@sbddesign
Contributor

Update React and Next.js packages to fix critical security vulnerabilities and ensure a successful build.


This commit updates various npm dependencies to their latest versions, including Next.js, React, and related packages. It also corrects minor text inconsistencies in the account and auth pages.

Co-authored-by: cursor <[email protected]>
@netlify

netlify bot commented Dec 12, 2025

Deploy Preview for twelvecash ready!

Name Link
🔨 Latest commit 3801a94
🔍 Latest deploy log https://app.netlify.com/projects/twelvecash/deploys/693f45cec124630008858d2f
😎 Deploy Preview https://deploy-preview-67--twelvecash.netlify.app

@sbddesign sbddesign marked this pull request as ready for review December 12, 2025 12:57
@sbddesign
Contributor Author

@cursoragent the deploy failed:

The Netlify deploy errored, with the following guidance provided:

Diagnosis

  • line 31 shows ERR_PNPM_OUTDATED_LOCKFILE.
  • lines 34-38 list mismatched specs: next, react, react-dom, eslint-config-next versions differ between package.json and pnpm-lock.yaml.
    → The lockfile wasn’t regenerated after bumping package versions, so with CI’s default frozen-lockfile the install fails.

Solution

Run the install locally to refresh the lockfile and commit the change:

pnpm install

This will update pnpm-lock.yaml to match package.json. Commit and push the updated lockfile so Netlify can install dependencies with frozen-lockfile enabled.

The relevant error logs are:

Line 19: Enabling Node.js Corepack
Line 20: Started restoring cached build plugins
Line 21: Finished restoring cached build plugins
Line 22: Started restoring cached corepack dependencies
Line 23: Finished restoring cached corepack dependencies
Line 24: Started restoring cached pnpm cache
Line 25: Finished restoring cached pnpm cache
Line 26: No pnpm workspaces detected
Line 27: Started restoring cached node modules
Line 28: Finished restoring cached node modules
Line 29: Failed during stage 'Install dependencies': dependency_installation script returned non-zero exit code: 1
Line 30: Installing npm packages using pnpm version 10.24.0
Line 31:  ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with /package.
Line 32: Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install
Line 33: Failure reason:
Line 34: specifiers in the lockfile don't match specifiers in package.json:

  • 4 dependencies are mismatched:
    Line 35: - next (lockfile: 16.0.7, manifest: 16.0.10)
    Line 36: - react (lockfile: 19.2.0, manifest: 19.2.3)
    Line 37: - react-dom (lockfile: 19.2.0, manifest: 19.2.3)
    Line 38: - eslint-config-next (lockfile: 16.0.7, manifest: 16.0.10)
    Line 39: Error during pnpm install
    Line 40: Failing build: Failed to install dependencies
    Line 41: Finished processing build request in 10.178s

@cursor

cursor bot commented Dec 12, 2025

Fixed Netlify deployment issue

Problem

Netlify failed because pnpm-lock.yaml was missing or out of sync with package.json. Netlify uses pnpm, but only yarn.lock existed.

Solution

  1. Generated pnpm-lock.yaml by running pnpm install
  2. Verified versions match package.json:
    • Next.js: 14.2.35
    • React: 18.3.1
    • React-dom: 18.3.1
    • eslint-config-next: 14.2.35
  3. Verified build succeeds with pnpm

Files ready to commit

  • pnpm-lock.yaml — newly generated and in sync with package.json

The lockfile is now in sync with package.json, which should resolve the Netlify deployment error. The build completes successfully with pnpm, so Netlify should be able to install dependencies with frozen-lockfile enabled.

Note: The error message mentioned Next.js 16.0.10 and React 19.2.3, but the current package.json has Next.js 14.2.35 and React 18.3.1. These versions address the security vulnerabilities (React2Shell, CVE-2025-55184, CVE-2025-55183). If you need Next.js 16 and React 19, that would be a separate upgrade.


This commit introduces the pnpm-lock.yaml file, which locks the project's dependencies to ensure consistent builds across different environments.

Co-authored-by: cursor <[email protected]>
@sbddesign
Contributor Author

Woops my prior comment was meant to go in another PR. Reverting previous commit.

Created by the agent based on my unintentional comment. As of right now, this is a yarn project.
@chdwlch
Collaborator

chdwlch commented Dec 13, 2025

It looks like 2 more issues were discovered on Dec 11
https://nextjs.org/blog/security-update-2025-12-11
These ones are fixed in 14.2.35

@sbddesign
Contributor Author

@chdwlch I bumped it

Collaborator

@chdwlch chdwlch left a comment

Nice, thanks @sbddesign !
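
The fix version quoted in this thread (14.2.35 for the Next.js 14 line) only takes effect if the lockfile actually resolves to it, whatever package.json says. As an added example, not code from this repository: a check that reads a yarn.lock and flags any resolved `next` below that floor. It assumes the yarn v1 lockfile format; the sample lockfile, the function names and the floor table are constructed for illustration.

```javascript
// Added example (not from the repository). Assumes yarn.lock v1 format.
// SAMPLE_LOCK is constructed for illustration.
const SAMPLE_LOCK = `# yarn lockfile v1

"@next/env@14.2.35":
  version "14.2.35"

next@^14.2.3:
  version "14.2.33"

next@14.2.35:
  version "14.2.35"

react@^18.3.1:
  version "18.3.1"
`;

// "a.b.c" -> [a, b, c]; null for pre-releases or tags, which are reported as no-floor.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Every version the lockfile resolves for `name` (a package can appear more than once).
function resolvedVersions(lockText, name) {
  const found = new Set();
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#]/.test(line)) {
      // Header: comma-separated, optionally quoted "name@range" keys ending in ":".
      const keys = line.replace(/:$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      inEntry = keys.some((k) => k.slice(0, k.lastIndexOf("@")) === name);
    } else if (inEntry) {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (m) found.add(m[1]);
    }
  }
  return [...found];
}

// floors maps a major version to its first patched release, e.g. { 14: "14.2.35" }.
function auditLock(lockText, name, floors) {
  return resolvedVersions(lockText, name).map((version) => {
    const v = parseVersion(version);
    const floor = v && floors[v[0]] ? parseVersion(floors[v[0]]) : null;
    if (!floor) return { version, status: "no-floor" };
    const i = [0, 1, 2].find((n) => v[n] !== floor[n]);
    return { version, status: i === undefined || v[i] > floor[i] ? "ok" : "below-floor" };
  });
}

console.log(auditLock(SAMPLE_LOCK, "next", { 14: "14.2.35" }));
```

Any `below-floor` entry means an older copy is still pinned in the lockfile, typically through a second range, and the install needs to be re-resolved before the bump is effective.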
