
Conversation

@steven-tey
Collaborator

@steven-tey steven-tey commented Dec 3, 2025

Reference: https://vercel.com/changelog/cve-2025-55182

Summary by CodeRabbit

  • Chores
    • Updated framework and library dependencies to their latest patch versions for improved stability and performance.


Summary by CodeRabbit

  • Chores

    • Updated Next.js, React, and React DOM to latest patch versions across web, UI, and utilities packages for improved stability and alignment.
    • Adjusted dev/peer dependency declarations for consistency.
  • Refactor

    • Reorganized internal middleware and utility imports and removed several centralized re-exports; no runtime behavior or public API changes.


@vercel
Contributor

vercel bot commented Dec 3, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Updated (UTC)
dub | Ready | Preview | Dec 3, 2025 10:16pm

@coderabbitai
Contributor

coderabbitai bot commented Dec 3, 2025

Walkthrough

Dependency bumps (Next, React, React‑DOM) across three package.json files and a broad refactor of middleware imports/exports: barrel re-exports removed, many modules now import utilities from dedicated relative paths instead of aggregated barrels. No functional logic or exported signatures were changed.

Changes

Cohort / File(s) Summary
Package manifests
apps/web/package.json, packages/ui/package.json, packages/utils/package.json
Bumped next 15.5.4 → 15.5.7 and react 19.1.1 → 19.1.2; added/updated react-dom entries (added/updated in some manifests, removed from one dependency list).
Middleware barrel exports removed
apps/web/lib/middleware/index.ts, apps/web/lib/middleware/utils/index.ts
Removed re-exports/exported entries for multiple middleware and utility modules (deleted aggregated barrels).
Middleware import adjustments
apps/web/lib/middleware/*.ts
apps/web/lib/middleware/admin.ts, api.ts, app.ts, create-link.ts, embed.ts, link.ts, new-link.ts, partners.ts, workspaces.ts
Replaced aggregated/alias imports with explicit relative imports to individual utility modules (e.g., ./utils/parse, ./utils/get-identity-hash, etc.). No behavioral changes.
Top-level middleware wiring
apps/web/middleware.ts
Replaced barrel imports with explicit per-module imports (AdminMiddleware, ApiMiddleware, AppMiddleware, CreateLinkMiddleware, LinkMiddleware, PartnersMiddleware) and explicit parse import. No runtime logic changes.
Tracking and tinybird changes
apps/web/app/(ee)/api/track/open/route.ts, apps/web/app/(ee)/api/track/visit/route.ts, apps/web/lib/tinybird/record-click.ts
Updated imports to reference dedicated utility modules (e.g., get-identity-hash, detect-bot, detect-qr) instead of the aggregated utils barrel. No functional changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Pay attention to removed barrels: ensure all consumers updated to the new paths (middleware index and utils index removals).
  • Verify build/resolution in monorepo tooling (TypeScript path aliases, bundler) for the new relative imports.
  • Confirm package.json peer/dev placements for react/react-dom are consistent across packages and lockfile updated.

Possibly related PRs

Suggested reviewers

  • devkiran

Poem

🐇 I hopped through modules, neat and spry,

swapped barrels for paths, gave versions a try.
Next and React climbed one small stair,
imports now local, tidy as a pair.
I nibble a carrot — build passes, sigh of pie. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately reflects the main changes: upgrading Next.js and React to patch versions, which directly addresses the stated security vulnerability (CVE-2025-55182).
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch upgrade-next-react

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 734498e and 1d39fc9.

📒 Files selected for processing (15)
  • apps/web/app/(ee)/api/track/open/route.ts (1 hunks)
  • apps/web/app/(ee)/api/track/visit/route.ts (1 hunks)
  • apps/web/lib/middleware/admin.ts (1 hunks)
  • apps/web/lib/middleware/api.ts (1 hunks)
  • apps/web/lib/middleware/app.ts (1 hunks)
  • apps/web/lib/middleware/create-link.ts (1 hunks)
  • apps/web/lib/middleware/embed.ts (1 hunks)
  • apps/web/lib/middleware/index.ts (0 hunks)
  • apps/web/lib/middleware/link.ts (1 hunks)
  • apps/web/lib/middleware/new-link.ts (1 hunks)
  • apps/web/lib/middleware/partners.ts (1 hunks)
  • apps/web/lib/middleware/utils/index.ts (0 hunks)
  • apps/web/lib/middleware/workspaces.ts (1 hunks)
  • apps/web/lib/tinybird/record-click.ts (1 hunks)
  • apps/web/middleware.ts (1 hunks)
💤 Files with no reviewable changes (2)
  • apps/web/lib/middleware/index.ts
  • apps/web/lib/middleware/utils/index.ts
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2025-08-18T02:31:22.282Z
Learnt from: steven-tey
Repo: dubinc/dub PR: 2756
File: apps/web/ui/webhooks/webhook-header.tsx:20-20
Timestamp: 2025-08-18T02:31:22.282Z
Learning: The Next.js redirect() function can be used in both Server Components and Client Components, as well as Route Handlers and Server Actions. It is not server-only as previously thought.

Applied to files:

  • apps/web/lib/middleware/partners.ts
📚 Learning: 2025-08-18T02:31:22.282Z
Learnt from: steven-tey
Repo: dubinc/dub PR: 2756
File: apps/web/ui/webhooks/webhook-header.tsx:20-20
Timestamp: 2025-08-18T02:31:22.282Z
Learning: The Next.js redirect() function can be used in both Server Components and Client Components, as well as Route Handlers and Server Actions, according to the official Next.js documentation. It is not server-only.

Applied to files:

  • apps/web/lib/middleware/partners.ts
📚 Learning: 2025-08-26T15:05:55.081Z
Learnt from: TWilson023
Repo: dubinc/dub PR: 2736
File: apps/web/lib/swr/use-bounty.ts:11-16
Timestamp: 2025-08-26T15:05:55.081Z
Learning: In the Dub codebase, workspace authentication and route structures prevent endless loading states when workspaceId or similar route parameters are missing, so gating SWR loading states on parameter availability is often unnecessary.

Applied to files:

  • apps/web/lib/middleware/workspaces.ts
📚 Learning: 2025-08-25T21:03:24.285Z
Learnt from: TWilson023
Repo: dubinc/dub PR: 2736
File: apps/web/app/app.dub.co/(dashboard)/[slug]/(ee)/program/bounties/bounty-card.tsx:1-1
Timestamp: 2025-08-25T21:03:24.285Z
Learning: In Next.js App Router, Server Components that use hooks can work without "use client" directive if they are only imported by Client Components, as they get "promoted" to run on the client side within the Client Component boundary.

Applied to files:

  • apps/web/lib/tinybird/record-click.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (13)
apps/web/lib/tinybird/record-click.ts (1)

13-15: Explicit util imports keep behavior while reducing barrel coupling

Switching from a barrel import to direct imports for detectBot, detectQr, and getIdentityHash is a clean, low-risk refactor and should be behaviorally identical as long as these modules expose the same named exports. Looks good and aligns with the broader middleware utils restructuring.

apps/web/lib/middleware/embed.ts (1)

2-2: LGTM! Clean import path refactoring.

The import path is now more explicit and aligns with the per-module import pattern being adopted across the middleware layer.

apps/web/lib/middleware/new-link.ts (1)

5-5: LGTM! Consistent with the import refactoring pattern.

The explicit import path improves module clarity and aligns with the changes across other middleware files.

apps/web/lib/middleware/admin.ts (1)

5-5: LGTM! Migration from absolute to relative imports.

The change from an absolute path alias to a relative import is part of the broader refactoring to per-module imports and improves module boundaries.

apps/web/lib/middleware/workspaces.ts (1)

6-7: LGTM! Per-module imports properly utilized.

Both isValidInternalRedirect and parse are used in the middleware logic (lines 15 and 10 respectively). The explicit imports improve code clarity.

apps/web/lib/middleware/create-link.ts (1)

3-3: LGTM! Consistent refactoring to relative imports.

The migration to a relative import path aligns with the broader middleware refactoring effort.

apps/web/lib/middleware/api.ts (1)

2-2: LGTM! Consistent import refactoring.

The explicit import path is consistent with the per-module import pattern applied across the middleware layer.

apps/web/lib/middleware/link.ts (1)

28-36: LGTM! Comprehensive expansion of barrel import.

This is the most significant refactoring change in the PR, expanding a single aggregated import into six per-module imports. All imported utilities are actively used throughout the file, and the explicit imports improve code clarity and tree-shaking.

apps/web/lib/middleware/app.ts (1)

12-12: LGTM! Final piece of the import refactoring.

The migration to a relative import path completes the consistent refactoring pattern applied across all middleware files.

apps/web/app/(ee)/api/track/open/route.ts (1)

8-8: Scoped getIdentityHash import looks correct

Importing getIdentityHash from its dedicated utils module is consistent with the new middleware utils layout; usage below remains unchanged and type-compatible.

apps/web/app/(ee)/api/track/visit/route.ts (1)

8-8: Consistent getIdentityHash module import

Switching to the specific get-identity-hash utils module matches the broader middleware refactor and keeps the existing call site intact.

apps/web/lib/middleware/partners.ts (1)

4-5: Localizing middleware utils imports is appropriate

Pulling isValidInternalRedirect and parse from their concrete ./utils/... modules clarifies dependencies and aligns with the new middleware structure without changing behavior.

apps/web/middleware.ts (1)

12-18: Explicit middleware and parse imports match new layout

Switching from aggregated middleware/utils barrels to direct imports from ./lib/middleware/... and ./lib/middleware/utils/parse makes dependencies clearer and should work transparently with the existing routing logic.



@socket-security

socket-security bot commented Dec 3, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | react@19.1.1 ⏵ 19.1.2 | 100 | 100 | 84 | 98 (+1) | 100
Updated | react-dom@19.1.1 ⏵ 19.1.2 | 100 (+1) | 100 | 92 | 98 (+1) | 100
Updated | next@15.5.4 ⏵ 15.5.7 | 100 (+18) | 100 | 100 (+10) | 100 (+3) | 100 (+31)

View full report

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
packages/utils/package.json (1)

19-20: Update peerDependencies to match bumped devDependencies versions.

The peerDependencies are still pinned to the older versions (next 15.5.4, react ^19.1.1) while devDependencies have been updated to 15.5.7 and ^19.1.2. This creates a version mismatch that could cause conflicts for consumers or cause the package to behave differently when tested locally versus when consumed.

Apply this diff to align peerDependencies with the patch updates:

  "peerDependencies": {
-   "next": "15.5.4",
-   "react": "^19.1.1"
+   "next": "15.5.7",
+   "react": "^19.1.2"
  },
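Review bot: the suggested range keeps `next` as an exact pin (`"next": "15.5.7"`) while `react` uses a caret (`"react": "^19.1.2"`); as a security floor an exact pin on a patch version means the very next Next.js patch release reintroduces the same peer mismatch this comment is fixing, so `next` should express the floor the same way `react` does, e.g. `"next": "^15.5.7"` (or `">=15.5.7"`), and the two fields should then be kept in step whenever the dev version is bumped.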
packages/ui/package.json (1)

36-38: Update peerDependencies to match the bumped versions and reflect the CVE patch.

The peerDependencies still declare the older versions (next 15.5.4, react/react-dom 19.1.1), while devDependencies have been bumped to the patch versions. Since this is a published package (@dub/ui), peerDependencies should reflect the versions the package was built and tested against. This mismatch could confuse consumers about which versions are actually supported.

Apply this diff to update peerDependencies:

  "peerDependencies": {
-   "next": "15.5.4",
-   "react": "19.1.1",
-   "react-dom": "19.1.1"
+   "next": "15.5.7",
+   "react": "19.1.2",
+   "react-dom": "19.1.2"
  },
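Review bot: `react` and `react-dom` are pinned exactly to `19.1.2` here, which differs from the `^19.1.2` caret proposed for `packages/utils`; the two published packages should declare the floor in the same form, and since `react-dom` has to match the installed `react` at runtime, whichever form is chosen must be applied to both identically. Also worth stating in the comment: peerDependencies only declare what a consumer is expected to install, so this diff tidies the contract but does not by itself change which version resolves; the bump in `apps/web/package.json` and the (path-filtered) lockfile are what actually close the CVE.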
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5fc7c3a and 7230c89.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • apps/web/package.json (2 hunks)
  • packages/ui/package.json (1 hunks)
  • packages/utils/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
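Added example (editor's code, not part of the dub repository or this PR): a small Node script that audits package.json manifests against the patched-version floor this PR introduces (next 15.5.7, react and react-dom 19.1.2) and reports every dependency field whose declared range still admits an older version. It catches exactly the class of mismatch flagged above, where devDependencies were bumped but peerDependencies still declared 15.5.4 and 19.1.1. The manifests embedded in the script are constructed for the example and only mirror the shape of the three files in this PR; the range parser deliberately understands only exact pins, `^`, `~` and `>=`, and reports anything else rather than guessing.

```javascript
// Added example (not code from the dubinc/dub repository): audit a set of
// package.json manifests for a patched-version floor on the packages a CVE
// fix bumps, and flag any field whose declared range still admits a version
// below that floor. The manifests below are constructed for the example and
// mirror the mismatch the review flagged (devDependencies bumped,
// peerDependencies still on the old versions); they are not the real files.

// Minimum safe versions for this upgrade (from the PR: next 15.5.7,
// react and react-dom 19.1.2).
const PATCH_FLOOR = {
  next: "15.5.7",
  react: "19.1.2",
  "react-dom": "19.1.2",
};

const DEPENDENCY_FIELDS = ["dependencies", "devDependencies", "peerDependencies"];

// Return the lowest version a range admits, as [major, minor, patch], for
// exact pins and the simple prefixes ^, ~, >= and =. Anything else
// (e.g. "*", "latest", "workspace:*", "||" unions) returns null so that it
// is reported instead of being silently accepted as "patched".
function minimumVersion(range) {
  const match = /^(?:\^|~|>=|=)?(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!match) return null;
  return match.slice(1, 4).map(Number);
}

function parseExact(version) {
  return version.split(".").map(Number);
}

// Lexicographic compare of [major, minor, patch]; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Walk every manifest and every dependency field; return one finding per
// declaration that is either below the floor or not parseable. An empty
// list means every manifest declares the patched floor (or higher).
function auditManifests(manifests, floor = PATCH_FLOOR) {
  const findings = [];
  for (const [path, manifest] of Object.entries(manifests)) {
    for (const field of DEPENDENCY_FIELDS) {
      const deps = manifest[field] || {};
      for (const [name, required] of Object.entries(floor)) {
        if (!(name in deps)) continue;
        const range = deps[name];
        const min = minimumVersion(range);
        if (min === null) {
          findings.push({ path, field, name, range, reason: "unparseable range" });
        } else if (compareVersions(min, parseExact(required)) < 0) {
          findings.push({ path, field, name, range, reason: `below ${required}` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not the real dub files): apps/web is fully
// bumped, the two library packages still carry stale peerDependencies.
const SAMPLE_MANIFESTS = {
  "apps/web/package.json": {
    dependencies: { next: "15.5.7", react: "19.1.2", "react-dom": "19.1.2" },
  },
  "packages/utils/package.json": {
    devDependencies: { next: "15.5.7", react: "^19.1.2" },
    peerDependencies: { next: "15.5.4", react: "^19.1.1" },
  },
  "packages/ui/package.json": {
    devDependencies: { next: "15.5.7", react: "19.1.2", "react-dom": "19.1.2" },
    peerDependencies: { next: "15.5.4", react: "19.1.1", "react-dom": "19.1.1" },
  },
};

// One human-readable line per finding, suitable for a CI log.
function formatFindings(findings) {
  return findings.map(
    (f) => `${f.path} ${f.field}.${f.name} = "${f.range}" (${f.reason})`,
  );
}

if (typeof require !== "undefined" && require.main === module) {
  for (const line of formatFindings(auditManifests(SAMPLE_MANIFESTS))) {
    console.log(line);
  }
}
```

In a real run, SAMPLE_MANIFESTS would be replaced by the parsed contents of each package.json in the workspace. Note that a manifest audit like this only checks what is declared: the lockfile (pnpm-lock.yaml, excluded from this review by path filter) is what determines the version actually installed, so this complements rather than replaces checking the resolved version, for example with `pnpm why next`.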

@steven-tey steven-tey merged commit fc76f7c into main Dec 3, 2025
7 of 8 checks passed
@steven-tey steven-tey deleted the upgrade-next-react branch December 3, 2025 22:20
@coderabbitai coderabbitai bot mentioned this pull request Dec 11, 2025