
(CVE-2025-55182) #460

Merged

softmarshmallow merged 1 commit into main from CVE-2025-55182 on Dec 6, 2025

Conversation

@softmarshmallow (Member) commented Dec 6, 2025

fix CVE-2025-55182


Note

Upgrade monorepo to React 19.2.1 and Next 15.3.6 (with aligned tooling and lockfile updates) across apps and internal packages.

  • Dependencies (monorepo-wide):
    • Bump react/react-dom to 19.2.1 and next to 15.3.6; align eslint-config-next to 15.3.6 and add pnpm overrides.
    • Update lockfile to reflect dependency graph (Sentry, Docusaurus, Radix UI, visx, etc.).
  • Apps:
    • apps/backgrounds, apps/viewer: upgrade next, react, react-dom, eslint-config-next.
    • apps/blog, apps/docs: upgrade react, react-dom.
    • desktop: upgrade react, react-dom.
    • editor: upgrade next, react, react-dom and related libs to compatible versions.
  • Packages:
    • Internal packages switch dev react to ^19.0.0 and keep peer ranges supporting ^18 || ^19.

Written by Cursor Bugbot for commit 0b78889.

Summary by CodeRabbit

  • Chores
    • Updated core framework and library versions across the application stack, including Next.js 15.3.6 and React 19.2.1, to improve stability and performance.


@vercel (bot) commented Dec 6, 2025

The latest updates on your projects.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| backgrounds | Ready | Preview | Comment | Dec 6, 2025 6:06am |
| blog | Ready | Preview | Comment | Dec 6, 2025 6:06am |
| docs | Ready | Preview | Comment | Dec 6, 2025 6:06am |
| grida | Ready | Preview | Comment | Dec 6, 2025 6:06am |
| viewer | Ready | Preview | Comment | Dec 6, 2025 6:06am |

2 Skipped Deployments

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| code | Ignored | Ignored | | Dec 6, 2025 6:06am |
| legacy | Ignored | Ignored | | Dec 6, 2025 6:06am |

@coderabbitai (bot) commented Dec 6, 2025

Walkthrough

Dependency version updates across the monorepo: React and React-DOM upgraded from 19.0.0 to 19.2.1; Next.js packages updated from 15.3.2 to 15.3.6; internal packages changed from exact to caret version constraints; pnpm.overrides added to the root package.json.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Next.js-dependent apps: apps/backgrounds/package.json, apps/viewer/package.json, editor/package.json | Updated next, @next/third-parties, react, react-dom from 15.3.2→15.3.6 and 19.0.0→19.2.1; updated eslint-config-next 15.3.2→15.3.6 |
| React-only app updates: apps/blog/package.json, apps/docs/package.json, desktop/package.json | Updated react and react-dom from 19.0.0 to 19.2.1 |
| Root monorepo config: package.json | Added pnpm.overrides for next (15.3.6), react (19.2.1), and react-dom (19.2.1) |
| Internal packages (version constraint relaxation): packages/grida-canvas-pixelgrid/package.json, packages/grida-canvas-react-timeline/package.json, packages/grida-canvas-ruler/package.json, packages/grida-canvas-transparency-grid/package.json, packages/grida-number-input/package.json, packages/react-p-queue/package.json | Changed react devDependency from exact version "19.0.0" to caret range "^19.0.0" |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Verify version consistency across all package.json files
  • Confirm pnpm.overrides are appropriate for the chosen versions
  • Check that internal package version relaxation (exact to caret) aligns with compatibility requirements

Possibly related PRs

  • [draft] daily release #343: Updates same dependency declarations (react, react-dom, next, and related tooling) across overlapping packages and apps in the monorepo.

Poem

🐰 Hops through package.json with glee,
Nineteen point two-one, can't you see?
Fifteen-point-six for Next to dance,
Version bumps across the expanse,
Fresh dependencies in their place—
A monorepo at a modern pace!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title '(CVE-2025-55182)' is not descriptive of the actual changes; it only references a CVE identifier without explaining what the fix accomplishes. | Replace the title with a descriptive summary of the changes, such as 'Bump React to 19.2.1 and Next.js to 15.3.6 (CVE-2025-55182)' to clearly communicate the main changes. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 969e2ea and 0b78889.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • apps/backgrounds/package.json (2 hunks)
  • apps/blog/package.json (1 hunks)
  • apps/docs/package.json (1 hunks)
  • apps/viewer/package.json (2 hunks)
  • desktop/package.json (1 hunks)
  • editor/package.json (3 hunks)
  • package.json (1 hunks)
  • packages/grida-canvas-pixelgrid/package.json (1 hunks)
  • packages/grida-canvas-react-timeline/package.json (1 hunks)
  • packages/grida-canvas-ruler/package.json (1 hunks)
  • packages/grida-canvas-transparency-grid/package.json (1 hunks)
  • packages/grida-number-input/package.json (1 hunks)
  • packages/react-p-queue/package.json (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
package.json

📄 CodeRabbit inference engine (AGENTS.md)

Use Node.js 22 as the main runtime for most apps

Files:

  • package.json
🧠 Learnings (8)
📚 Learning: 2025-12-01T00:21:48.564Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T00:21:48.564Z
Learning: Applies to **/*.{tsx,jsx} : Use React.js 19 for web UI development

Applied to files:

  • apps/docs/package.json
  • apps/blog/package.json
  • packages/grida-canvas-react-timeline/package.json
  • apps/viewer/package.json
  • packages/grida-canvas-pixelgrid/package.json
  • package.json
  • packages/grida-canvas-ruler/package.json
  • packages/grida-canvas-transparency-grid/package.json
  • packages/react-p-queue/package.json
  • packages/grida-number-input/package.json
  • desktop/package.json
  • editor/package.json
  • apps/backgrounds/package.json
📚 Learning: 2025-12-01T00:21:48.564Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T00:21:48.564Z
Learning: Applies to package.json : Use Node.js 22 as the main runtime for most apps

Applied to files:

  • apps/blog/package.json
  • desktop/package.json
  • editor/package.json
📚 Learning: 2025-12-01T00:21:48.564Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T00:21:48.564Z
Learning: Applies to {editor,apps}/**/app/**/*.{ts,tsx} : Use Next.js 15 as the web framework

Applied to files:

  • apps/viewer/package.json
  • package.json
  • editor/package.json
  • apps/backgrounds/package.json
📚 Learning: 2025-12-01T00:21:48.564Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T00:21:48.564Z
Learning: Applies to **/*.{ts,tsx,css} : Use Tailwind CSS 4 for styling

Applied to files:

  • apps/viewer/package.json
  • apps/backgrounds/package.json
📚 Learning: 2025-12-01T00:22:41.045Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: editor/AGENTS.md:0-0
Timestamp: 2025-12-01T00:22:41.045Z
Learning: Applies to editor/**/next-env.d.ts : Include `next-env.d.ts` file in git for the project to avoid requiring dev/build runs for typechecking in CI environments

Applied to files:

  • apps/viewer/package.json
  • package.json
  • editor/package.json
  • apps/backgrounds/package.json
📚 Learning: 2025-12-01T00:21:48.564Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-01T00:21:48.564Z
Learning: Applies to **/*.{ts,tsx} : Use TypeScript 5 as the main language for most apps

Applied to files:

  • apps/viewer/package.json
  • package.json
  • apps/backgrounds/package.json
📚 Learning: 2025-12-01T00:22:19.083Z
Learnt from: CR
Repo: gridaco/grida PR: 0
File: crates/grida-canvas-wasm/AGENTS.md:0-0
Timestamp: 2025-12-01T00:22:19.083Z
Learning: Applies to crates/grida-canvas-wasm/**/main.rs : Update `grida-canvas-wasm.d.ts` TypeScript definitions file when new APIs are introduced via `main.rs`

Applied to files:

  • packages/grida-canvas-ruler/package.json
  • packages/grida-canvas-transparency-grid/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: cargo test
  • GitHub Check: test
🔇 Additional comments (13)
packages/grida-canvas-pixelgrid/package.json (1)

42-43: Caret range strategy for library devDependency is appropriate.

Allowing ^19.0.0 instead of pinning to 19.0.0 is a reasonable approach for library packages, enabling patch/minor updates while peer dependencies remain flexible. The peer dependency declaration (^18.0.0 || ^19.0.0) correctly permits both React 18 and 19.

packages/grida-number-input/package.json (1)

63-65: Caret range is consistent with library package strategy.

The change from "19.0.0" to "^19.0.0" aligns with the monorepo pattern for library devDependencies, allowing patch/minor version flexibility. Peer dependencies remain compatible with both React 18 and 19.

apps/docs/package.json (1)

32-33: Production dependency upgrade to React 19.2.1 is a stable patch release.

Upgrading from 19.0.0 to 19.2.1 is a safe patch-level update. React 19.2.1 includes stability improvements and bug fixes without breaking changes. Pinning exact versions for production dependencies is the right approach.

packages/grida-canvas-react-timeline/package.json (1)

6-7: Caret range for devDependency aligns with monorepo pattern.

Consistent with other library packages; ^19.0.0 allows flexible patch/minor updates while the security fix (19.2.1) becomes available through transitive resolution.

packages/grida-canvas-ruler/package.json (1)

41-42: Caret range follows established pattern for library devDependencies.

Consistent with other packages in the monorepo. Peer dependencies remain flexible for both React 18 and 19.

desktop/package.json (1)

27-28: Production React upgrade to 19.2.1 is appropriate for Electron app.

Safe patch-level update. TypeScript definitions properly aligned (^19 for @types/react and @types/react-dom). Electron 36.2.0 is compatible with React 19.2.1.

packages/react-p-queue/package.json (1)

38-39: Caret range strategy maintains compatibility across React versions.

Consistent with library pattern in the monorepo. Broad peer dependency support (^18.0.0 || ^19.0.0) remains intact and flexible.

apps/blog/package.json (1)

23-24: Production upgrade to React 19.2.1 is stable and consistent.

Safe patch-level update aligned with apps/docs. Docusaurus 3.7.0 is compatible with React 19.2.1. Consistent version strategy across the app ecosystem.

packages/grida-canvas-transparency-grid/package.json (1)

49-49: Version constraint appropriately broadened for React 19.

Updating the devDependency from an exact "19.0.0" to a caret range "^19.0.0" is appropriate for a library package. The peer dependencies correctly allow both React 18 and 19, maintaining backward compatibility.

editor/package.json (1)

59-60: Consistent dependency bumps across Next.js and React ecosystem.

All Next.js packages (mdx, third-parties, next, eslint-config-next) are updated from 15.3.2 to 15.3.6; React and React-DOM upgraded from 19.0.0 to 19.2.1. The type definitions (@types/react, @types/react-dom) already use caret ranges (^19), ensuring compatibility. This is a coordinated patch/minor update across the framework stack.

Please verify that React 19.2.1 and Next.js 15.3.6 are the correct versions that address CVE-2025-55182. Consider confirming:

  1. The CVE advisory recommends these specific versions.
  2. No other packages in dependencies/devDependencies have conflicting constraints.
  3. These versions are stable and not beta/RC releases.

Also applies to: 177-177, 183-183, 187-187, 269-269

apps/viewer/package.json (1)

16-16: Framework and runtime versions aligned with editor package.

Next.js, React, and React-DOM are updated consistently with the editor app. The pattern of updating next and eslint-config-next to 15.3.6 and react/react-dom to 19.2.1 is uniform across the repository.

Also applies to: 18-19, 30-30

package.json (1)

38-41: pnpm.overrides correctly enforces monorepo-wide React and Next.js versions.

The root package.json now pins next (15.3.6), react (19.2.1), and react-dom (19.2.1) via pnpm.overrides. This ensures all transitive dependencies across the monorepo resolve to these versions unless explicitly overridden in individual package.json files. This is the appropriate mechanism for enforcing a CVE fix across a monorepo.

Verify that no package.json in the monorepo has conflicting exact version pins for next, react, or react-dom that would bypass these overrides. You can run pnpm ls next react react-dom to confirm the resolved versions match the override targets.

apps/backgrounds/package.json (1)

14-14: Dependency updates aligned with other app packages.

The @next/third-parties, next, react, and react-dom versions are updated following the same pattern as editor and viewer apps. eslint-config-next is synchronized with the new Next.js version (15.3.6).

Also applies to: 19-21, 34-34



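The PR description above bumps react/react-dom and next across every app and package and adds root pnpm.overrides, and CodeRabbit's review asks for a check that no manifest still carries a constraint that can resolve below those versions. The following Node.js script is an added example for both points; it is not code from the gridaco/grida repository or from this PR. It walks a set of package.json contents, computes the lowest version each declared range can resolve to, flags anything below the floor, and confirms that root pnpm.overrides pin every affected package at or above it. The manifest paths and contents are constructed to mirror the shapes described in the PR, and the FIXED map holds the versions this PR adopts, not a statement of every fixed release line in the advisory. It complements the pnpm ls check suggested in the review: pnpm ls reports what the lockfile actually resolved, while this reports what the manifests declare and whether the overrides close the remaining gap.

```javascript
// Added example (not from the gridaco/grida repository): audit a pnpm
// monorepo's package.json manifests for React/Next.js declarations that can
// still resolve below the versions this PR adopts for CVE-2025-55182.
// The floor versions are taken from the PR itself (react/react-dom 19.2.1,
// next 15.3.6); other fixed release lines in the advisory are not modelled.
const FIXED = { react: '19.2.1', 'react-dom': '19.2.1', next: '15.3.6' };

// Parse "X.Y.Z" (optionally prefixed by ^, ~, >= or =) into [X, Y, Z].
function parseVersion(spec) {
  const m = /^(?:\^|~|>=|=)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(spec.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Lowest version a range may resolve to. For the forms seen in this PR
// (exact "19.0.0", caret "^19.0.0", tilde, ">=", and "||" unions of those)
// the floor is the smallest base version. Anything else ("*", "latest",
// "workspace:*", git URLs) is reported as unknown (null) so it gets flagged.
function rangeFloor(range) {
  const parts = range.split('||');
  const floors = parts.map((part) => parseVersion(part)).filter(Boolean);
  if (floors.length === 0 || floors.length !== parts.length) return null;
  return floors.sort(compareVersions)[0];
}

// Audit one manifest. Only dependencies and devDependencies are checked:
// peerDependencies describe what a consumer may supply, not what this
// package installs, so "^18.0.0 || ^19.0.0" there is not a finding.
function auditManifest(file, manifest, fixed = FIXED) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [dep, range] of Object.entries(manifest[field] || {})) {
      if (!(dep in fixed)) continue;
      const floor = rangeFloor(range);
      const ok = floor && compareVersions(floor, parseVersion(fixed[dep])) >= 0;
      if (!ok) {
        findings.push({ file, field, dep, range, floor: floor ? floor.join('.') : 'unknown', fixed: fixed[dep] });
      }
    }
  }
  return findings;
}

// Root pnpm.overrides must pin every affected package at or above the fix;
// that is what closes the gap for caret ranges and transitive copies that
// individual manifests do not pin. Returns the packages not covered.
function auditOverrides(rootManifest, fixed = FIXED) {
  const overrides = (rootManifest.pnpm && rootManifest.pnpm.overrides) || {};
  const missing = [];
  for (const [dep, minimum] of Object.entries(fixed)) {
    const floor = overrides[dep] ? rangeFloor(overrides[dep]) : null;
    if (!floor || compareVersions(floor, parseVersion(minimum)) < 0) missing.push(dep);
  }
  return missing;
}

// Constructed sample manifests modelled on the shapes described in this PR;
// the paths and contents are illustrative, not copied from the repository.
const SAMPLE_MANIFESTS = {
  'package.json': { pnpm: { overrides: { next: '15.3.6', react: '19.2.1', 'react-dom': '19.2.1' } } },
  'apps/example-app/package.json': { dependencies: { next: '15.3.6', react: '19.2.1', 'react-dom': '19.2.1' } },
  'packages/example-lib/package.json': {
    devDependencies: { react: '^19.0.0' },
    peerDependencies: { react: '^18.0.0 || ^19.0.0' },
  },
  'apps/stale-app/package.json': { dependencies: { next: '15.3.2', react: '19.0.0' } },
};

function auditMonorepo(manifests, fixed = FIXED) {
  const findings = Object.entries(manifests).flatMap(([file, m]) => auditManifest(file, m, fixed));
  const missingOverrides = auditOverrides(manifests['package.json'] || {}, fixed);
  return { findings, missingOverrides };
}

const REPORT = auditMonorepo(SAMPLE_MANIFESTS);
for (const f of REPORT.findings) {
  console.log(`${f.file} ${f.field}.${f.dep} "${f.range}" can resolve to ${f.floor}, below ${f.fixed}`);
}
console.log(REPORT.missingOverrides.length
  ? `root pnpm.overrides missing or too low for: ${REPORT.missingOverrides.join(', ')}`
  : 'root pnpm.overrides cover all affected packages');
```

A finding on a caret devDependency such as "^19.0.0" is informational when the root overrides cover that package, because pnpm will resolve it to the override; a finding on an exact pin below the floor, or a missing override, means a manifest could still install a vulnerable version and should be fixed before merge. To run it against a real checkout, replace SAMPLE_MANIFESTS with the parsed contents of each package.json in the workspace.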
