From b781b14b769e4dc87648b89c8d94fb83fef1da3d Mon Sep 17 00:00:00 2001 From: Gregor Martynus <39992+gr2m@users.noreply.github.com> Date: Wed, 3 Dec 2025 09:18:19 -0800 Subject: [PATCH 1/2] drop react 19-rc support. Require minimal versions for RSC to address CVE-2025-55182 https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components --- packages/react/package.json | 4 +- packages/rsc/package.json | 2 +- pnpm-lock.yaml | 80 ++++++++++++++++--------------------- 3 files changed, 38 insertions(+), 48 deletions(-) diff --git a/packages/react/package.json b/packages/react/package.json index e825c2e55ebe..25f9c8a88b97 100644 --- a/packages/react/package.json +++ b/packages/react/package.json @@ -49,13 +49,13 @@ "eslint-config-vercel-ai": "workspace:*", "jsdom": "^24.0.0", "msw": "2.6.4", - "react-dom": "^18 || ^19 || ^19.0.0-rc", + "react-dom": "^18 || ^19", "tsup": "^7.2.0", "typescript": "5.8.3", "zod": "3.25.76" }, "peerDependencies": { - "react": "^18 || ^19 || ^19.0.0-rc" + "react": "^18 || ^19" }, "engines": { "node": ">=18" diff --git a/packages/rsc/package.json b/packages/rsc/package.json index 93ade5bdb8b9..bb0cefba6c74 100644 --- a/packages/rsc/package.json +++ b/packages/rsc/package.json @@ -65,7 +65,7 @@ "zod": "3.25.76" }, "peerDependencies": { - "react": "^18 || ^19 || ^19.0.0-rc", + "react": "^18 || ~19.0.1 || ~19.1.2 || ^19.2.1", "zod": "^3.25.76 || ^4.1.8" }, "peerDependenciesMeta": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 8c471b286840..93a5d2f537d2 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -2479,11 +2479,11 @@ importers: specifier: workspace:* version: link:../ai react: - specifier: ^18 || ^19 || ^19.0.0-rc - version: 19.0.0-rc.1 + specifier: ^18 || ^19 + version: 18.3.1 swr: specifier: ^2.2.5 - version: 2.2.5(react@19.0.0-rc.1) + version: 2.2.5(react@18.3.1) throttleit: specifier: 2.1.0 version: 2.1.0 @@ -2496,7 +2496,7 @@ importers: version: 6.6.3 '@testing-library/react': specifier: ^16.0.1 - version: 16.0.1(@testing-library/dom@10.4.0)(@types/react-dom@18.3.0)(@types/react@18.3.3)(react-dom@19.0.0-rc.1(react@19.0.0-rc.1))(react@19.0.0-rc.1) + version: 16.0.1(@testing-library/dom@10.4.0)(@types/react-dom@18.3.0)(@types/react@18.3.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1) '@testing-library/user-event': specifier: ^14.5.2 version: 14.5.2(@testing-library/dom@10.4.0) @@ -2525,8 +2525,8 @@ importers: specifier: 2.6.4 version: 2.6.4(@types/node@20.17.24)(typescript@5.8.3) react-dom: - specifier: ^18 || ^19 || ^19.0.0-rc - version: 19.0.0-rc.1(react@19.0.0-rc.1) + specifier: ^18 || ^19 + version: 18.3.1(react@18.3.1) tsup: specifier: ^7.2.0 version: 7.2.0(postcss@8.5.6)(ts-node@10.9.2(@types/node@20.17.24)(typescript@5.8.3))(typescript@5.8.3) @@ -18874,7 +18874,7 @@ snapshots: dependencies: '@ampproject/remapping': 2.3.0 '@angular-devkit/architect': 0.2003.3(chokidar@4.0.3) - '@angular-devkit/build-webpack': 0.2003.3(chokidar@4.0.3)(webpack-dev-server@5.2.2(webpack@5.101.2))(webpack@5.101.2) + '@angular-devkit/build-webpack': 0.2003.3(chokidar@4.0.3)(webpack-dev-server@5.2.2(webpack@5.101.2))(webpack@5.101.2(esbuild@0.25.9)) '@angular-devkit/core': 20.3.3(chokidar@4.0.3) '@angular/build': 20.3.3(@angular/compiler-cli@20.3.2(@angular/compiler@20.3.2)(typescript@5.8.3))(@angular/compiler@20.3.2)(@angular/core@20.3.2(@angular/compiler@20.3.2)(rxjs@7.8.2)(zone.js@0.15.1))(@angular/platform-browser@20.3.2(@angular/common@20.3.2(@angular/core@20.3.2(@angular/compiler@20.3.2)(rxjs@7.8.2)(zone.js@0.15.1))(rxjs@7.8.2))(@angular/core@20.3.2(@angular/compiler@20.3.2)(rxjs@7.8.2)(zone.js@0.15.1)))(@types/node@20.17.24)(chokidar@4.0.3)(jiti@2.4.0)(less@4.4.0)(postcss@8.5.6)(tailwindcss@3.4.17(ts-node@10.9.2(@types/node@20.17.24)(typescript@5.8.3)))(terser@5.43.1)(tslib@2.8.1)(tsx@4.19.2)(typescript@5.8.3)(vitest@2.1.4(@edge-runtime/vm@5.0.0)(@types/node@22.7.4)(jsdom@26.0.0)(less@4.4.0)(msw@2.7.0(@types/node@22.7.4)(typescript@5.8.3))(sass@1.90.0)(terser@5.43.1))(yaml@2.7.0) '@angular/compiler-cli': 20.3.2(@angular/compiler@20.3.2)(typescript@5.8.3) @@ -18888,13 +18888,13 @@ snapshots: '@babel/preset-env': 7.28.3(@babel/core@7.28.3) '@babel/runtime': 7.28.3 '@discoveryjs/json-ext': 0.6.3 - '@ngtools/webpack': 20.3.3(@angular/compiler-cli@20.3.2(@angular/compiler@20.3.2)(typescript@5.8.3))(typescript@5.8.3)(webpack@5.101.2) + '@ngtools/webpack': 20.3.3(@angular/compiler-cli@20.3.2(@angular/compiler@20.3.2)(typescript@5.8.3))(typescript@5.8.3)(webpack@5.101.2(esbuild@0.25.9)) ansi-colors: 4.1.3 autoprefixer: 10.4.21(postcss@8.5.6) - babel-loader: 10.0.0(@babel/core@7.28.3)(webpack@5.101.2) + babel-loader: 10.0.0(@babel/core@7.28.3)(webpack@5.101.2(esbuild@0.25.9)) browserslist: 4.25.1 - copy-webpack-plugin: 13.0.1(webpack@5.101.2) - css-loader: 7.1.2(webpack@5.101.2) + copy-webpack-plugin: 13.0.1(webpack@5.101.2(esbuild@0.25.9)) + css-loader: 7.1.2(webpack@5.101.2(esbuild@0.25.9)) esbuild-wasm: 0.25.9 fast-glob: 3.3.3 http-proxy-middleware: 3.0.5 @@ -18902,22 +18902,22 @@ snapshots: jsonc-parser: 3.3.1 karma-source-map-support: 1.4.0 less: 4.4.0 - less-loader: 12.3.0(less@4.4.0)(webpack@5.101.2) - license-webpack-plugin: 4.0.2(webpack@5.101.2) + less-loader: 12.3.0(less@4.4.0)(webpack@5.101.2(esbuild@0.25.9)) + license-webpack-plugin: 4.0.2(webpack@5.101.2(esbuild@0.25.9)) loader-utils: 3.3.1 - mini-css-extract-plugin: 2.9.4(webpack@5.101.2) + mini-css-extract-plugin: 2.9.4(webpack@5.101.2(esbuild@0.25.9)) open: 10.2.0 ora: 8.2.0 picomatch: 4.0.3 piscina: 5.1.3 postcss: 8.5.6 - postcss-loader: 8.1.1(postcss@8.5.6)(typescript@5.8.3)(webpack@5.101.2) + postcss-loader: 8.1.1(postcss@8.5.6)(typescript@5.8.3)(webpack@5.101.2(esbuild@0.25.9)) resolve-url-loader: 5.0.0 rxjs: 7.8.2 sass: 1.90.0 - sass-loader: 16.0.5(sass@1.90.0)(webpack@5.101.2) + sass-loader: 16.0.5(sass@1.90.0)(webpack@5.101.2(esbuild@0.25.9)) semver: 7.7.2 - source-map-loader: 5.0.0(webpack@5.101.2) + source-map-loader: 5.0.0(webpack@5.101.2(esbuild@0.25.9)) source-map-support: 0.5.21 terser: 5.43.1 tree-kill: 1.2.2 @@ -18927,7 +18927,7 @@ snapshots: webpack-dev-middleware: 7.4.2(webpack@5.101.2) webpack-dev-server: 5.2.2(webpack@5.101.2) webpack-merge: 6.0.1 - webpack-subresource-integrity: 5.1.0(webpack@5.101.2) + webpack-subresource-integrity: 5.1.0(webpack@5.101.2(esbuild@0.25.9)) optionalDependencies: '@angular/core': 20.3.2(@angular/compiler@20.3.2)(rxjs@7.8.2)(zone.js@0.15.1) '@angular/platform-browser': 20.3.2(@angular/common@20.3.2(@angular/core@20.3.2(@angular/compiler@20.3.2)(rxjs@7.8.2)(zone.js@0.15.1))(rxjs@7.8.2))(@angular/core@20.3.2(@angular/compiler@20.3.2)(rxjs@7.8.2)(zone.js@0.15.1)) @@ -18957,7 +18957,7 @@ snapshots: - webpack-cli - yaml - '@angular-devkit/build-webpack@0.2003.3(chokidar@4.0.3)(webpack-dev-server@5.2.2(webpack@5.101.2))(webpack@5.101.2)': + '@angular-devkit/build-webpack@0.2003.3(chokidar@4.0.3)(webpack-dev-server@5.2.2(webpack@5.101.2))(webpack@5.101.2(esbuild@0.25.9))': dependencies: '@angular-devkit/architect': 0.2003.3(chokidar@4.0.3) rxjs: 7.8.2 @@ -23961,7 +23961,7 @@ snapshots: '@next/swc-win32-x64-msvc@15.6.0-canary.39': optional: true - '@ngtools/webpack@20.3.3(@angular/compiler-cli@20.3.2(@angular/compiler@20.3.2)(typescript@5.8.3))(typescript@5.8.3)(webpack@5.101.2)': + '@ngtools/webpack@20.3.3(@angular/compiler-cli@20.3.2(@angular/compiler@20.3.2)(typescript@5.8.3))(typescript@5.8.3)(webpack@5.101.2(esbuild@0.25.9))': dependencies: '@angular/compiler-cli': 20.3.2(@angular/compiler@20.3.2)(typescript@5.8.3) typescript: 5.8.3 @@ -26783,16 +26783,6 @@ snapshots: '@types/react': 18.3.3 '@types/react-dom': 18.3.0 - '@testing-library/react@16.0.1(@testing-library/dom@10.4.0)(@types/react-dom@18.3.0)(@types/react@18.3.3)(react-dom@19.0.0-rc.1(react@19.0.0-rc.1))(react@19.0.0-rc.1)': - dependencies: - '@babel/runtime': 7.25.7 - '@testing-library/dom': 10.4.0 - react: 19.0.0-rc.1 - react-dom: 19.0.0-rc.1(react@19.0.0-rc.1) - optionalDependencies: - '@types/react': 18.3.3 - '@types/react-dom': 18.3.0 - '@testing-library/svelte@5.2.7(svelte@5.32.1)(vite@6.2.7(@types/node@20.17.24)(jiti@2.4.0)(less@4.4.0)(sass@1.90.0)(terser@5.43.1)(tsx@4.19.2)(yaml@2.7.0))(vitest@3.0.7(@edge-runtime/vm@5.0.0)(@types/debug@4.1.12)(@types/node@20.17.24)(jiti@2.4.0)(jsdom@26.0.0)(less@4.4.0)(msw@2.7.0(@types/node@20.17.24)(typescript@5.8.3))(sass@1.90.0)(terser@5.43.1)(tsx@4.19.2)(yaml@2.7.0))': dependencies: '@testing-library/dom': 10.4.0 @@ -28561,7 +28551,7 @@ snapshots: transitivePeerDependencies: - supports-color - babel-loader@10.0.0(@babel/core@7.28.3)(webpack@5.101.2): + babel-loader@10.0.0(@babel/core@7.28.3)(webpack@5.101.2(esbuild@0.25.9)): dependencies: '@babel/core': 7.28.3 find-up: 5.0.0 @@ -29289,7 +29279,7 @@ snapshots: dependencies: is-what: 4.1.16 - copy-webpack-plugin@13.0.1(webpack@5.101.2): + copy-webpack-plugin@13.0.1(webpack@5.101.2(esbuild@0.25.9)): dependencies: glob-parent: 6.0.2 normalize-path: 3.0.0 @@ -29381,7 +29371,7 @@ snapshots: dependencies: postcss: 8.5.3 - css-loader@7.1.2(webpack@5.101.2): + css-loader@7.1.2(webpack@5.101.2(esbuild@0.25.9)): dependencies: icss-utils: 5.1.0(postcss@8.5.6) postcss: 8.5.6 @@ -33408,7 +33398,7 @@ snapshots: dependencies: readable-stream: 2.3.8 - less-loader@12.3.0(less@4.4.0)(webpack@5.101.2): + less-loader@12.3.0(less@4.4.0)(webpack@5.101.2(esbuild@0.25.9)): dependencies: less: 4.4.0 optionalDependencies: @@ -33435,7 +33425,7 @@ snapshots: prelude-ls: 1.2.1 type-check: 0.4.0 - license-webpack-plugin@4.0.2(webpack@5.101.2): + license-webpack-plugin@4.0.2(webpack@5.101.2(esbuild@0.25.9)): dependencies: webpack-sources: 3.3.3 optionalDependencies: @@ -34233,7 +34223,7 @@ snapshots: min-indent@1.0.1: {} - mini-css-extract-plugin@2.9.4(webpack@5.101.2): + mini-css-extract-plugin@2.9.4(webpack@5.101.2(esbuild@0.25.9)): dependencies: schema-utils: 4.3.2 tapable: 2.2.1 @@ -35682,7 +35672,7 @@ snapshots: tsx: 4.19.2 yaml: 2.7.0 - postcss-loader@8.1.1(postcss@8.5.6)(typescript@5.8.3)(webpack@5.101.2): + postcss-loader@8.1.1(postcss@8.5.6)(typescript@5.8.3)(webpack@5.101.2(esbuild@0.25.9)): dependencies: cosmiconfig: 9.0.0(typescript@5.8.3) jiti: 1.21.6 @@ -36614,7 +36604,7 @@ snapshots: safer-buffer@2.1.2: {} - sass-loader@16.0.5(sass@1.90.0)(webpack@5.101.2): + sass-loader@16.0.5(sass@1.90.0)(webpack@5.101.2(esbuild@0.25.9)): dependencies: neo-async: 2.6.2 optionalDependencies: @@ -36969,7 +36959,7 @@ snapshots: source-map-js@1.2.1: {} - source-map-loader@5.0.0(webpack@5.101.2): + source-map-loader@5.0.0(webpack@5.101.2(esbuild@0.25.9)): dependencies: iconv-lite: 0.6.3 source-map-js: 1.2.1 @@ -37372,11 +37362,11 @@ snapshots: csso: 5.0.5 picocolors: 1.1.1 - swr@2.2.5(react@19.0.0-rc.1): + swr@2.2.5(react@18.3.1): dependencies: client-only: 0.0.1 - react: 19.0.0-rc.1 - use-sync-external-store: 1.2.0(react@19.0.0-rc.1) + react: 18.3.1 + use-sync-external-store: 1.2.0(react@18.3.1) swrv@1.0.4(vue@3.5.13(typescript@5.8.3)): dependencies: @@ -38423,9 +38413,9 @@ snapshots: urlpattern-polyfill@8.0.2: {} - use-sync-external-store@1.2.0(react@19.0.0-rc.1): + use-sync-external-store@1.2.0(react@18.3.1): dependencies: - react: 19.0.0-rc.1 + react: 18.3.1 utif@2.0.1: dependencies: @@ -39077,7 +39067,7 @@ snapshots: webpack-sources@3.3.3: {} - webpack-subresource-integrity@5.1.0(webpack@5.101.2): + webpack-subresource-integrity@5.1.0(webpack@5.101.2(esbuild@0.25.9)): dependencies: typed-assert: 1.0.9 webpack: 5.101.2(esbuild@0.25.9) From 854811daa429b6f06c4c327ee441234601872745 Mon Sep 17 00:00:00 2001 From: Gregor Martynus <39992+gr2m@users.noreply.github.com> Date: Wed, 3 Dec 2025 09:28:40 -0800 Subject: [PATCH 2/2] docs: changeset --- .changeset/old-bulldogs-relate.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .changeset/old-bulldogs-relate.md diff --git a/.changeset/old-bulldogs-relate.md b/.changeset/old-bulldogs-relate.md new file mode 100644 index 000000000000..22ee75bb77ff --- /dev/null +++ b/.changeset/old-bulldogs-relate.md @@ -0,0 +1,6 @@ +--- +'@ai-sdk/react': patch +'@ai-sdk/rsc': patch +--- + +drop react 19-rc support. Require minimal versions for RSC to address CVE-2025-55182