Created
December 8, 2025 03:02
Tiny ripgrep-based inventory scanner that flags the React Server Components packages (react-server-dom-webpack / -parcel / -turbopack) at versions affected by React2Shell (CVE-2025-55182), by grepping package.json and the npm, yarn and pnpm lockfiles.
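#!/usr/bin/env bash
#
# React2Shell (CVE-2025-55182) RSC dependency inventory.
#
# Greps a project tree for react-server-dom-{webpack,parcel,turbopack} at the
# affected release versions: declared ranges in package.json and resolved
# versions in package-lock.json, yarn.lock and pnpm-lock.yaml.
#
# Usage:  rsc-inventory.sh [DIR]        DIR defaults to the current directory.
# Env:    RSC_STRICT=1  exit 1 when anything matched (for CI); default exit 0.
# Exit:   0 scan completed, 1 strict mode and matches found, 2 rg missing/failed.
#
# Caveats a reader should know:
#   * Requires ripgrep built with PCRE2 (-P); the lockfile patterns need
#     multi-line matching (-U). An rg error is reported and aborts the run
#     instead of being printed as " none".
#   * rg honours .gitignore, so an ignored node_modules/ tree is not walked;
#     the lockfiles are the source of truth for resolved versions anyway.
#   * rg globs without a slash match the basename at any depth, so every
#     package.json / lockfile under DIR is scanned, not just the top-level one.
#   * The package.json check is a heuristic on the *declared* range: ^19.1.0
#     may already resolve to a patched release, and a range that does not
#     spell out an affected version (e.g. >=19) may still resolve to one.
#     Trust the lockfile results over it.
#   * Trailing prerelease tags (19.2.0-canary-...) are let through on purpose
#     so they surface for manual review against the advisory.
set -euo pipefail

# Affected release versions of the react-server-dom-* packages (React2Shell).
readonly VULN='19\.0\.0|19\.1\.0|19\.1\.1|19\.2\.0'
readonly PKG='react-server-dom-(webpack|parcel|turbopack)'

#######################################
# Print the PCRE2 pattern that flags an affected version in one file type.
# Arguments: $1 - manifest/lockfile basename
# Outputs:   the regex on stdout (empty for an unknown basename)
#######################################
rsc_pattern() {
  case "$1" in
    package.json)
      # "react-server-dom-xxx": "^19.1.0"
      printf '%s' "\"$PKG\"\\s*:\\s*\"[^\"]*($VULN)[^\"]*\""
      ;;
    package-lock.json)
      # Dependency entries are keyed by name (lockfile v1, "dependencies") or
      # by install path (v2/v3, "packages") and put "version" first; a "name"
      # key is only present on the root entry and on aliased installs, so
      # matching on "name" alone misses the normal case:
      #   "node_modules/next/node_modules/react-server-dom-xxx": {
      #     "version": "19.1.0",
      #   "react-server-dom-xxx": {
      #     "version": "19.1.0",
      #   "name": "react-server-dom-xxx",   (aliased install)
      #   "version": "19.1.0",
      printf '%s' "(?:\"(?:[^\"]*/)?$PKG\"\\s*:\\s*\\{\\s*|\"name\"\\s*:\\s*\"$PKG\"[^{}]*?)\"version\"\\s*:\\s*\"($VULN)[^\"]*\""
      ;;
    yarn.lock)
      # The entry key carries the *requested* range; the resolved version is on
      # the following line, so match across both (keys on one line all belong
      # to the same package, hence the line-start anchor):
      #   yarn v1:    react-server-dom-xxx@^19.1.0, react-server-dom-xxx@19.1.0:
      #                 version "19.1.0"
      #   yarn berry: "react-server-dom-xxx@npm:^19.1.0":
      #                 version: 19.1.0
      printf '%s' "(?m)^\"?$PKG@[^\\n]*:\\s*\\n\\s+version:?\\s+\"?($VULN)"
      ;;
    pnpm-lock.yaml)
      #   lockfile v5: /react-server-dom-xxx/19.1.0:
      #   lockfile v6: /react-server-dom-xxx@19.1.0:
      #   lockfile v9: react-server-dom-xxx@19.1.0:   (packages: and snapshots:)
      printf '%s' "/?$PKG[@/]($VULN)"
      ;;
    *)
      printf ''
      ;;
  esac
}

#######################################
# Scan DIR for one file type and print the matches (or " none").
# An rg *error* (exit 2: no PCRE2, unreadable tree, bad pattern) aborts the
# inventory instead of being reported as a clean result.
# Arguments: $1 - file basename, $2 - description, $3 - root directory
# Returns:   0 when something matched, 1 when nothing matched
#######################################
scan_file() {
  local file=$1 desc=$2 root=$3
  local pattern rc=0
  pattern=$(rsc_pattern "$file")
  printf '[%s] %s:\n' "$file" "$desc"
  # rg exit status: 0 = match, 1 = no match, 2 = error
  rg -n -U -P --glob "$file" -e "$pattern" -- "$root" || rc=$?
  case "$rc" in
    0)
      printf '\n'
      return 0
      ;;
    1)
      printf ' none\n\n'
      return 1
      ;;
    *)
      printf 'error: rg exited with status %d while scanning %s\n' "$rc" "$file" >&2
      exit 2
      ;;
  esac
}

main() {
  local root=${1:-.}
  local found=0

  if ! command -v rg >/dev/null 2>&1; then
    printf 'error: ripgrep (rg) is required but not on PATH\n' >&2
    exit 2
  fi
  if [[ ! -d "$root" ]]; then
    printf 'error: not a directory: %s\n' "$root" >&2
    exit 2
  fi

  printf '=== React2Shell(CVE-2025-55182) RSC dependency inventory ===\n\n'
  if scan_file package.json      "declared deps"      "$root"; then found=1; fi
  if scan_file package-lock.json "resolved npm deps"  "$root"; then found=1; fi
  if scan_file yarn.lock         "resolved yarn deps" "$root"; then found=1; fi
  if scan_file pnpm-lock.yaml    "resolved pnpm deps" "$root"; then found=1; fi
  printf '=== Done. Patch any matches above to 19.0.1 / 19.1.2 / 19.2.1+ ===\n'

  # Opt-in non-zero exit keeps the default behaviour (always 0) for callers
  # that only want the report.
  if (( found )) && [[ "${RSC_STRICT:-0}" != 0 ]]; then
    exit 1
  fi
}

main "$@"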