Skip to content

fix: patch critical vulnerability in React Server Components #380

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ngoiyaeric merged 2 commits into from
Dec 6, 2025
Merged

fix: patch critical vulnerability in React Server Components #380

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4e4d480
fix: patch critical vulnerability
google-labs-jules[bot] Dec 4, 2025
20f0e68
fix: patch critical vulnerability
google-labs-jules[bot] Dec 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 22 additions & 16 deletions bun.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,13 +62,13 @@
"lottie-react": "^2.4.1",
"lucide-react": "^0.507.0",
"mapbox-gl": "^3.11.0",
"next": "^15.3.3",
"next": "15.3.6",
"next-themes": "^0.3.0",
"open-codex": "^0.1.30",
"pg": "^8.16.2",
"radix-ui": "^1.3.4",
"react": "^19.1.0",
"react-dom": "^19.1.0",
"react": "19.1.2",
"react-dom": "19.1.2",
Comment on lines +65 to +71
Copy link
Copy Markdown

@charliecreates charliecreates Bot Dec 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pinning next, react, and react-dom to exact versions (15.3.6 / 19.1.2) ensures the security patch is applied, but it also removes any ability to receive compatible patch updates automatically. That can make it easier to drift out of date and requires more manual maintenance, especially for security patches released after these versions.

Given this PR’s goal (patching a specific CVE), it would be safer long-term to keep the caret (^) range but set the minimum version to the patched one (e.g., ^15.3.6, ^19.1.2). That guarantees this fix while still allowing future non-breaking patch updates within the same major version.

Suggestion

Consider using caret ranges with the patched versions as the minimum, e.g.:

"next": "^15.3.6",
"react": "^19.1.2",
"react-dom": "^19.1.2"

This keeps you on secure, fixed minimum versions while still allowing safe patch-level updates in the same major line. Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.

"react-hook-form": "^7.56.2",
"react-icons": "^5.5.0",
"react-markdown": "^9.1.0",
Expand Down