Security alert not dismissing after patched PR was merged and deployed

Hi Vercel Support,

The “Vulnerable Dependencies” security alert in my dashboard is still showing a React2Shell warning even though the fix has already been applied.

Project: oharu121/rag-demo

What happened:

  1. Vercel automatically created PR #4 to fix React Server Components CVE vulnerabilities
  2. I merged PR #4 on December 23, 2025
  3. The fix was deployed to production (deployment DiTqqrqot, commit d72731a)
  4. Multiple deployments have occurred since then
  5. Current production (FcKskfUZd) is running the patched code

Evidence that the vulnerability is patched:

Issue:
The security alert UI shows “View Pull Request” (pointing to the already-merged PR #4) and a greyed-out “Redeploy” button. The alert should have auto-dismissed after the fix was deployed.

Could you please clear this stale alert or advise how I can dismiss it?

Thank you.

Hi @oharu121, welcome to the Vercel Community!

If the npx fix-react2shell-next command shows no vulnerability, then your project is safe. However, you may have some unprotected preview deployments, which might be accessible. Can you try turning on the free Deployment Protection from the project settings? I’m asking this just to confirm/narrow down the reasoning as to why the message is still there.

Once you confirm, I’ll check with our team about it.