2 Commits

Author SHA1 Message Date
Vercel
cdca35584c Update React Flight/Next.js RCE vulnerability
# React Flight / Next.js RCE Advisory Fix

## Summary
Updated the Osborne repository to address the React Flight / Next.js RCE advisory by upgrading Next.js to a patched version.

## Vulnerability Assessment
- **Project is affected**: Uses Next.js 15.2.4
- **Not using React Flight packages**: No react-server-dom-* packages detected

## Changes Made

### Modified Files
1. **client/package.json**
   - Upgraded `next` from `^15.2.4` to `15.2.6` (exact version pin)
   - This is the patched version for Next.js 15.2.x per the advisory guidelines
   - React versions (`react@18.3.1`, `react-dom@18.3.1`) were not modified as they are managed by Next.js

2. **client/package-lock.json**
   - Updated lockfile to reflect Next.js 15.2.6 installation
   - All dependency resolutions verified

## Verification
- Dependencies installed successfully with `npm install`
- Next.js version confirmed: `next@15.2.6` (verified via `npm list next`)
- Production build completed successfully with `next build`
- Linter passed with no errors or warnings (`next lint`)
- React versions remain at 18.3.1 (compatible with Next.js 15.2.6)

## Implementation Details
- Only modified Next.js version as this is a Next.js project
- Did not modify React versions as Next.js handles React dependency management
- Used exact version pinning (15.2.6) instead of caret to ensure the patched version is used
- No application logic changes were made

## Notes
- The project structure is a monorepo with a Next.js client (`./client`) and a Go server
- Only the client application required updates
- The server component (written in Go) has no Node.js dependencies

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
2025-12-08 16:05:24 +00:00
Arkaprabha Chakraborty
02a102481e init 2025-10-30 11:04:17 +05:30
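
A check a CI job could run to confirm the exact pin and the regenerated lockfile described in the cdca35584c commit message. This is an added example, not code from the repository or from Vercel; `auditPin` and the sample manifest and lockfile objects are hypothetical and constructed, and the lockfile layout assumed is npm's `packages` map (lockfileVersion 2/3) with a fallback to the v1 `dependencies` map.

```javascript
// Exact versions only: major.minor.patch with optional prerelease/build suffix.
const EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/;

// Look a package up in dependencies first, then devDependencies.
function declaredIn(obj, name) {
  return (obj.dependencies || {})[name] ?? (obj.devDependencies || {})[name];
}

// Returns a list of findings; an empty list means the pin is in place.
function auditPin(manifest, lock, name, patched) {
  const declared = declaredIn(manifest, name);
  if (declared === undefined) return [`${name} is not declared in package.json`];

  const findings = [];
  if (!EXACT.test(declared)) {
    findings.push(`package.json declares a range (${declared}), not an exact version`);
  } else if (declared !== patched) {
    findings.push(`package.json pins ${declared}, expected ${patched}`);
  }

  // Lockfile v2/v3 lists installed packages under "packages"; v1 under "dependencies".
  const entry = lock.packages
    ? lock.packages[`node_modules/${name}`]
    : (lock.dependencies || {})[name];
  if (!entry) {
    findings.push(`${name} is missing from package-lock.json`);
  } else if (entry.version !== patched) {
    findings.push(`lockfile resolves ${name}@${entry.version}, expected ${patched}`);
  }

  // A lockfile root entry that disagrees with package.json was not regenerated.
  const root = lock.packages ? lock.packages[""] || {} : null;
  const lockDeclared = root && declaredIn(root, name);
  if (root && lockDeclared !== declared) {
    findings.push(`lockfile root records ${lockDeclared}, package.json has ${declared}`);
  }
  return findings;
}

// Constructed samples modelled on the before/after state in the commit message.
const before = {
  manifest: { dependencies: { next: "^15.2.4" } },
  lock: { lockfileVersion: 3, packages: {
    "": { dependencies: { next: "^15.2.4" } },
    "node_modules/next": { version: "15.2.4" } } },
};
const after = {
  manifest: { dependencies: { next: "15.2.6" } },
  lock: { lockfileVersion: 3, packages: {
    "": { dependencies: { next: "15.2.6" } },
    "node_modules/next": { version: "15.2.6" } } },
};
console.log(auditPin(before.manifest, before.lock, "next", "15.2.6"));
console.log(auditPin(after.manifest, after.lock, "next", "15.2.6"));
```

In a real job the two objects would be parsed from `client/package.json` and `client/package-lock.json`, and a non-empty result would fail the build.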