mirror of
https://github.com/arkorty/Osborne.git
synced 2026-03-17 16:51:44 +00:00
vercel/react-flightnextjs-rce-vulnera-ym1k90
# React Flight / Next.js RCE Advisory Fix

## Summary

Updated the Osborne repository to address the React Flight / Next.js RCE advisory by upgrading Next.js to a patched version.

## Vulnerability Assessment

- ✅ **Project is affected**: Uses Next.js 15.2.4
- ❌ **Not using React Flight packages**: No react-server-dom-* packages detected

## Changes Made

### Modified Files

1. **client/package.json**
   - Upgraded `next` from `^15.2.4` to `15.2.6` (exact version pin)
   - This is the patched version for Next.js 15.2.x per the advisory guidelines
   - React versions (`react@18.3.1`, `react-dom@18.3.1`) were not modified as they are managed by Next.js
2. **client/package-lock.json**
   - Updated lockfile to reflect Next.js 15.2.6 installation
   - All dependency resolutions verified

## Verification

- ✅ Dependencies installed successfully with `npm install`
- ✅ Next.js version confirmed: `next@15.2.6` (verified via `npm list next`)
- ✅ Production build completed successfully with `next build`
- ✅ Linter passed with no errors or warnings (`next lint`)
- ✅ React versions remain at 18.3.1 (compatible with Next.js 15.2.6)

## Implementation Details

- Only modified Next.js version as this is a Next.js project
- Did not modify React versions as Next.js handles React dependency management
- Used exact version pinning (15.2.6) instead of caret to ensure the patched version is used
- No application logic changes were made

## Notes

- The project structure is a monorepo with a Next.js client (`./client`) and a Go server
- Only the client application required updates
- The server component (written in Go) has no Node.js dependencies

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
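The exact pin and lockfile update described in the commit message above can be enforced as a CI gate. This is an added example, not code from the Osborne repository or from the commit: `checkNextPin` and the sample objects are hypothetical, the patched version 15.2.6 is the one the commit message states, and the lockfile layout assumed is npm's `packages` map (lockfile v2/v3).

```javascript
// Added example: CI gate for the `next` pin. PATCHED is the version named on
// this page for the 15.2.x line; the manifest/lockfile objects are constructed.
const PATCHED = "15.2.6";

// Parse "15.2.6" into [15, 2, 6]; return null for ranges, tags, or prereleases.
function parseExact(spec) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: negative, zero, or positive.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Check the declared spec and the lockfile-resolved version of `next`.
// Returns a list of findings; an empty list means the pin holds.
function checkNextPin(manifest, lock, patched = PATCHED) {
  const findings = [];
  const floor = parseExact(patched);
  const spec = (manifest.dependencies || {}).next;
  if (spec === undefined) return ["next is not declared in dependencies"];
  const declared = parseExact(spec);
  if (!declared) findings.push(`declared spec "${spec}" is a range, not an exact pin`);
  else if (declared[0] !== floor[0] || declared[1] !== floor[1])
    findings.push(`declared ${spec} is outside the ${floor[0]}.${floor[1]}.x line this check covers`);
  else if (compare(declared, floor) < 0)
    findings.push(`declared ${spec} is older than patched ${patched}`);
  // npm lockfile v2/v3 records the installed version under packages["node_modules/<name>"].
  const entry = (lock.packages || {})["node_modules/next"];
  const resolved = entry && parseExact(entry.version);
  if (!resolved) findings.push("lockfile has no resolved version for next");
  else if (compare(resolved, floor) < 0)
    findings.push(`lockfile resolves next@${entry.version}, older than patched ${patched}`);
  else if (declared && compare(resolved, declared) !== 0)
    findings.push(`lockfile resolves next@${entry.version} but package.json pins ${spec}`);
  return findings;
}

// Constructed samples: the state before and after the commit.
const before = { dependencies: { next: "^15.2.4" } };
const beforeLock = { packages: { "node_modules/next": { version: "15.2.4" } } };
const after = { dependencies: { next: "15.2.6" } };
const afterLock = { packages: { "node_modules/next": { version: "15.2.6" } } };

console.log(checkNextPin(before, beforeLock));
console.log(checkNextPin(after, afterLock));
```

The third case worth gating on is a bumped `package.json` with a stale lockfile, which `npm ci` installs from; the check reports it as a lockfile finding even though the manifest looks correct.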
Languages: TypeScript 83.6%, Go 13.7%, CSS 2.3%, Dockerfile 0.3%