Fix Next.js DoS vulnerability (GHSA-h25m-26qc-wcjf)#569
Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
Pull request overview
Updates the Next.js adapter dependency constraints and lockfile to remediate the GHSA-h25m-26qc-wcjf DoS vulnerability by moving off vulnerable Next.js (<15.0.8) versions.
Changes:
- Bumped `@objectstack/nextjs` peer/dev dependency on `next` from `^14.0.0` to `^15.0.8`.
- Bumped `@objectstack/nextjs` peer/dev dependency on `react-dom` to align with the existing React 19 version.
- Regenerated `pnpm-lock.yaml` to reflect the updated Next.js dependency tree.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/adapters/nextjs/package.json | Raises Next.js peer/dev dependency floor to patched versions and aligns React DOM peer/dev dependency. |
| pnpm-lock.yaml | Updates resolved Next.js and transitive dependencies to remove vulnerable 14.x from the tree. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| "react-dom": "^19.2.4", | ||
| "typescript": "^5.0.0" |
This PR changes published package peer/dev dependency requirements for @objectstack/nextjs (Next/React versions). If this is intended to ship to consumers, add a Changeset so the version/changelog get bumped appropriately (or apply the repo’s skip-changeset process if you intentionally don’t want a release).
| "react-dom": "^19.2.4", | |
| "typescript": "^5.0.0" | |
| "react-dom": "^19.2.4" |
| "next": "^15.0.8", | ||
| "react": "^19.2.4", | ||
| "react-dom": "^18.3.1" | ||
| "react-dom": "^19.2.4" |
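Review bot: the new `next` peer range `^15.0.8` keeps every version in the advisory's vulnerable range (<15.0.8) out of consumers' trees, but a caret range still admits any later 15.x, so what CI's `pnpm audit` actually evaluates is the resolved `next@15.5.12` in the regenerated lockfile; confirm the audit passes on this branch and that no other workspace importer still pins a 14.x `next` that would reintroduce the vulnerable version transitively.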
@objectstack/nextjs doesn’t import react/react-dom directly (it only uses next/server). Pinning react/react-dom to ^19.2.4 as peer deps unnecessarily blocks consumers on React 18, which Next 15 still supports. Consider removing these peer deps or widening them to match Next’s supported peer range (and keep them only in devDependencies for local builds).
| next@15.5.12: | ||
| resolution: {integrity: sha512-Fi/wQ4Etlrn60rz78bebG1i1SR20QxvV8tVp6iJspjLUSHcZoeUXCt+vmWoEcza85ElZzExK/jJ/F6SvtGktjA==} | ||
| engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} |
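Review bot: because `pnpm-lock.yaml` was regenerated rather than edited for `next` alone, the lockfile diff can carry unrelated transitive bumps alongside the Next.js tree; skim the rest of the lockfile change for packages that moved without a corresponding `package.json` change, and keep the `integrity` field for `next@15.5.12` as resolved from the registry so the CI install stays reproducible.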
next@15.5.12 now requires Node ^18.18.0 || ^19.8.0 || >=20.0.0 (per engines). The repo-level documented/declared minimum is currently >=18.0.0, which is no longer sufficient to install/run this workspace without warnings or potential failures. Consider bumping the repo (and/or package) Node engine requirement to at least >=18.18.0 to match Next 15.
CI failing on `pnpm audit` due to high-severity vulnerability in Next.js <15.0.8: HTTP request deserialization can trigger DoS in React Server Components.

Changes

packages/adapters/nextjs/package.json
- next: `^14.0.0` → `^15.0.8` (resolves to 15.5.12)
- react-dom: `^18.3.1` → `^19.2.4` (align with React 19, eliminate peer dep warning)

pnpm-lock.yaml

Security Status
- @objectstack/nextjs: 15.5.12 (patched)
- @objectstack/docs: 16.1.6 (unaffected)
- Advisory: GHSA-h25m-26qc-wcjf
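The check below is an added example, not code from this PR or from the objectstack project. It shows how a CI step could verify the remediation the PR describes independently of `pnpm audit`: it compares every resolved `next` version found in a pnpm v9-style lockfile against the fixed version the PR names (15.0.8, with everything below it treated as vulnerable), and confirms that the floor of the new `^15.0.8` peer range is itself outside that range. The lockfile excerpt is constructed for the demo, the integrity values are placeholders, and the `packages:` key format (`  next@15.5.12:`) is assumed from the lockfile line quoted in the review.

```javascript
// Added example (not part of the PR): verify that no resolved `next` version in a
// pnpm-lock.yaml-style text falls in the vulnerable range (< 15.0.8 per the PR's
// description of GHSA-h25m-26qc-wcjf), and that a caret peer range's floor is safe.

const PATCHED_NEXT = '15.0.8'; // first fixed version, as stated in the PR description

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Semver-style ordering: numeric parts first; a prerelease sorts below the
// corresponding release, so 15.0.8-canary.1 is still treated as below 15.0.8.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // plain string order is sufficient for this demo
}

// True when the version is inside the advisory's vulnerable range.
function isVulnerableNext(version) {
  return compareVersions(version, PATCHED_NEXT) < 0;
}

// The lowest version a simple caret range admits is the version it names,
// so "^15.0.8" can never resolve to a vulnerable release.
function caretFloor(range) {
  const m = /^\^(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(range.trim());
  if (!m) throw new Error(`not a simple caret range: ${range}`);
  return m[1];
}

// Scan `packages:` keys of the form "  next@<version>:" (optionally with a
// peer-dependency suffix in parentheses) and return the vulnerable versions.
function findVulnerableNext(lockText) {
  const re = /^[ ]{2}next@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)(?:\(.*\))?:\s*$/gm;
  const vulnerable = [];
  let m;
  while ((m = re.exec(lockText)) !== null) {
    if (isVulnerableNext(m[1])) vulnerable.push(m[1]);
  }
  return vulnerable;
}

// Constructed lockfile excerpt: one stale 14.x entry left in the tree next to
// the patched 15.5.12 the PR resolves to. Integrity hashes are placeholders.
const SAMPLE_LOCK = `
packages:

  next@14.2.3:
    resolution: {integrity: sha512-PLACEHOLDER-CONSTRUCTED}

  next@15.5.12:
    resolution: {integrity: sha512-PLACEHOLDER-CONSTRUCTED}
    engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0}

  react-dom@19.2.4:
    resolution: {integrity: sha512-PLACEHOLDER-CONSTRUCTED}
`;

// Run the two checks a CI gate would apply to this PR.
function runChecks(lockText, peerRange) {
  const leftovers = findVulnerableNext(lockText);
  const floor = caretFloor(peerRange);
  return { leftovers, floor, floorIsSafe: !isVulnerableNext(floor) };
}

console.log(runChecks(SAMPLE_LOCK, '^15.0.8'));
// Sample output: { leftovers: ['14.2.3'], floor: '15.0.8', floorIsSafe: true }
```

In a real pipeline the lockfile text would be read from disk and a non-empty `leftovers` array would fail the job; the prerelease handling matters because a canary build of the fixed version is not the fixed version.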