fix(deps)!: bump minimum react and next versions (#14807)

# ⚠️ Security Issue

A critical-severity vulnerability in React Server Components
([CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182))
affects React 19 and frameworks that use it, including Next.js
([CVE-2025-66478](GHSA-9qr9-h5gf-34mp)).

## Summary

An unauthenticated attacker can craft malicious HTTP requests that
achieve remote code execution on the server via insecure deserialization
in the RSC "Flight" protocol. For exact details, please read the summary
and impact statements directly from the CVEs listed above.

Note: this vulnerability is not inherit of Payload itself, as Payload
does not install any of these dependencies directly (with the exception
of templates and examples). Payload simply _enforces_ these versions
through its peer dependencies.

## Resolution

**You are strongly encouraged to upgrade your own apps to the nearest
patched versions of React and Next.js as soon as possible.**

Here's a breakdown of the vulnerable packages and their patched
releases:

| Vulnerable package | Patched release |
| ------------- | ------------- |
| React | 19.0, 19.1, 19.2	19.0.1, 19.1.2, and 19.2.1 |
| Next.js | 14.3.0-canary, 15.x, and 16.x (App Router) 14.3.0-canary.88,
15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |

Author: jacobsfletch

examples/astro/payload/package.json

@@ -27,10 +27,10 @@
     "@payloadcms/richtext-lexical": "3.11.0",
     "cross-env": "^7.0.3",
     "graphql": "^16.8.1",
-    "next": "15.2.3",
+    "next": "15.4.8",
     "payload": "3.11.0",
-    "react": "19.0.0",
-    "react-dom": "19.0.0",
+    "react": "19.2.1",
+    "react-dom": "19.2.1",
     "sharp": "0.32.6"
   },
   "devDependencies": {

examples/astro/pnpm-lock.yaml

@@ -21,10 +21,10 @@
     "@payloadcms/richtext-slate": "latest",
     "@payloadcms/ui": "latest",
     "cross-env": "^7.0.3",
-    "next": "^15.2.3",
+    "next": "^15.4.8",
     "payload": "latest",
-    "react": "19.0.0",
-    "react-dom": "19.0.0",
+    "react": "19.2.1",
+    "react-dom": "19.2.1",
     "react-hook-form": "^7.51.3"
   },
   "devDependencies": {

examples/auth/package.json

@@ -25,10 +25,10 @@
     "dotenv": "^8.2.0",
     "graphql": "^16.9.0",
     "install": "^0.13.0",
-    "next": "^15.2.3",
+    "next": "^15.4.8",
     "payload": "latest",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0"
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1"
   },
   "devDependencies": {
     "@swc/core": "^1.6.13",

examples/custom-components/package.json

@@ -17,10 +17,10 @@
     "cross-env": "^7.0.3",
     "express": "^4.21.1",
     "graphql": "^16.8.1",
-    "next": "15.2.3",
+    "next": "15.4.8",
     "payload": "latest",
-    "react": "19.0.0",
-    "react-dom": "19.0.0"
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1"
   },
   "devDependencies": {
     "@types/express": "^5.0.0",

examples/custom-server/package.json

@@ -24,10 +24,10 @@
     "dotenv": "^8.2.0",
     "escape-html": "^1.0.3",
     "graphql": "^16.9.0",
-    "next": "^15.2.3",
+    "next": "^15.4.8",
     "payload": "latest",
-    "react": "19.0.0",
-    "react-dom": "19.0.0"
+    "react": "19.2.1",
+    "react-dom": "19.2.1"
   },
   "devDependencies": {
     "@payloadcms/graphql": "latest",

examples/draft-preview/package.json

@@ -25,10 +25,10 @@
     "ejs": "3.1.10",
     "graphql": "^16.9.0",
     "juice": "11.0.0",
-    "next": "^15.2.3",
+    "next": "^15.4.8",
     "payload": "latest",
-    "react": "19.0.0",
-    "react-dom": "19.0.0"
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1"
   },
   "devDependencies": {
     "@payloadcms/graphql": "latest",

examples/email/package.json

@@ -25,10 +25,10 @@
     "@payloadcms/richtext-lexical": "latest",
     "cross-env": "^7.0.3",
     "graphql": "^16.9.0",
-    "next": "^15.2.3",
+    "next": "^15.4.8",
     "payload": "latest",
-    "react": "19.0.0",
-    "react-dom": "19.0.0",
+    "react": "19.2.1",
+    "react-dom": "19.2.1",
     "react-hook-form": "^7.41.0",
     "react-select": "^5.9.0"
   },

examples/form-builder/package.json

@@ -27,10 +27,10 @@
     "dotenv": "^8.2.0",
     "escape-html": "^1.0.3",
     "graphql": "^16.9.0",
-    "next": "^15.2.3",
+    "next": "^15.4.8",
     "payload": "latest",
-    "react": "19.0.0",
-    "react-dom": "19.0.0",
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1",
     "react-hook-form": "^7.51.3"
   },
   "devDependencies": {

examples/live-preview/package.json

@@ -39,12 +39,12 @@
     "graphql": "^16.8.2",
     "jsonwebtoken": "9.0.2",
     "lucide-react": "^0.378.0",
-    "next": "^15.2.3",
+    "next": "^15.4.8",
     "next-intl": "^3.23.2",
     "payload": "latest",
     "prism-react-renderer": "^2.3.1",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1",
     "react-hook-form": "7.45.4",
     "sharp": "0.32.6",
     "tailwind-merge": "^2.3.0",