Skip to content

fix(rsc): require minimal versions for RSC to address CVE-2025-55182 #10833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gr2m merged 2 commits into from
Dec 3, 2025
Merged

fix(rsc): require minimal versions for RSC to address CVE-2025-55182 #10833

gr2m merged 2 commits into from
Dec 3, 2025
+44 −48

Conversation

@gr2m
Copy link
Collaborator

@gr2m gr2m commented Dec 3, 2025

@vercel-ai-sdk vercel-ai-sdk bot added the ai/rsc label Dec 3, 2025
gr2m
gr2m commented Dec 3, 2025
View reviewed changes
packages/rsc/package.json
},
"peerDependencies": {
"react": "^18 || ^19 || ^19.0.0-rc",
"react": "^18 || ~19.0.1 || ~19.1.2 || ^19.2.1",
Copy link
Collaborator Author

@gr2m gr2m Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since the CVE is only related to server components, I don't think we need to update the peer dependency version range in the react package, rsc should suffice.

@gr2m gr2m added the backport label Dec 3, 2025
gr2m
gr2m commented Dec 3, 2025
View reviewed changes
packages/rsc/package.json
"zod": "3.25.76"
},
"peerDependencies": {
"react": "^18 || ^19 || ^19.0.0-rc",
Copy link
Collaborator Author

@gr2m gr2m Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to drop support for 19-rc in ai v6. We can keep supporting it in v5 though

vercel[bot]
vercel bot reviewed Dec 3, 2025
View reviewed changes
@gr2m gr2m requested a review from a team December 3, 2025 17:26
@gr2m gr2m added the bug Something isn't working as documented label Dec 3, 2025
@gr2m gr2m merged commit af65ab6 into main Dec 3, 2025
21 checks passed
@gr2m gr2m deleted the fix-rsc-react-versions branch December 3, 2025 18:03
vercel-ai-sdk bot pushed a commit that referenced this pull request Dec 3, 2025
@gr2m @vercel-ai-sdk
Backport conflicts for PR #10833 to release-v5.0
a850973
@vercel-ai-sdk vercel-ai-sdk bot mentioned this pull request Dec 3, 2025
Merged
@vercel-ai-sdk vercel-ai-sdk bot removed the backport label Dec 3, 2025
@vercel-ai-sdk
Copy link
Contributor

vercel-ai-sdk bot commented Dec 3, 2025

⚠️ Backport to release-v5.0 created but has conflicts: #10836

gr2m added a commit that referenced this pull request Dec 10, 2025
@vercel-ai-sdk @gr2m
Backport: fix(rsc): require minimal versions for RSC to address CVE-2…
52e8efe 
…025-55182 (#10836)

This is an automated backport of #10833 to the release-v5.0 branch.

---------

Co-authored-by: Gregor Martynus <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vercel vercel[bot] vercel[bot] left review comments

@vercel-ai-sdk vercel-ai-sdk[bot] vercel-ai-sdk[bot] approved these changes

Assignees

@gr2m gr2m

Labels

ai/rsc bug Something isn't working as documented

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gr2m