Skip to content

Block vulnerable nextjs versions.#442

Merged
annajowang merged 5 commits intomainfrom
vuln
Dec 3, 2025
Merged

Block vulnerable nextjs versions.#442
annajowang merged 5 commits intomainfrom
vuln

Conversation

@annajowang
Copy link
Copy Markdown
Collaborator

@annajowang annajowang commented Dec 3, 2025

No description provided.

@annajowang
Copy link
Copy Markdown
Collaborator Author

annajowang commented Dec 3, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 3, 2025
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a check to block vulnerable versions of Next.js during the build process. The changes include updating the semver dependency, adding a checkNextJSVersion utility function with corresponding tests, and updating the starter project to a safe Next.js version.

My review focuses on improving the robustness of the new version check and fixing an issue in the tests. I've suggested using a more robust condition to handle unspecified versions and extracting the version range string into a constant for better maintainability. I also found a bug in the new tests where assertions for non-throwing cases were not correctly implemented.

@annajowang
Copy link
Copy Markdown
Collaborator Author

annajowang commented Dec 3, 2025

/gemini review

@annajowang annajowang marked this pull request as ready for review December 3, 2025 22:30
gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 3, 2025
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a mechanism to block deployments using vulnerable versions of Next.js. It adds a version check at build time and updates dependencies in starter templates to safe versions. My review focuses on improving the clarity and maintainability of the implementation. I've suggested refactoring the list of safe versions for better readability and correcting a potentially misleading error message that contains placeholder CVE information.

packages/@apphosting/adapter-nextjs/src/utils.ts
Comment on lines +31 to +33
throw new Error(
`CVE-2025-55182: Vulnerable Next version ${version} detected. Deployment blocked. Update your app's dependencies to a patched Next.js version and redeploy:https://nextjs.org/blog/CVE-2025-66478#fixed-versions`,
);
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The CVE identifiers and URL in the error message appear to be placeholders and are likely incorrect. CVE-2025-55182 and CVE-2025-66478 reference a future year, and the CVEs are different in the message body and the URL. This could cause confusion for users who encounter this error.

To avoid providing misleading information, consider using a more generic error message until the correct CVE details and a valid advisory link are available.

    throw new Error(
      `Vulnerable Next.js version ${version} detected. Deployment blocked. Please update your app's dependencies to a patched Next.js version and redeploy. For more details, see the relevant security advisory.`,
    );

@annajowang annajowang merged commit eb69b26 into main Dec 3, 2025
10 checks passed
@gavinsharp
Copy link
Copy Markdown

gavinsharp commented Dec 3, 2025
edited
Loading

@annajowang I think this change broke my builds, I am seeing the following error in App Hosting Cloud Build logs:

Running "npm exec --prefix /layers/google.nodejs.firebasenextjs/npm_modules apphosting-adapter-nextjs-build"
node:internal/modules/package_json_reader:314
  throw new ERR_MODULE_NOT_FOUND(packageName, fileURLToPath(base), null);
        ^
Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'semver' imported from /layers/google.nodejs.firebasenextjs/npm_modules/node_modules/@apphosting/adapter-nextjs/dist/utils.js
    at Object.getPackageJSONURL (node:internal/modules/package_json_reader:314:9)
    at packageResolve (node:internal/modules/esm/resolve:767:81)
    at moduleResolve (node:internal/modules/esm/resolve:853:18)
    at defaultResolve (node:internal/modules/esm/resolve:983:11)
    at #cachedDefaultResolve (node:internal/modules/esm/loader:731:20)
    at ModuleLoader.resolve (node:internal/modules/esm/loader:708:38)
    at ModuleLoader.getModuleJobForImport (node:internal/modules/esm/loader:310:38)
    at ModuleJob._link (node:internal/modules/esm/module_job:182:49) {
  code: 'ERR_MODULE_NOT_FOUND'
}

richwear1307 pushed a commit to richwear1307/horse-tipping-app that referenced this pull request Feb 27, 2026
@annajowang
Block vulnerable nextjs versions. (firebase#442)
66cd5f5 
* Block vulnerable nextjs versions.

* test

* some cleanup

* lint

* more tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yuangwang Yuangwang Yuangwang approved these changes

@sjjj986 sjjj986 Awaiting requested review from sjjj986 sjjj986 is a code owner

@jamesdaniels jamesdaniels Awaiting requested review from jamesdaniels jamesdaniels is a code owner

@blidd-google blidd-google Awaiting requested review from blidd-google

@taeold taeold Awaiting requested review from taeold taeold is a code owner

@leoortizz leoortizz Awaiting requested review from leoortizz

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@annajowang @gavinsharp @Yuangwang