Conversation

@dominic-clerk dominic-clerk commented Dec 10, 2025

Description

As a react2shell follow-up, this upgrades the dev version and also the peer dependency so clerk installations aren't vulnerable to react2shell.

See also

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • Chores

    • Bumped Next.js dev dependency to 15.2.8 and broadened Next.js peer constraints for wider compatibility.
    • Expanded peer React and react-dom version constraints in workspace configuration to support additional React 19 patch/minor releases.
  • Security

    • Added a patch changeset documenting a dependency update (CVE-2025-55182).


changeset-bot bot commented Dec 10, 2025

🦋 Changeset detected

Latest commit: f71deff

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name: @clerk/nextjs, Type: Patch


vercel bot commented Dec 10, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: clerk-js-sandbox | Deployment: Ready | Review: Preview, Comment | Updated (UTC): Dec 15, 2025 10:54am

coderabbitai bot commented Dec 10, 2025

Walkthrough

Bumped Next.js in the Next package to 15.2.8 and expanded its peer constraint set, added a changeset for a patch referencing a peerDependency/CVE update, and widened peer React/react-dom ranges in pnpm-workspace.yaml.

Changes

Cohort / File(s): Next.js package (packages/nextjs/package.json)
Summary: Updated devDependencies: next 15.2.3 → 15.2.8. Expanded peerDependencies next constraint from `^15.2.3

Cohort / File(s): Changeset (release note) (.changeset/fuzzy-geese-guess.md)
Summary: Added a changeset marking a patch for @clerk/nextjs documenting an update to a peerDependency related to CVE-2025-55182; no code or API changes.

Cohort / File(s): Workspace peer React constraint (pnpm-workspace.yaml)
Summary: Broadened peer constraints for catalogs.peer-react.react and catalogs.peer-react.react-dom from `^18.0.0

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify semver syntax and consistency between devDependencies and peerDependencies in packages/nextjs/package.json.
  • Confirm .changeset/fuzzy-geese-guess.md references and patch type match release tooling expectations.
  • Check pnpm-workspace.yaml formatting for the expanded React/react-dom ranges.

Poem

🐇 I hopped through versions, light and spry,
Tuned Next and React beneath the sky.
A tiny changeset tucked with care,
CVE noted — breeze through the air.
Carrots safe, I twirl — code patched with flair.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: Passed. The title accurately describes the main change: a Next.js version bump to address CVE-2025-55182 security vulnerability.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2025: Entity not found: Issue - Could not find referenced Issue.


pkg-pr-new bot commented Dec 10, 2025

commit: f71deff

@@ -0,0 +1,5 @@
---
'@clerk/nextjs': patch
Contributor Author

I wasn't sure if this was a patch or minor?

Member

In this case it's a patch as Core 3 already has a major release planned (so it's going to go out as a major either way)

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.changeset/fuzzy-geese-guess.md (1)

1-5: Changeset format is correct; consider enhancing the description for clarity.

The changeset follows the correct format with proper YAML frontmatter and a patch-level bump designation. However, the description is minimal and could be more informative for release notes and consumers of this package.

Consider expanding the description to specify the Next.js version bump details and the nature of the CVE fix:

---
'@clerk/nextjs': patch
---

-Updating peerDependency for CVE-2025-55182
+Bump Next.js to 15.2.6 to address CVE-2025-55182 (react2shell vulnerability)
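Review bot: the suggested `+` line hard-codes `15.2.6`, which goes stale the moment the dev dependency moves again before release, and it describes the devDependency rather than the peer range consumers actually install against. Since the changeset is about a peerDependency change, state the new floor for each supported major instead, e.g. "Raise the `next` peerDependency floor to the releases fixed for CVE-2025-55182 (react2shell)" followed by the range, so the release note stays accurate if the pinned dev version is bumped once more.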

This provides clearer context for users reviewing release notes.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f49baec and 429107b.

📒 Files selected for processing (1)
  • .changeset/fuzzy-geese-guess.md (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (26)
  • GitHub Check: Integration Tests (quickstart, chrome, 16)
  • GitHub Check: Integration Tests (quickstart, chrome, 15)
  • GitHub Check: Integration Tests (nextjs, chrome, 16)
  • GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
  • GitHub Check: Integration Tests (machine, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (custom, chrome)
  • GitHub Check: Integration Tests (machine, chrome, RQ)
  • GitHub Check: Integration Tests (billing, chrome, RQ)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (handshake:staging, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (sessions:staging, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (handshake, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Build Packages
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (1)
.changeset/fuzzy-geese-guess.md (1)

2-2: Package.json changes are correctly aligned with the changeset.

The Next.js versions in packages/nextjs/package.json have been properly updated to address CVE-2025-55182: devDependencies specifies 15.2.6 and peerDependencies allows ^15.2.6 || ^16. The versions are consistent across both dependency types, supporting the patch-level bump documented in the changeset.

@dominic-clerk
Contributor Author

This PR focused on the next version we had as a devDependency but to be more rigorous with the version ranges we'd probably need to go with

diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
index 9098b8f69..96b233367 100644
--- a/packages/nextjs/package.json
+++ b/packages/nextjs/package.json
@@ -95,7 +95,7 @@
     "next": "15.2.6"
   },
   "peerDependencies": {
-    "next": "^15.2.6 || ^16",
+    "next": "^15.2.6 || ^15.3.6 || ^15.4.8 || ^15.5.7 || ^15.6.0-0 || ^16.0.7 || ^16.1.0-0",
     "react": "catalog:peer-react",
     "react-dom": "catalog:peer-react"
   },
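Review bot: in the `+` line, `^15.3.6`, `^15.4.8` and `^15.5.7` are all subsets of `^15.2.6` (a caret on a version with major >= 1 admits everything below the next major), so the union still accepts 15.3.0 through 15.3.5, 15.4.0 through 15.4.7 and 15.5.0 through 15.5.6 exactly as `^15.2.6 || ^16` did. If the intent is a patched floor on each minor line, tilde ranges express that: `"next": "~15.2.6 || ~15.3.6 || ~15.4.8 || ~15.5.7 || ^15.6.0-0 || ~16.0.7 || ^16.1.0-0"`. The `-0` tails (`^15.6.0-0`, `^16.1.0-0`) are needed as written, because npm only lets a prerelease satisfy a comparator that itself carries a prerelease tag on the same major.minor.patch.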
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 7c7484abc..124daef63 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -3,7 +3,7 @@ packages:
 
 catalogs:
   peer-react:
-    react: ^18.0.0 || ^19.0.0 || ^19.0.0-0
+    react: ^18.0.0 || ^19.0.1 || ^19.1.2 || ^19.2.1 || ^19.0.1-0
     react-dom: ^18.0.0 || ^19.0.0 || ^19.0.0-0
   react:
     '@types/react': 18.3.26
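Review bot: `react` gets new minimum patch levels in the `+` line, but `react-dom` on the following context line is still `^18.0.0 || ^19.0.0 || ^19.0.0-0`, so an install can pair a patched react with an older react-dom; the two catalog entries should move together. The caret overlap from the package.json hunk recurs here: `^19.1.2` and `^19.2.1` are already inside `^19.0.1`, so holding each minor line to its floor would need something like `~19.0.1 || ~19.1.2 || ~19.2.1 || ^19.3.0-0`, and the `^19.0.1-0` tail only admits 19.0.1 prereleases, not prereleases of later minors.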

WDYT @nikosdouvlis ? Or maybe I'm getting carried away here 😅
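To make the range semantics in the diff above concrete, here is an added example (not Clerk's code or tooling): a small evaluator for the caret/tilde ranges on this page that takes the proposed `next` range and a tilde variant (an assumption of mine, not something the PR proposes) and lists which sample versions each admits. Real checks should use the `semver` npm package; this reimplements only the subset used here.

```javascript
// Added example, not Clerk's code: a minimal evaluator for the "^", "~" and
// "||" peer ranges in the diff above. It covers only what the page uses
// (caret/tilde on major >= 1, a "-0" prerelease floor, "||" unions) and
// mirrors the `semver` npm package's rules for those cases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Order by major.minor.patch; a prerelease sorts below its own release.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// ^x.y.z => >=x.y.z <(x+1).0.0-0    ~x.y.z => >=x.y.z <x.(y+1).0-0
// As in npm, a prerelease version only matches a comparator whose lower
// bound has a prerelease tag on the same x.y.z tuple (e.g. "^15.6.0-0").
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(part => {
    const p = part.trim();
    if (p[0] !== '^' && p[0] !== '~') throw new Error(`unsupported range: ${p}`);
    const lo = parseVersion(p.slice(1));
    const hi = p[0] === '^'
      ? { major: lo.major + 1, minor: 0, patch: 0, pre: '0' }
      : { major: lo.major, minor: lo.minor + 1, patch: 0, pre: '0' };
    const sameTuple = v.major === lo.major && v.minor === lo.minor && v.patch === lo.patch;
    if (v.pre !== null && !(lo.pre !== null && sameTuple)) return false;
    return compare(v, lo) >= 0 && compare(v, hi) < 0;
  });
}
// Versions from a candidate list that the range admits, in list order.
function allowed(range, versions) {
  return versions.filter(v => satisfies(v, range));
}
// The range proposed in the comment above, and an assumed tilde variant that
// would hold each 15.x / 16.x minor line to its own patched floor.
const PROPOSED = '^15.2.6 || ^15.3.6 || ^15.4.8 || ^15.5.7 || ^15.6.0-0 || ^16.0.7 || ^16.1.0-0';
const PER_MINOR = '~15.2.6 || ~15.3.6 || ~15.4.8 || ~15.5.7 || ^15.6.0-0 || ~16.0.7 || ^16.1.0-0';
// Constructed sample: each line's floor plus a release below it.
const SAMPLE = ['15.2.5', '15.2.6', '15.3.0', '15.3.6', '15.4.7', '15.4.8',
                '15.5.0', '15.5.7', '15.6.0', '16.0.0', '16.0.7', '16.1.0-0'];
console.log('proposed admits :', allowed(PROPOSED, SAMPLE).join(' '));
console.log('per-minor admits:', allowed(PER_MINOR, SAMPLE).join(' '));
```

Running it shows the proposed range still admitting 15.3.0, 15.4.7 and 15.5.0, while the tilde variant admits only the listed floors and anything above them within each minor.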

Comment on lines 95 to 98
"next": "15.2.6"
},
"peerDependencies": {
"next": "^15.2.3 || ^16",
"next": "^15.2.6 || ^16",
Contributor

We should likely update this to cover the new set of CVEs too while we are at it?

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 429107b and 0106fcc.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .changeset/fuzzy-geese-guess.md (1 hunks)
  • packages/nextjs/package.json (1 hunks)
  • pnpm-workspace.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/nextjs/package.json
  • .changeset/fuzzy-geese-guess.md
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • pnpm-workspace.yaml
**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

  • pnpm-workspace.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)
  • GitHub Check: Integration Tests (billing, chrome, RQ)
  • GitHub Check: Integration Tests (custom, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome, 15)
  • GitHub Check: Integration Tests (machine, chrome, RQ)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (machine, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome, 16)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (handshake, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (handshake:staging, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 16)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (sessions:staging, chrome)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (1)
pnpm-workspace.yaml (1)

6-6: Verify the rationale for the expanded React version constraints.

The change pins React to specific minor versions (^19.0.3, ^19.1.4, ^19.2.3, ^19.3.0-0) rather than the broader ^19.0.0 || ^19.0.0-0. The PR objective is addressing CVE-2025-55182 in Next.js, but the connection to these specific React versions is unclear.

Confirm:

  • Are these React versions related to the CVE fix, or is this a separate hardening effort?
  • If separate, consider decoupling this change from the security patch PR to simplify review and minimize risk.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@dominic-clerk dominic-clerk changed the title from "chore(nextjs): Bump nextjs version for CVE-2025-55182" to "chore(nextjs): Bump nextjs version for RSC CVEs" on Dec 17, 2025
@dominic-clerk dominic-clerk merged commit 6ef85d1 into main Dec 17, 2025
101 of 105 checks passed
@dominic-clerk dominic-clerk deleted the dc-bump-next branch December 17, 2025 09:15