
Commit 9497e3d

Update Next.js/React Flight packages for RCE
React Flight / Next.js RCE Advisory (CVE-2025-66478) Security Patch

## Summary

Updated the aisdk.rs documentation website (apps/docs) to address the critical React Flight / Next.js RCE vulnerability (CVE-2025-66478). The project was detected as affected and has been successfully patched.

## Vulnerability Details

- **CVE-2025-66478**: Critical RCE in React Server Components and Next.js
- **Affected Versions**:
  - React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  - Next.js: 15.5.0-15.5.6, and other affected minor versions
- **Patched Versions**:
  - React: 19.0.1, 19.1.2, 19.2.1
  - Next.js: 15.5.7, 16.0.7, etc. (depending on minor version)

## Detection Results

The monorepo contains two package.json files:

1. **Root package.json**: No vulnerable dependencies detected
2. **apps/docs/package.json**: Next.js 15.5.x project (affected)

No React Flight packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) are in use.

## Changes Made

### Modified Files

- **apps/docs/package.json**:
  - `next`: 15.5.4 → 15.5.7 (patched version for 15.5.x)
  - `react`: ^19.2.0 → ^19.2.1 (patched version, updated from vulnerable 19.2.0)
  - `react-dom`: ^19.2.0 → ^19.2.1 (patched version)
  - `@types/react`: ^19.2.0 → ^19.2.1
  - `@types/react-dom`: ^19.2.0 → ^19.2.1
- **pnpm-lock.yaml**: Updated with new dependency resolution
  - React 19.2.1 now resolved in lockfile
  - React DOM 19.2.1 now resolved in lockfile

## Implementation Details

### Approach

1. Scanned the monorepo to identify all package.json files
2. Detected affected packages:
   - Next.js 15.5.7 (already at correct patched version in manifest, but running 15.5.4)
   - React ^19.2.0 (resolving to vulnerable 19.2.0)
3. Updated React and React-DOM to patched versions (19.2.1)
4. Updated type definitions for compatibility
5. Ran pnpm install to regenerate lockfile with new versions

### Verification

✅ Dependencies installed successfully (pnpm install)
✅ Next.js build completed successfully (next build)
✅ Linter check passed (biome check)
✅ Lockfile updated correctly:
  - react@19.2.1 resolved with correct hash
  - react-dom@19.2.1 resolved with correct hash
✅ Build output shows all 30 static pages generated successfully

### Peer Dependency Notes

Some transitive dependencies have unmet peer dependency warnings for React 19.2.1, but these are from packages that only declare support up to React 18. This is acceptable as the new React version is backward compatible and the warnings don't affect functionality. These come from:

- @emoji-mart/react (expects ^16.8 || ^17 || ^18)
- react-avatar-editor (expects ^0.14.0 || ^16.0.0 || ^17.0.0 || ^18.0.0)

These are transitive dependencies of @lobehub/ui and do not impact the security fix.

## Security Impact

- Project is now protected from the CVE-2025-66478 RCE vulnerability
- React 19.2.1 patches the vulnerability in React Flight deserialization
- Next.js 15.5.7 includes coordinated security updates
- No React Flight packages are used, so this was primarily an indirect exposure through React itself

## Testing Results

- Build: ✅ Successful
- Linting: ✅ No errors (biome check)
- Type checking: ✅ Included in build process
- Tests: No tests defined in project

## Notes

- This is a Next.js project, so React versions are automatically managed by Next.js dependencies. The manual update was necessary because the original lockfile had been generated with the vulnerable version before Next.js 15.5.7 was released.
- The fix is minimal and focused only on security updates, preserving existing code structure.
- All changes are backward compatible with the existing codebase.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
1 parent bf4111d commit 9497e3d
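The Detection Results and Approach sections of the commit description above amount to a manifest scan: find every package.json in the monorepo and compare the `next`, `react` and `react-dom` specs against the affected versions. The following is an added example of such a check, written for this page; it is not code from the aisdk.rs repository or from this commit. It encodes only the affected and patched versions the description lists (React 19.0.0, 19.1.0, 19.1.1, 19.2.0 and Next.js 15.5.0 to 15.5.6), treats a caret range by its lower bound exactly as the description does for `^19.2.0`, and uses constructed sample manifests that mirror the before and after state of apps/docs/package.json.

```python
import json
import os
import re
import sys
from pathlib import Path

# Version data as listed in the commit description (CVE-2025-66478).
# Only the Next.js 15.5 line is encoded because it is the only Next.js range the
# description states explicitly; the other lines appear there only as "etc.".
REACT_AFFECTED = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
REACT_PATCHED_BY_MINOR = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}
NEXT_AFFECTED_MIN, NEXT_AFFECTED_MAX = (15, 5, 0), (15, 5, 6)
NEXT_PATCHED_BY_MINOR = {"15.5": "15.5.7"}

WATCHED_PACKAGES = ("next", "react", "react-dom")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def lower_bound(spec: str):
    """Lowest x.y.z version a simple npm spec admits ("15.5.4", "^19.2.0", ">=19.0.0").
    Returns a (major, minor, patch) tuple, or None if no full version is present."""
    m = _VERSION_RE.search(spec)
    return tuple(int(g) for g in m.groups()) if m else None


def is_exact_pin(spec: str) -> bool:
    """True for "15.5.4"; False for range specs such as "^19.2.0" or "~19.2.0"."""
    return _VERSION_RE.fullmatch(spec.strip()) is not None


def check_dependency(name: str, spec: str):
    """Return a finding dict if `spec` for `name` admits a version listed as affected,
    else None. For ranges the lower bound is what is checked; the lockfile decides
    what is actually installed, which the `note` field points out."""
    if name not in WATCHED_PACKAGES:
        return None
    v = lower_bound(spec)
    if v is None:
        return None
    floor = ".".join(map(str, v))
    minor = f"{v[0]}.{v[1]}"
    if name in ("react", "react-dom"):
        if floor not in REACT_AFFECTED:
            return None
        patched = REACT_PATCHED_BY_MINOR[minor]
    else:  # next
        if not (NEXT_AFFECTED_MIN <= v <= NEXT_AFFECTED_MAX):
            return None
        patched = NEXT_PATCHED_BY_MINOR[minor]
    note = ("exact pin of an affected version" if is_exact_pin(spec)
            else "range whose lower bound is affected; check the lockfile for the resolved version")
    return {"package": name, "spec": spec, "floor": floor, "patched": patched, "note": note}


def scan_manifest(manifest: dict):
    """Check the dependencies and devDependencies of one parsed package.json."""
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            finding = check_dependency(name, str(spec))
            if finding:
                findings.append(finding)
    return findings


def scan_repo(root: str):
    """Walk a checkout for package.json files (skipping node_modules) and return
    {relative_path: findings} for every manifest with at least one finding."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package.json" in filenames:
            path = Path(dirpath) / "package.json"
            with open(path, encoding="utf-8") as fh:
                findings = scan_manifest(json.load(fh))
            if findings:
                results[str(path.relative_to(root))] = findings
    return results


# Constructed sample manifests mirroring the before/after state of apps/docs/package.json.
BEFORE_MANIFEST = {
    "dependencies": {"next": "15.5.4", "react": "^19.2.0", "react-dom": "^19.2.0"},
    "devDependencies": {"@types/react": "^19.2.0", "@types/react-dom": "^19.2.0"},
}
AFTER_MANIFEST = {
    "dependencies": {"next": "15.5.7", "react": "^19.2.1", "react-dom": "^19.2.1"},
    "devDependencies": {"@types/react": "^19.2.1", "@types/react-dom": "^19.2.1"},
}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in scan_repo(root).items():
        for f in findings:
            print(f"{path}: {f['package']} {f['spec']} -> bump to {f['patched']} ({f['note']})")
```

Run it against a checkout root to list manifests that still admit an affected version. A caret spec such as `^19.2.0` is reported as a range finding rather than an exact pin, because the manifest only sets the floor: whether the vulnerable 19.2.0 or the patched 19.2.1 is installed is decided by pnpm-lock.yaml, which is why the commit regenerates the lockfile and verifies the resolved react@19.2.1 entry there. `@types/react` and `@types/react-dom` are type definitions, not the affected runtime, so the checker ignores them.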

File tree

2 files changed

+852
-852
lines changed


apps/docs/package.json

Lines changed: 5 additions & 5 deletions
@@ -20,19 +20,19 @@
2020
"fumadocs-mdx": "12.0.2",
2121
"fumadocs-ui": "15.8.3",
2222
"lucide-react": "^0.544.0",
23-
"next": "15.5.4",
23+
"next": "15.5.7",
2424
"next-themes": "^0.4.6",
25-
"react": "^19.2.0",
26-
"react-dom": "^19.2.0",
25+
"react": "^19.2.1",
26+
"react-dom": "^19.2.1",
2727
"shiki": "^3.16.0",
2828
"tailwind-merge": "^3.3.1"
2929
},
3030
"devDependencies": {
3131
"@tailwindcss/postcss": "^4.1.14",
3232
"@types/mdx": "^2.0.13",
3333
"@types/node": "24.6.2",
34-
"@types/react": "^19.2.0",
35-
"@types/react-dom": "^19.2.0",
34+
"@types/react": "^19.2.1",
35+
"@types/react-dom": "^19.2.1",
3636
"postcss": "^8.5.6",
3737
"tailwindcss": "^4.1.14",
3838
"tw-animate-css": "^1.4.0",
