
fix(deps): resolve next.js security vulnerability CVE-2025-66478 #79

Merged
marcusquinn merged 1 commit into main from chore/fix-next-vulnerability on Jan 14, 2026

Conversation

marcusquinn (Owner) commented Jan 14, 2026

Summary

Fixes the next.js security vulnerability (CVE-2025-66478) that was causing npm install warnings.

Changes

  • Update dspyground to ^0.3.10
  • Add npm overrides to force next@^16.1.1 (patched version)
  • Rename npm-postinstall.js to .cjs for ES module compatibility

Remaining Issues

4 moderate severity vulnerabilities remain in prismjs (via dspyground → react-syntax-highlighter → refractor → prismjs). These:

  • Have no upstream fix available
  • Only affect client-side DOM rendering
  • Are not exploitable in our CLI context

Testing

npm install  # No more "security vulnerability" warning for next.js
npm ls next  # Shows next@16.1.1

Summary by CodeRabbit

  • Chores
    • Updated project dependencies and build configuration to improve stability and compatibility.


- Update dspyground to ^0.3.10
- Add npm overrides to force next@^16.1.1 (patched version)
- Rename npm-postinstall.js to .cjs for ES module compatibility

Remaining moderate vulnerabilities in prismjs (via dspyground) have
no upstream fix available and only affect client-side rendering.
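The override this PR adds (`"overrides": { "next": "^16.1.1" }` in package.json) only closes the advisory if every copy of next in the installed tree lands inside the patched range, which is what the `npm ls next` check in the Testing section is confirming by eye. The following is an added example, not code from this PR or from the project: a small JavaScript check that walks a tree shaped like `npm ls --all --json` output and reports any copy of an overridden package that falls outside its override range. The trees, the package.json object and the pre-override version 15.0.0 are constructed sample data; the package names and the ^16.1.1 range are taken from the PR description, and the caret-range evaluation follows npm's rules for both 1.x+ and 0.x bases.

```javascript
// Added example (not code from this PR or the project): check that every installed
// copy of a package covered by a package.json "overrides" entry lies inside the
// override range, walking a tree shaped like `npm ls --all --json` output.
// The trees and version numbers below are constructed sample data.

// "16.1.1" -> [16, 1, 1]; prerelease tags and build metadata are dropped.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator over parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, per npm semantics:
// ^X.Y.Z (X>0) -> (X+1).0.0;  ^0.Y.Z (Y>0) -> 0.(Y+1).0;  ^0.0.Z -> 0.0.(Z+1).
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// True when `version` lies inside the caret range `range` (e.g. "^16.1.1").
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Collect every installed copy of `name`, however deeply nested, with its path.
function findInstalled(node, name, path = [], out = []) {
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, depName];
    if (depName === name && dep.version) {
      out.push({ path: here.join(' > '), version: dep.version });
    }
    findInstalled(dep, name, here, out);
  }
  return out;
}

// Copies of `name` outside `range`; an empty list means the override took effect everywhere.
function unpatchedCopies(tree, name, range) {
  return findInstalled(tree, name).filter((c) => !satisfiesCaret(c.version, range));
}

// Run the check for every entry in package.json "overrides".
function checkOverrides(packageJson, tree) {
  const problems = {};
  for (const [name, range] of Object.entries(packageJson.overrides || {})) {
    const bad = unpatchedCopies(tree, name, range);
    if (bad.length > 0) problems[name] = bad;
  }
  return problems;
}

// Constructed package.json carrying the override shape the PR describes.
const samplePackageJson = {
  name: 'example-project',
  type: 'module',
  dependencies: { dspyground: '^0.3.10' },
  overrides: { next: '^16.1.1' },
};

// Constructed trees. The 15.0.0 is a placeholder, not the version the project
// actually pulled in before the override.
const treeBeforeOverride = {
  name: 'example-project',
  version: '1.0.0',
  dependencies: {
    dspyground: { version: '0.3.10', dependencies: { next: { version: '15.0.0' } } },
  },
};
const treeAfterOverride = {
  name: 'example-project',
  version: '1.0.0',
  dependencies: {
    dspyground: { version: '0.3.10', dependencies: { next: { version: '16.1.1' } } },
  },
};

// Stand-alone run: an empty object for the patched tree, the offending path for the other.
console.log(JSON.stringify(checkOverrides(samplePackageJson, treeAfterOverride)));
console.log(JSON.stringify(checkOverrides(samplePackageJson, treeBeforeOverride)));
```

Against a real install, replace the constructed trees with `JSON.parse` of `npm ls --all --json` and the object with the project's package.json. Two caveats worth stating next to any override like this: npm overrides ignore whatever range the dependent (here dspyground) declares for next, so the compatibility testing is what makes the override safe rather than npm; and `npm audit` reads the lockfile, so a committed package-lock.json has to be regenerated with the override in place for the warning to clear in CI as well as on a fresh `npm install`.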
coderabbitai bot (Contributor) commented Jan 14, 2026

Walkthrough

The pull request updates package dependencies, specifically bumping dspyground from ^0.2.0 to ^0.3.10, converts the postinstall script from JavaScript to CommonJS format (.cjs extension), and adds a Next.js version override constraint to ^16.1.1.

Changes

Cohort / File(s): Dependency & Package Configuration (package.json)
Change Summary: Updated dspyground dependency to ^0.3.10; added overrides field pinning next to ^16.1.1; refactored postinstall script reference from npm-postinstall.js to npm-postinstall.cjs; updated files array to include new .cjs script file

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🚀 Dependencies ascend with grace,
Scripts transition to new place,
From .js to .cjs we go,
Versions bloom, quality will grow! ✨

🚥 Pre-merge checks: 3 passed
  • Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled)
  • Title check: Passed (the title directly addresses the main change: resolving a Next.js security vulnerability (CVE-2025-66478) through dependency updates and overrides)
  • Docstring Coverage: Passed (no functions found in the changed files to evaluate docstring coverage; check skipped)


📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0eaaf91 and 9f7fd2b.

📒 Files selected for processing (2)
  • package.json
  • scripts/npm-postinstall.cjs
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: 🤖 Monitor & Auto-Fix Code Quality
🔇 Additional comments (4)
package.json (4)

22-22: LGTM! Correct ESM/CJS handling.

The .cjs extension is the right approach for CommonJS scripts in an ES module project ("type": "module"). This ensures Node.js correctly interprets the script as CommonJS.


67-67: LGTM! Files array correctly updated.

The files array properly reflects the renamed postinstall script, ensuring it's included in the published package.


43-45: Next.js override correctly addresses CVE-2025-66478.

The overrides mechanism correctly forces the transitive next dependency to ^16.1.1, which includes the patch for CVE-2025-66478 (critical RCE in React Server Components / Flight protocol). This is the standard npm approach for patching vulnerable transitive dependencies.


40-40: Verify dspyground 0.3.10 compatibility before merging—version jump spans 0.1.3 to 0.3.10 with no published changelog.

The project actively uses dspyground CLI commands (init, dev, build) via the helper script and npm tasks. Since the public changelog for v0.3.10 is unavailable and the jump from 0.1.3 to 0.3.10 crosses multiple minor versions, test the following before deployment:

  • Run ./.agent/scripts/dspyground-helper.sh install and verify dspyground --version outputs 0.3.10
  • Execute npm run dspy:init, npm run dspy:dev, and npm run dspy:build in a test environment
  • Confirm the DSPyGround web UI loads at http://localhost:3000 without errors


gemini-code-assist bot commented

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing the project's security posture by resolving a critical Next.js vulnerability. It achieves this through a combination of dependency updates and explicit version overrides, alongside a minor adjustment to a postinstall script for improved module compatibility.

Highlights

  • Next.js Security Fix: Addressed CVE-2025-66478 by updating dependencies and explicitly overriding the next package version to ^16.1.1.
  • Dependency Update: The dspyground dependency has been updated from ^0.2.0 to ^0.3.10.
  • Script Renaming: The npm-postinstall.js script was renamed to npm-postinstall.cjs to ensure proper ES module compatibility.

augmentcode bot commented Jan 14, 2026

🤖 Augment PR Summary

Summary: Updates dependencies to address the Next.js security advisory (CVE-2025-66478) and remove related install warnings.

Changes:

  • Bumps dspyground to ^0.3.10
  • Adds npm overrides to pin next to ^16.1.1 (patched)
  • Renames the postinstall script to npm-postinstall.cjs and updates references for ESM/CommonJS compatibility


augmentcode bot left a comment

Review completed. No suggestions at this time.

gemini-code-assist bot left a comment

Code Review

This pull request effectively addresses a security vulnerability in next.js by updating dspyground and adding an npm override for next. The changes are logical and well-implemented, including the rename of the postinstall script to .cjs for ES module compatibility. I have one point of feedback regarding the dspyground dependency update, which carries a potential risk of breaking changes due to it being a minor version bump on a pre-1.0.0 package. Overall, this is a good fix.

"license": "MIT",
"dependencies": {
"dspyground": "^0.2.0",
"dspyground": "^0.3.10",
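Review bot: this hunk only shows the dspyground bump from ^0.2.0 to ^0.3.10; the overrides entry that actually pins next to ^16.1.1 is out of view here, and the review's file list names only package.json and scripts/npm-postinstall.cjs. If the repository commits a package-lock.json it needs regenerating in the same change, otherwise `npm ci` will refuse to install against a lockfile that no longer matches package.json, and the PR's own check (`npm ls next` showing next@16.1.1) only covers a fresh `npm install`. It is also worth recording in the PR which version of next ^0.2.0 of dspyground pulled in, so the "before" state of the advisory is traceable.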

Severity: medium

The update of dspyground from ^0.2.0 to ^0.3.10 is a minor version bump for a pre-1.0.0 package. According to semantic versioning conventions for pre-1.0.0 releases, this could introduce breaking changes. While this update is necessary for the security fix, it's worth being aware of the potential for regressions in functionality that depends on dspyground.

github-actions bot (Contributor) commented

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 260 code smells

[INFO] Recent monitoring activity:
Wed Jan 14 01:42:36 UTC 2026: Code review monitoring started
Wed Jan 14 01:42:37 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 260
Wed Jan 14 01:42:37 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Wed Jan 14 01:42:39 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 260
  • VULNERABILITIES: 0

Generated on: Wed Jan 14 01:43:19 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn marcusquinn merged commit 3b35085 into main Jan 14, 2026
12 of 13 checks passed
@marcusquinn marcusquinn deleted the chore/fix-next-vulnerability branch January 14, 2026 01:47