Vuln: CVE-2025-66478 #1435
Walkthrough: Next.js dependency bumped from 15.5.4 to 15.5.7 in three package.json files. No changes to public APIs or control flow; other fields and scripts remain unchanged.
Actionable comments posted: 1
📜 Review details: Configuration used: CodeRabbit UI; Review profile: CHILL; Plan: Pro
⛔ Files ignored due to path filters (1)
pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
apps/web/package.json (1 hunk), packages/database/package.json (1 hunk), packages/web-backend/package.json (1 hunk)
🧰 Additional context used
📓 Path-based instructions (1)
**/package.json
📄 CodeRabbit inference engine (CLAUDE.md)
**/package.json: Monorepo workspace dependencies must be listed correctly in package.json; avoid circular dependencies between packages
Use Node 20 as specified in package.json engines; maintain pnpm version 10.5.2 for consistency
Files: packages/database/package.json, packages/web-backend/package.json, apps/web/package.json
🧠 Learnings (9)
📓 Common learnings
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: CLAUDE.md:0-0 | Timestamp: 2025-11-29T04:31:05.289Z
Learning: Applies to **/package.json : Use Node 20 as specified in package.json engines; maintain pnpm version 10.5.2 for consistency
📚 Learning: 2025-11-29T04:31:05.302Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: CLAUDE.md:0-0
Learning: Applies to **/package.json : Use Node 20 as specified in package.json engines; maintain pnpm version 10.5.2 for consistency
Applied to files: packages/database/package.json, packages/web-backend/package.json, apps/web/package.json
📚 Learning: 2025-11-29T04:31:05.302Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: CLAUDE.md:0-0
Learning: Applies to apps/web/**/*.ts : Validate environment variables using cap/env modules; ensure DATABASE_URL, WEB_URL, NEXTAUTH_SECRET, NEXTAUTH_URL, and S3 credentials are properly configured
Applied to files: packages/database/package.json, packages/web-backend/package.json, apps/web/package.json
📚 Learning: 2025-11-29T04:31:05.302Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: CLAUDE.md:0-0
Learning: Applies to packages/database/schema.ts : Always run pnpm db:generate before pnpm db:push when making database schema changes
Applied to files: packages/database/package.json
📚 Learning: 2025-11-29T04:31:05.302Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: CLAUDE.md:0-0
Learning: Applies to packages/database/schema.ts : Database schema changes must follow the flow: write schema.ts → pnpm db:generate → pnpm db:push → test changes
Applied to files: packages/database/package.json
📚 Learning: 2025-11-29T04:31:23.924Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: AGENTS.md:0-0
Learning: For database operations, run `pnpm db:generate` → `pnpm db:push` → `pnpm db:studio` in order
Applied to files: packages/database/package.json
📚 Learning: 2025-11-29T04:31:05.302Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: CLAUDE.md:0-0
Learning: Applies to apps/web/**/*.{ts,tsx} : Use Drizzle ORM for all database operations; leverage shared services like Videos and VideosPolicy rather than ad-hoc queries
Applied to files: packages/database/package.json
📚 Learning: 2025-11-29T04:31:23.924Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: AGENTS.md:0-0
Learning: Turborepo monorepo structure: `apps/desktop` (Tauri v2 + SolidStart), `apps/web` (Next.js), `apps/cli` (Rust CLI), `packages/*` for shared libs, `crates/*` for Rust crates
Applied to files: packages/web-backend/package.json
📚 Learning: 2025-11-29T04:31:05.302Z
Learnt from: CR | Repo: CapSoftware/Cap PR: 0 | File: CLAUDE.md:0-0
Learning: Applies to apps/web/**/*.{ts,tsx} : Memoize expensive work, code-split naturally, and use Next/Image for remote assets
Applied to files: apps/web/package.json
🔇 Additional comments (5)
packages/web-backend/package.json (1)
31-31: Next.js security update to patched version. Next.js 15.5.7 is among the patched versions to upgrade to for CVE-2025-66478, and the version is correctly specified.
packages/database/package.json (2)
34-34: React and Next.js versions aligned with CVE-2025-66478 fix. Next.js 15.5.7 and React 19.1.1 correctly address the upstream React vulnerability (CVE-2025-55182). The versions are properly aligned and the caret pins allow reasonable patch updates.
Also applies to: 49-50
56-56: Node engine version meets guidelines. Node >=20 aligns with the repository's coding guideline for Node 20 consistency. As per coding guidelines, maintain pnpm version 10.5.2 for consistency across the monorepo.
Verify that pnpm version is pinned to 10.5.2 in the root package.json or .npmrc file.
apps/web/package.json (2)
116-117: Verify React version pinning strategy. React and React-DOM are pinned to exact versions (19.1.1) without carets, differing from the caret-pinned approach in packages/database/package.json (^19.1.1). Confirm this stricter pinning is intentional for the web app, as it may limit receiving critical patch updates.
161-161: Node engine version meets guidelines. Node >=20 aligns with repository guidelines. As per coding guidelines, maintain pnpm version 10.5.2 for consistency across the monorepo.
Verify that pnpm version is pinned to 10.5.2 in the root package.json or .npmrc file.
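The review above checks the `next` specifier in each manifest but never looks at pnpm-lock.yaml, which was filtered out of the review. The script below is an added example, not code from this PR or from the Cap repository: a Node script using only built-ins that audits a workspace's package.json manifests for the CVE-2025-66478 bump. It treats a caret or tilde range as a floor rather than an installed version and asks for the lockfile-resolved version, flags a `next` version below the patched minimum for its minor line, and reports an eslint-config-next patch mismatch as a non-security finding. The patched-version table carries only the 15.5 line stated in this review; the other minor lines, the manifest contents and the helper names are assumptions or constructed input, to be replaced from the advisory the PR links and from the real workspace.

```javascript
// Added example, not part of the Cap project: audit workspace package.json files
// for the Next.js CVE-2025-66478 bump using only Node built-ins.

// Minimum patched version per Next.js "major.minor" line. Only the 15.5 entry comes
// from the PR review ("15.5.7 is among the patched versions"); other lines must be
// filled in from https://nextjs.org/blog/CVE-2025-66478 (assumption: keyed by line).
const PATCHED_MIN = {
  "15.5": "15.5.7",
};

// Parse "15.5.7" (or "15.5.7-canary.3") into [15, 5, 7].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-component numeric compare: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A range spec ("^15.5.4", "~15.5.4", ">=15.5.4") only fixes a floor; what is
// actually installed is decided by the lockfile. Return the floor and whether the
// spec is an exact pin.
function floorOf(spec) {
  const s = String(spec).trim();
  const exact = /^\d+\.\d+\.\d+$/.test(s);
  const m = /\d+\.\d+\.\d+/.exec(s);
  return { floor: m ? m[0] : null, exact };
}

// Audit one manifest. `resolved` is the version the lockfile resolved `next` to,
// or null when the lockfile was not inspected (as in this PR's review).
function auditManifest(name, pkg, resolved = null) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  const spec = deps.next;
  if (!spec) return findings; // this package does not depend on next at all

  const { floor, exact } = floorOf(spec);
  const installed = resolved || floor;
  if (!installed) {
    findings.push(`${name}: cannot parse next spec "${spec}"`);
    return findings;
  }

  const [major, minor] = parseVersion(installed);
  const line = `${major}.${minor}`;
  const patched = PATCHED_MIN[line];
  if (!patched) {
    findings.push(`${name}: next ${installed} is on line ${line}, which is not in PATCHED_MIN; check the advisory`);
  } else if (compare(installed, patched) < 0) {
    findings.push(`${name}: next ${installed} < ${patched}, still vulnerable to CVE-2025-66478`);
  }
  // A range with no lockfile evidence is not proof of a patched install.
  if (!exact && !resolved) {
    findings.push(`${name}: next spec "${spec}" is a range; verify the lockfile resolved to >= ${patched || "the patched version"}`);
  }
  // Consistency check only: eslint-config-next is not where the CVE fix lives.
  const lint = deps["eslint-config-next"];
  if (lint) {
    const lintFloor = floorOf(lint).floor;
    if (lintFloor && compare(lintFloor, installed) !== 0) {
      findings.push(`${name}: eslint-config-next ${lintFloor} does not match next ${installed} (cosmetic, not a security issue)`);
    }
  }
  return findings;
}

function auditWorkspace(manifests) {
  return manifests.flatMap(({ name, pkg, resolved }) => auditManifest(name, pkg, resolved));
}

// Constructed sample manifests modelled on the three files this PR touches; the
// web-backend entry is deliberately left at the pre-bump range to show a hit.
const SAMPLE = [
  { name: "apps/web", pkg: { dependencies: { next: "15.5.7", react: "19.1.1" }, devDependencies: { "eslint-config-next": "15.5.3" } } },
  { name: "packages/database", pkg: { dependencies: { next: "^15.5.7" } }, resolved: "15.5.7" },
  { name: "packages/web-backend", pkg: { dependencies: { next: "^15.5.4" } } },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditWorkspace(SAMPLE)) console.log(f);
}

module.exports = { PATCHED_MIN, parseVersion, compare, floorOf, auditManifest, auditWorkspace, SAMPLE };
```

In a real run, feed `resolved` from the `next@` entries in pnpm-lock.yaml (or `pnpm why next`) rather than from the manifest floor; the script only trusts a bare range when it is told what the lockfile chose.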
apps/web/package.json
Outdated
| "media-chrome": "^4.12.0", | ||
| "moment": "^2.30.1", | ||
| "motion": "^12.18.1", | ||
| "next": "15.5.7", |
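Review bot: `next` is exact-pinned to `15.5.7` here while the same manifest leaves `eslint-config-next` at `15.5.3`; the mismatch is harmless for the CVE fix, which lives in `next` itself, but keep the two on the same 15.5.x patch if the repository's convention is to move them together. More importantly, pnpm-lock.yaml was excluded from this review by path filter, so the manifest pin alone does not prove what is installed: confirm the lockfile's `next` entry resolved to 15.5.7 before treating CVE-2025-66478 as closed.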
🧩 Analysis chain
🏁 Script executed:
cat -n apps/web/package.json | grep -A 2 -B 2 -E "(next|eslint-config-next)" | head -30
Repository: CapSoftware/Cap
Length of output: 174
🏁 Script executed:
sed -n '100,170p' apps/web/package.json
Repository: CapSoftware/Cap
Length of output: 174
🌐 Web query:
Next.js 15.5.7 release notes breaking changes ESLint
💡 Result:
Summary of ESLint-related breaking changes in Next.js 15.5.7 (Next.js 15 series):
- Next.js now supports ESLint v9 and updates eslint-plugin-react-hooks to v5.0.0 — this plugin version enforces that React component names must start with an uppercase letter (new violation). [1][2]
- When using ESLint 9, Next will apply an escape hatch (ESLINT_USE_FLAT_CONFIG=false) if your project hasn’t migrated to the flat config format. [1][3]
- Deprecated options like --ext and --ignore-path are removed from next lint; Next.js 15.5 marks deprecation of the next lint wrapper and migrates projects to run ESLint (or Biome) directly via package.json scripts. next lint will show deprecation warnings and be removed in Next.js 16. [4][1]
Sources:
- Next.js 15 blog / release notes (ESLint 9 support, escape hatch, plugin upgrade). [1]
- Next.js GitHub commit noting breaking change for eslint-plugin-react-hooks@5.0.0 (disallows lowercase component names). [2]
- Next.js 15 RC / docs mention escape hatch and deprecated next lint options. [3][4]
If you want, I can fetch the exact commit/messages or show the codemod and migration commands to update your project.
🌐 Web query:
eslint-config-next version compatibility Next.js 15.5
💡 Result:
Short answer: Use eslint-config-next 15.x (the package is versioned with Next.js). For Next.js 15.5, install eslint-config-next@15.5.x (e.g. 15.5.2); it's the compatible release. [1][2]
Sources:
- Next.js docs/configuration for ESLint (eslint-config-next is the Next.js ESLint package). [1]
- npm package page showing eslint-config-next version 15.5.2. [2]
Align eslint-config-next patch version with Next.js 15.5.7.
eslint-config-next 15.5.3 and Next.js 15.5.7 are compatible within the 15.5.x line. However, staying on the latest patch version (15.5.7) ensures you have the latest bug fixes and aligns with Next.js updates.
Apply this diff:
- "eslint-config-next": "15.5.3",
+ "eslint-config-next": "15.5.7",
Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In apps/web/package.json around line 109, the project pins Next.js to "15.5.7"
but eslint-config-next is not aligned to the matching patch; update the
eslint-config-next dependency to the 15.5.7 patch release to match Next.js
(i.e., change its version to 15.5.7) so both packages are on the same 15.5.x
patch level, then run npm/yarn install and verify no linting/version conflicts.
This reverts commit a853a4e.
For full details: https://nextjs.org/blog/CVE-2025-66478
Version bumps automatically solved by a solution from Vercel https://github.com/vercel-labs/fix-react2shell-next