# React Flight / Next.js RCE Advisory - Vulnerability Fix and Update Report

## Summary

The umami repository was affected by the React Flight / Next.js RCE advisory. The repository had Next.js 15.5.3, which is vulnerable. This has been updated to the patched version 15.5.7.

## Affected Package Detection

Inspected all package.json files in the repository:

- Root package.json: ./package.json
- Monorepo: Not a monorepo (pnpm workspace configured but only root package.json with meaningful dependencies)

## Changes Applied

### Next.js Vulnerability Fix

✅ **PATCHED** - Updated next from 15.5.3 to 15.5.7

- Previous version: next@15.5.3 (vulnerable)
- Updated version: next@15.5.7 (patched)
- This is the correct patch version for the 15.5.x line per the advisory
- Addresses the React Flight RCE vulnerability (CVE impact on Next.js)

### React Flight Packages Status

✅ **NOT AFFECTED** - Project does not use React Flight packages

- Project does NOT use react-server-dom-webpack
- Project does NOT use react-server-dom-parcel
- Project does NOT use react-server-dom-turbopack
- No React Flight specific patches required

### React & React-DOM Status

✅ **NO MANUAL CHANGES NEEDED**

- Project uses React 19.2.0 and React-DOM 19.2.0
- These versions remain unchanged (correctly per the advisory)
- react and react-dom themselves are not vulnerable
- Next.js 15.5.7 provides the necessary security patches
- Per the advisory: "For Next.js projects, do not manually upgrade react or react-dom"

## Files Modified

1. **package.json** - Changed: `"next": "15.5.3"` → `"next": "15.5.7"`
2. **pnpm-lock.yaml** - Updated dependency locks to reflect Next.js 15.5.7 - Cleaned up unused transitive dependencies (previous versions of sharp and emnapi)

## Verification Performed

✅ **Build Verification**: Next.js build completed successfully with `npm run build-app`

- Output shows all pages compiled correctly
- No build errors introduced by the package update

✅ **Lockfile Verification**: pnpm-lock.yaml correctly resolves to:

- next@15.5.7 (with expected dependencies)
- react@19.2.0 (unchanged as recommended)
- react-dom@19.2.0 (unchanged as recommended)

## Conclusion

The vulnerability has been successfully patched. The repository now uses the secure version of Next.js (15.5.7) that addresses the React Flight RCE advisory. The build completes successfully, confirming compatibility with the patched version. No other changes were required as the project does not use any React Flight packages.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
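The "Affected Package Detection" and "Lockfile Verification" steps in the report above are easy to get wrong by eye: a range specifier can hide a vulnerable lower bound, and a lockfile can carry a stale resolved entry next to the new one. The following is an added example, not part of the PR description and not umami's own code, that performs both checks over a package.json and a pnpm-lock.yaml. It assumes what the report states: that 15.5.7 is the advisory's fixed release for the 15.5.x line (the only line covered here) and that the React Flight packages to look for are the three named in the report. All inputs in the block are constructed, abbreviated samples, not files from the repository.

```javascript
// Added example (not umami's code): verify that package.json and
// pnpm-lock.yaml actually reflect the Next.js bump described in the report.
// Assumption: the fixed release for the 15.5.x line is 15.5.7, as the report
// states; other minor lines are deliberately reported as "unknown".

const PATCHED_BY_LINE = { '15.5': '15.5.7' };
const FLIGHT_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// "15.5.3", "^15.5.3", "~15.5.3" -> [15, 5, 3]; anything else -> null.
function parseSemver(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A range such as "^15.5.3" is judged by its lower bound: with a frozen
// lockfile that is what gets installed. Lines not in the table come back
// as "unknown", never silently as safe.
function nextStatus(declared) {
  const v = parseSemver(declared);
  if (!v) return 'unknown';
  const patched = PATCHED_BY_LINE[`${v[0]}.${v[1]}`];
  if (!patched) return 'unknown';
  return compareSemver(v, parseSemver(patched)) < 0 ? 'vulnerable' : 'patched';
}

function checkManifest(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return {
    next: deps.next ? { declared: deps.next, status: nextStatus(deps.next) } : null,
    flightPackages: FLIGHT_PACKAGES.filter((name) => name in deps),
    react: deps.react || null,
    reactDom: deps['react-dom'] || null,
  };
}

// pnpm lockfile v9 lists resolved packages as "name@version:" keys (peer
// suffixes follow the version in the snapshots section). Every resolved
// version of `name` is collected, so a stale entry beside the new one is
// still reported.
function lockedVersions(lockText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^\\s*' + escaped + '@(\\d+\\.\\d+\\.\\d+)[^\\n]*:\\s*$', 'gm');
  const found = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return [...found].sort();
}

// Verdict: manifest pins a patched next, the lockfile resolves only patched
// next versions, and no React Flight package is declared.
function audit(pkgJsonText, lockText) {
  const manifest = checkManifest(pkgJsonText);
  const locked = lockedVersions(lockText, 'next');
  const ok =
    manifest.next !== null &&
    manifest.next.status === 'patched' &&
    locked.length > 0 &&
    locked.every((v) => nextStatus(v) === 'patched') &&
    manifest.flightPackages.length === 0;
  return { manifest, locked, ok };
}

// Constructed samples mirroring the before/after state in the report.
const PKG_BEFORE = JSON.stringify({
  dependencies: { next: '15.5.3', react: '19.2.0', 'react-dom': '19.2.0' },
});
const PKG_AFTER = JSON.stringify({
  dependencies: { next: '15.5.7', react: '19.2.0', 'react-dom': '19.2.0' },
});
const LOCK_BEFORE = `lockfileVersion: '9.0'

packages:

  next@15.5.3:
    resolution: {integrity: sha512-constructed}

snapshots:

  next@15.5.3(react-dom@19.2.0(react@19.2.0))(react@19.2.0):
    dependencies:
      react: 19.2.0
`;
const LOCK_AFTER = LOCK_BEFORE.split('15.5.3').join('15.5.7');

console.log(audit(PKG_BEFORE, LOCK_BEFORE).ok, audit(PKG_AFTER, LOCK_AFTER).ok);
```

Run it against the real files with `fs.readFileSync('package.json', 'utf8')` and `fs.readFileSync('pnpm-lock.yaml', 'utf8')` in place of the constructed strings. The point of checking the lockfile as well as the manifest is that a bump in package.json alone does nothing until the lock resolves to the patched version, and a leftover `next@15.5.3` entry would mean something in the tree still pulls the old release.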
# Umami
Umami is a simple, fast, privacy-focused alternative to Google Analytics.
## 🚀 Getting Started

A detailed getting started guide can be found at umami.is/docs.

## 🛠 Installing from Source

### Requirements

- A server with Node.js version 18.18 or newer
- A database. Umami supports PostgreSQL (minimum v12.14) databases.
### Get the Source Code and Install Packages

```sh
git clone https://github.com/umami-software/umami.git
cd umami
pnpm install
```
### Configure Umami

Create an `.env` file with the following:

```sh
DATABASE_URL=connection-url
```

The connection URL format:

```
postgresql://username:mypassword@localhost:5432/mydb
```
### Build the Application

```sh
pnpm run build
```

The build step will create tables in your database if you are installing for the first time. It will also create a login user with username `admin` and password `umami`. Change this default password as soon as you first log in: an instance reachable over the network with the default admin credential still in place can be taken over by anyone who reads this README.
### Start the Application

```sh
pnpm run start
```

By default, this will launch the application on http://localhost:3000. You will need to either proxy requests from your web server or change the port to serve the application directly.
## 🐳 Installing with Docker

To build the Umami container and start up a Postgres database, run:

```sh
docker compose up -d
```

Alternatively, to pull just the Umami Docker image with PostgreSQL support:

```sh
docker pull docker.umami.is/umami-software/umami:latest
```
## 🔄 Getting Updates

> **Warning**
> If you are updating from Umami V2, the image tag `postgresql-latest` is deprecated. You must change it to `latest`, i.e. rename `docker.umami.is/umami-software/umami:postgresql-latest` to `docker.umami.is/umami-software/umami:latest`.

To get the latest features, simply do a pull, install any new dependencies, and rebuild:

```sh
git pull
pnpm install
pnpm run build
```

To update the Docker image, simply pull the new images and rebuild:

```sh
docker compose pull
docker compose up --force-recreate -d
```