Fix React Server Components CVE vulnerabilities

[vercel]

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project system-designer. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

• GitHub Security Advisory: GHSA-9qr9-h5gf-34mp
• React Advisory: CVE-2025-55182
• Next.js Advisory: CVE-2025-66478

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
system-designer	Ready	Preview, Comment	Mar 29, 2026 9:04pm

[Copilot]

Pull request overview

This PR aims to remediate the React Server Components/Next.js RCE advisory by bumping Next.js versions across several kit apps and updating associated lockfiles where present.

Changes:

• Upgraded next versions in multiple kit package.json files (14.x, 15.x, and one 16.x kit).
• Updated kits/agentic/system-design-analyzer/package-lock.json to match the new Next.js version.
• Added/expanded kits/agentic/generation/pnpm-lock.yaml (now a full lockfile).

Reviewed changes

Copilot reviewed 7 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
package-lock.json	Root lockfile metadata changed (name), still an otherwise empty lockfile.
kits/embed/sheets/package.json	Bumps Next.js from 15.2.4 → 15.2.8.
kits/embed/search/package.json	Bumps Next.js from 14.2.16 → 14.2.35.
kits/embed/chat/package.json	Bumps Next.js from 14.2.16 → 14.2.35.
kits/automation/hiring/package.json	Bumps Next.js from 15.2.4 → 15.2.8.
kits/agentic/system-design-analyzer/package.json	Bumps Next.js from 15.1.0 → 15.1.11.
kits/agentic/system-design-analyzer/package-lock.json	Lockfile updated to reflect Next.js upgrade and dependency graph changes.
kits/agentic/generation/package.json	Bumps Next.js from 16.0.0 → 16.0.10.
kits/agentic/generation/pnpm-lock.yaml	Expanded from minimal stub to full pnpm lockfile content.
kits/agentic/deep-search/package.json	Bumps Next.js from 15.2.4 → 15.2.8.

Files not reviewed (1)

• kits/agentic/system-design-analyzer/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

PR description states it upgrades both React and Next.js to patched versions, but this kit still pins react/react-dom to 18.3.1 (unchanged) while only next was bumped. Please confirm whether the advisory requires React/ReactDOM upgrades here as well, and if so, bump them (and the lockfile) to patched versions to match the PR’s stated remediation.

[Copilot]

kits/agentic/generation/package.json bumps next to 16.0.10, but the existing kits/agentic/generation/package-lock.json still pins next to 16.0.0. This can lead to inconsistent installs depending on which lockfile/package manager is used. Update the package-lock to match the new dependency version, or remove/stop tracking it if this kit is intended to be installed with pnpm instead of npm.

Suggested change

	"next": "16.0.10",
	"next": "16.0.0",

[Copilot]

This kit now includes a full pnpm-lock.yaml while also already tracking an npm package-lock.json (and the README instructs npm install). Having multiple lockfiles for different package managers is likely to cause drift and confusion. Please pick one package manager for this kit (and keep only its lockfile), and align the README/CI accordingly.