# Should I manually update React/React-DOM after running npx fix-react2shell-next?

120 views · 1 like · 3 posts

**farzigalib (@farzigalib) · 2025-12-12**

Hi everyone,

I ran the command `npx fix-react2shell-next` mentioned in the recent Vercel [blog](https://vercel.com/kb/bulletin/react2shell) to check for vulnerabilities. After running it, I got this output:

```bash
Found 1 vulnerable file(s):
package.json
next: 15.4.8 -> 15.4.10 [CVE-2025-55184, CVE-2025-55183, CVE-2025-67779]
Apply fixes? [Y/n] Y
```

The tool successfully updated my **Next.js** version, but my **react** and **react-dom** versions are still the same (`19.1.0`).

**My question:** Do I need to update `react` and `react-dom` manually, or does this tool only handle Next.js updates? What’s the recommended approach here?

Thanks!

**Jacob Paris (@jacobparis) · 2025-12-12 · ♥ 1**

Upgrading Next alone is OK to make you safe from the React2Shell exploit.

Next.js bundles React internally on the server side, and that contains the portion of React that had the vulnerability, so upgrading Next is all that's needed.

It's possible to have a Next.js app that has no `react` dependency in its package.json at all, which is why two separate CVEs were issued: one for react, and one for the bundled version of React inside Next.js.

Modern developer tooling requires the package.json to specify all dependencies that are referenced in code, so having react in your package.json is normal, but the version that actually gets used on the server is controlled by Next.

**farzigalib (@farzigalib) · 2025-12-12**

Thanks, that makes sense. I have one more doubt — what if I manually update `react` and `react-dom` to the patched versions anyway? Would that cause any issues, or is it completely optional since Next already bundles the secure version internally?

Also, I’m using several other React-based npm packages in my project, such as:

```
react-beautiful-dnd: 13.1.0
react-datepicker: 6.1.0
react-dropzone: 14.2.3
react-fast-marquee: 1.6.2
react-google-recaptcha-v3: 1.10.1
react-multi-carousel: 2.8.4
react-xls: 0.1.1
```

…and many more. Is there a recommended way to confirm whether all these third-party packages are safe from the current React2Shell vulnerability, or whether any of them require updates as well?