From ca336be4bad4f5c18b6e95747f508cb381eeb97a Mon Sep 17 00:00:00 2001 From: sragss Date: Tue, 13 Jan 2026 12:09:30 -0500 Subject: [PATCH 1/2] Fix React Server Components CVE vulnerabilities in remaining templates Updates Next.js from 15.4.10 to 15.5.4 in: - templates/assistant-ui - templates/next-image - templates/next-video-template Addresses: - CVE-2025-55182: Node.js-only React Server Components RCE - CVE-2025-55183: Potential Authorization Bypass for RSC Actions - CVE-2025-55184: Potential Authorization Bypass for Server Function Co-Authored-By: Claude Opus 4.5 --- templates/assistant-ui/package.json | 4 ++-- templates/next-image/package.json | 4 ++-- templates/next-video-template/package.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/assistant-ui/package.json b/templates/assistant-ui/package.json index e8ea27165..3be9f1242 100644 --- a/templates/assistant-ui/package.json +++ b/templates/assistant-ui/package.json @@ -16,7 +16,7 @@ "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "lucide-react": "^0.539.0", - "next": "15.4.10", + "next": "15.5.4", "postcss": "^8.5.6", "react": "19.1.1", "react-dom": "19.1.1", @@ -30,7 +30,7 @@ "@types/react": "^19.1.10", "@types/react-dom": "^19.1.7", "eslint": "^9", - "eslint-config-next": "15.4.10", + "eslint-config-next": "15.5.4", "tw-animate-css": "^1.3.6", "typescript": "^5.9.2" }, diff --git a/templates/next-image/package.json b/templates/next-image/package.json index f472bcc2c..eaf44973e 100644 --- a/templates/next-image/package.json +++ b/templates/next-image/package.json @@ -24,7 +24,7 @@ "clsx": "^2.1.1", "lucide-react": "^0.263.1", "nanoid": "^5.1.5", - "next": "15.4.10", + "next": "15.5.4", "openai": "^5.20.3", "react": "19.1.0", "react-dom": "19.1.0", @@ -37,7 +37,7 @@ "@types/react": "19.1.10", "@types/react-dom": "^19", "eslint": "^9", - "eslint-config-next": "15.4.10", + "eslint-config-next": "15.5.4", "tailwindcss": "^4", "tw-animate-css": "^1.3.8", "typescript": "^5" diff --git a/templates/next-video-template/package.json b/templates/next-video-template/package.json index 48fbd738d..0045d628a 100644 --- a/templates/next-video-template/package.json +++ b/templates/next-video-template/package.json @@ -28,7 +28,7 @@ "clsx": "^2.1.1", "lucide-react": "^0.263.1", "nanoid": "^5.1.5", - "next": "15.4.10", + "next": "15.5.4", "openai": "^5.20.3", "react": "19.1.0", "react-dom": "19.1.0", @@ -41,7 +41,7 @@ "@types/react": "19.1.10", "@types/react-dom": "^19", "eslint": "^9", - "eslint-config-next": "15.4.10", + "eslint-config-next": "15.5.4", "tailwindcss": "^4", "tw-animate-css": "^1.3.8", "typescript": "^5" From 7706adc4e88f6e4f93952af071dfd89d85583bf5 Mon Sep 17 00:00:00 2001 From: sragss Date: Tue, 13 Jan 2026 12:12:29 -0500 Subject: [PATCH 2/2] Bump Next.js to 15.5.9 and add missing openai dependency - Updates Next.js from 15.5.4 to 15.5.9 to address CVE-2025-66478 - Adds openai dependency to assistant-ui template (required by echo-react-sdk) Co-Authored-By: Claude Opus 4.5 --- templates/assistant-ui/package.json | 5 +++-- templates/next-image/package.json | 4 ++-- templates/next-video-template/package.json | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/templates/assistant-ui/package.json b/templates/assistant-ui/package.json index 3be9f1242..418276960 100644 --- a/templates/assistant-ui/package.json +++ b/templates/assistant-ui/package.json @@ -16,7 +16,8 @@ "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "lucide-react": "^0.539.0", - "next": "15.5.4", + "next": "15.5.9", + "openai": "^4.77.0", "postcss": "^8.5.6", "react": "19.1.1", "react-dom": "19.1.1", @@ -30,7 +31,7 @@ "@types/react": "^19.1.10", "@types/react-dom": "^19.1.7", "eslint": "^9", - "eslint-config-next": "15.5.4", + "eslint-config-next": "15.5.9", "tw-animate-css": "^1.3.6", "typescript": "^5.9.2" }, diff --git a/templates/next-image/package.json b/templates/next-image/package.json index eaf44973e..2909fc222 100644 --- a/templates/next-image/package.json +++ b/templates/next-image/package.json @@ -24,7 +24,7 @@ "clsx": "^2.1.1", "lucide-react": "^0.263.1", "nanoid": "^5.1.5", - "next": "15.5.4", + "next": "15.5.9", "openai": "^5.20.3", "react": "19.1.0", "react-dom": "19.1.0", @@ -37,7 +37,7 @@ "@types/react": "19.1.10", "@types/react-dom": "^19", "eslint": "^9", - "eslint-config-next": "15.5.4", + "eslint-config-next": "15.5.9", "tailwindcss": "^4", "tw-animate-css": "^1.3.8", "typescript": "^5" diff --git a/templates/next-video-template/package.json b/templates/next-video-template/package.json index 0045d628a..79349840f 100644 --- a/templates/next-video-template/package.json +++ b/templates/next-video-template/package.json @@ -28,7 +28,7 @@ "clsx": "^2.1.1", "lucide-react": "^0.263.1", "nanoid": "^5.1.5", - "next": "15.5.4", + "next": "15.5.9", "openai": "^5.20.3", "react": "19.1.0", "react-dom": "19.1.0", @@ -41,7 +41,7 @@ "@types/react": "19.1.10", "@types/react-dom": "^19", "eslint": "^9", - "eslint-config-next": "15.5.4", + "eslint-config-next": "15.5.9", "tailwindcss": "^4", "tw-animate-css": "^1.3.8", "typescript": "^5"