Fix React Server Components CVE vulnerabilities #194
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions:

- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
* Fix React Server Components CVE vulnerabilities (#194)

  Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions:
  - next
  - react-server-dom-webpack
  - react-server-dom-parcel
  - react-server-dom-turbopack

  All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

  Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>

* feat: update POST /api/sandboxes to use command execution
  - Change request body from { prompt } to { command, args?, cwd? }
  - Add account snapshot support for creating sandboxes from snapshots
  - Update trigger payload to include command, args, cwd, sandboxId, accountId
  - Return runId in response from triggered task
  - Update tests to reflect new API structure

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: use correct source parameter for snapshot in Sandbox.create

  The Vercel Sandbox SDK requires snapshotId to be passed via the source parameter with type: 'snapshot', not as a direct property.

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* test: update triggerRunSandboxCommand tests to use command payload

  Update test payloads to match new API: command, args, cwd, sandboxId, accountId

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* refactor: use CreateSandboxParams from @vercel/sandbox SDK
  - Export CreateSandboxParams type extracted from Sandbox.create signature
  - Accept full SDK params instead of custom snapshotId option
  - Apply sensible defaults for timeout, resources, and runtime
  - Update handler to pass source object for snapshots
  - Add tests for new parameter combinations

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: handle union type for CreateSandboxParams

  Use 'in' operator to check for runtime/resources properties since they don't exist on the snapshot variant of the union type.

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: simplify createSandbox to spread defaults before params

  Spread defaults first, then override with params. This avoids type conflicts between snapshot and base param variants.

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: handle trigger failure gracefully and always return response
  - Wrap triggerRunSandboxCommand in try-catch to prevent hanging
  - Return 200 with sandbox info even if trigger fails (runId omitted)
  - Update JSDoc to document new command/args/cwd request format
  - Update tests to reflect new graceful failure behavior

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* debug: add extensive logging to trace request flow

  Add console.log at each step to identify where the request is hanging:
  - Request received
  - Validation
  - Snapshot lookup
  - Sandbox creation
  - DB insert
  - Task trigger
  - Response building

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* chore: remove debug logging

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* refactor: rename selectAccountSnapshot.ts to selectAccountSnapshots.ts

  Follow the select[TableName].ts naming convention where the table name is account_snapshots (plural). Function name unchanged.

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* refactor: rename function to selectAccountSnapshots and return array
  - Rename function from selectAccountSnapshot to selectAccountSnapshots
  - Remove .limit(1).single() to return full array
  - Update handler to get first element from array
  - Update tests with new function name and array return values

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

* refactor: use Tables type from Supabase schema for account_snapshots
  - Regenerate types with supabase gen types to include account_snapshots table
  - Replace local AccountSnapshot interface with Tables<"account_snapshots">
  - DRY: single source of truth for type definitions

  Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com>
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <[email protected]>
Important: This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project recoup-api. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.