
Updating after a while#4185

Open
sambrucejoseph wants to merge 4 commits into
umami-software:masterfrom
sambrucejoseph:master

Conversation

@sambrucejoseph

No description provided.

sambrucejoseph and others added 4 commits November 2, 2024 09:39
Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel  
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
…nts-cve-vu-cxtmax

Fix React Server Components CVE vulnerabilities
@vercel

vercel Bot commented Apr 19, 2026

@sambrucejoseph is attempting to deploy a commit to the Umami Software Team on Vercel.

A member of the Team first needs to authorize it.

@greptile-apps

greptile-apps Bot commented Apr 19, 2026

Greptile Summary

This PR upgrades next from 15.3.1 to 15.3.8 to address the critical React Server Components CVE (CVE-2025-55182, CVSS 9.5) per the December 2025 Next.js security advisory, and also includes fork-specific distinctId schema additions to Session and SessionData that are unrelated to the CVE fix.

  • The Next.js version bump to 15.3.8 is the correct patched version for the 15.3.x line, and pnpm-lock.yaml is consistent with it.
  • The db/postgresql/schema.prisma changes (fork-specific distinctId fields) are unrelated to the security patch and should be submitted separately to upstream with proper migrations.
  • eslint-config-next remains pinned to ^14.0.4 (resolves to 14.2.28) while next is now 15.x, creating a linting coverage gap for Next.js 15 patterns.

Confidence Score: 4/5

Safe to merge the CVE fix itself, but the bundled fork-specific schema changes need to be reviewed or separated before upstreaming

The Next.js version bump is correct and addresses a critical CVE. All findings are P2: the eslint-config-next major-version mismatch affects only linting, and the schema bundling is a process concern rather than a runtime defect. No P0/P1 issues found, but the mixed-concern nature of the PR warrants attention before merging upstream.

db/postgresql/schema.prisma — contains fork-specific distinctId additions unrelated to the CVE fix that should not be merged into upstream umami without separate migrations and review

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | Bumps next from 15.3.1 to 15.3.8, correctly addressing the December 2025 React Server Components CVE security advisory; however eslint-config-next remains pinned to ^14.0.4, creating a major-version mismatch with Next.js 15.x |
| db/postgresql/schema.prisma | Includes fork-specific distinctId field additions to Session and SessionData models that are unrelated to the CVE security fix and not present in upstream umami; bundling these with a security patch complicates review |
| pnpm-lock.yaml | Lock file correctly reflects the resolved next@15.3.8 version, consistent with the package.json change |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR: Updating after a while] --> B[Merge commit cbd12344]
    B --> C[Parent 1: fork master 9d542818]
    B --> D[Parent 2: CVE fix branch 6983ae7e]
    C --> E[Schema changes\ndistinctId on Session\ndistinctId on SessionData]
    D --> F[package.json\nnext 15.3.1 → 15.3.8\nCVE-2025-55182 fix]
    F --> G[pnpm-lock.yaml\nupdated to next@15.3.8]
    E --> H[⚠️ Fork-specific changes\nnot in upstream umami]
    F --> I[✅ Correct patched version\nper Dec 2025 advisory]
    G --> J[✅ Lock file consistent]

Comments Outside Diff (2)

  1. package.json, line 149 (link)

    P2 eslint-config-next version lags behind next

    eslint-config-next is constrained to ^14.0.4 (resolves to 14.2.28 in the lock file) while next itself is now at 15.3.8. The ESLint config for Next.js should track the same major version as the framework — using the 14.x config with a 15.x runtime means new Next.js 15 rules, features, and server-action/server-component patterns won't be linted correctly. Update the constraint to ^15.0.0 (or match the specific minor) and let pnpm re-resolve it.

  2. db/postgresql/schema.prisma, line 42 (link)

    P2 Fork-specific schema changes bundled with security fix

    The distinctId field on Session (line 42) and SessionData (line 169) appear to originate from commits in the author's fork (de54290a, c5efc27c) and are not part of the upstream umami schema. Mixing custom schema additions with a CVE security patch makes the security change harder to review and cherry-pick. These fields should ideally be submitted as a separate PR with accompanying migrations and application-layer changes, rather than bundled with the Next.js version bump.

    Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Reviews (1): Last reviewed commit: "Merge pull request #1 from sambrucejosep..."
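The two package.json findings above (next must be at the patched 15.3.8 release, and eslint-config-next should share next's major version) can be turned into a small pre-merge check. This is an added example, not code from the umami project or from this PR; the package.json object is constructed for the example, and the check treats 15.3.8 as the minimum for the 15.3.x line only, without modelling the fixed versions of other release lines.

```javascript
// Added example (not part of the umami project or this PR): a dependency
// sanity check for the two package.json findings in the review. It reads a
// package.json object, verifies that `next` is at or above the patched
// 15.3.8 release named in the review, and flags eslint-config-next when its
// major version differs from next's. The package.json below is constructed.
const samplePackageJson = {
  name: "umami-fork-sample",            // constructed, not the real file
  dependencies: { next: "15.3.8", react: "^18.3.1" },
  devDependencies: { "eslint-config-next": "^14.0.4" },
};

// Parse "^15.3.8", "~15.3.8" or "15.3.8" into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Look a package up in dependencies first, then devDependencies.
function findSpec(pkg, name) {
  return (pkg.dependencies || {})[name] || (pkg.devDependencies || {})[name];
}

// Returns a list of findings; an empty list means both checks pass.
function checkNextDeps(pkg, minPatched = "15.3.8") {
  const findings = [];
  const nextSpec = findSpec(pkg, "next");
  if (!nextSpec) return ["next is not a dependency"];
  const next = parseVersion(nextSpec);
  if (compareVersions(next, parseVersion(minPatched)) < 0) {
    findings.push(`next ${nextSpec} is below patched release ${minPatched}`);
  }
  const eslintSpec = findSpec(pkg, "eslint-config-next");
  if (eslintSpec && parseVersion(eslintSpec)[0] !== next[0]) {
    findings.push(`eslint-config-next ${eslintSpec} major differs from next ${nextSpec}`);
  }
  return findings;
}

console.log(checkNextDeps(samplePackageJson));
```

Run against the constructed file it reports only the eslint-config-next mismatch, which is exactly the state the review describes for this PR.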
