18 Commits

Author SHA1 Message Date
vercel[bot]
8cf1326979 Update dependencies for React Flight RCE advisory (#1144)
# React Flight / Next.js RCE Advisory Patch

## Summary
Successfully patched the React Flight / Next.js RCE vulnerability across all affected Next.js projects in the vercel/next-learn repository.

## Analysis Results

### Projects Affected:
The repository contains multiple Next.js projects. Analysis determined:

**Updated to patched versions:**
- 2 projects using Next.js 15.1.x → Updated to 15.1.9
- 10 projects using Next.js "latest" → Pinned to 16.0.7
- 1 project already on Next.js 16.0.7 → No changes needed

**Not affected (no changes made):**
- 1 project using Next.js 13.0.2 (too old, predates vulnerability)
- 1 root workspace using Next.js 14.2.23 (stable release, not in affected range)
- No projects use react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack

## Changes Made

### Files Modified:

**SEO Projects (Next.js 15.1.x):**
- `seo/package.json` - Updated `next: ^15.1.6` → `next: 15.1.9`
- `seo/demo/package.json` - Updated `next: ^15.1.6` → `next: 15.1.9`

**Dashboard Projects (Next.js latest):**
- `dashboard/starter-example/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `dashboard/final-example/package.json` - Already at `next: 16.0.7` (no change)

**Basics Projects (Next.js latest):**
- `basics/api-routes-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/assets-metadata-css-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/basics-final/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/data-fetching-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/demo/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/dynamic-routes-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/dynamic-routes-step-1/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/learn-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/navigate-between-pages-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`

**Lockfiles:**
- `pnpm-lock.yaml` - Updated root workspace lockfile
- `basics/learn-starter/pnpm-lock.yaml` - New lockfile created
- `seo/pnpm-lock.yaml` - New lockfile created

**Not Modified:**
- `basics/typescript-final/package.json` - Uses `next: ^13.0.2` (not affected)
- `package.json` (root) - Uses `next: ^14.0.0` resolving to 14.2.23 (not affected)

## Patch Strategy

### For Next.js 15.1.x projects:
Updated to **15.1.9** per advisory guidance:
- 15.1.x → 15.1.9 (patched version for 15.1 minor)
- Did not upgrade to React manually (Next.js supplies correct versions)

### For Next.js "latest" projects:
Pinned to **16.0.7** per advisory guidance:
- Changed from "latest" to explicit "16.0.7"
- This prevents automatic upgrades and ensures the patched version is used
- 16.x → 16.0.7 (patched version for 16.0 minor)
- Did not upgrade React manually (Next.js supplies correct versions)

### For unaffected projects:
- Next.js 13.x: Too old to be affected by this vulnerability
- Next.js 14.2.x: Stable releases before 14.3.0-canary.77 are not affected

## Verification

### Build Tests Performed:
**basics/learn-starter** (Next.js 16.0.7):
- Compiled successfully
- Static pages generated
- Build completed without dependency errors

**seo/** (Next.js 15.1.9):
- Linting and type checking passed
- Compiled successfully
- Static pages generated
- Build completed successfully

**Root workspace** (pnpm install):
- All dependencies installed successfully
- Lockfile updated correctly
- No breaking changes introduced

⚠️ **dashboard/final-example** (Next.js 16.0.7):
- Next.js compilation successful
- Build failures due to missing PostgreSQL database (expected in sandbox)
- Not a dependency-related issue; application requires database for data fetching
- Dependency upgrade confirmed working

## Implementation Approach

1. **Detection Phase:**
   - Scanned all package.json files in the repository
   - Identified Next.js versions and determined affected projects
   - Checked for React Flight packages (none found)

2. **Update Phase:**
   - Updated package.json files with appropriate patched versions
   - Maintained version constraints per advisory guidelines
   - Did not upgrade across major versions

3. **Lockfile Phase:**
   - Ran `pnpm install` at root to update workspace lockfile
   - Individual project lockfiles created/updated as needed
   - All dependencies resolved to patched versions

4. **Verification Phase:**
   - Tested builds on representative projects
   - Confirmed Next.js 15.1.9 builds successfully
   - Confirmed Next.js 16.0.7 builds successfully
   - Verified no breaking changes introduced

## Why This Approach:

**Version Selection:**
- 15.1.x → 15.1.9: Official patched version for 15.1 minor per advisory
- 16.0.x → 16.0.7: Official patched version for 16.0 minor per advisory
- Did not upgrade React/React-DOM manually: Next.js manages these dependencies

**"latest" → Pinned Version:**
- Changed from "latest" to explicit version numbers
- Ensures projects use patched versions
- Prevents accidental use of vulnerable versions if "latest" tag moves

**Selective Updates:**
- Only updated projects in affected version ranges
- Left Next.js 13.x and 14.2.x unchanged (not vulnerable)
- Followed advisory guidance precisely

## Advisory Compliance:

- Detected if project is affected (checked all package.json files)
- Updated Next.js 15.1.x to 15.1.9
- Updated Next.js 16.x to 16.0.7
- Did not upgrade across major versions
- Did not manually upgrade React/React-DOM (Next.js manages these)
- Updated lockfiles and reinstalled dependencies
- Verified builds work with patched versions
- Did not modify application logic
- No React Flight packages found (not applicable)

## References:
- React Flight / Next.js RCE Advisory
- CVE-2025-66478 (Next.js RCE)
- CVE-2025-55182 (React Flight RCE)
- GitHub Advisory: GHSA-9qr9-h5gf-34mp

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
2025-12-05 17:40:13 -06:00
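
The detection phase described in the commit message above, as an added example that is not part of the commit or of the vercel/next-learn repository: it classifies the `next` spec of each manifest using only the version rules the message states. The names `classifyNext` and `auditManifests` and the status labels are hypothetical, and the sample manifests are constructed from the specs the message reports.

```javascript
// Added example, not code from the repository. PATCHED holds only the two
// fixed versions the commit message names; other minors come back as "review".
const PATCHED = { '15.1': '15.1.9', '16.0': '16.0.7' };

// Parse "15.1.6", "^15.1.6" or "~16.0.1"; dist-tags and complex ranges give null.
function parseSpec(spec) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(spec).trim());
  return m && { exact: m[1] === '', major: +m[2], minor: +m[3], patch: +m[4], pre: m[5] || '' };
}

function classifyNext(spec) {
  if (spec === undefined) return { status: 'no-next' };
  const v = parseSpec(spec);
  // "latest" resolves at install time, so the manifest alone proves nothing.
  if (!v) return { status: 'unpinned' };
  // Per the commit message: 13.x and stable 14.x up to 14.2.x are not affected.
  if (v.major === 13 || (v.major === 14 && v.minor <= 2 && !v.pre)) {
    return { status: 'not-affected' };
  }
  const target = PATCHED[`${v.major}.${v.minor}`];
  if (!target) return { status: 'review' }; // no fixed version given on this page
  // A ^ range can float to a minor with no known fix here, so only an exact
  // pin at or above the fixed patch level counts as patched.
  const fixedPatch = Number(target.split('.')[2]);
  return v.exact && !v.pre && v.patch >= fixedPatch
    ? { status: 'patched' }
    : { status: 'update', target };
}

// manifests maps a file path to its parsed package.json object.
function auditManifests(manifests) {
  return Object.entries(manifests).map(([path, pkg]) => {
    const spec = (pkg.dependencies || {}).next ?? (pkg.devDependencies || {}).next;
    return { path, spec, ...classifyNext(spec) };
  });
}

// Constructed input: the specs the commit message reports before the patch.
const SAMPLE = {
  'seo/package.json': { dependencies: { next: '^15.1.6' } },
  'dashboard/starter-example/package.json': { dependencies: { next: 'latest' } },
  'dashboard/final-example/package.json': { dependencies: { next: '16.0.7' } },
  'basics/typescript-final/package.json': { dependencies: { next: '^13.0.2' } },
  'package.json': { dependencies: { next: '^14.0.0' } },
};

for (const r of auditManifests(SAMPLE)) {
  console.log(r.path, r.spec, r.status, r.target || '');
}
```

A manifest check like this covers only the declared spec; the resolved version in the lockfile is what is actually installed.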
Lee Robinson
46d15fa2e5 Move from @vercel/postgres to postgres (provider-agnostic) (#989)
* Postgres

* fix

* fix

* prettier-fix

---------

Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
2025-01-29 11:39:32 -06:00
Mohammed Elzanaty
9874174ed4 feature: add prettier config (#452)
* chore: fix dashboard readme

* feat: add prettier config

* chore: update Node version requirement to 18.17.0

* Remove extra space

* Update @tailwind/forms

* Testing

---------

Co-authored-by: mohamed.elzanaty3 <mohamed.elzanaty3@vodafone.com>
Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
2023-11-16 17:52:29 +00:00
Stephanie Dietz
162d59256e Learn run through 💅🏼 (#230)
* remove auth sign out form side nav

* remove unused clsx

* comment out code

* comment out code that throws error when trying to deploy to vercel

* Remove vercel emails

* comment out more code so it will deploy to vercel

* Include AUTH_URL

* add notes to commented out code

* Add bcrypt

* Use .env instead of .env.local

* Update types

* Move skeletons

* Update import

* Delete search functionality

* More fixes

* Misc fixes

* Update login-form.tsx

* Update table.tsx

* Update eslint

* eslint fix

* formatting

---------

Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
2023-10-26 16:38:00 -06:00
Stephanie Dietz
ef82a24b33 remove npm lock file (#229) 2023-10-26 12:57:19 -05:00
Delba de Oliveira
82f2fae791 Add starter example (#225)
* Duplicate starter

* Remove code for chapter 16

* Add code for chapter 15

* first 3 chapters

* Remove routes and actions

* chapter 3

* Chapters 12-13

* chapter 5

* Revert "Chapters 12-13"

This reverts commit b6da764d85.

* re-add Link to page

* chapter 5

* chapter 6

* Chapter 11 and 12

* chapter 7

* Revert

* Chapter 11

* Remove PPR flag

* chapter 8

* Chapter 9

* switch from pnpm to npm

* 💅

* Create pnpm-lock.yaml

* build errors

* Fix

* Fix

* Update next

* Update nextauth

---------

Co-authored-by: StephDietz <steph.dietz@vercel.com>
2023-10-26 12:49:57 -05:00
Delba de Oliveira
9044c85918 Fix broken images, remove unused assets, update types, polish (#224)
* Update next to canary

* Update layout.tsx

* Use canary

* Remove serverActions flag warning

* Use unstable_noStore

* Add Date.now() test

* Update metadataBase url

* Create wrapper component for Cards

* Update page.tsx

* Misc

* Delete unused data fetch

* Add noStore to /invoices and /customers functions

* Remove date.now()

* Use canary

* Rename component

* Fix imports

* Update types for useFormStatus and useFormState

* Rename folder, add team members

* fixed images and added login button pending state

* Update dashboard/final-example/app/lib/data.ts

Co-authored-by: Matt Kane <m@mk.gg>

---------

Co-authored-by: Steven Tey <stevensteel97@gmail.com>
Co-authored-by: Matt Kane <m@mk.gg>
2023-10-26 09:31:48 -06:00
Delba de Oliveira
3814b8d96b Prep for PPR and Polish (#215)
* Update next to canary

* Update layout.tsx

* Use canary

* Remove serverActions flag warning

* Use unstable_noStore

* Add Date.now() test

* Update metadataBase url

* Create wrapper component for Cards

* Update page.tsx

* Misc

* Delete unused data fetch

* Add noStore to /invoices and /customers functions

* Remove date.now()

* Use canary

* Rename component

* Fix imports

* Update types for useFormStatus and useFormState

* change react types due to https://github.com/DefinitelyTyped/DefinitelyTyped/issues/66841

---------

Co-authored-by: Steven Tey <stevensteel97@gmail.com>
2023-10-26 14:06:35 +01:00
Balázs Orbán
f8adecb7a4 Match NextAuth config with the course (#221)
* Create .env.local.example

* changes

* Update page.tsx

* Update definitions.ts

* wip signin validation

* fix validation in action

* fix

* remove import

* change

* update

* change

* added button state

* improved UI

---------

Co-authored-by: Steven Tey <stevensteel97@gmail.com>
2023-10-25 23:53:07 +01:00
Balázs Orbán
abf301951d feat: update to next-auth v5 (#219)
* Update to latest + refactoring.

* idk, fuck it

* Trying to make it work

* add `next-auth` fixes (#211)

Co-authored-by: Balázs Orbán <info@balazsorban.com>

* Another one

* test

* bump `next` and `next-auth`, `bcrypt` -> `bcryptjs`

* simplify

* upgrade types

* add basic html form validation

* add zod validation

* update

* remove non next-auth changes

* revert

* revert

* revert

* revert

* uses bcrypt

* fix imports

* tweaks

* revert

* revert

* revert

---------

Co-authored-by: Lee Robinson <lrobinson2011@gmail.com>
Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
2023-10-25 00:14:12 +01:00
Michael Novotny
26203163d0 Replaces dummy with placeholder (#217)
* Replaces `dummy` with `placeholder`

* Fix lockfile?
2023-10-20 22:59:52 +01:00
dependabot[bot]
f2a0cab1ed Bump postcss from 8.4.28 to 8.4.31 (#190)
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.28 to 8.4.31.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.4.28...8.4.31)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
2023-10-04 09:16:29 +01:00
Emil Kowalski
6feda66199 Add login screen (#186)
* Add login screen

* Update lock file

* Polish the view

* Update ui

---------

Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
2023-10-03 18:33:04 +02:00
Delba de Oliveira
da17909352 Add Code for Chapter 12 - Accessibility and Form Validation (#180) 2023-10-02 10:43:55 -05:00
Delba de Oliveira
b0d832e2cf Code for Chapters 9-10 (#172) 2023-10-02 09:26:13 -05:00
Stephanie Dietz
c478aa149b Adds auth to dashboard using NextAuth (#173) 2023-09-27 15:23:12 -05:00
Stephanie Dietz
7e4b69351e Add database (#153)
* add database to project. Seed data. Update customerId to customer_id

* seed customers table data

* use database everywhere

* refactor

* fix ts lint errors

* add type to invoice edit page

* remove fetch-data file and fetch data directly in components

* update latest invoices to use sql

* in invoice table, search the database here with SQL

* rename tsx files to ts and add node script to seed data

* address rest of PR comments

* move all data fetches to own file

* add types to filter invoices function

* remove unused param

* prettier

* update function names
2023-09-13 12:16:09 -05:00
Michael Novotny
1725e58866 Moves prettier and lint to root of the project (#143) 2023-09-06 12:57:56 -05:00