rayan/next-learn
1
0
Fork 0
mirror of https://github.com/vercel/next-learn.git synced 2026-06-11 09:51:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
220 Commits 28 Branches 0 Tags
8cf1326979fd02712e48337c539933f1d29ea335
Commit Graph

58 Commits

Author SHA1 Message Date
vercel[bot]
8cf1326979 Update dependencies for React Flight RCE advisory (#1144) 
# React Flight / Next.js RCE Advisory Patch

## Summary
Successfully patched the React Flight / Next.js RCE vulnerability across all affected Next.js projects in the vercel/next-learn repository.

## Analysis Results

### Projects Affected:
The repository contains multiple Next.js projects. Analysis determined:

**Updated to patched versions:**
- 2 projects using Next.js 15.1.x → Updated to 15.1.9
- 10 projects using Next.js "latest" → Pinned to 16.0.7
- 1 project already on Next.js 16.0.7 → No changes needed

**Not affected (no changes made):**
- 1 project using Next.js 13.0.2 (too old, predates vulnerability)
- 1 root workspace using Next.js 14.2.23 (stable release, not in affected range)
- No projects use react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack

## Changes Made

### Files Modified:

**SEO Projects (Next.js 15.1.x):**
- `seo/package.json` - Updated `next: ^15.1.6` → `next: 15.1.9`
- `seo/demo/package.json` - Updated `next: ^15.1.6` → `next: 15.1.9`

**Dashboard Projects (Next.js latest):**
- `dashboard/starter-example/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `dashboard/final-example/package.json` - Already at `next: 16.0.7` (no change)

**Basics Projects (Next.js latest):**
- `basics/api-routes-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/assets-metadata-css-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/basics-final/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/data-fetching-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/demo/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/dynamic-routes-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/dynamic-routes-step-1/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/learn-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`
- `basics/navigate-between-pages-starter/package.json` - Pinned `next: latest` → `next: 16.0.7`

**Lockfiles:**
- `pnpm-lock.yaml` - Updated root workspace lockfile
- `basics/learn-starter/pnpm-lock.yaml` - New lockfile created
- `seo/pnpm-lock.yaml` - New lockfile created

**Not Modified:**
- `basics/typescript-final/package.json` - Uses `next: ^13.0.2` (not affected)
- `package.json` (root) - Uses `next: ^14.0.0` resolving to 14.2.23 (not affected)

## Patch Strategy

### For Next.js 15.1.x projects:
Updated to **15.1.9** per advisory guidance:
- 15.1.x → 15.1.9 (patched version for 15.1 minor)
- Did not upgrade to React manually (Next.js supplies correct versions)

### For Next.js "latest" projects:
Pinned to **16.0.7** per advisory guidance:
- Changed from "latest" to explicit "16.0.7"
- This prevents automatic upgrades and ensures the patched version is used
- 16.x → 16.0.7 (patched version for 16.0 minor)
- Did not upgrade React manually (Next.js supplies correct versions)

### For unaffected projects:
- Next.js 13.x: Too old to be affected by this vulnerability
- Next.js 14.2.x: Stable releases before 14.3.0-canary.77 are not affected

## Verification

### Build Tests Performed:
 **basics/learn-starter** (Next.js 16.0.7):
- Compiled successfully
- Static pages generated
- Build completed without dependency errors

 **seo/** (Next.js 15.1.9):
- Linting and type checking passed
- Compiled successfully
- Static pages generated
- Build completed successfully

 **Root workspace** (pnpm install):
- All dependencies installed successfully
- Lockfile updated correctly
- No breaking changes introduced

⚠️ **dashboard/final-example** (Next.js 16.0.7):
- Next.js compilation successful
- Build failures due to missing PostgreSQL database (expected in sandbox)
- Not a dependency-related issue; application requires database for data fetching
- Dependency upgrade confirmed working

## Implementation Approach

1. **Detection Phase:**
   - Scanned all package.json files in the repository
   - Identified Next.js versions and determined affected projects
   - Checked for React Flight packages (none found)

2. **Update Phase:**
   - Updated package.json files with appropriate patched versions
   - Maintained version constraints per advisory guidelines
   - Did not upgrade across major versions

3. **Lockfile Phase:**
   - Ran `pnpm install` at root to update workspace lockfile
   - Individual project lockfiles created/updated as needed
   - All dependencies resolved to patched versions

4. **Verification Phase:**
   - Tested builds on representative projects
   - Confirmed Next.js 15.1.9 builds successfully
   - Confirmed Next.js 16.0.7 builds successfully
   - Verified no breaking changes introduced

## Why This Approach:

**Version Selection:**
- 15.1.x → 15.1.9: Official patched version for 15.1 minor per advisory
- 16.0.x → 16.0.7: Official patched version for 16.0 minor per advisory
- Did not upgrade React/React-DOM manually: Next.js manages these dependencies

**"latest" → Pinned Version:**
- Changed from "latest" to explicit version numbers
- Ensures projects use patched versions
- Prevents accidental use of vulnerable versions if "latest" tag moves

**Selective Updates:**
- Only updated projects in affected version ranges
- Left Next.js 13.x and 14.2.x unchanged (not vulnerable)
- Followed advisory guidance precisely

## Advisory Compliance:

 Detected if project is affected (checked all package.json files)
 Updated Next.js 15.1.x to 15.1.9
 Updated Next.js 16.x to 16.0.7
 Did not upgrade across major versions
 Did not manually upgrade React/React-DOM (Next.js manages these)
 Updated lockfiles and reinstalled dependencies
 Verified builds work with patched versions
 Did not modify application logic
 No React Flight packages found (not applicable)

## References:
- React Flight / Next.js RCE Advisory
- CVE-2025-66478 (Next.js RCE)
- CVE-2025-55182 (React Flight RCE)
- GitHub Advisory: GHSA-9qr9-h5gf-34mp

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
 2025-12-05 17:40:13 -06:00
Joseph
799cd79739 chore: regenerate lock files (#1138) 
* chore: bump packages

* chore: update tsconfig starter-example
 2025-11-26 23:32:09 +01:00
Joseph
7a05b718a1 learn: update to use proxy (#1120) 
* learn: update to use proxy

* learn: prettier fix to tsconfig
 2025-11-04 08:52:46 +01:00
Joseph
5bea28a64d feat: nodejs runtime for middleware (#1087) 2025-08-21 09:34:02 +02:00
Joseph
1041eeac0e chore: add sharp to pnpm built dependencies (#1066) 2025-05-26 12:47:07 -05:00
Joseph
3829633600 Upgrade packages in next-learn/dashboard (#1061) 
* chore: Bump packages in starter-example

* chore: Bump packages in final-example

* chore: allow bcrypt to build

* chore: prettier fixes
 2025-05-22 11:30:38 +02:00
zviedris
b9c5ac3ed6 fixed missing query files (#992) 2025-01-29 20:41:04 -06:00
Lee Robinson
46d15fa2e5 Move from @vercel/postgres to postgres (provider-agnostic) (#989) 
* Postgres

* fix

* fix

* prettier-fix

---------

Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
 2025-01-29 11:39:32 -06:00
Lee Robinson
fc3a4e3faa Update deps on SEO and Pages Router courses (#987) 2025-01-23 08:16:22 -06:00
Lee Robinson
fc6c41c8d1 Update auth chapter (#983) 2025-01-21 12:09:06 -06:00
Lee Robinson
c5f12f9e3c React 19 stable. (#946) 2024-12-05 15:22:59 -06:00
Lee Robinson
0e41ddce78 Update dependencies (#941) 2024-12-02 11:34:21 -06:00
Lee Robinson
e73e821f30 Update to Next 15 stable (#888) 2024-10-21 17:17:11 -05:00
Lee Robinson
1011f2f19f Move to canary until we cut a new RC version. 2024-07-06 11:56:38 -05:00
Lee Robinson
d379162091 Cleanup from previous simplification PR. 2024-07-05 22:15:52 -05:00
Lee Robinson
bab4ed6723 Fix test 2024-06-23 22:52:12 -05:00
Lee Robinson
f535c37750 Update the Learn codebase (#764) 2024-06-23 22:48:40 -05:00
wnhlee
9daf946b78 Remove unused getUser (#533) 
* remove unused getUser

* fixup
 2024-06-23 18:01:57 -05:00
howiesommerfeld
8022bb32a2 Add index to key for uniqueness (#640) 
Using only the page as a key does not preserve uniqueness across updates. This caused, for example, an ellipsis to appear before the pagination elements when navigating from a page in the middle back to the first page.
 2024-06-23 18:00:24 -05:00
Artur Comunello
fe35ffe0be Fix missing type (#624) 
Co-authored-by: Artur Comunello <artur.comunello@corel.com>
 2024-06-23 17:58:42 -05:00
Bartosz Trusiński
63b4f71f5a Fix: make UI skeleton look like its actual component (#620) 2024-06-23 17:57:59 -05:00
Delba de Oliveira
f8d9f39f44 Remove old team members (#744) 2024-06-23 11:33:55 -05:00
Delba de Oliveira
de76b00263 Replace useFormStatus and useFormState with useActionState (#748) 2024-06-19 03:41:51 -05:00
Delba de Oliveira
deca7c766f Add PPR (#745) 
* Update to next v15, switch to pnpm

* Delete package-lock.json

* Add PPR

* Update to next@canary

* Update starter-example to next@canary

* Update file extension

* Update ts compiler options to match CNA

* Fix ts errors
 2024-06-19 08:50:40 +01:00
Delba de Oliveira
58f9a68c6a Update Next 15 RC, React 19 RC, and use pnpm (#743) 
* Update to next v15, switch to pnpm

* Delete package-lock.json
 2024-06-11 13:28:44 -05:00
Max
646898bc52 Fix: Typo in comment (#544) 
* Fix: Typo in comment

Added missing word 'to'.

* Update comment in final-example

---------

Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
 2024-01-08 12:36:50 +00:00
Balázs Orbán
e75f71499f chore: bump next-auth (#491) 
* chore: bump `next-auth`

* shorten message
 2023-11-29 12:44:04 +00:00
Ryota Murakami
7fc5092ca2 Update CustomersTable type definition (#466) 
* Update CustomersTable type definition

* Update import statement in CustomersTable
component

* Update definition everywhere

---------

Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
 2023-11-28 10:32:07 +00:00
warin
069263d2bc Update latest-invoices.tsx (#483) 
* Update latest-invoices.tsx

removed "lg:col-span-4" tailwind class since there's already "md:col-span-4"

* Remove extra lg classnames

---------

Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
 2023-11-28 09:57:04 +00:00
Delba de Oliveira
10684e2468 Papercuts (#472) 2023-11-20 09:50:11 -06:00
Delba de Oliveira
9d8df63d7e Fix radio input when system preference is set to dark (#458) 
* Remove Tailwind dark: classes and focus:ring-gray

* Prettier fix
 2023-11-17 16:35:52 +00:00
Mohammed Elzanaty
9874174ed4 feature: add prettier config (#452) 
* chore: fix dashboard readme

* feat: add prettier config

* chore: update Node version requirement to 18.17.0

* Remove extra space

* Update @tailwind/forms

* Testing

---------

Co-authored-by: mohamed.elzanaty3 <mohamed.elzanaty3@vodafone.com>
Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
 2023-11-16 17:52:29 +00:00
Stephanie Dietz
32607c93c9 Edits based on feedback (#410) 
* remove Link component from page. This will be added later

* re-add the Link component. Turns out is was supposed to be there

* replace flex-grow with the new utility grow

* issue: https://github.com/vercel/next-learn/pull/415

* Add missing step

---------

Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
 2023-11-16 09:22:40 -06:00
Luther Tchofo Safo
3d31555920 Update data.ts (#408) 
* Update data.ts

Just a typo for 'Failed to fetch card data.'

* Update wording in final-example

---------

Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
 2023-11-16 15:02:16 +00:00
Delba de Oliveira
53f754109b Fix typo (#451) 2023-11-16 15:00:07 +00:00
Shinya Fujino
fc5605ca55 Fix newline placement in app/page.tsx (#376) 
* Fix newline placement in app/page.tsx

* Fix import order

---------

Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
 2023-11-16 14:48:36 +00:00
Othella
03e5a415dd Fixed Sign out button full width in sidenav (#365) 
* Fixed Sign out button with on sidenav

* Fix button width for final-example

---------

Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
 2023-11-16 14:42:36 +00:00
Delba de Oliveira
45fcde471b Improve Form Error Accessibility (#450) 2023-11-16 08:27:20 -06:00
Ansul Agrawal
7dbcd94d4c Fix: Button Import (#298) 
* Added Cursor Pointer and Fix Button Import

* Removed Cursor Pointer from text Input

* Removed From edit form also

* Prettier fix

---------

Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
Co-authored-by: Delba de Oliveira <delbabrown@gmail.com>
 2023-11-16 14:16:48 +00:00
Delba de Oliveira
18221b2f80 Update node versions for v14 (#446) 
* Update minimum node version for server actions

* Update min node version for Next.js 14

* Update root
 2023-11-15 19:58:21 +00:00
Delba de Oliveira
0a2b32dfc0 Upgrade Next.js + Papercuts (#441) 
* Remove 'use client' as users will add it in the course

* Use consistent variable names as per React docs

* Remove alt tag

- This will error in the demo, to show them how `npm run lint` works

* Fix capitalization

* Upgrade next
 2023-11-14 15:40:18 +00:00
Tyler Howard
c64f396fa9 Fix SQL formatting convention (#390) (#421) 
Co-authored-by: Tyler Howard <22920537+Tyler98ky@users.noreply.github.com>
Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
 2023-11-14 14:24:26 +00:00
Krystian Mateusiak
6a9c3366fb Update page.tsx - fix typo (#433) 2023-11-13 17:08:08 +00:00
Wes
afe1f5d71a Fix the typo in the comments of seed.js (#402) 2023-11-07 12:17:55 +00:00
Alan Chou
a9077215a0 fix: typo (#358) 2023-11-03 09:26:01 -05:00
Steven Tey
888a13524a Fix Middleware matcher to make profile pics work (#355) 2023-11-03 12:27:23 +00:00
Delba de Oliveira
a910ad8f58 Rename Cards component to CardWrapper (#329) 
* Rename <Cards/> to <CardWrapper/>

* Update starter-example
 2023-10-31 11:15:00 -05:00
Delba de Oliveira
5a65b98034 Use bind instead of hidden field (#311) 
* Use bind instead of hidden field

* Update actions.ts
 2023-10-31 11:14:37 -05:00
Delba de Oliveira
8543a0d55f Fix .env filename (#330) 2023-10-31 09:25:29 -05:00
YukiOnishi
7a81783cb0 fix: revised to add env sample (#324) 2023-10-31 11:46:47 +00:00