Skip to content

Fix: cve/next-update #157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
skyblue1232 merged 2 commits into from
Dec 6, 2025
Merged

Fix: cve/next-update #157

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0b3b228
fix/cve/next-update
skyblue1232 Dec 6, 2025
45d29ea
fix/dependencies
skyblue1232 Dec 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 5 additions & 7 deletions next.config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
// ๐Ÿ”ฅ Next.js 16์—์„œ Turbopack ๋น„ํ™œ์„ฑํ™” ๊ณต์‹ ๋ฐฉ์‹
export const buildMode = "webpack";

import path from 'path';
import type { NextConfig } from 'next';
import withPWA from 'next-pwa';
Expand All @@ -18,12 +21,6 @@ const baseConfig: NextConfig = {
},

images: {
domains: [
'geulda-ai-video-bucket.s3.ap-southeast-2.amazonaws.com',
'example.com',
'www.bucheon.go.kr',
'www.bcf.or.kr',
],
remotePatterns: [
{ protocol: 'https', hostname: 'mblogthumb-phinf.pstatic.net' },
{ protocol: 'https', hostname: 'blogfiles.pstatic.net' },
Expand All @@ -32,6 +29,7 @@ const baseConfig: NextConfig = {
],
},

// ์ด webpack ์„ค์ •์ด ์กด์žฌํ•˜๋ฉด Next 16์€ Turbopack ๋Œ€์‹  Webpack ๋นŒ๋“œ ์‚ฌ์šฉ
webpack: (config) => {
const svgRule = config.module.rules.find(
// @ts-ignore
Expand All @@ -58,7 +56,7 @@ const baseConfig: NextConfig = {
});

return config;
},
}
};

const withPWABundle = withPWA({
Expand Down
4 changes: 2 additions & 2 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
"private": true,
"scripts": {
"dev": "next dev",
"build": "next build",
"build": "next build --webpack",
"start": "next start",
"lint": "eslint",
"icons:clean": "svgo -r -f src/shared/icons/source --config=./svgo.config.mjs --multipass",
Expand All @@ -17,7 +17,7 @@
"clsx": "^2.1.1",
"jwt-decode": "^4.0.0",
"lottie-react": "^2.4.1",
"next": "15.5.4",
"next": "16.0.7",
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

โš ๏ธ Potential issue | ๐Ÿ”ด Critical

๐Ÿงฉ Analysis chain

๐ŸŒ Web query:

Next.js 16 release notes breaking changes migration guide

๐Ÿ’ก Result:

Quick summary of the important breaking changes in Next.js 16 and a short migration checklist.

Breaking changes (highโ€‘impact)

  • Async Request APIs: cookies(), headers(), draftMode(), params, searchParams are now asynchronous (must await / mark functions async). [1][3]
  • Node/TypeScript min versions: Node.js >= 20.9 (drop Node 18); TypeScript >= 5.x required. [1][2]
  • Removed/renamed features: AMP removed; serverRuntimeConfig/publicRuntimeConfig removed (use env vars); next lint command removed (use ESLint); old legacy image imports removed/changed. middleware.ts renamed to proxy.ts (edge proxy semantics). [1][2][3]
  • Caching & APIs: new Cache Components and updated cache/tag APIs (revalidateTag/updateTag changes). [2][3]
  • Tooling defaults: Turbopack as default bundler; React 19 compatibility (View Transitions, new React APIs). [2][6]

Minimal migration checklist

  1. Read the official upgrade guide and scan for projectโ€‘specific notes. [1]
  2. Upgrade runtime/tooling: update Node on CI/hosts to >=20.9 and TypeScript to >=5.x. Test locally first. [1][2]
  3. Run the automated codemod, then fix remaining issues manually:
    • npx @next/codemod@canary upgrade latest
    • or follow docsโ€™ recommended codemod commands. [2][3]
  4. Convert any pages/layouts/routes using params/searchParams/cookies/headers/draftMode to async (add async/await and adjust types). Use npx next typegen if you need generated types. [1][3]
  5. Replace removed features:
    • Remove AMP configs and legacy image imports โ†’ use next/image and remotePatterns.
    • Move runtime config usage to environment variables (NEXT_PUBLIC_ for client).
    • Replace middleware.ts usage with proxy.ts patterns and validate edge behavior. [1][2][3]
  6. Update caching code to new cache/tag APIs and check revalidation semantics. [2][6]
  7. Run full test suite and endโ€‘toโ€‘end checks; test build and deploy pipeline (Turbopack behavior may differ). [2][6]
  8. Fix any CI/linting scripts (next lint removed โ€” call ESLint directly). [1][6]

Useful references

  • Official Next.js upgrade notes (Version 16) โ€” primary migration doc. [1]
  • InfoQ summary / release analysis (breaking changes, Node/TS requirements). [2]
  • Community migration notes and common breakages (examples & codemod tips). [3]

If you want, I can:

  • run the codemod command suggestions tailored to your repo (give me package.json and a short file list), or
  • generate an automated checklist of code changes for your codebase (need repo link or copy of key files).

Sources:
[1] Next.js โ€” Upgrading: Version 16 (official docs).
[2] InfoQ article: Vercelโ€™s Next.js 16 release summary.
[3] Community migration writeup (examples of common breakages and codemod usage).

๐ŸŒ Web query:

eslint-config-next version compatibility with next package

๐Ÿ’ก Result:

Short answer: eslint-config-next is the ESLint preset shipped by the Next.js repo and is intended to match the Next.js release series โ€” use the eslint-config-next version that ships with (or is installed by) the same Next.js release. The package also has separately evolving peer-dependencies (notably ESLint v7/8 โ†’ v9 migration), so mismatching eslint-config-next, Next.js, or ESLint versions can cause peer-dep warnings or runtime errors. [1][2][3]

Practical guidance:

  • The simplest approach: let create-next-app / next lint install eslint + eslint-config-next for you (they will pick compatible versions). [1]
  • If you manage versions manually, install the eslint-config-next version published alongside your next version (or use the one documented on the Next.js docs/npm page). If you see peer-dep warnings, check eslint-config-nextโ€™s package.json for its eslint peerDependency and align ESLint accordingly. [1][3]
  • If you upgrade Next.js to a major/canary release, also upgrade eslint-config-next (and ESLint) to the matching versions to avoid incompatibilities. Community issues describe errors when ESLint or eslint-config-next versions diverge. [2][3]

Sources:

  • Next.js docs โ€” ESLint / eslint-config-next. [1]
  • vercel/next.js GitHub issues on eslint-config-next / ESLint peer-dependency changes. [2]
  • npm package page for eslint-config-next (shows published versions). [3]

๐ŸŒ Web query:

Next.js 16 React 19 compatibility requirements

๐Ÿ’ก Result:

Short answer โ€” Next.js 16 is designed to work with React 19, but you must meet a few platform/version requirements:

  • React: 19.x (React 19.2 features are referenced in the Next.js 16 docs; upgrade to the latest 19.x patch recommended). [1][2]
  • Node.js: minimum 20.9.0 for Next.js 16 (Node 18 is no longer supported). [1]
  • TypeScript: minimum 5.x (docs show 5.1+ required). [1]
  • Tooling/runtime notes: Next.js 16 includes firstโ€‘class support for the React Compiler and newer React 19 features (view transitions, useEffectEvent, Activity), but some React 19 interactions were patched after initial releases โ€” keep React and Next.js patched to the latest 19.x / 16.x maintenance releases. [2][4]
  • Support window: Next.js 16 is the active major; follow the Next.js support policy for LTS/patches. [3]

If you want, I can check your project's package.json and CI/node versions and give an exact upgrade checklist.

eslint-config-next must match the Next.js major version.

next was updated to 16.0.7, but eslint-config-next at line 41 remains at 15.5.4. The eslint-config-next package is versioned alongside each Next.js release and mismatching major versions causes peer-dependency warnings and ESLint configuration errors. Update eslint-config-next to 16.0.7 to match.

Additionally, Next.js 16 introduces significant breaking changes requiring migration: async Request APIs (cookies, headers, params, searchParams must be awaited), Node.js โ‰ฅ20.9 requirement (Node 18 no longer supported), TypeScript โ‰ฅ5.x requirement, and the next lint command removal (use ESLint directly). The PR description should document which breaking changes apply to this codebase and confirm that automated migration via npx @next/codemod@canary upgrade latest was performed.

โš ๏ธ Potential issue | ๐Ÿ”ด Critical

๐Ÿงฉ Analysis chain

๐Ÿ Script executed:

cat -n package.json | head -30

Repository: geulDa/FE

Length of output: 1122

๐Ÿ Script executed:

git log --oneline -20

Repository: geulDa/FE

Length of output: 80

๐Ÿ Script executed:

git diff HEAD~1 package.json | head -50

Repository: geulDa/FE

Length of output: 239

๐Ÿ Script executed:

git log --all --oneline | head -20

Repository: geulDa/FE

Length of output: 121

๐Ÿ Script executed:

git show --name-only HEAD

Repository: geulDa/FE

Length of output: 7546

๐Ÿ Script executed:

find . -type f -name "next.config.*" | head -5

Repository: geulDa/FE

Length of output: 69

๐Ÿ Script executed:

rg -l "next/router|useRouter|getServerSideProps|getStaticProps|getInitialProps" --type ts --type tsx --type js --type jsx

Repository: geulDa/FE

Length of output: 80

๐Ÿ Script executed:

rg "useRouter|getServerSideProps|getStaticProps|getInitialProps" --type ts --type js -A 2 | head -50

Repository: geulDa/FE

Length of output: 2487

๐Ÿ Script executed:

cat -n next.config.ts | head -40

Repository: geulDa/FE

Length of output: 1338

๐Ÿ Script executed:

cat -n src/pages/_app.tsx | head -50

Repository: geulDa/FE

Length of output: 1612

๐Ÿ Script executed:

cat -n src/pages/_document.tsx

Repository: geulDa/FE

Length of output: 957

๐ŸŒ Web query:

Next.js 15 to 16 breaking changes migration

๐Ÿ’ก Result:

Summary checklist to migrate from Next.js 15 โ†’ 16

  1. Upgrade core deps
  • Install Next 16 + matching React/Reactโ€‘DOM and update @types if using TS. [1][2]
  1. Platform requirements
  • Node.js >= 20.9.0 and TypeScript >= 5.1 required; update CI/deploy images. [2][3]
  1. Run the automated codemods (first step)
  • npx @next/codemod@canary upgrade latest โ€” handles many mechanical changes (turbopack config, middleware โ†’ proxy, removing unstable_ prefixes, lint CLI, etc.). Run and review diffs. [1][2]
  1. Async Request APIs (major breaking change)
  • cookies(), headers(), draftMode(), and route props like params and searchParams are now async only (synchronous access removed). Convert affected pages/layouts/routes/components to async and await these APIs (codemod covers many cases but manual fixes likely needed). Use npx next typegen to regenerate PageProps/LayoutProps/RouteContext for TS. [1][3][6]
  1. Middleware / network boundary rename
  • Rename middleware.ts โ†’ proxy.ts and follow new proxy semantics; update any custom logic accordingly. [2][8]
  1. Removed / changed features
  • AMP support removed โ€” remove AMP flags and APIs. [2]
  • next lint command removed โ€” switch to running ESLint/Biome directly; codemod available to migrate lint invocation. [2]
  • Deprecated devIndicators and runtime config options removed โ€” replace with env vars and adjust config. [2]
  1. Caching / PPR changes
  • experimental.ppr / experimental.dynamicIO merged/renamed into cacheComponents / explicit cache APIs; review caching and ISR logic (revalidate APIs may have updated signatures). [1][2][8]
  1. Turbopack / build config
  • Turbopack config moved out of experimental to top-level turbopack; review next.config.* changes and custom bundler settings. [1][2]
  1. Test and CI
  • Run full test suite, lint (with ESLint/BIOME), endโ€‘toโ€‘end checks, and a staging deploy using Node 20.9+.
  • Search codebase for synchronous uses of params/searchParams/cookies/headers/draftMode and verify theyโ€™re awaited.

Quick commands

  • Automated codemod: npx @next/codemod@canary upgrade latest. [1]
  • Type generation (TS): npx next typegen. [1]

Primary references

  • Next.js upgrade docs (Version 16) โ€” migration notes & codemod. [1]
  • Next.js 16 blog / release notes โ€” version requirements and removals. [2]
  • Next.js 16 beta blog (breaking async APIs explained). [3]
  • Coverage/analysis articles and migration experiences (summary of common breakages). [8][6]

Want: I can run the codemod suggestions against a sample file or scan a repo diff for likely async-API failures โ€” upload a file or paste code and Iโ€™ll show exactly what to change.

๐ŸŒ Web query:

React CVE security issues 2025 Next.js upgrade

๐Ÿ’ก Result:

Short summary and immediate actions

  • A critical RCE in React Server Components (CVE-2025-55182, "React2Shell") was disclosed Dec 3, 2025; it affects react-server-dom-* packages in React 19.0.0, 19.1.0/1 and 19.2.0 and is rated critical (CVSS ~10). React recommends immediate upgrade. [1][2]

  • Next.js (App Router) implementations were also affected (tracked separately; public advisories list vulnerable Next.js 15.x/16.x Appโ€‘Router releases) and patched Next.js releases are available โ€” upgrade Next.js to the patched 15.x/16.x versions listed by vendors. [3][4]

What you must do now (minimum required)

  1. Upgrade React packages to patched versions: 19.0.1 / 19.1.2 / 19.2.1 (whichever line you use). Rebuild and redeploy. [1][3]
  2. Upgrade Next.js to the vendor-published patched release for your minor version (follow the Next.js advisory / changelog for exact patched 15.x/16.x version numbers you use) and rebuild/redeploy. [3][4]
  3. Check transitive dependencies and frameworks (Vite/Parcel RSC plugins, Redwood, Waku, etc.) โ€” ensure no lockfile or package pins keep vulnerable react-server-dom packages. Update or patch any third-party frameworks that bundle RSC. [2][5]
  4. Rebuild CI/CD artifacts, clear caches, redeploy server images/containers and serverless bundles so the patched packages are used at runtime. [3][6]
  5. Add runtime mitigations where possible: WAF rules to detect malformed RSC payloads, tighten network exposure of RSC endpoints, and enable sandboxing / runtime isolation. These are defenseโ€‘inโ€‘depth; they do not replace upgrading. [3][4]

How to verify

  • Confirm installed versions with npm/yarn (npm ls react react-dom next) and check for vulnerable react-server-dom packages. [3]
  • Use available scanners/indicators-of-compromise published for CVE-2025-55182 to test staging environments (do not run PoCs against production). [5]

References
[1] React official advisory: Critical Security Vulnerability in React Server Components (Dec 3, 2025).
[2] Canadian Cyber Centre / security advisory referencing CVE-2025-55182 (Dec 3, 2025).
[3] Vendor/security writeups and Next.js remediation guidance (patch lists & upgrade commands).
[4] Cisco / industry advisories summarizing CVE-2025-55182 impact and remediation.
[5] Public scanners / detection pages for CVE-2025-55182 (detection guidance).
[6] Snyk/Dev posts with practical mitigation steps and rebuild guidance.

If you want, tell me your project's package.json or npm ls output and I will check which vulnerable packages you have and give exact upgrade commands.

๐Ÿ Script executed:

grep -r "app/" src/ --include="*.tsx" --include="*.ts" | head -20

Repository: geulDa/FE

Length of output: 35

๐Ÿ Script executed:

find src -name "middleware.ts" -o -name "proxy.ts"

Repository: geulDa/FE

Length of output: 35

๐Ÿ Script executed:

rg "useCache|getCookie|getHeader|draftMode" --type ts --type tsx

Repository: geulDa/FE

Length of output: 80

๐Ÿ Script executed:

cat pnpm-lock.yaml | grep -A 5 "react@19.1.0"

Repository: geulDa/FE

Length of output: 15530

React 19.1.0์€ CVE-2025-55182(React Server Components RCE) ์ทจ์•ฝ์ ์ด ์žˆ์Šต๋‹ˆ๋‹ค. ์ฆ‰์‹œ ์—…๊ทธ๋ ˆ์ด๋“œ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

ํ˜„์žฌ ์„ค์น˜๋œ React 19.1.0์€ December 3, 2025์— ๊ณต๊ฐœ๋œ CVE-2025-55182 "React2Shell"์— ์ทจ์•ฝํ•ฉ๋‹ˆ๋‹ค. ์ด๋Š” React Server Components์˜ ์›๊ฒฉ ์ฝ”๋“œ ์‹คํ–‰(RCE) ์ทจ์•ฝ์ ์œผ๋กœ CVSS 10.0 ๋“ฑ๊ธ‰์˜ ์‹ฌ๊ฐํ•œ ๋ณด์•ˆ ๊ฒฐํ•จ์ž…๋‹ˆ๋‹ค.

์ฆ‰์‹œ ์กฐ์น˜ ์‚ฌํ•ญ:

  • React๋ฅผ 19.1.2(๋˜๋Š” 19.0.1/19.2.1)๋กœ ์—…๊ทธ๋ ˆ์ด๋“œ: pnpm update react@19.1.2 react-dom@19.1.2
  • ๋ณ€๊ฒฝ์‚ฌํ•ญ ํ™•์ธ ํ›„ ๋นŒ๋“œ ๋ฐ ๋ฐฐํฌ

๋ณธ ์ฝ”๋“œ๋ฒ ์ด์Šค๋Š” Pages Router๋ฅผ ์‚ฌ์šฉํ•˜๋ฏ€๋กœ Next.js 15โ†’16 ์ฃผ์š” ๋ฒ„์ „ ๋ณ€๊ฒฝ์— ๋”ฐ๋ฅธ async cookies(), headers(), ๋˜๋Š” middleware.ts ๋งˆ์ด๊ทธ๋ ˆ์ด์…˜์ด ๋ถˆํ•„์š”ํ•ฉ๋‹ˆ๋‹ค. Next.js 16.0.7์€ ์ด๋ฏธ ํ˜ธํ™˜๋˜๋Š” ์ƒํƒœ์ž…๋‹ˆ๋‹ค. ์ด PR์˜ ์ฃผ์š” ๋ชฉ์ ์€ ๋ณด์•ˆ ์ทจ์•ฝ์ (React CVE) ํ•ด๊ฒฐ์ด๋ฉฐ, Next.js ์ž์ฒด์˜ ์ฃผ์š” ๋ณ€๊ฒฝ์‚ฌํ•ญ ๋Œ€์‘์€ ํ˜„ ์ฝ”๋“œ์— ์ ์šฉ๋˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค.

"next-pwa": "^5.6.0",
"react": "19.1.0",
"react-dom": "19.1.0",
Expand Down
90 changes: 45 additions & 45 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions public/sw.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions public/workbox-e9849328.js
View file
Open in desktop

Large diffs are not rendered by default.

Loading
Loading