Muhammed Talić logo

MUHAMMED TALIĆ

Back to blog

How I Solved Critical React/Next.js Vulnerabilities

How I Solved Critical React/Next.js Vulnerabilities

React Security Vulnerabilities

One morning I received an email from the Next.js security team about critical vulnerabilities in my production applications. Instead of panicking, I turned this into an opportunity to build a robust vulnerability management system.

The Wake-Up Call

When you receive an email from the Next.js team about security vulnerabilities, you know it's serious. The email detailed critical issues that could potentially expose user data or allow remote code execution. I immediately knew I needed to act fast and implement a long-term solution.

Step 1: Scanning Vulnerabilities with npm audit

The first step in any vulnerability management process is understanding what you're dealing with. The npm audit command is your best friend here:

  • npm audit - scans your project for known vulnerabilities and provides a detailed report
  • npm audit --json - outputs the report in JSON format, perfect for automation
  • npm audit fix - automatically fixes vulnerabilities where possible
  • npm audit fix --force - forces updates even if they include breaking changes (use with caution!)

When I ran npm audit on my project, I found several critical and high-severity vulnerabilities. Some were in direct dependencies (like Next.js itself), while others were nested deep in the dependency tree.

Step 2: Immediate Fix

For the critical vulnerabilities flagged by Next.js, the solution was straightforward:

  • Updated Next.js to the latest patched version
  • Ran npm audit fix to automatically resolve compatible updates
  • For stubborn vulnerabilities, I used npm audit fix --force after carefully reviewing what would change
  • Tested the application thoroughly after updates to ensure nothing broke

The key lesson here: always keep your dependencies updated, and don't ignore security emails from framework maintainers.

Step 3: Building an Automated Security Workflow

Fixing vulnerabilities once isn't enough. I needed a system that would catch issues before they became emergencies. Here's the GitHub Actions workflow I created:

The workflow script does the following:

  • Runs npm audit --json to get machine-readable output
  • Parses the JSON to count critical and high-severity vulnerabilities
  • Uses GitHub Actions scheduled triggers (cron) for automated runs
  • Sends notifications to Slack based on severity levels

Step 4: Slack Integration

The notification strategy is simple but effective:

  • Critical vulnerabilities: Notify on Slack every day until resolved
  • High vulnerabilities: Notify on Slack once per week
  • Moderate/Low: Include in weekly summary, no urgent alerts

This prevents alert fatigue while ensuring critical issues get immediate attention. The Slack webhook integration makes it easy to send formatted messages with vulnerability details, including links to the affected packages and recommended actions.

The Results

Since implementing this system:

  • Zero critical vulnerabilities have gone unnoticed
  • Average time to patch critical issues dropped from days to hours
  • The team is more security-conscious and proactive
  • We've avoided several potential security incidents

Key Takeaways

  • Don't ignore security emails - they exist for a reason
  • Automate vulnerability scanning - manual checks are too easy to forget
  • Use tiered notifications - not all vulnerabilities deserve the same urgency
  • Document your process - makes onboarding new team members easier
  • Test after fixing - npm audit fix --force can introduce breaking changes

Security isn't a one-time task—it's an ongoing process. Building automated systems helps you stay ahead of vulnerabilities without burning out on constant manual checks.