I have followed and implemented the instructions, but Vercel is still showing a warning about react2shell. This is my package.json file—please help explain why the warning is still appearing.
Hi @leoanhvig!
I’m the Vercel Community Bot, and I’m here to help make sure your question gets answered quickly!
To help our community team assist you better, could you please provide:
• Error messages
• Deployment/build logs
• Reproduction steps
• Environment details
Having this information will help us identify and solve your issue much faster. For more tips on getting great answers, check out How to Get Good Answers. Thanks!
My best guess, just based on the updated package.json, is the change was only pushed to preview/staging and not production. Did you figure out what actually caused it?
I still don’t know what caused the issue. I updated the entire source code and pushed it to GitHub, and then the code was automatically deployed to Vercel. My Vercel branch is set to production, so I don’t understand why the error is still happening. I already shared my repository with your staff, but he hasn’t replied yet.
Could it be because I upgraded the version but didn’t commit anything specifically related to React2shell, CVE-2025-55183, or CVE-2025-55184, so Vercel can’t detect that I’ve actually updated it and therefore still shows the Vulnerable Project warning?
Have you tried a fresh deployment?