rayan/next-learn
1
0
Fork 0
mirror of https://github.com/vercel/next-learn.git synced 2026-06-11 09:51:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
220 Commits 28 Branches 0 Tags
8cf1326979fd02712e48337c539933f1d29ea335
Commit Graph

7 Commits

Author SHA1 Message Date
vercel[bot]
8cf1326979 Update dependencies for React Flight RCE advisory (#1144) 
# React Flight / Next.js RCE Advisory Patch

## Summary
Successfully patched the React Flight / Next.js RCE vulnerability across all affected Next.js projects in the vercel/next-learn repository.

## Analysis Results

### Projects Affected:
The repository contains multiple Next.js projects. Analysis determined:

**Updated to patched versions:**
- 2 projects using Next.js 15.1.x → Updated to 15.1.9
- 10 projects using Next.js "latest" → Pinned to 16.0.7
- 1 project already on Next.js 16.0.7 → No changes needed

**Not affected (no changes made):**
- 1 project using Next.js 13.0.2 (too old, predates vulnerability)
- 1 root workspace using Next.js 14.2.23 (stable release, not in affected range)
- No projects use react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack

## Changes Made

### Files Modified:

**SEO Projects (Next.js 15.1.x):**
- `seo/package.json` - Updated `next: ^15.1.6` → `next: 15.1.9`
- `seo/demo/package.json` - Updated `next: ^15.1.6` → `next: 15.1.9`

**Dashboard Projects (Next.js latest):**
- `dashboard/starter-example/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `dashboard/final-example/package.json` - Already at `next: 16.0.7` (no change)

**Basics Projects (Next.js latest):**
- `basics/api-routes-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/assets-metadata-css-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/basics-final/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/data-fetching-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/demo/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/dynamic-routes-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/dynamic-routes-step-1/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/learn-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/navigate-between-pages-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`

**Lockfiles:**
- `pnpm-lock.yaml` - Updated root workspace lockfile
- `basics/learn-starter/pnpm-lock.yaml` - New lockfile created
- `seo/pnpm-lock.yaml` - New lockfile created

**Not Modified:**
- `basics/typescript-final/package.json` - Uses `next: ^13.0.2` (not affected)
- `package.json` (root) - Uses `next: ^14.0.0` resolving to 14.2.23 (not affected)

## Patch Strategy

### For Next.js 15.1.x projects:
Updated to **15.1.9** per advisory guidance:
- 15.1.x → 15.1.9 (patched version for 15.1 minor)
- Did not upgrade to React manually (Next.js supplies correct versions)

### For Next.js "latest" projects:
Pinned to **16.0.7** per advisory guidance:
- Changed from "latest" to explicit "16.0.7"
- This prevents automatic upgrades and ensures the patched version is used
- 16.x → 16.0.7 (patched version for 16.0 minor)
- Did not upgrade React manually (Next.js supplies correct versions)

### For unaffected projects:
- Next.js 13.x: Too old to be affected by this vulnerability
- Next.js 14.2.x: Stable releases before 14.3.0-canary.77 are not affected

## Verification

### Build Tests Performed:
 **basics/learn-starter** (Next.js 16.0.7):
- Compiled successfully
- Static pages generated
- Build completed without dependency errors

 **seo/** (Next.js 15.1.9):
- Linting and type checking passed
- Compiled successfully
- Static pages generated
- Build completed successfully

 **Root workspace** (pnpm install):
- All dependencies installed successfully
- Lockfile updated correctly
- No breaking changes introduced

⚠️ **dashboard/final-example** (Next.js 16.0.7):
- Next.js compilation successful
- Build failures due to missing PostgreSQL database (expected in sandbox)
- Not a dependency-related issue; application requires database for data fetching
- Dependency upgrade confirmed working

## Implementation Approach

1. **Detection Phase:**
   - Scanned all package.json files in the repository
   - Identified Next.js versions and determined affected projects
   - Checked for React Flight packages (none found)

2. **Update Phase:**
   - Updated package.json files with appropriate patched versions
   - Maintained version constraints per advisory guidelines
   - Did not upgrade across major versions

3. **Lockfile Phase:**
   - Ran `pnpm install` at root to update workspace lockfile
   - Individual project lockfiles created/updated as needed
   - All dependencies resolved to patched versions

4. **Verification Phase:**
   - Tested builds on representative projects
   - Confirmed Next.js 15.1.9 builds successfully
   - Confirmed Next.js 16.0.7 builds successfully
   - Verified no breaking changes introduced

## Why This Approach:

**Version Selection:**
- 15.1.x → 15.1.9: Official patched version for 15.1 minor per advisory
- 16.0.x → 16.0.7: Official patched version for 16.0 minor per advisory
- Did not upgrade React/React-DOM manually: Next.js manages these dependencies

**"latest" → Pinned Version:**
- Changed from "latest" to explicit version numbers
- Ensures projects use patched versions
- Prevents accidental use of vulnerable versions if "latest" tag moves

**Selective Updates:**
- Only updated projects in affected version ranges
- Left Next.js 13.x and 14.2.x unchanged (not vulnerable)
- Followed advisory guidance precisely

## Advisory Compliance:

 Detected if project is affected (checked all package.json files)
 Updated Next.js 15.1.x to 15.1.9
 Updated Next.js 16.x to 16.0.7
 Did not upgrade across major versions
 Did not manually upgrade React/React-DOM (Next.js manages these)
 Updated lockfiles and reinstalled dependencies
 Verified builds work with patched versions
 Did not modify application logic
 No React Flight packages found (not applicable)

## References:
- React Flight / Next.js RCE Advisory
- CVE-2025-66478 (Next.js RCE)
- CVE-2025-55182 (React Flight RCE)
- GitHub Advisory: GHSA-9qr9-h5gf-34mp

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
 2025-12-05 17:40:13 -06:00
Lee Robinson
fc3a4e3faa Update deps on SEO and Pages Router courses (#987) 2025-01-23 08:16:22 -06:00
Michael Novotny
1725e58866 Moves prettier and lint to root of the project (#143) 2023-09-06 12:57:56 -05:00
Michael Novotny
3edf913e1c Updates node versions (#131) 2023-08-30 13:31:53 -05:00
Delba de Oliveira
be08bc6085 Update react version (#97) 2022-10-31 13:08:25 +00:00
Lee Robinson
3a1387166d Update all dependencies. (#56) 2021-11-09 10:59:56 -06:00
Delba de Oliveira
f3a215a416 Create monorepo and add SEO starter example. (#46) 2021-09-09 09:06:21 -05:00