From e02e2f2eba8877ccba9a20069b501321cc4e1978 Mon Sep 17 00:00:00 2001
From: Vercel
Date: Tue, 27 Jan 2026 17:41:14 +0000
Subject: [PATCH 1/2] Fix React Server Components CVE vulnerabilities Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.
Co-authored-by: Vercel
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index e946c0b..062b81c 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
 "dependencies": {
 "@vercel/analytics": "^1.5.0",
 "axios": "^1.9.0",
- "next": "15.3.2",
+ "next": "15.3.8",
 "next-pwa": "^5.6.0",
 "react": "^19.0.0",
 "react-dom": "^19.0.0"
From ce2d1da21184e22199c426d642596377f53d037b Mon Sep 17 00:00:00 2001
From: Vercel
Date: Mon, 9 Feb 2026 22:36:31 +0000
Subject: [PATCH 2/2] Fix: Next.js 15.3.8 does not contain the security patch for CVE-2025-55182/CVE-2025-66478 - the patched version for the 15.3.x line is 15.3.9
Co-authored-by: Moikapy
---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 062b81c..c61a9d6 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
 "dependencies": {
 "@vercel/analytics": "^1.5.0",
 "axios": "^1.9.0",
- "next": "15.3.8",
+ "next": "15.3.9",
 "next-pwa": "^5.6.0",
 "react": "^19.0.0",
 "react-dom": "^19.0.0"
@@ -24,7 +24,7 @@
 "@types/react-dom": "^19",
 "daisyui": "^5.0.35",
 "eslint": "^9",
- "eslint-config-next": "15.3.2",
+ "eslint-config-next": "15.3.9",
 "prettier": "^3.5.3",
 "tailwindcss": "^4",
 "typescript": "^5"
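Review bot: The `"next": "15.3.9"` pin in the first hunk of PATCH 2/2 lands without a lockfile change (both diffstats list only package.json), so whether a build actually resolves to 15.3.9 depends on a lockfile not visible here; the regenerated lockfile should be committed with the bump and the installed version confirmed with `npm ls next`. PATCH 1/2 presented 15.3.8 as the fixed release and PATCH 2/2 says it is not, so the 15.3.9 claim should be checked against the vendor advisory for CVE-2025-55182/CVE-2025-66478 rather than taken from either commit message. The first message also lists the `react-server-dom-*` packages as updated, yet neither diff touches them; presumably they are not direct dependencies of this project, but it is worth confirming that no vulnerable copy is pulled in transitively.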