Staying Ahead of Security Vulnerabilities in Production
Dec 19, 2025
The wake-up call
This week we patched a critical RCE vulnerability in Next.js (CVE in the React flight protocol). The fix took five minutes. Finding out about it could have taken much longer if we weren't paying attention.
Modern web apps pull in hundreds of transitive dependencies. Any one of them can introduce a vulnerability overnight.
Our approach
1. Regular audits
```
npm audit
```
Run this before every deploy, or better, in CI. It catches known vulnerabilities in your dependency tree and tells you exactly how to fix them.
2. Automated alerts
- Dependabot or Renovate for automated PRs when patches drop
- Vercel's built-in warnings flag vulnerable packages at deploy time
- GitHub's security advisories notify maintainers directly
3. Don't defer updates
The temptation is to batch dependency updates into a "maintenance sprint." The problem: critical patches can't wait. We treat security updates like production bugs—fix immediately, deploy same day.
What we patched
| Package | Issue | Severity |
|---|---|---|
| next 15.5.0 → 15.5.9 | RCE in React flight protocol | Critical |
| js-yaml | Prototype pollution in merge | Moderate |
| mdast-util-to-hast | Unsanitized class attribute | Moderate |
The Next.js vulnerability allowed remote code execution—an attacker could potentially run arbitrary code on the server. Not theoretical; actively exploitable.
The fix
```
npm audit fix --force
git add package.json package-lock.json
git commit -m "Fix security vulnerabilities"
git push
```
Four commands. Under a minute. The hard part is knowing you need to run them.
Takeaways
- Audit often. Weekly at minimum, ideally on every PR.
- Automate alerts. Don't rely on remembering to check.
- Patch immediately. Security updates aren't technical debt—they're firefighting.
- Keep dependencies lean. Fewer packages means less attack surface.
Your dependency tree is part of your attack surface. Treat it that way.
