fix: bump next to 15.3.9 (CVE-2025-66478)#520
Open
mvanhorn wants to merge 1 commit into
Open
Conversation
Addresses CVE-2025-66478 (React Server Components RCE, CVSS 10.0). The reporter cited 15.3.6 as the minimum; this PR uses 15.3.9 because yarn audit flagged 15.3.6 as also vulnerable to a secondary issue documented at https://nextjs.org/blog/security-update-2025-12-11. Both yarn.lock and package-lock.json are present in this repo; packageManager declares yarn@1.22.22 so yarn.lock is canonical and that's the one regenerated here. package-lock.json is left untouched to avoid scope creep. Fixes AsyncFuncAI#500
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the next framework from version 15.3.1 to 15.3.9 and introduces a comprehensive set of dependencies for math rendering, including katex, remark-math, and rehype-katex. Feedback indicates that eslint-config-next should also be updated to version 15.3.9 to ensure compatibility and consistent linting rules with the new framework version.
| "dependencies": { | ||
| "mermaid": "^11.4.1", | ||
| "next": "15.3.1", | ||
| "next": "15.3.9", |
Contributor
There was a problem hiding this comment.
While you've correctly updated the next dependency, the corresponding eslint-config-next in devDependencies is still at version 15.3.1. To ensure compatibility and that you're using the correct linting rules for this version of Next.js, please also update eslint-config-next to 15.3.9.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps
nextfrom 15.3.1 to 15.3.9 to address CVE-2025-66478 (React Server Components RCE, CVSS 10.0) reported in #500.The reporter cited 15.3.6 as the minimum patched version. This PR uses 15.3.9 instead because
yarn auditflagged 15.3.6 as also vulnerable to a separate issue documented at https://nextjs.org/blog/security-update-2025-12-11. 15.3.9 is the latest 15.3.x and addresses both.Verified locally:
yarn installregeneratedyarn.lock(canonical perpackageManager: yarn@1.22.22)node_modules/next/package.jsonreports installed version15.3.9yarn auditno longer flagsnextfor CVE-2025-66478 or the 2025-12-11 issuepackage-lock.jsonis also present in the repo (dual lockfile) but left untouched in this PR sincepackageManagerdeclares yarn as canonical. The dual-lockfile state is worth a follow-up cleanup but out of scope here.15.4.x has additional security patches per
yarn audit. That's a minor-version bump - happy to do it as a follow-up if you'd like.Fixes #500