Batch Changes script for an example update addressing CVE-2025-55182
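version: 2
name: react-rsc-cve-2025-55182-test
description: Test upgrade of React Server Components deps to patched versions for CVE-2025-55182 in a single repo.

# Scope: one test repository only. The query matches package.json files that
# pin one of the listed versions literally; caret/tilde ranges such as
# "^19.1.0" and copies that arrive only through a lockfile are NOT matched and
# would need a broader query (or a lockfile-based check) before this spec is
# run against more than the test repo.
on:
  - repositoriesMatchingQuery: >
      repo:^github\.com/sourcegraph-community/react-rsc-cve-test$
      file:package.json
      react-server-dom "\"19.0.0\"" OR "\"19.1.0\"" OR "\"19.1.1\"" OR "\"19.2.0\""

steps:
  - run: |
      set -euo pipefail
      # Result paths are space-joined by the template, so word splitting on
      # $files is intended; a path containing a space would be split apart.
      files="${{ join repository.search_result_paths " " }}"
      for file in $files; do
        echo "Patching $file"
        node -e '
          const fs = require("fs");
          // With `node -e`, positional arguments start at process.argv[1].
          const path = process.argv[1];
          const pkg = JSON.parse(fs.readFileSync(path, "utf8"));

          // Overwrite `name` in one dependency table. Returns true when a change
          // was made. Object.hasOwn only looks at own keys, so an inherited
          // property can never be mistaken for a declared dependency.
          const bump = (obj, name, newVersion) => {
            if (!obj || !Object.hasOwn(obj, name)) return false;
            obj[name] = newVersion;
            return true;
          };

          // package.json tables that can declare the affected packages.
          const depFields = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];

          // Bump `name` in every table; true if any table changed. map() before
          // some() so every table is visited rather than stopping at the first hit.
          const bumpAll = (name, newVersion) =>
            depFields.map((field) => bump(pkg[field], name, newVersion)).some(Boolean);

          // Patched release for CVE-2025-55182; every matched package is moved here.
          const targetVersion = "^19.2.1";
          const affected = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
          const anyChanged = affected.map((name) => bumpAll(name, targetVersion)).some(Boolean);

          if (!anyChanged) {
            console.log(`No react-server-dom-* deps found in ${path}, skipping`);
            process.exit(0);
          }
          // Two-space indent plus trailing newline keeps the diff minimal for
          // the common package.json formatting.
          fs.writeFileSync(path, JSON.stringify(pkg, null, 2) + "\n");
        ' "$file"
      done

      # Refresh the lockfile so the changeset does not ship a package.json that
      # disagrees with its lockfile. A failure is still non-fatal (the changeset
      # is produced either way), but it is now reported instead of disappearing.
      update_lockfile() {
        if [ -f package-lock.json ]; then
          npm install --package-lock-only
        elif [ -f pnpm-lock.yaml ]; then
          pnpm install --lockfile-only
        elif [ -f yarn.lock ]; then
          # Retried once for transient fetch failures.
          # NOTE(review): --mode update-lockfile is a Yarn Berry flag; confirm the
          # target repos are not on Yarn 1.x, where this invocation would fail.
          yarn install --mode update-lockfile || yarn install --mode update-lockfile
        fi
      }
      update_lockfile || echo "warning: lockfile update failed; review the lockfile in this changeset" >&2
    container: node:22

changesetTemplate:
  title: "chore: upgrade React RSC deps for CVE-2025-55182"
  body: |
    Upgrade React Server Components transport packages to patched versions
    to mitigate CVE-2025-55182.
  branch: security/react-rsc-cve-2025-55182-test
  commit:
    message: "chore: upgrade React RSC deps for CVE-2025-55182"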