[공통] 보안 취약점 대응을 위한 next, react 버전 업

[ff1451]

연관 이슈

• Close [공통] 보안 취약점 대응을 위한 next, react 버전 업 #26

작업 내용 🔍

• 기능 : 라이브러리 버전 업
• issue : [공통] 보안 취약점 대응을 위한 next, react 버전 업 #26

작업 주요 내용 📝

RSC에서 보안취약점 발생하여 react, next 버전 업데이트 진행

배포 슬랙 알림 워크플로우 추가

Summary by CodeRabbit

• Chores
  • Updated Next.js from 16.1.6 to 16.2.3
  • Updated React and React-DOM from 19.2.4 to 19.2.5
  • Enhanced deployment workflow with automated notifications

[coderabbitai]

Warning

Rate limit exceeded

@ff1451 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 53 minutes and 39 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 53 minutes and 39 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 39b24c55-763a-4b4a-a07a-efb0cd5680a4

📥 Commits

Reviewing files that changed from the base of the PR and between 1c12dbf and 0261651.

📒 Files selected for processing (1)

• .github/workflows/nextjs.yml

📝 Walkthrough

Walkthrough

The PR introduces a new Slack notification workflow job that reports build and deployment status after the build-and-deploy step completes, and updates Next.js and React dependencies to address security vulnerabilities.

Changes

Cohort / File(s)	Summary
Workflow Notification Job .github/workflows/nextjs.yml	Adds a new notify job that resolves the deploying actor's name, constructs a deployment status payload, and sends it to a Slack API endpoint via curl.
Dependency Updates package.json	Updates next from 16.1.6 to 16.2.3, and react/react-dom from 19.2.4 to 19.2.5 for security vulnerability remediation.

Sequence Diagram(s)

sequenceDiagram
    participant GHA as GitHub Actions
    participant GHScript as GitHub Script Action
    participant FS as File System<br/>(reviewer.json)
    participant Slack as Slack API

    GHA->>GHA: Build and Deploy completes
    GHA->>GHA: Notify job triggered (if: always())
    GHA->>GHScript: Resolve actor name from<br/>github.actor
    GHScript->>FS: Read .github/workflows/<br/>reviewer.json
    FS-->>GHScript: Reviewer list
    GHScript->>GHScript: Match github.actor<br/>to githubName
    GHScript-->>GHA: Actor display name
    GHA->>GHA: Construct JSON payload<br/>(status, actor, commit,<br/>environment, run URL)
    GHA->>Slack: POST deployment notification
    Slack-->>GHA: 200 OK

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A workflow so neat, with notifications galore,
Dependencies patched to keep bugs at the door,
The rabbit applauds this security care,
With Slack updates flowing through GitHub's fresh air! 🌟

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR includes a new Slack notification workflow job in .github/workflows/nextjs.yml that is not mentioned in issue #26's stated objectives of updating React and Next.js versions.	Either move the Slack notification workflow to a separate PR aligned with a different issue, or update issue #26 to explicitly include this workflow addition as a requirement.
Linked Issues check	❓ Inconclusive	The PR updates React and Next.js versions as required by issue #26, but includes an out-of-scope Slack notification workflow that is not mentioned in the linked issue objectives.	Clarify whether the Slack notification workflow addition is intentional; if out-of-scope, move it to a separate PR or update the issue to include this requirement.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly relates to the main change: updating Next.js and React versions for security vulnerability mitigation, which is precisely what the package.json changes accomplish.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/#26/version-up

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/nextjs.yml (1)

103-115: Consider adding error handling for the Slack notification.

The curl command doesn't handle failure cases. While this may be acceptable since the job runs with if: always() and is just a notification, adding -f flag or checking the response would help with debugging if notifications fail silently.

💡 Optional: Add failure handling

-         curl -X POST https://api-slack.internal.bcsdlab.com/api/deploy/frontend \
+         curl -f -X POST https://api-slack.internal.bcsdlab.com/api/deploy/frontend \
          -H 'Content-Type: application/json' \
-         -d "$BODY"
+         -d "$BODY" || echo "::warning::Slack notification failed"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/nextjs.yml around lines 103 - 115, The Slack notification
curl call using the BODY variable lacks error handling; modify the invocation of
curl (the POST to https://api-slack.internal.bcsdlab.com/api/deploy/frontend) to
fail loudly and report errors: add the -f/--fail flag and capture curl’s exit
code and/or response body, then echo or write a useful error message including
the response or exit code (and the BODY context) when non-zero; ensure the
GitHub Actions step fails or logs clearly so failed notifications are visible in
workflow logs.

package.json (1)

15-17: Version updates are valid, but consider updating eslint-config-next for consistency.

The dependency upgrades to next@16.2.3, react@19.2.5, and react-dom@19.2.5 address the security objective. However, eslint-config-next on line 28 remains at 16.1.1 while next advances to 16.2.3. Updating eslint-config-next to 16.2.3 would align versions and ensure you pick up any new linting rules included in the Next.js release.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 15 - 17, The package.json currently upgrades
next/react/react-dom to 16.2.3/19.2.5 but leaves eslint-config-next at 16.1.1;
update the eslint-config-next dependency to "16.2.3" to match Next.js so lint
rules stay in sync—locate the "eslint-config-next" entry in package.json and
change its version string to 16.2.3, then run your install (e.g., npm/yarn) to
refresh lockfile and ensure no peer conflicts.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/nextjs.yml:
- Around line 77-78: The notify job references a non-existent job name
build-and-deploy; update the notify job's needs array to depend on the existing
deploy job instead (replace build-and-deploy with deploy) so notify runs after
the deploy job completes; check the notify job definition and the needs key to
ensure it uses "deploy" not "build-and-deploy".
- Around line 96-101: Update the job dependency reference from
needs.build-and-deploy.result to needs.deploy.result (affects STATUS assignment)
and eliminate command-injection risk when creating COMMIT_MSG: stop
interpolating the raw commit message directly into the shell; instead set the
commit message from a GitHub expression that escapes/serializes the value (use
toJson or assign it as an env var) and then safely extract the first line with a
quoted, non-evaluating shell command (e.g., use printf '%s' "$COMMIT_MSG_RAW" |
head -1), ensuring all variable uses (COMMIT_MSG, STATUS, ENVIRONMENT, RUN_URL,
ACTOR) are quoted to avoid word-splitting or expansion.

---

Nitpick comments:
In @.github/workflows/nextjs.yml:
- Around line 103-115: The Slack notification curl call using the BODY variable
lacks error handling; modify the invocation of curl (the POST to
https://api-slack.internal.bcsdlab.com/api/deploy/frontend) to fail loudly and
report errors: add the -f/--fail flag and capture curl’s exit code and/or
response body, then echo or write a useful error message including the response
or exit code (and the BODY context) when non-zero; ensure the GitHub Actions
step fails or logs clearly so failed notifications are visible in workflow logs.

In `@package.json`:
- Around line 15-17: The package.json currently upgrades next/react/react-dom to
16.2.3/19.2.5 but leaves eslint-config-next at 16.1.1; update the
eslint-config-next dependency to "16.2.3" to match Next.js so lint rules stay in
sync—locate the "eslint-config-next" entry in package.json and change its
version string to 16.2.3, then run your install (e.g., npm/yarn) to refresh
lockfile and ensure no peer conflicts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 200f5156-e06e-4753-92b3-612f024d055e

📥 Commits

Reviewing files that changed from the base of the PR and between 28c60fb and 1c12dbf.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• .github/workflows/nextjs.yml
• package.json