

@shiv-shi shiv-shi commented Dec 9, 2025

Emergency Security Vulnerability Fix

Referring to the vulnerability descriptions for React (CVE-2025-55182) and Next.js (CVE-2025-66478), upgrade the React and Next.js dependencies referenced in the project and its dependent modules to secure versions.

Critical Security Vulnerability in React Server Components

The current fixes are verified on Ubuntu 24.04.1 LTS (pnpm-lock.yaml):

Summary by CodeRabbit

  • Chores
    • Updated dependency version management for React, React DOM, and Next.js to improve compatibility and ensure consistent behavior across the platform.



vercel bot commented Dec 9, 2025

Someone is attempting to deploy a commit to the Coderax's projects Team on Vercel.

A member of the Team first needs to authorize it.


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


shi-wei seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.


coderabbitai bot commented Dec 9, 2025

Walkthrough

The changes update dependency resolution settings across two configuration files. package.json introduces pnpm override mappings for React, React DOM, and Next.js versions to enforce specific resolutions. pnpm-workspace.yaml updates the React and React DOM catalog version constraints to more granular ranges.

Changes

  • React & React DOM Version Overrides (package.json): Adds 8 pnpm override mappings targeting specific React and React DOM versions (19.0.0, 19.1.0, 19.1.1, 19.2.0), redirecting them to patched versions (19.0.1, 19.1.2, 19.2.1).
  • Next.js Version Overrides (package.json): Adds 7 pnpm override mappings for Next.js version ranges (15.0.0 through 16.0.0), enforcing specific patch versions (15.0.5 through 16.0.7).
  • Catalog Version Constraints (pnpm-workspace.yaml): Updates React and React DOM catalog entries from the caret range ^19.0.0 to the compound version constraint ">=19.1.2 <19.2.0 || >=19.2.1".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review focuses on verifying version override mappings align with security/stability requirements
  • Ensure version constraints in catalog don't conflict with override rules
  • Confirm version ranges are intentional and documented (if applicable)

Poem

🐰 With whiskers twitching, I've patched the way,
React versions dancing, Next.js at play,
Overrides declaring which builds are best,
Dependencies tamed through the catalog's test! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly references the security vulnerabilities (CVE-2025-55182 and CVE-2025-66478) being fixed and clearly conveys the main change: addressing critical security issues in React and Next.js dependencies.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


📥 Commits

Reviewing files that changed from the base of the PR and between 2b8bcf1 and bd28c85.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json (1 hunks)
  • pnpm-workspace.yaml (1 hunks)
🔇 Additional comments (4)
pnpm-workspace.yaml (1)

10-10: Verify catalog constraint coverage for 19.0.x versions.

The updated catalog constraint ">=19.1.2 <19.2.0 || >=19.2.1" excludes 19.2.0 correctly but does not exclude 19.0.0 (which is listed as vulnerable in the PR description). While the package.json overrides map react@19.0.0 → 19.0.1, overrides only apply to dependencies that explicitly request that exact version. Dependencies requesting ^19.0.0 or similar semver ranges might still resolve to 19.0.0 if it's the only available version in that range.

Consider updating the catalog constraint to exclude vulnerable 19.0.x versions as well:

react: ">=19.0.1 <19.1.0 || >=19.1.2 <19.2.0 || >=19.2.1"
react-dom: ">=19.0.1 <19.1.0 || >=19.1.2 <19.2.0 || >=19.2.1"

Alternatively, if 19.0.x is intentionally excluded from the catalog (perhaps because the project uses only 19.1+), clarify this approach in the commit message.

Also applies to: 12-12

package.json (3)

73-79: Confirm Next.js version range coverage aligns with project usage.

The overrides include Next.js 15.x and 16.x versions. Verify that:

  1. The project currently uses Next.js versions within these ranges (or may in the near future).
  2. No unexpected version jumps or major upgrades are forced on dependencies that declare Next.js ^15 or ^16 with versions not listed here.

If the project only uses 15.x, consider whether 16.x overrides are necessary now or should be added reactively when 16.x support is planned.


64-80: Verify pnpm lock file synchronization with new overrides.

The overrides in package.json mix exact versions (react@19.0.0) and range constraints (next@>=15.0.0 <15.0.5). Before merging:

  1. Confirm pnpm-lock.yaml was regenerated with these overrides applied—all sub-dependencies for React, React-DOM, and Next.js must be pinned to the specified versions.
  2. Review pnpm-workspace.yaml to ensure the catalog version ranges complement rather than conflict with these overrides.
  3. Test on the same environment (Ubuntu 24.04.1 with pnpm) to ensure the lock file reflects the intended pinning.

Run pnpm install --frozen-lockfile locally to verify consistency between lock file and overrides.


65-79: All patched version numbers are correct per official security advisories.

React / React DOM patched versions 19.0.1, 19.1.2, and 19.2.1 confirmed for CVE-2025-55182. Next.js patched versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7 confirmed for CVE-2025-66478. The override entries correctly target vulnerable version ranges and map to the appropriate patched releases.


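The CodeRabbit comments above hinge on which versions a catalog constraint such as ">=19.1.2 <19.2.0 || >=19.2.1" or an override range key such as next@>=15.0.0 <15.0.5 actually admits. Below is an added example, not code from this PR or from the repository: a minimal semver range checker (covering only the comparator, caret and "||" syntax that appears in this thread) that can be run over a list of candidate versions to audit a constraint before relying on it.

```javascript
// Added example (not from the PR or the repository): a minimal semver range
// checker to audit which versions a pnpm catalog constraint or an override
// range key admits. Syntax supported: >=, >, <=, <, =, ^x.y.z (x > 0), AND, "||".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator token (">=19.1.2", "^19.0.0", "19.2.1") -> predicate.
function comparator(token) {
  const m = /^(>=|<=|>|<|=|\^)?(\d+\.\d+\.\d+)$/.exec(token);
  if (!m) throw new Error(`unsupported comparator: ${token}`);
  const op = m[1] || '=';
  const base = parseVersion(m[2]);
  if (op === '^' && base[0] === 0) throw new Error('^0.x.y not supported here');
  switch (op) {
    case '>=': return (v) => compare(v, base) >= 0;
    case '>': return (v) => compare(v, base) > 0;
    case '<=': return (v) => compare(v, base) <= 0;
    case '<': return (v) => compare(v, base) < 0;
    case '=': return (v) => compare(v, base) === 0;
    default: return (v) => compare(v, base) >= 0 && v[0] === base[0]; // ^x.y.z
  }
}

// True when `version` satisfies `range`: OR across "||" groups, AND inside a group.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((group) =>
    group.trim().split(/\s+/).every((tok) => comparator(tok)(v)));
}

// Subset of `candidates` that `range` still allows.
function admitted(range, candidates) {
  return candidates.filter((c) => satisfies(c, range));
}
// Constructed inputs: the catalog constraint from this PR and the React
// versions named in its override mappings.
const CATALOG = '>=19.1.2 <19.2.0 || >=19.2.1';
const REACT_VERSIONS = ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'];
console.log(admitted(CATALOG, REACT_VERSIONS)); // ['19.1.2', '19.2.1']
```

Feed it the full list of versions a dependency may request (for example the vulnerable versions named in the PR description) to see exactly which ones a constraint still lets through.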

@lindesvard

Don't see a reason to add overrides here. Just update the apps/public which use nextjs. Please sign SLA as well


shiv-shi commented Dec 9, 2025

After the AI safety scan, a dangerous warning was still issued. So, to avoid potential security risks, upgrading is being considered.

# | Risk Factor | File Location | Severity
1 | Next.js App Router uses RSC | apps/public/src/app/**/page.tsx | 🔴 High
2 | OG image generation uses React JSX | apps/public/src/app/og/[...og]/route.tsx | 🔴 High
3 | TanStack Start Server Functions | apps/start/src/**/*.tsx | 🟡 Medium
4 | SSR data serialization | apps/start/src/integrations/ | 🟡 Medium

BTW, I've already signed the SLA, but it seems there's an issue somewhere as the status hasn't been updated.
