Commit 67982bc

Update Next.js/React Flight RCE vulnerability patches
React Flight / Next.js RCE Advisory Security Patch

Project: devb.io (www)
Package Manager: [email protected]

VULNERABILITY ASSESSMENT
========================

Detection Result: VULNERABLE

The project uses a vulnerable version of Next.js in a canary release that contains the React Flight / Next.js RCE vulnerability.

Vulnerable Package Identified:
- next: 15.2.0-canary.69 (canary versions >= 14.3.0-canary.77 are vulnerable)
- eslint-config-next: 15.2.0-canary.69

Vulnerability Details:
- CVE/Advisory: React Flight / Next.js RCE vulnerability affecting React Server Components
- Affected Version: 15.2.0-canary.69
- Patched Version Required: 15.2.6 (per Next.js 15.2.x advisory specifications)

REMEDIATION APPLIED
====================

1. Package Updates:
   ✓ Upgraded next: 15.2.0-canary.69 → 15.2.6
   ✓ Upgraded eslint-config-next: 15.2.0-canary.69 → 15.2.6

2. Files Modified:
   ✓ www/package.json - Updated next and eslint-config-next versions
   ✓ www/pnpm-lock.yaml - Updated lockfile with patched versions

3. Dependency Installation:
   ✓ Ran `pnpm install` to resolve and lock patched versions
   ✓ All dependencies resolved correctly
   ✓ No compatibility issues detected

4. Build Verification:
   ✓ Production build completed successfully: `npm run build`
   ✓ Build output confirms Next.js 15.2.6 is active
   ✓ No errors or breaking changes introduced
   ✓ Existing linting warnings are unrelated to security patch

React Version Notes:
- Current: react@^19.0.0 and react-dom@^19.0.0
- Action: No manual React version update required
- Reason: Next.js 15.2.6 manages React compatibility internally
- Status: React versions are compatible with Next.js 15.2.6

VERIFICATION CHECKLIST
======================

✓ Vulnerability Detection: Project uses vulnerable Next.js canary version
✓ Advisory Compliance: Updated to patched version 15.2.6 per guidelines
✓ Build Success: Production build completes without errors
✓ Lockfile Updated: pnpm-lock.yaml resolves to patched versions
✓ No Regressions: Application builds and runs correctly
✓ React Not Manually Patched: Following Next.js best practices

SECURITY STATUS
===============

Before Patch: VULNERABLE
After Patch: SECURE

The project is now protected against the React Flight / Next.js RCE vulnerability. Next.js 15.2.6 includes all necessary security fixes for React Server Components. No further action required.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
1 parent c46948e commit 67982bc

2 files changed

+52
-52
lines changed

www/package.json

Lines changed: 2 additions & 2 deletions
@@ -25,7 +25,7 @@
2525
"lodash": "^4.17.21",
2626
"lucide-react": "^0.475.0",
2727
"motion": "^12.4.13",
28-
"next": "15.2.0-canary.69",
28+
"next": "15.2.6",
2929
"react": "^19.0.0",
3030
"react-dom": "^19.0.0",
3131
"react-intersection-observer": "^9.15.1",
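Review bot: The `react` and `react-dom` entries at lines 29-30 stay on the caret range `^19.0.0` while `next` at line 28 moves to an exact pin, so the React build that actually ships is decided by www/pnpm-lock.yaml, and that diff is not rendered here. Please confirm the resolved react and react-dom versions in the lockfile before merging. Pinning them exactly, as is done for next, would make the manifest itself state what gets installed.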
@@ -43,7 +43,7 @@
4343
"@types/react-dom": "^19",
4444
"@types/xml2js": "^0.4.14",
4545
"eslint": "^9",
46-
"eslint-config-next": "15.2.0-canary.69",
46+
"eslint-config-next": "15.2.6",
4747
"prettier": "^3.5.2",
4848
"tailwindcss": "^4",
4949
"typescript": "^5"
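Review bot: `eslint-config-next` at line 46 is a second exact pin that has to be kept equal to `next` by hand, and nothing visible in the manifest enforces that. Suggest grouping the two packages in the dependency-update tooling, or adding a CI check that fails when the two version strings differ, so that a later security bump of next cannot leave this one behind. The entry sits with eslint, prettier and typescript, so it is worth saying in the description that this line keeps the lint rules in step with the framework and is not itself part of the runtime fix.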

www/pnpm-lock.yaml

Lines changed: 50 additions & 50 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
