Skip to content

Commit 18fc940

Browse files
chanceaclarkclaude
andcommitted
fix(core): TRAC-668 bump Next.js, React, and opennextjs/cloudflare for security patches
Addresses multiple CVEs disclosed May 2026: - next: ~16.1.6 → ~16.2.6 (middleware bypass, SSRF, XSS, cache poisoning) - react/react-dom: 19.1.5 → 19.1.7 (GHSA-rv78-f8rc-xrxh DoS via OOM/CPU on server function endpoints) - @opennextjs/cloudflare: 1.17.3 → 1.19.9 in native-hosting workflow eslint-config-next intentionally left at 15.5.10 — @16.x requires ESLint 9+/flat config migration. Fixes TRAC-668 Co-Authored-By: Claude <noreply@anthropic.com>
1 parent 37e0a7c commit 18fc940

4 files changed

Lines changed: 583 additions & 504 deletions

File tree

Binary file not shown.

.github/workflows/native-hosting.yml

Lines changed: 26 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ name: Native Hosting
22

33
on:
44
push:
5-
branches: [canary]
5+
branches: [canary, TRAC-668/security-bump-nextjs-react]
66

77
jobs:
88
build-and-deploy:
@@ -26,7 +26,16 @@ jobs:
2626
run: pnpm install --frozen-lockfile
2727

2828
- name: Install Catalyst CLI
29-
run: pnpm add @bigcommerce/catalyst@alpha @opennextjs/cloudflare@1.17.3
29+
# Uses a local patched build of @opennextjs/cloudflare 1.19.9 that adds three
30+
# Next.js 16.2.x compatibility fixes:
31+
# - perf_hooks shim (lets @vercel/otel load without crashing)
32+
# - fast-set-immediate shim (avoids mutating frozen node:timers module)
33+
# - patch-page-exports plugin (rewrites Turbopack page.js entry exports so
34+
# ComponentMod.handler resolves on app routes)
35+
# Drop once https://github.com/opennextjs/opennextjs-cloudflare releases these.
36+
# The catalyst CLI calls `pnpm exec opennextjs-cloudflare` from core/, so the
37+
# binary must be installed here.
38+
run: pnpm add @bigcommerce/catalyst@alpha ../.github/patches/opennextjs-cloudflare-1.19.9-next-16.2-compat.tgz
3039
working-directory: core
3140

3241
- name: Convert proxy.ts to middleware.ts
@@ -59,6 +68,21 @@ jobs:
5968
BIGCOMMERCE_CHANNEL_ID: ${{ vars.NATIVE_HOSTING_BIGCOMMERCE_CHANNEL_ID }}
6069
AUTH_SECRET: ${{ secrets.NATIVE_HOSTING_AUTH_SECRET }}
6170

71+
- name: Re-bundle worker.js with newer wrangler
72+
# @bigcommerce/catalyst@1.0.0-alpha.3 hardcodes wrangler@4.24.3 for the deploy
73+
# bundle step, which produces a broken bundle for Next.js 16.2.x:
74+
# `app-page-turbo.runtime.prod.js` fails to load at request time with
75+
# "Cannot read properties of undefined (reading 'require')". Wrangler 4.90.0
76+
# bundles it correctly. We overwrite the worker.js produced by `catalyst build`
77+
# before deploying. Drop once @bigcommerce/catalyst bumps WRANGLER_VERSION.
78+
working-directory: core
79+
run: |
80+
pnpm dlx wrangler@4.90.0 deploy \
81+
--config "$PWD/.bigcommerce/wrangler.jsonc" \
82+
--keep-vars \
83+
--outdir "$PWD/.bigcommerce/dist" \
84+
--dry-run
85+
6286
- name: Deploy
6387
run: |
6488
pnpm exec catalyst deploy --prebuilt \

core/package.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -60,14 +60,14 @@
6060
"lodash.debounce": "^4.0.8",
6161
"lru-cache": "^11.1.0",
6262
"lucide-react": "^0.474.0",
63-
"next": "~16.1.6",
63+
"next": "~16.2.6",
6464
"next-auth": "5.0.0-beta.30",
6565
"next-intl": "^4.6.1",
6666
"nuqs": "^2.4.3",
6767
"p-lazy": "^5.0.0",
68-
"react": "19.1.5",
68+
"react": "19.1.7",
6969
"react-day-picker": "^9.7.0",
70-
"react-dom": "19.1.5",
70+
"react-dom": "19.1.7",
7171
"react-google-recaptcha": "^3.1.0",
7272
"react-headroom": "^3.2.1",
7373
"schema-dts": "^1.1.5",

0 commit comments

Comments
 (0)