
fix: patch critical vulnerability in React Server Components #380

Merged: ngoiyaeric merged 2 commits into main from fix/patch-vulnerability on Dec 6, 2025

Conversation

google-labs-jules Bot (Contributor) commented Dec 4, 2025

User description

This commit patches a critical vulnerability in React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478) by updating Next.js to version 15.3.6 and React to version 19.1.2.


PR created automatically by Jules for task 5407609223263883225 started by @ngoiyaeric


PR Type

Bug fix


Description

  • Update Next.js from 15.3.3 to 15.3.6 to patch CVE-2025-66478
  • Update React from 19.1.0 to 19.1.2 to patch CVE-2025-55182
  • Update React DOM from 19.1.0 to 19.1.2 for consistency
  • Fix critical vulnerability in React Server Components


Diagram Walkthrough

flowchart LR
  A["package.json"] -->|Update Next.js| B["15.3.6"]
  A -->|Update React| C["19.1.2"]
  A -->|Update React DOM| D["19.1.2"]
  B --> E["CVE-2025-66478 Fixed"]
  C --> F["CVE-2025-55182 Fixed"]

File Walkthrough

Relevant files

Dependencies: package.json (+3/-3) - Update Next.js and React to patch vulnerabilities

  • Updated next dependency from ^15.3.3 to 15.3.6
  • Updated react dependency from ^19.1.0 to 19.1.2
  • Updated react-dom dependency from ^19.1.0 to 19.1.2
  • Pinned exact versions for critical security patches

google-labs-jules Bot (Contributor, Author) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!


For security, I will only act on instructions from the user who triggered this task.

New to Jules? Learn more at jules.google/docs.

vercel Bot (Contributor) commented Dec 4, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: qcx | Deployment: Ready | Preview: Ready | Comments: Preview Comment | Updated (UTC): Dec 4, 2025 10:44am

CLAassistant commented

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

coderabbitai Bot (Contributor) commented Dec 4, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

qodo-code-review (Contributor) commented

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance 🟢
No security concerns identified: No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance
🎫 No ticket provided

Codebase Duplication Compliance
Codebase context is not defined

Custom Compliance
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.

Status:
No audit impact: The PR only updates dependency versions and adds no runtime code affecting auditing, so there is no evidence of added or missing audit trails in the diff.

Referred Code
"next": "15.3.6",
"next-themes": "^0.3.0",
"open-codex": "^0.1.30",
"pg": "^8.16.2",
"radix-ui": "^1.3.4",
"react": "19.1.2",
"react-dom": "19.1.2",


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting

Status:
No identifiers added: The diff only changes dependency versions in package.json and introduces no new identifiers to assess for naming quality.


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation

Status:
No error logic: No application code or error handling paths were added or modified; only dependency versions were updated, so robustness cannot be assessed from this diff.


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.

Status:
No user errors: The PR does not modify user-facing error messages or logging behavior; only dependencies were updated, so secure error handling cannot be evaluated from the diff.


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.

Status:
No logging changes: No new logging statements or configurations were added; dependency bumps alone do not demonstrate logging practices compliance.


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities

Status:
No input handling: The diff contains only version pinning for Next.js and React; no input validation or data handling code is present to assess security controls.


Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partial Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

charliecreates Bot left a comment

The dependency updates correctly target the vulnerable packages and move them to patched versions. However, switching from caret ranges to fully pinned versions for next, react, and react-dom may hinder automatic adoption of future patch releases, impacting long-term maintainability and security posture. Using caret ranges starting from the patched versions would better balance security guarantees with ongoing updates. No other issues are evident in the provided diff.

Summary of Changes

  • Updated the next dependency from ^15.3.3 to the exact version 15.3.6.
  • Updated react from ^19.1.0 to the exact version 19.1.2.
  • Updated react-dom from ^19.1.0 to the exact version 19.1.2.
  • Switched these three core dependencies from caret ranges to pinned versions to pick up security fixes for React Server Components and Next.js vulnerabilities.

Comment thread package.json
Comment on lines +65 to +71
"next": "15.3.6",
"next-themes": "^0.3.0",
"open-codex": "^0.1.30",
"pg": "^8.16.2",
"radix-ui": "^1.3.4",
"react": "^19.1.0",
"react-dom": "^19.1.0",
"react": "19.1.2",
"react-dom": "19.1.2",
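Review bot: the hunk pins next, react and react-dom in package.json, but no lockfile change is part of this PR (the File Walkthrough lists package.json alone, +3/-3), so an install that honours the existing lockfile can keep resolving the pre-patch releases and the CVE fix would not actually be deployed. Regenerate and commit the lockfile in the same change, and confirm the installed versions with `npm ls next react react-dom` before treating the vulnerability as closed.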

Pinning next, react, and react-dom to exact versions (15.3.6 / 19.1.2) ensures the security patch is applied, but it also removes any ability to receive compatible patch updates automatically. That can make it easier to drift out of date and requires more manual maintenance, especially for security patches released after these versions.

Given this PR’s goal (patching a specific CVE), it would be safer long-term to keep the caret (^) range but set the minimum version to the patched one (e.g., ^15.3.6, ^19.1.2). That guarantees this fix while still allowing future non-breaking patch updates within the same major version.

Suggestion

Consider using caret ranges with the patched versions as the minimum, e.g.:

"next": "^15.3.6",
"react": "^19.1.2",
"react-dom": "^19.1.2"

This keeps you on secure, fixed minimum versions while still allowing safe patch-level updates in the same major line. Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.
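A check for the point argued in the comment above, added here as an example and not code from this PR or the project: it parses the exact, caret and tilde ranges that this package.json uses and reports whether each declared range's lowest resolvable version is at or above the patched minimum, so `^15.3.3` is flagged while both `15.3.6` and `^15.3.6` pass. Package names and versions are the ones named in the PR; the package.json fragment is constructed.

```javascript
// Added example, not code from this PR or project: audit package.json
// dependency ranges against known patched minimum versions.
// A caret or tilde range can still resolve to its lower bound (e.g. ^15.3.3
// permits 15.3.3), so the range must start at or above the patched version
// to guarantee the fix. Only exact, "^" and "~" ranges are handled, which
// are the syntaxes this package.json uses.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version the declared range can resolve to.
function lowerBound(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return parseVersion(m[1]);
}

// For each package with a known patched minimum that appears in deps,
// report whether the declared range guarantees the patched version.
function auditDependencies(deps, patchedMinimums) {
  const findings = [];
  for (const [name, minVersion] of Object.entries(patchedMinimums)) {
    const range = deps[name];
    if (range === undefined) continue; // package not used by this project
    const guaranteesPatch =
      compareVersions(lowerBound(range), parseVersion(minVersion)) >= 0;
    findings.push({ name, range, minVersion, guaranteesPatch });
  }
  return findings;
}

// Constructed sample: the pre-PR caret ranges and the patched minimums the
// PR description names (CVE-2025-66478 for next, CVE-2025-55182 for react).
const BEFORE = { next: "^15.3.3", react: "^19.1.0", "react-dom": "^19.1.0" };
const PATCHED = { next: "15.3.6", react: "19.1.2", "react-dom": "19.1.2" };
for (const f of auditDependencies(BEFORE, PATCHED)) {
  console.log(f.name, f.range, f.guaranteesPatch ? "ok" : "may install < " + f.minVersion);
}
```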

@charliecreates charliecreates Bot removed the request for review from CharlieHelps December 6, 2025 16:09
qodo-code-review (Contributor) commented

PR Code Suggestions ✨

No code suggestions found for the PR.

@ngoiyaeric ngoiyaeric merged commit f55bbbd into main Dec 6, 2025
4 of 5 checks passed