +16.2 kB (+5.4%) ⚠️
/(default)/(auth)/login/page                 | 300.8 kB | 317 kB   | +16.2 kB (+5.4%) ⚠️
/(default)/(auth)/register/page              | 336.9 kB | 353.2 kB | +16.3 kB (+4.8%)
/(default)/(faceted)/brand/[slug]/page       | 312.9 kB | 329.1 kB | +16.2 kB (+5.2%) ⚠️
/(default)/(faceted)/category/[slug]/page    | 321.2 kB | 337.5 kB | +16.3 kB (+5.1%) ⚠️
/(default)/(faceted)/search/page             | 312.9 kB | 329.1 kB | +16.2 kB (+5.2%) ⚠️
/(default)/[...rest]/page                    | 295.9 kB | 312.1 kB | +16.2 kB (+5.5%) ⚠️
/(default)/account/addresses/page            | 340.4 kB | 356.6 kB | +16.2 kB (+4.8%)
/(default)/account/orders/[id]/page          | 304 kB   | 320.2 kB | +16.2 kB (+5.3%) ⚠️
/(default)/account/orders/page               | 305 kB   | 321.2 kB | +16.2 kB (+5.3%) ⚠️
/(default)/account/settings/page             | 311.6 kB | 327.8 kB | +16.2 kB (+5.2%) ⚠️
/(default)/account/wishlists/[id]/page       | 319 kB   | 335.1 kB | +16.1 kB (+5%) ⚠️
/(default)/account/wishlists/page            | 314 kB   | 330.2 kB | +16.2 kB (+5.2%) ⚠️
/(default)/blog/[blogId]/page                | 295.9 kB | 312.1 kB | +16.2 kB (+5.5%) ⚠️
/(default)/blog/page                         | 296.9 kB | 313.1 kB | +16.2 kB (+5.5%) ⚠️
/(default)/cart/page                         | 316.8 kB | 333 kB   | +16.2 kB (+5.1%) ⚠️
/(default)/compare/page                      | 308.1 kB | 324.3 kB | +16.2 kB (+5.3%) ⚠️
/(default)/gift-certificates/balance/page    | 299.8 kB | 316.1 kB | +16.3 kB (+5.4%) ⚠️
/(default)/gift-certificates/page            | 295.9 kB | 312.1 kB | +16.2 kB (+5.5%) ⚠️
/(default)/gift-certificates/purchase/page   | 339.5 kB | 355.7 kB | +16.2 kB (+4.8%)
/(default)/page                              | 313.1 kB | 329.3 kB | +16.2 kB (+5.2%) ⚠️
/(default)/product/[slug]/page               | 367.9 kB | 384.1 kB | +16.2 kB (+4.4%)
/(default)/webpages/[id]/contact/page        | 337.9 kB | 354.1 kB | +16.2 kB (+4.8%)
/(default)/webpages/[id]/normal/page         | 304 kB   | 320.2 kB | +16.2 kB (+5.3%) ⚠️
/(default)/wishlist/[token]/page             | 308.9 kB | 325.1 kB | +16.2 kB (+5.2%) ⚠️
/maintenance/page                            | 289.9 kB | 306.3 kB | +16.4 kB (+5.7%) ⚠️
/_global-error/page                          | 125.2 kB | 142.8 kB | +17.6 kB (+14.1%) ⚠️
/_not-found/page                             | 125.2 kB | 142.8 kB | +17.6 kB (+14.1%) ⚠️

Threshold: 5% increase. Routes with ⚠️ exceed the threshold.

@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 75fab52 to c699d1e Compare May 8, 2026 17:27
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from c699d1e to 7643a4f Compare May 8, 2026 17:49
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 7643a4f to ce70f27 Compare May 8, 2026 18:24
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from ce70f27 to 2029f51 Compare May 8, 2026 18:40
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 2029f51 to babe478 Compare May 8, 2026 18:56
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from babe478 to 5f7a988 Compare May 8, 2026 19:20
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 5f7a988 to 16dcad8 Compare May 8, 2026 19:43
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 16dcad8 to e8dd30e Compare May 8, 2026 19:53
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from e8dd30e to f8f473c Compare May 8, 2026 20:07
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from f8f473c to d91c212 Compare May 8, 2026 20:17
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from d91c212 to 3dcabb5 Compare May 8, 2026 20:23
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 3dcabb5 to 5d96686 Compare May 8, 2026 20:46
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from a8e4fc0 to 119fa90 Compare May 11, 2026 17:39
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 119fa90 to f1d7192 Compare May 11, 2026 17:46
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch 2 times, most recently from e3664ba to 1f50cfa Compare May 11, 2026 17:51
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 1f50cfa to 0ea6423 Compare May 11, 2026 17:57
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 0ea6423 to c0d7cd3 Compare May 11, 2026 18:01
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from c0d7cd3 to 9b94c04 Compare May 11, 2026 19:29
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 9b94c04 to 67ef24b Compare May 11, 2026 22:16
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 67ef24b to 18fc940 Compare May 11, 2026 23:15
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 18fc940 to 076fc46 Compare May 12, 2026 20:31
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 076fc46 to 66624c7 Compare May 12, 2026 20:57
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 66624c7 to 8a7aadc Compare May 12, 2026 20:59
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 8a7aadc to 489a738 Compare May 12, 2026 21:44
@chanceaclark chanceaclark force-pushed the TRAC-668/security-bump-nextjs-react branch from 489a738 to 439c476 Compare May 12, 2026 21:51
…r security patches

Addresses multiple CVEs disclosed May 2026:

- next: ~16.1.6 → ~16.2.6 (middleware bypass, SSRF, XSS, cache poisoning)
- react/react-dom: 19.1.5 → 19.1.7 (GHSA-rv78-f8rc-xrxh DoS via OOM/CPU on server function endpoints)
- @opennextjs/cloudflare: 1.17.3 → 1.19.9 in native-hosting workflow

eslint-config-next intentionally left at 15.5.10 — @16.x requires ESLint 9+/flat config migration.

Fixes TRAC-668
Co-Authored-By: Claude <noreply@anthropic.com>
2 participants