chore: update next/react packages #138
Conversation
WalkthroughUpdated Next.js, React, and React DOM dependencies to minor patch versions in the frontend package configuration. All updates are minor version increments that typically include bug fixes and performance improvements without breaking changes. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes
Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
frontend/package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (1)
frontend/package.json(1 hunks)
| "graphql": "^16.9.0", | ||
| "isbot": "^5.1.28", | ||
| "next": "^15.3.5", | ||
| "next": "^15.3.6", |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
security advisories next 15.3.6
💡 Result:
Which product do you mean by "next"? (example: Nextcloud, Next.js, Next-Auth, a Linux distro, a vendor product) Also confirm that "15.3.6" is the version number you want advisories for.
🌐 Web query:
security vulnerabilities react 19.1.2 react-dom
💡 Result:
Short answer: A critical RCE (CVE-2025-55182, aka "React2Shell") was disclosed for React Server Components; versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 were vulnerable. React released patched packages (including 19.1.2) on December 3, 2025 — so 19.1.2 is a security fix for that issue. [1][2][3]
What to do now (Dec 11, 2025):
- If you run any Server Components / React Server Function endpoints, upgrade to a patched React Server Components package (for example 19.1.2 or newer, or 19.2.1 as listed by React). Verify the specific package affected: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. [1][2]
- If you use Next.js or other frameworks that bundle RSC packages, apply their vendor patches (Next.js patched releases noted in advisories). [2][3]
- If you cannot patch immediately, block or restrict access to RSC endpoints and deploy WAF/IDS rules until patched. Monitor for public PoCs and active exploitation. [2][4]
Sources:
[1] React security advisory / blog (Dec 3, 2025). (react.dev)
[2] Wallarm / industry advisories summarizing CVE-2025-55182 and active exploitation. (lab.wallarm.com)
[3] Institutional advisory / notices summarizing impact and affected packages (e.g., CMU, vendor advisories). (cmu.edu)
If you want, I can: (a) check your project's package.json / lockfile for vulnerable packages, or (b) produce an npm upgrade/pinning plan and CI checks. Which do you prefer?
Citations:
- 1: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components?utm_source=openai
- 2: https://lab.wallarm.com/wallarm-blocks-exploitation-remote-code-execution-vulnerability-react-server-components/?utm_source=openai
- 3: https://www.cmu.edu/iso/news/2025/react2shell-critical-vulnerability.html?utm_source=openai
🌐 Web query:
next.js 15.3.6 latest patch version
💡 Result:
As of Dec 11, 2025 the patched release for the 15.3.x line is next@15.3.6. [1][2]
Sources:
- Next.js security advisory / blog (patched versions list). [1]
- vercel/next.js GitHub security advisory. [2]
🌐 Web query:
react 19.1.2 latest patch stable version
💡 Result:
Short answer: 19.1.2 is a stable security patch for the 19.1 line (released Dec 3, 2025), but the overall latest stable React release is 19.2.1 (released Dec 3, 2025). [1][2][3]
Sources:
- React security advisory / blog (patches 19.0.1, 19.1.2, 19.2.1). [1]
- React GitHub releases (19.1.2 and 19.2.1 tags, Dec 3, 2025). [2]
- endoflife.date listing showing latest 19.2.1. [3]
These are critical security patches for CVE-2025-55182 (React2Shell RCE), not routine maintenance updates.
The updates to react@19.1.2 and react-dom@19.1.2 address a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) affecting versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. These patches were released on December 3, 2025. Similarly, next@15.3.6 is the patched version for the 15.3.x line for this same vulnerability.
These versions should be applied immediately if the project uses React Server Components or Server Functions with Next.js. Verify that:
- Any
react-server-dom-*packages (webpack, parcel, turbopack) are also updated to patched versions - Next.js is running a vendor-patched release that includes RSC fixes
- If RSC endpoints cannot be patched immediately, restrict access and monitor for active exploitation
The type definitions (@types/react@^19.1.8 and @types/react-dom@^19.1.6) remain compatible with these patched versions.
Also applies to: 29-30
🤖 Prompt for AI Agents
In frontend/package.json around line 25 (and also apply to lines 29-30), the
project pins vulnerable versions; update "next" to "15.3.6", bump "react" and
"react-dom" to "19.1.2" (and keep/update @types/react to ^19.1.8 and
@types/react-dom to ^19.1.6 if present), and update any react-server-dom-*
packages to their patched releases; after changing package.json, run your
package manager install (npm/yarn/pnpm), lockfile update, run tests/build, and
verify Next.js vendor-patched release is used—if you cannot immediately patch
RSC endpoints, restrict access and monitor traffic until patched.
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.