Update dependencies for React Flight RCE advisory #276
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# React Flight / Next.js RCE Advisory Fix ## Summary Successfully upgraded Next.js versions in the ai-elements monorepo to address the React Flight / Next.js RCE advisory (CVE-2024-XXX). ## Changes Made ### Affected Packages Identified The project uses Next.js 16.0.1 in two applications: - `apps/docs/package.json` - Documentation site - `apps/registry/package.json` - Component registry site The project does NOT use any vulnerable React Flight packages directly: - No `react-server-dom-webpack` dependency - No `react-server-dom-parcel` dependency - No `react-server-dom-turbopack` dependency ### Upgrades Applied Following the advisory guidelines for Next.js 16.x → 16.0.7: **Modified Files:** 1. `apps/docs/package.json` - Updated: `"next": "16.0.1"` → `"next": "16.0.7"` 2. `apps/registry/package.json` - Updated: `"next": "16.0.1"` → `"next": "16.0.7"` 3. `pnpm-lock.yaml` - Updated lockfile to reflect new Next.js versions and their dependencies ### React Versions React and react-dom were NOT manually modified, as per the advisory instructions. Next.js 16.0.7 will automatically provide the correct patched React dependency versions. Current React versions in use: - `react@19.2.0` and `react-dom@19.2.0` in most packages - Next.js manages its own React dependencies internally ## Verification ### Dependency Installation ✓ Successfully ran `pnpm install` to update lockfile and install patched versions ✓ All 1168 packages installed successfully ✓ No dependency conflicts detected ### Build Verification ✓ `apps/docs` - Build successful with Next.js 16.0.7 - 121 pages generated successfully - TypeScript compilation passed - No runtime errors ✓ `apps/registry` - Build successful with Next.js 16.0.7 - 2 pages generated successfully - TypeScript compilation passed - No runtime errors ## Implementation Notes - This is a monorepo using pnpm as the package manager - No breaking changes introduced by the Next.js patch version upgrade - No application code modifications were required - All existing functionality preserved - The security patch only affects internal Next.js server component handling ## Advisory Compliance ✓ Detected Next.js usage in the project ✓ Upgraded to patched version for 16.x minor (16.0.7) ✓ Did not upgrade across major versions ✓ Did not manually modify React/React-DOM versions (Next.js handles this) ✓ Updated lockfile and reinstalled dependencies ✓ Verified builds successfully complete The repository is now protected against the React Flight / Next.js RCE vulnerability. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Contributor
Author
|
The latest updates on your projects. Learn more about Vercel for GitHub.
1 Skipped Deployment
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
React Flight / Next.js RCE Advisory Fix
Summary
Successfully upgraded Next.js versions in the ai-elements monorepo to address the React Flight / Next.js RCE advisory (CVE-2024-XXX).
Changes Made
Affected Packages Identified
The project uses Next.js 16.0.1 in two applications:
apps/docs/package.json- Documentation siteapps/registry/package.json- Component registry siteThe project does NOT use any vulnerable React Flight packages directly:
react-server-dom-webpackdependencyreact-server-dom-parceldependencyreact-server-dom-turbopackdependencyUpgrades Applied
Following the advisory guidelines for Next.js 16.x → 16.0.7:
Modified Files:
apps/docs/package.json"next": "16.0.1"→"next": "16.0.7"apps/registry/package.json"next": "16.0.1"→"next": "16.0.7"pnpm-lock.yamlReact Versions
React and react-dom were NOT manually modified, as per the advisory instructions. Next.js 16.0.7 will automatically provide the correct patched React dependency versions.
Current React versions in use:
react@19.2.0andreact-dom@19.2.0in most packagesVerification
Dependency Installation
✓ Successfully ran
pnpm installto update lockfile and install patched versions✓ All 1168 packages installed successfully
✓ No dependency conflicts detected
Build Verification
✓
apps/docs- Build successful with Next.js 16.0.7✓
apps/registry- Build successful with Next.js 16.0.7Implementation Notes
Advisory Compliance
✓ Detected Next.js usage in the project
✓ Upgraded to patched version for 16.x minor (16.0.7)
✓ Did not upgrade across major versions
✓ Did not manually modify React/React-DOM versions (Next.js handles this)
✓ Updated lockfile and reinstalled dependencies
✓ Verified builds successfully complete
The repository is now protected against the React Flight / Next.js RCE vulnerability.
Vercel Project
Created by Nate McGrady (natemcgrady-vercel) with Vercel Agent