React Version Update Required for create-next-app Template
Link to the code that reproduces this issue
https://github.com/shiqocred/16.0.7-next
To Reproduce
bun x create-next-app@latest
✔ What is your project named? … 16.0.7
✔ Would you like to use the recommended Next.js defaults? › Yes, use recommended defaults
Creating a new Next.js app in /Users/macbookpro/Documents/project/nextjs/16.0.7.
Using bun.
Initializing project with template: app-tw
Installing dependencies:
- next
- react
- react-dom
Installing devDependencies:
- @tailwindcss/postcss
- @types/node
- @types/react
- @types/react-dom
- eslint
- eslint-config-next
- tailwindcss
- typescript
bun install v1.2.17 (282dda62)
- @tailwindcss/[email protected]
- @types/[email protected] (v24.10.1 available)
- @types/[email protected]
- @types/[email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
349 packages installed [6.51s]
Current vs. Expected behavior
Given the recent security issues (react & next.js), I expected the template to use React v19.2.1, but it is still using React v19.2.0. Is this still safe?
Provide environment information
Operating System:
Platform: darwin
Arch: arm64
Version: Darwin Kernel Version 25.1.0: Mon Oct 20 19:32:47 PDT 2025; root:xnu-12377.41.6~2/RELEASE_ARM64_T8103
Available memory (MB): 8192
Available CPU cores: 8
Binaries:
Node: 24.11.1
npm: 11.6.2
Yarn: N/A
pnpm: N/A
Relevant Packages:
next: 16.0.7 // Latest available version is detected (16.0.7).
eslint-config-next: N/A
react: 19.2.0
react-dom: 19.2.0
typescript: 5.9.3
Next.js Config:
output: N/A
Which area(s) are affected? (Select all that apply)
create-next-app
Which stage(s) are affected? (Select all that apply)
Other (Deployed)
Additional context
No response
This is exactly what I was wondering. However, in their official blog, the React team mentions the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
Does that mean client-only react and react-dom packages are not affected? I'm not entirely sure, but the React team mentions "a fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1" in their blog above, and that mentions the client-only libraries as well. So, I'm confused if the specific patched Next.js versions handle these internally, or if they actually overlooked updating the react and react-dom versions to their respective patched versions in the create-next-app template.
I checked the latest canary version, 16.1.0-canary.15, and it has already been updated to React 19.2.1. After reviewing the changes from 19.2.0 to 19.2.1, it appears that the updates are limited to the packages shown in the image.
I also checked the Next.js package and it does not seem to use those packages directly. Hopefully, these changes do not impact Next.js.
We face issues in 15.2.2; will it resolve if we upgrade?
Just released in version 16.0.8! https://github.com/vercel/next.js/releases/tag/v16.0.8
As per the react/react-dom version in your App Router projects, Next.js manages the React version used internally, through a vendored and compiled dependency. https://nextjs.org/docs#react-version-handling
That's why, even though the issue is within React packages, upgrading Next.js is necessary, yet sufficient, but it doesn't hurt to update your react and react-dom dependencies to latest either.
Regarding the versioning in OP:
https://github.com/vercel/next.js/issues/86944 is a similar report
The packages that have been patched by the React team are versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
Next.js manages these for you in:
- packages/next/src/compiled/react-server-dom-webpack
- packages/next/src/compiled/react-server-dom-turbopack
These have been patched to use the React team security fixes.
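The version numbers quoted in this thread can be turned into a dependency check. The following is an added example, not code from the thread or from Next.js: it classifies resolved versions of the two packages named above against the affected (19.0, 19.1.0, 19.1.1, 19.2.0) and fixed (19.0.1, 19.1.2, 19.2.1) numbers. It assumes later patches on the same release line keep the fix, and the inventory shape and sample entries are constructed for illustration.

```javascript
// First fixed patch per React 19 release line, as quoted in the thread
// (fixed in 19.0.1, 19.1.2, 19.2.1; the thread's "19.0" is read as 19.0.0).
const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Package names taken from the last comment; extend the list as needed.
const WATCHED = ["react-server-dom-webpack", "react-server-dom-turbopack"];

// Classify one resolved version string (not a semver range such as "^19.2.0").
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) return "unparsed";               // ranges, tags, git URLs
  const line = `${m[1]}.${m[2]}`;
  if (!(line in FIXED_PATCH)) return "not-listed"; // outside the quoted lines
  if (m[4]) return "prerelease";           // needs manual review
  // Assumption: any later patch on the same line still carries the fix.
  return Number(m[3]) >= FIXED_PATCH[line] ? "fixed" : "affected";
}

// Return every watched package whose version is not known to be fixed.
function audit(inventory) {
  return inventory
    .filter((p) => WATCHED.includes(p.name))
    .map((p) => ({ ...p, status: classify(p.version) }))
    .filter((p) => p.status !== "fixed");
}

// Constructed inventory: one entry per resolved copy of a package, e.g. as
// collected from a lockfile or from a framework's vendored copies.
const SAMPLE = [
  { name: "react", version: "19.2.0", source: "package.json (from the report)" },
  { name: "react-server-dom-webpack", version: "19.2.0", source: "constructed" },
  { name: "react-server-dom-turbopack", version: "19.2.1", source: "constructed" },
  { name: "react-server-dom-webpack", version: "19.1.2", source: "constructed" },
];

for (const hit of audit(SAMPLE)) {
  console.log(`${hit.name}@${hit.version}: ${hit.status} (${hit.source})`);
}
```

Because Next.js ships its own compiled copies of these packages, the versions in a project's package.json alone do not tell the whole story; the inventory has to include the copies the framework actually loads.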