Recursively scans all package.json files (handles monorepos)
Checks for vulnerable versions of:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Patches to the correct fixed version based on your current version
Refreshes your lockfile with the detected package manager

Affected Versions

Next.js

Current Version	Patched Version
15.0.0 – 15.0.4	15.0.5
15.1.0 – 15.1.8	15.1.9
15.2.0 – 15.2.5	15.2.6
15.3.0 – 15.3.5	15.3.6
15.4.0 – 15.4.7	15.4.8
15.5.0 – 15.5.6	15.5.7
16.0.0 – 16.0.6	16.0.7
15.x canaries	15.6.0-canary.58
16.x canaries	16.1.0-canary.12
14.3.0-canary.77+	Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5

React RSC Packages

Current Version	Patched Version
19.0.0	19.0.1
19.1.0, 19.1.1	19.1.2
19.2.0	19.2.1

Usage

Check & Fix (Interactive)

npx fix-react-2-shell

Auto-fix (CI / Non-interactive)

npx fix-react-2-shell --fix

Check Only (Dry Run)

npx fix-react-2-shell --dry-run

JSON Output (for scripting)

npx fix-react-2-shell --json

Example Output

🔍 fix-react-2-shell - CVE-2025-66478 vulnerability scanner

📂 Found 3 package.json file(s)

🚨 Found 2 vulnerable file(s):

  📄 package.json
     next: ^15.1.0 → 15.1.9

  📄 apps/web/package.json
     next: ^15.4.3 → 15.4.8
     react-server-dom-webpack: 19.1.0 → 19.1.2

🔧 Apply fixes? [Y/n] y

🔧 Applying fixes...

   ✓ Updated package.json
   ✓ Updated apps/web/package.json

📦 Package manager: pnpm
🔄 Refreshing lockfile...

$ pnpm install

✅ Successfully patched!
   Your project is no longer vulnerable to CVE-2025-66478.
   Remember to test your app and commit the changes.

Monorepo Support

The tool automatically finds all package.json files in your project, excluding:

node_modules
.next, .turbo, .vercel, .nuxt
dist, build, .output
coverage

Works with npm, yarn, pnpm, and bun workspaces.

Why No AI?

Fixing CVE-2025-66478 is purely a version bump - no code changes needed. The vulnerability is in React's flight protocol used by server components. Upgrading to the patched versions closes the RCE vector completely.

AI might help if the upgrade breaks your build, but that's a separate concern from security. This tool does one thing: patches the CVE deterministically.

Publishing

# 1. Publish main package first
npm publish

# 2. Publish alias packages (all depend on main)
cd packages/fix-react-2-shelll && npm publish   # typo (extra 'l')
cd ../fix-react-two-shell && npm publish        # alternate spelling
cd ../react-2-shell && npm publish              # short name
cd ../react-two-shell && npm publish            # short name alternate

The alias packages depend on the main package, so publish order matters.

References

License

MIT

Keywords

FAQs

What is fix-react-2-shell?

Is fix-react-2-shell popular?

Is fix-react-2-shell well maintained?

Package last updated on 06 Dec 2025

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

fix-react-2-shell