@trask trask commented Dec 4, 2025

No description provided.

@trask trask marked this pull request as ready for review December 4, 2025 03:28
Copilot AI review requested due to automatic review settings December 4, 2025 03:28

Copilot AI left a comment

Pull request overview

This PR addresses a security vulnerability (CVE-2025-55182) by upgrading React and React-DOM from version 19.0.0/19.1.1 to 19.1.2 across the project.

  • Updates React and React-DOM dependencies to 19.1.2 in both sample and main library packages
  • Updates the npm shrinkwrap lockfile with new package versions and integrity hashes
  • Modifies peer dependency constraint to require React >= 19.1.2

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| sample/applicationinsights-react-sample/package.json | Updates React and React-DOM dependencies to ^19.1.2 for the sample application |
| common/config/rush/npm-shrinkwrap.json | Updates lockfile entries for React 19.1.2 and React-DOM 19.1.2 with new integrity hashes |
| applicationinsights-react-js/package.json | Updates devDependencies to ^19.1.2 and peerDependencies constraint to >= 19.1.2 for the main library |

Files not reviewed (1)
  • common/config/rush/npm-shrinkwrap.json: Language not supported

Addresses critical security vulnerability CVE-2025-55182 (CVSS 10.0) -
unauthenticated remote code execution in React Server Components.
@trask trask force-pushed the security/cve-2025-55182-react-upgrade branch from af1197b to 8d35e14 Compare December 4, 2025 03:36

trask commented Dec 4, 2025

Had to re-enable the CodeQL workflow since it had been auto-disabled due to lack of activity in the repo; closing and re-opening the PR to hopefully kickstart it.

@trask trask closed this Dec 4, 2025
@trask trask reopened this Dec 4, 2025
@trask trask merged commit ce42e0e into main Dec 4, 2025
9 checks passed
@trask trask deleted the security/cve-2025-55182-react-upgrade branch December 4, 2025 03:55
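
A check a reviewer could run against the updated lockfile to confirm that no copy of `react` or `react-dom`, including nested transitive ones, resolves below the 19.1.2 floor this PR sets. This is an added example, not code from the PR or the project; `findStale`, `compareVersions` and the sample lockfile are constructed for illustration.

```javascript
// Added example, not project code. Floor and package names are from the PR.
const FLOOR = "19.1.2";
const WATCHED = new Set(["react", "react-dom"]);
// Compare x.y.z versions numerically; with equal cores, a pre-release
// (e.g. 19.1.2-rc.1) sorts below the release so it is not accepted as fixed.
function compareVersions(a, b) {
  const core = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const isPre = (v) => v.split("+")[0].includes("-");
  const [pa, pb] = [core(a), core(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return isPre(a) === isPre(b) ? 0 : isPre(a) ? -1 : 1;
}

// Handles the flat "packages" map (lockfileVersion 2/3) and the nested "dependencies" tree (v1).
function findStale(lock, floor = FLOOR) {
  const hits = [];
  const check = (name, version, where) => {
    if (WATCHED.has(name) && version && compareVersions(version, floor) < 0) {
      hits.push({ where, name, version });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || path.split("node_modules/").pop(), meta.version, path);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, `${trail}/${name}`);
        walk(meta.dependencies, `${trail}/${name}`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed lockfile: top-level copies are patched, one nested copy is not.
const sampleLock = {
  packages: {
    "": { name: "constructed-sample" },
    "node_modules/react": { version: "19.1.2" },
    "node_modules/react-dom": { version: "19.1.2" },
    "node_modules/legacy-widget/node_modules/react": { version: "19.1.1" },
  },
};
```

`findStale(sampleLock)` reports only the nested copy under `legacy-widget`, the kind of entry a `package.json` bump alone does not move.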