Next.js Discord

Discord Forum

CVE fix `npm i next@15.5.7` doesn't change the React version (19.0.0). Is this fine? npm audit is ok

Answered
Champagne D’Argent posted this in #help-forum
Open in Discord
Champagne D’ArgentOP
Hey! I ran the fix for the CVE, npm i next@15.5.7 And next did get updated, and the npm audit got resolved, but the react version is still 19.0.0. Nothing else has changed in the package.json file, but the next version.
Answered by LucetTin5
I searched that difference because I found sentry's react version was 19.2-canary-x. At that time I installed react 19.1. "Why my react version is different from I installed?"
Then I found app router use compiled react canary version. I don't know why and what feature is needed.
View full answer

6 Replies

LucetTin5
Beside react version, next has own compiled react version
Also 15.5.7, i found that it includes 19.2.0 canary series of react, and react-*
LucetTin5
I found them inside node_modules/next/dist/compiled/react/cjs/???.js (don't remember which file)
maybe file with exports.version =
@LucetTin5 Beside react version, next has own compiled react version Also 15.5.7, i found that it includes 19.2.0 canary series of react, and react-*
Nile tilapia
Same in 15.3.6 it's a canary of 19.2 even if we specified 19.0.1 for react version
LucetTin5
I searched that difference because I found sentry's react version was 19.2-canary-x. At that time I installed react 19.1. "Why my react version is different from I installed?"
Then I found app router use compiled react canary version. I don't know why and what feature is needed.
Answer
Nile tilapia
So i guess we are fine and the compiled version is fixed