Sourcegraph batch change spec that can be applied across repositories to remediate CVE-2025-55182 by upgrading the `react-server-dom-*` (webpack/parcel/turbopack) transport packages to a patched version.
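version: 2
name: react-rsc-cve-2025-55182
description: Upgrade React Server Components transport deps to patched versions for CVE-2025-55182.

on:
  # Match any repo whose package.json declares a react-server-dom-* transport
  # package at one of the versions flagged as vulnerable.
  # Mirrors the Part 1 query, generalized across all repositories.
  #
  # Scope caveats (these follow from the regex itself):
  #   - only the literal versions listed, optionally prefixed with ~ or ^, are
  #     matched; range specifiers such as ">=19.0.0", "19.x" or "*" are not;
  #   - the match can occur anywhere in package.json, so a hit may come from an
  #     "overrides" / "resolutions" entry that the patch step below does not edit.
  - repositoriesMatchingQuery: >
      file:package.json
      patterntype:regexp
      "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?(19\.0(\.0)?|19\.1\.[01]|19\.2\.0)"

steps:
  - run: |
      set -euo pipefail

      # node:22 ships npm; yarn and pnpm are provided through corepack. Enabling
      # it is idempotent and lets the lockfile refresh below find the repo's
      # package manager. Assumes the batch container has network access, which
      # the lockfile refresh already relies on — TODO confirm for your executor.
      corepack enable >/dev/null 2>&1 || true

      # All matching package.json paths from the search above.
      # NOTE(review): the list is space-joined and then word-split, so a path
      # containing whitespace would be mangled; acceptable for package.json.
      files="${{ join repository.search_result_paths " " }}"
      for file in $files; do
        echo "Patching $file"
        # A package.json that is not valid JSON makes JSON.parse throw; with
        # `set -e` that fails the step for this repo loudly instead of silently
        # leaving the file unpatched.
        SG_FILE="$file" node -e '
          const fs = require("fs");
          const file = process.env.SG_FILE;
          if (!file) process.exit(0);

          const text = fs.readFileSync(file, "utf8");
          const pkg = JSON.parse(text);
          if (pkg === null || typeof pkg !== "object" || Array.isArray(pkg)) {
            console.error(`${file}: top-level JSON is not an object, skipping`);
            process.exit(0);
          }

          // Re-use the file`s own indentation (tabs or N spaces) and trailing
          // newline so the changeset diff touches only the bumped lines.
          const indentMatch = text.match(/^([ \t]+)"/m);
          const indent = indentMatch ? indentMatch[1] : 2;
          const eol = text.endsWith("\n") ? "\n" : "";

          // Dependency sections that are rewritten. "overrides" / "resolutions"
          // are intentionally not touched: their keys are not plain package
          // names and a blind rewrite could change unrelated pins.
          const sections = [
            "dependencies",
            "devDependencies",
            "peerDependencies",
            "optionalDependencies",
          ];
          const packages = [
            "react-server-dom-webpack",
            "react-server-dom-parcel",
            "react-server-dom-turbopack",
          ];

          // Target patched React 19 RSC transport line.
          // NOTE(review): every matched repo is moved to the 19.2 line
          // regardless of which 19.x line its react / react-dom are on. The
          // transport packages presumably peer-depend on a matching react
          // version, so a repo pinned to an older 19.x may need react and
          // react-dom bumped too — verify via CI / peer warnings on the
          // opened changeset.
          const target = "^19.2.1";

          let changed = false;
          for (const section of sections) {
            const deps = pkg[section];
            if (!deps || typeof deps !== "object") continue;
            for (const name of packages) {
              if (!Object.prototype.hasOwnProperty.call(deps, name)) continue;
              if (deps[name] === target) continue;
              // Logged so the step output doubles as an audit trail of what
              // was rewritten in each repo.
              console.log(`  ${section}.${name}: ${deps[name]} -> ${target}`);
              deps[name] = target;
              changed = true;
            }
          }

          if (!changed) {
            console.log(`No react-server-dom-* deps changed in ${file}, skipping write`);
            process.exit(0);
          }
          fs.writeFileSync(file, JSON.stringify(pkg, null, indent) + eol);
        '
      done

      # Best-effort lockfile refresh per repo. --ignore-scripts keeps the repo's
      # lifecycle scripts from executing inside the batch container (the
      # lockfile-only modes are not expected to run them anyway; this makes it
      # explicit). A failure is reported rather than hidden so the changeset
      # reviewer knows the lockfile still needs a manual refresh before merge.
      warn_lockfile() {
        echo "WARNING: lockfile refresh failed; refresh the lockfile manually before merging" >&2
      }
      if [ -f package-lock.json ]; then
        npm install --package-lock-only --ignore-scripts || warn_lockfile
      elif [ -f pnpm-lock.yaml ]; then
        pnpm install --lockfile-only --ignore-scripts || warn_lockfile
      elif [ -f yarn.lock ]; then
        # `--mode update-lockfile` exists in Yarn 2+ only; Yarn classic rejects
        # it. A full classic install is deliberately not attempted here, so a
        # classic repo gets the warning and a manual refresh.
        yarn install --mode update-lockfile || warn_lockfile
      fi
    container: node:22

changesetTemplate:
  title: "chore: upgrade React RSC deps for CVE-2025-55182"
  body: |
    Upgrade React Server Components transport packages to patched versions
    to mitigate CVE-2025-55182.

    This batch change updates any of the following to ^19.2.1 where present
    in dependencies, devDependencies, peerDependencies or optionalDependencies:
    - react-server-dom-webpack
    - react-server-dom-parcel
    - react-server-dom-turbopack

    Reviewer checklist:
    - The lockfile was refreshed automatically only if the step log shows no
      "lockfile refresh failed" warning; otherwise refresh it before merging.
    - `react` / `react-dom` are not touched by this change; confirm the bumped
      transport package still resolves against this repo's React line.
    - Versions pinned via `overrides` / `resolutions` are not rewritten.
  branch: security/react-rsc-cve-2025-55182
  commit:
    message: "chore: upgrade React RSC deps for CVE-2025-55182"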