Fix React Server Components CVE vulnerabilities #1
Draft
vercel[bot] wants to merge 1 commit into
Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
prokesmic added a commit that referenced this pull request Jan 10, 2026

- Rewrite ProfileHeaderHero to match Screenshot #1 layout
- Add dark glassmorphism left panel (bg-black/40 backdrop-blur-md)
- Position avatar, name, meta, sport chip inside overlay panel
- Move stats row inside overlay panel with border-t separator
- Edit Profile button now absolute top-right on hero (z-20)
- Fixed hero height: h-[280px] md:h-[320px]
- Left-to-right dark gradient for image readability
- Add data-testid attributes for regression testing:
  - profile-hero, profile-hero-image, profile-edit-btn

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
prokesmic added a commit that referenced this pull request Jan 10, 2026

ROOT CAUSE: Old ProfileHeaderHero relied on complex hero resolver that could fail, causing fallback to teal gradient. Identity block was not overlayed on the hero image.

SOLUTION:
- Create new ProfileHeroBanner.tsx with guaranteed-to-work design
- Always uses real background image (Unsplash fallback if no bannerUrl)
- Dark left overlay panel with avatar, name, meta, sport chip
- Counts row INSIDE the hero (not below)
- Edit Profile button positioned top-right on hero (z-20)
- Remove dependency on getHeroForUserPrimarySport resolver

Layout matches Screenshot #1:
- Full-width hero with photo background (h-[280px])
- Left-to-right dark gradient (from-black/75 via-black/45 to-transparent)
- Glassmorphism left panel (bg-black/35 backdrop-blur-md)
- Stats row inside hero with border-t separator

Data-testid attributes for regression testing:
- profile-hero, profile-hero-image, profile-edit-btn

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
prokesmic added a commit that referenced this pull request Jan 12, 2026

PHASE 1 - Data Model:
- Add MultiSport to seed-sports.ts (slug: multisport, category: GENERAL)
- Create backfill script for existing users without primary sport

PHASE 2 - Ribbon Config Registry (lib/ribbon/ribbonConfig.ts):
- Define RibbonMetricKey enum (18 metric types)
- Create sport-specific overrides for 20+ sports
- Define category defaults for all 12 SportCategory values
- Universal fallback config
- Resolution order: sport override → category default → fallback
- Tile #1 is ALWAYS Global Rank

PHASE 3 - Sport Normalization:
- Add multisport aliases (multi-sport, all-sports, general)
- Kiteboarding → kitesurfing already handled

PHASE 4 - Stats Computation (lib/ribbon/getRibbonViewModel.ts):
- Compute global rank via Sport Index comparison
- Fetch range-based stats (power, distance, elevation, etc.)
- Compute variety count for MultiSport users
- Format all metrics for UI display

PHASE 5 - HeroRibbon UI:
- Refactor to render dynamic metrics from config
- Add sport badge showing current primary sport
- Remove hardcoded metric tiles
- Keep existing range switcher and glassmorphism styling

PHASE 6 - Sport Picker:
- Sort MultiSport to top of picker list
- Update description to explain ribbon/ranking relationship

PHASE 7 - Tests:
- 15 unit tests for config resolution and normalization

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
prokesmic added a commit that referenced this pull request Jan 12, 2026

ROOT CAUSE: Two competing sources of truth for primary sport:
1. User.primarySportId - updated by profile API
2. UserSport.priority=0 - read by home page & ribbon

The profile form updated #1 but the app read from #2.

HOLISTIC FIX in /api/user/profile:
1. When primarySportId changes, also update UserSport.priority
2. If sport doesn't exist in UserSport, create it as primary
3. If sport is inactive, reactivate and make primary
4. If sport exists and active, shift priorities and make primary
5. Add revalidatePath() for /home, /profile/[username], /settings/profile

Now changing primary sport in settings:
- Updates User.primarySportId
- Updates UserSport priorities
- Revalidates affected pages
- Home page and ribbon show correct sport immediately

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project evergo. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com
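
One way to review this PR's claim that every package.json now declares a fixed version, as an added example (not code from Vercel, the fix-react2shell-next tool, or this repository). The names `auditManifests`, `parseFloor` and `PLACEHOLDER_FIXED` are hypothetical, the sample manifests are constructed, and the version numbers are placeholders to be replaced with the values from the official advisory.

```javascript
// Packages named in the PR description above.
const WATCHED = ['next', 'react-server-dom-webpack',
  'react-server-dom-parcel', 'react-server-dom-turbopack'];
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// PLACEHOLDER table (constructed values, NOT the advisory's numbers):
// package -> release line "major.minor" -> first fixed patch number.
// Fill it in from the official advisory before relying on the result.
const PLACEHOLDER_FIXED = {
  'next': { '1.0': 5, '1.1': 2 },
  'react-server-dom-webpack': { '1.0': 3 },
};

// Accepts "1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3"; anything else
// (tags, URLs, workspace:*, prereleases, compound ranges) returns null.
function parseFloor(range) {
  const m = /^\s*(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)\s*$/.exec(String(range));
  return m ? { line: `${m[1]}.${m[2]}`, patch: Number(m[3]) } : null;
}

// manifests: { "<path>": <parsed package.json object> }
function auditManifests(manifests, fixed) {
  const findings = [];
  for (const [path, manifest] of Object.entries(manifests)) {
    for (const section of SECTIONS) {
      for (const [name, range] of Object.entries(manifest[section] || {})) {
        if (!WATCHED.includes(name)) continue;
        const floor = parseFloor(range);
        const lines = fixed[name] || {};
        let status;
        if (!floor) status = 'review-by-hand';
        else if (!(floor.line in lines)) status = 'line-not-in-table';
        else status = floor.patch >= lines[floor.line] ? 'ok' : 'below-fixed';
        findings.push({ path, section, name, range, status });
      }
    }
  }
  return findings;
}

// Constructed sample: a two-manifest monorepo.
const SAMPLE = {
  'package.json': { dependencies: { next: '^1.0.5', react: '^1.0.0' } },
  'apps/web/package.json': {
    dependencies: { next: '1.1.1', 'react-server-dom-webpack': 'latest' },
    devDependencies: { 'react-server-dom-parcel': '~1.0.9' },
  },
};
const sampleFindings = auditManifests(SAMPLE, PLACEHOLDER_FIXED);
```

A declared range only sets the minimum; the version actually installed is whatever the lockfile resolves to, so check the lockfile entries for the same four packages as well.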