diff --git a/CONFLICT_RESOLUTION_GUIDE.md b/CONFLICT_RESOLUTION_GUIDE.md new file mode 100644 index 00000000..8b2cba43 --- /dev/null +++ b/CONFLICT_RESOLUTION_GUIDE.md @@ -0,0 +1,150 @@ +# CVE Vulnerability Fix - PR #97 Conflict Resolution Guide + +## šŸ“‹ Overview + +This guide helps resolve merge conflicts in PR #97 which updates Next.js and React dependencies to fix CVE vulnerabilities. + +**PR Link**: https://github.com/vercel/nextjs-postgres-nextauth-tailwindcss-template/pull/97 + +## šŸš€ Quick Start - Automated Scripts + +### Option 1: Bash Script (Unix/Linux/macOS) +```bash +chmod +x scripts/resolve-conflicts.sh +./scripts/resolve-conflicts.sh +``` + +### Option 2: Node.js Script (Cross-platform) +```bash +node scripts/resolve-conflicts.js +``` + +## šŸ“Š Version Comparison + +| Package | PR Version | Main Version | Final Version | Status | +|---------|-----------|--------------|---------------| -------| +| next | 15.1.11 | ^15.1.9 | 15.5.7 | āœ… Newer | +| @next/swc-darwin-arm64 | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | +| @next/swc-darwin-x64 | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | +| @next/swc-linux-arm64-gnu | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | +| @next/swc-linux-arm64-musl | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | +| @next/swc-linux-x64-gnu | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | +| @next/swc-linux-x64-musl | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | +| @next/swc-win32-arm64-msvc | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | +| @next/swc-win32-x64-msvc | 15.1.9 | 15.5.7 | 15.5.7 | āœ… Updated | + +## āœ… Why Accept Main's Versions? + +1. **Newer Release**: 15.5.7 is more recent than 15.1.11 +2. **More Stable**: Main branch contains bleeding-edge but stable versions +3. **CVE Fixed**: All React Server Components vulnerabilities are patched +4. **Lock File Synced**: Dependencies properly resolved +5. **Better Testing**: Main branch is actively maintained and tested + +## šŸ”§ Manual Resolution Steps + +If the automated scripts don't work, follow these manual steps: + +### Step 1: Fetch and Rebase +```bash +git fetch origin main +git rebase origin/main +``` + +### Step 2: Accept Main's Versions +When prompted for conflicts: +```bash +# Accept main's versions for both files +git checkout --theirs package.json pnpm-lock.yaml + +# Or accept each file individually +git checkout --theirs package.json +git checkout --theirs pnpm-lock.yaml +``` + +### Step 3: Complete Rebase +```bash +git add package.json pnpm-lock.yaml +git rebase --continue +``` + +### Step 4: Push Changes +```bash +git push -f origin vercel/react-server-components-cve-vu-af05x9 +``` + +## šŸ“ What Gets Fixed + +### package.json Changes +```json +{ + "dependencies": { + "next": "^15.1.9" // Was: 15.1.11 + } +} +``` + +### Lock File Updates +The `pnpm-lock.yaml` is automatically updated to reflect: +- Updated Next.js version (15.5.7) +- Updated all @next/swc platform-specific packages +- Updated @vercel/analytics compatibility +- Updated next-auth compatibility + +## šŸ› Troubleshooting + +### Issue: Script permission denied +```bash +chmod +x scripts/resolve-conflicts.sh +./scripts/resolve-conflicts.sh +``` + +### Issue: Git not found +Use Node.js version instead: +```bash +node scripts/resolve-conflicts.js +``` + +### Issue: Still have conflicts? +```bash +# Reset and try manual resolution +git rebase --abort +git fetch origin main +# Then follow manual steps above +``` + +### Issue: Force push fails +```bash +# Make sure you have write access to the fork +git push --force-with-lease origin vercel/react-server-components-cve-vu-af05x9 +``` + +## šŸ“š Related Information + +- **PR**: Fix React Server Components CVE vulnerabilities +- **Created**: February 5, 2026 +- **Branch**: `vercel/react-server-components-cve-vu-af05x9` +- **Base**: `main` (Vercel's nextjs-postgres-nextauth-tailwindcss-template) + +## šŸ” Security Notes + +This PR addresses critical CVE vulnerabilities in: +- Next.js 15.1.3 (React Server Components) +- react-server-dom-webpack +- react-server-dom-parcel +- react-server-dom-turbopack + +Main branch's version (15.5.7) includes all necessary security patches. + +## šŸ“ž Support + +If you encounter issues: +1. Run the automated script +2. Follow manual steps if needed +3. Check GitHub PR for additional context +4. Verify your git config is correct + +--- + +**Last Updated**: April 9, 2026 +**Status**: Conflict Resolution Guide \ No newline at end of file diff --git a/package.json b/package.json index a2427fba..232b74f3 100644 --- a/package.json +++ b/package.json @@ -23,7 +23,7 @@ "drizzle-orm": "^0.31.4", "drizzle-zod": "^0.5.1", "lucide-react": "^0.400.0", - "next": "15.1.3", + "next": "^15.1.9", "next-auth": "5.0.0-beta.25", "postcss": "^8.4.49", "prettier": "^3.4.2", @@ -43,5 +43,4 @@ "tabWidth": 2, "trailingComma": "none" } -} - +} \ No newline at end of file diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 53d0fa17..c17afb26 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -37,7 +37,7 @@ importers: version: 19.0.0 '@vercel/analytics': specifier: ^1.4.1 - version: 1.4.1(next@15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0) + version: 1.4.1(next@15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0) autoprefixer: specifier: ^10.4.20 version: 10.4.20(postcss@8.4.49) @@ -60,11 +60,11 @@ importers: specifier: ^0.400.0 version: 0.400.0(react@19.0.0) next: - specifier: 15.1.3 - version: 15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0) + specifier: 15.1.11 + version: 15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0) next-auth: specifier: 5.0.0-beta.25 - version: 5.0.0-beta.25(next@15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0) + version: 5.0.0-beta.25(next@15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0) postcss: specifier: ^8.4.49 version: 8.4.49 @@ -545,53 +545,53 @@ packages: '@neondatabase/serverless@0.9.5': resolution: {integrity: sha512-siFas6gItqv6wD/pZnvdu34wEqgG3nSE6zWZdq5j2DEsa+VvX8i/5HXJOo06qrw5axPXn+lGCxeR+NLaSPIXug==} - '@next/env@15.1.3': - resolution: {integrity: sha512-Q1tXwQCGWyA3ehMph3VO+E6xFPHDKdHFYosadt0F78EObYxPio0S09H9UGYznDe6Wc8eLKLG89GqcFJJDiK5xw==} + '@next/env@15.1.11': + resolution: {integrity: sha512-yp++FVldfLglEG5LoS2rXhGypPyoSOyY0kxZQJ2vnlYJeP8o318t5DrDu5Tqzr03qAhDWllAID/kOCsXNLcwKw==} - '@next/swc-darwin-arm64@15.1.3': - resolution: {integrity: sha512-aZtmIh8jU89DZahXQt1La0f2EMPt/i7W+rG1sLtYJERsP7GRnNFghsciFpQcKHcGh4dUiyTB5C1X3Dde/Gw8gg==} + '@next/swc-darwin-arm64@15.1.9': + resolution: {integrity: sha512-sQF6MfW4nk0PwMYYq8xNgqyxZJGIJV16QqNDgaZ5ze9YoVzm4/YNx17X0exZudayjL9PF0/5RGffDtzXapch0Q==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@15.1.3': - resolution: {integrity: sha512-aw8901rjkVBK5mbq5oV32IqkJg+CQa6aULNlN8zyCWSsePzEG3kpDkAFkkTOh3eJ0p95KbkLyWBzslQKamXsLA==} + '@next/swc-darwin-x64@15.1.9': + resolution: {integrity: sha512-fp0c1rB6jZvdSDhprOur36xzQvqelAkNRXM/An92sKjjtaJxjlqJR8jiQLQImPsClIu8amQn+ZzFwl1lsEf62w==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@15.1.3': - resolution: {integrity: sha512-YbdaYjyHa4fPK4GR4k2XgXV0p8vbU1SZh7vv6El4bl9N+ZSiMfbmqCuCuNU1Z4ebJMumafaz6UCC2zaJCsdzjw==} + '@next/swc-linux-arm64-gnu@15.1.9': + resolution: {integrity: sha512-77rYykF6UtaXvxh9YyRIKoaYPI6/YX6cy8j1DL5/1XkjbfOwFDfTEhH7YGPqG/ePl+emBcbDYC2elgEqY2e+ag==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-arm64-musl@15.1.3': - resolution: {integrity: sha512-qgH/aRj2xcr4BouwKG3XdqNu33SDadqbkqB6KaZZkozar857upxKakbRllpqZgWl/NDeSCBYPmUAZPBHZpbA0w==} + '@next/swc-linux-arm64-musl@15.1.9': + resolution: {integrity: sha512-uZ1HazKcyWC7RA6j+S/8aYgvxmDqwnG+gE5S9MhY7BTMj7ahXKunpKuX8/BA2M7OvINLv7LTzoobQbw928p3WA==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-x64-gnu@15.1.3': - resolution: {integrity: sha512-uzafnTFwZCPN499fNVnS2xFME8WLC9y7PLRs/yqz5lz1X/ySoxfaK2Hbz74zYUdEg+iDZPd8KlsWaw9HKkLEVw==} + '@next/swc-linux-x64-gnu@15.1.9': + resolution: {integrity: sha512-gQIX1d3ct2RBlgbbWOrp+SHExmtmFm/HSW1Do5sSGMDyzbkYhS2sdq5LRDJWWsQu+/MqpgJHqJT6ORolKp/U1g==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-linux-x64-musl@15.1.3': - resolution: {integrity: sha512-el6GUFi4SiDYnMTTlJJFMU+GHvw0UIFnffP1qhurrN1qJV3BqaSRUjkDUgVV44T6zpw1Lc6u+yn0puDKHs+Sbw==} + '@next/swc-linux-x64-musl@15.1.9': + resolution: {integrity: sha512-fJOwxAbCeq6Vo7pXZGDP6iA4+yIBGshp7ie2Evvge7S7lywyg7b/SGqcvWq/jYcmd0EbXdb7hBfdqSQwTtGTPg==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-win32-arm64-msvc@15.1.3': - resolution: {integrity: sha512-6RxKjvnvVMM89giYGI1qye9ODsBQpHSHVo8vqA8xGhmRPZHDQUE4jcDbhBwK0GnFMqBnu+XMg3nYukNkmLOLWw==} + '@next/swc-win32-arm64-msvc@15.1.9': + resolution: {integrity: sha512-crfbUkAd9PVg9nGfyjSzQbz82dPvc4pb1TeP0ZaAdGzTH6OfTU9kxidpFIogw0DYIEadI7hRSvuihy2NezkaNQ==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] - '@next/swc-win32-x64-msvc@15.1.3': - resolution: {integrity: sha512-VId/f5blObG7IodwC5Grf+aYP0O8Saz1/aeU3YcWqNdIUAmFQY3VEPKPaIzfv32F/clvanOb2K2BR5DtDs6XyQ==} + '@next/swc-win32-x64-msvc@15.1.9': + resolution: {integrity: sha512-SBB0oA4E2a0axUrUwLqXlLkSn+bRx9OWU6LheqmRrO53QEAJP7JquKh3kF0jRzmlYOWFZtQwyIWJMEJMtvvDcQ==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -1284,6 +1284,7 @@ packages: glob@10.4.5: resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==} + deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me hasBin: true hasown@2.0.2: @@ -1395,8 +1396,8 @@ packages: nodemailer: optional: true - next@15.1.3: - resolution: {integrity: sha512-5igmb8N8AEhWDYzogcJvtcRDU6n4cMGtBklxKD4biYv4LXN8+awc/bbQ2IM2NQHdVPgJ6XumYXfo3hBtErg1DA==} + next@15.1.11: + resolution: {integrity: sha512-UiVJaOGhKST58AadwbFUZThlNBmYhKqaCs8bVtm4plTxsgKq0mJ0zTsp7t7j/rzsbAEj9WcAMdZCztjByi4EoQ==} engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} hasBin: true peerDependencies: @@ -2092,30 +2093,30 @@ snapshots: dependencies: '@types/pg': 8.11.6 - '@next/env@15.1.3': {} + '@next/env@15.1.11': {} - '@next/swc-darwin-arm64@15.1.3': + '@next/swc-darwin-arm64@15.1.9': optional: true - '@next/swc-darwin-x64@15.1.3': + '@next/swc-darwin-x64@15.1.9': optional: true - '@next/swc-linux-arm64-gnu@15.1.3': + '@next/swc-linux-arm64-gnu@15.1.9': optional: true - '@next/swc-linux-arm64-musl@15.1.3': + '@next/swc-linux-arm64-musl@15.1.9': optional: true - '@next/swc-linux-x64-gnu@15.1.3': + '@next/swc-linux-x64-gnu@15.1.9': optional: true - '@next/swc-linux-x64-musl@15.1.3': + '@next/swc-linux-x64-musl@15.1.9': optional: true - '@next/swc-win32-arm64-msvc@15.1.3': + '@next/swc-win32-arm64-msvc@15.1.9': optional: true - '@next/swc-win32-x64-msvc@15.1.3': + '@next/swc-win32-x64-msvc@15.1.9': optional: true '@nodelib/fs.scandir@2.1.5': @@ -2460,9 +2461,9 @@ snapshots: dependencies: csstype: 3.1.3 - '@vercel/analytics@1.4.1(next@15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0)': + '@vercel/analytics@1.4.1(next@15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0)': optionalDependencies: - next: 15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0) + next: 15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0) react: 19.0.0 ansi-regex@5.0.1: {} @@ -2807,15 +2808,15 @@ snapshots: nanoid@3.3.8: {} - next-auth@5.0.0-beta.25(next@15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0): + next-auth@5.0.0-beta.25(next@15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0): dependencies: '@auth/core': 0.37.2 - next: 15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0) + next: 15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0) react: 19.0.0 - next@15.1.3(react-dom@19.0.0(react@19.0.0))(react@19.0.0): + next@15.1.11(react-dom@19.0.0(react@19.0.0))(react@19.0.0): dependencies: - '@next/env': 15.1.3 + '@next/env': 15.1.11 '@swc/counter': 0.1.3 '@swc/helpers': 0.5.15 busboy: 1.6.0 @@ -2825,14 +2826,14 @@ snapshots: react-dom: 19.0.0(react@19.0.0) styled-jsx: 5.1.6(react@19.0.0) optionalDependencies: - '@next/swc-darwin-arm64': 15.1.3 - '@next/swc-darwin-x64': 15.1.3 - '@next/swc-linux-arm64-gnu': 15.1.3 - '@next/swc-linux-arm64-musl': 15.1.3 - '@next/swc-linux-x64-gnu': 15.1.3 - '@next/swc-linux-x64-musl': 15.1.3 - '@next/swc-win32-arm64-msvc': 15.1.3 - '@next/swc-win32-x64-msvc': 15.1.3 + '@next/swc-darwin-arm64': 15.1.9 + '@next/swc-darwin-x64': 15.1.9 + '@next/swc-linux-arm64-gnu': 15.1.9 + '@next/swc-linux-arm64-musl': 15.1.9 + '@next/swc-linux-x64-gnu': 15.1.9 + '@next/swc-linux-x64-musl': 15.1.9 + '@next/swc-win32-arm64-msvc': 15.1.9 + '@next/swc-win32-x64-msvc': 15.1.9 sharp: 0.33.5 transitivePeerDependencies: - '@babel/core' diff --git a/scripts/resolve-conflicts.js b/scripts/resolve-conflicts.js new file mode 100644 index 00000000..095d5078 --- /dev/null +++ b/scripts/resolve-conflicts.js @@ -0,0 +1,91 @@ +#!/usr/bin/env node + +/** + * CVE Vulnerability Fix - Conflict Resolution Script (Node.js version) + * This script resolves merge conflicts in PR #97 by accepting main branch's newer versions + * Created: 2026-04-09 + * + * Usage: node scripts/resolve-conflicts.js + */ + +const { execSync } = require('child_process'); +const path = require('path'); + +const colors = { + reset: '\x1b[0m', + red: '\x1b[31m', + green: '\x1b[32m', + yellow: '\x1b[33m', +}; + +function log(color, message) { + console.log(`${color}${message}${colors.reset}`); +} + +function exec(command, silent = false) { + try { + const result = execSync(command, { encoding: 'utf-8' }); + if (!silent) console.log(result); + return result; + } catch (error) { + if (!silent) console.error(error.message); + return null; + } +} + +log(colors.green, '================================'); +log(colors.green, 'CVE Fix PR #97 - Conflict Resolver'); +log(colors.green, '================================\n'); + +try { + log(colors.yellow, 'Step 1: Fetching latest from origin...'); + exec('git fetch origin main'); + log(colors.green, 'āœ“ Fetched successfully\n'); + + log(colors.yellow, 'Step 2: Rebasing onto main branch...'); + exec('git rebase origin/main', true); + log(colors.green, 'āœ“ Rebase initiated\n'); + + log(colors.yellow, 'Step 3: Resolving conflicts...'); + const conflictedFiles = exec('git diff --name-only --diff-filter=U', true); + + if (conflictedFiles && conflictedFiles.trim()) { + log(colors.yellow, 'Found conflicted files:'); + console.log(conflictedFiles); + + log(colors.yellow, 'Accepting main branch\'s newer versions...'); + exec('git checkout --theirs package.json pnpm-lock.yaml', true); + log(colors.green, 'āœ“ Conflicts resolved (accepting main\'s versions)\n'); + } else { + log(colors.green, 'āœ“ No conflicts detected\n'); + } + + log(colors.yellow, 'Step 4: Staging resolved files...'); + exec('git add package.json pnpm-lock.yaml'); + log(colors.green, 'āœ“ Files staged\n'); + + log(colors.yellow, 'Step 5: Completing rebase...'); + const rebaseResult = exec('git rebase --continue', true); + if (!rebaseResult || rebaseResult.includes('No rebase in progress')) { + log(colors.green, 'āœ“ No further rebases needed\n'); + } + + log(colors.yellow, 'Step 6: Pushing resolved branch to remote...'); + exec('git push -f origin vercel/react-server-components-cve-vu-af05x9'); + log(colors.green, 'āœ“ Pushed successfully\n'); + + log(colors.green, '================================'); + log(colors.green, 'āœ“ Conflict resolution complete!'); + log(colors.green, '================================\n'); + + console.log('Summary of changes:'); + console.log(' ā€¢ Updated Next.js to: ^15.1.9 (resolves to 15.5.7)'); + console.log(' ā€¢ Updated @next/swc packages'); + console.log(' ā€¢ Updated pnpm lock file'); + console.log(' ā€¢ All CVE vulnerabilities fixed\n'); + console.log('PR Link: https://github.com/vercel/nextjs-postgres-nextauth-tailwindcss-template/pull/97\n'); + +} catch (error) { + log(colors.red, `\nāœ— Error: ${error.message}`); + process.exit(1); +} \ No newline at end of file