Conversation

@arnaudpfu

Update dependencies, rename middleware.ts into proxy.ts (for next canary 16 support), add clean cmd, add creatorem.com link in README file


vercel bot commented Oct 18, 2025

@arnaudpfu is attempting to deploy a commit to the Vercel Team on Vercel.

A member of the Team first needs to authorize it.


@diorwave diorwave left a comment


Changes requested


@vercel vercel bot left a comment


Additional Suggestion:

The code uses the deprecated z.string().email() pattern instead of the modern z.email() API introduced in Zod 4.

📝 Patch Details
diff --git a/app/(login)/actions.ts b/app/(login)/actions.ts
index 532adc0..0219e6e 100644
--- a/app/(login)/actions.ts
+++ b/app/(login)/actions.ts
@@ -45,7 +45,7 @@ async function logActivity(
 }
 
 const signInSchema = z.object({
-  email: z.string().email().min(3).max(255),
+  email: z.email().min(3).max(255),
   password: z.string().min(8).max(100)
 });
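Review bot: `.min(3)` on the changed line is effectively a no-op once `z.email()` is applied, since Zod 4's default email pattern already requires a local part, an `@` and a dotted domain, so no accepted value can be shorter than that; `.max(255)` is the bound that actually matters here because it caps the input before it reaches the database. Consider dropping `.min(3)` so the schema does not advertise a constraint that never triggers.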
 
@@ -101,7 +101,7 @@ export const signIn = validatedAction(signInSchema, async (data, formData) => {
 });
 
 const signUpSchema = z.object({
-  email: z.string().email(),
+  email: z.email(),
   password: z.string().min(8),
   inviteId: z.string().optional()
 });
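Review bot: signUpSchema leaves the email unbounded (`email: z.email(),`) while signInSchema caps it at 255 characters; sign-up is the path that persists the address, so it is the one that most needs the upper bound. Suggest `email: z.email().max(255),` so both schemas enforce the same limit.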
@@ -340,7 +340,7 @@ export const deleteAccount = validatedActionWithUser(
 
 const updateAccountSchema = z.object({
   name: z.string().min(1, 'Name is required').max(100),
-  email: z.string().email('Invalid email address')
+  email: z.email('Invalid email address')
 });
 
 export const updateAccount = validatedActionWithUser(
@@ -392,7 +392,7 @@ export const removeTeamMember = validatedActionWithUser(
 );
 
 const inviteTeamMemberSchema = z.object({
-  email: z.string().email('Invalid email address'),
+  email: z.email('Invalid email address'),
   role: z.enum(['member', 'owner'])
 });
 

Analysis

Bug Analysis

The Issue

The code uses the deprecated Zod email validation pattern z.string().email() which was the standard in Zod v3 and earlier. In Zod v4, a more direct and cleaner API z.email() was introduced. While z.string().email() still works in Zod 4.1.12, it's now considered deprecated and is expected to be removed in Zod v5.

Where It Manifests

Four instances were found in app/(login)/actions.ts:

  • Line 48: z.string().email().min(3).max(255) in signInSchema
  • Line 104: z.string().email() in signUpSchema
  • Line 343: z.string().email('Invalid email address') in updateAccountSchema
  • Line 395: z.string().email('Invalid email address') in inviteTeamMemberSchema

Impact

Currently no functional impact in Zod 4.1.12, as the old API still works. However, this creates technical debt and will break when upgrading to Zod v5. The code won't follow best practices for the current version.

Fix Applied

Replaced all 4 instances with the modern Zod 4 API:

  • z.string().email() → z.email()
  • z.string().email().min(...) → z.email().min(...)
  • z.string().email(msg) → z.email(msg)

The new z.email() API:

  • Is the recommended pattern in Zod 4
  • Is more concise and readable
  • Will remain compatible with Zod v5
  • Accepts all the same parameters (min, max, error messages, etc.)
  • Behaves identically to the old pattern functionally


React 19.1.0 and react-dom 19.1.0 are vulnerable to CVE-2025-55182, a critical RCE vulnerability in React Server Components

📝 Patch Details
diff --git a/package.json b/package.json
index 1d1d6d2..18ef3ac 100644
--- a/package.json
+++ b/package.json
@@ -29,8 +29,8 @@
     "postcss": "^8.5.3",
     "postgres": "^3.4.5",
     "radix-ui": "^1.4.3",
-    "react": "19.1.0",
-    "react-dom": "19.1.0",
+    "react": "19.1.2",
+    "react-dom": "19.1.2",
     "server-only": "^0.0.1",
     "stripe": "^19.1.0",
     "swr": "^2.3.3",
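Review bot: this hunk changes only package.json; with exact pins (`"react": "19.1.2"`, no caret) the installed version comes from the lockfile, so the lockfile must be regenerated in the same commit or CI and production installs will keep resolving 19.1.0 and the upgrade will not take effect. Please include the updated lockfile in the PR.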

Analysis

Bug Explanation:

CVE-2025-55182 is a critical Remote Code Execution (RCE) vulnerability affecting React Server Components. The vulnerable versions include:

  • React 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-dom versions matching the same releases

The package.json contained both "react": "19.1.0" and "react-dom": "19.1.0", which are in the affected version range. This vulnerability could allow attackers to execute arbitrary code on the server in environments using React Server Components.

Fix Applied:

Both React and react-dom have been upgraded from version 19.1.0 to 19.1.2:

  • Changed "react": "19.1.0" to "react": "19.1.2" (line 32)
  • Changed "react-dom": "19.1.0" to "react-dom": "19.1.2" (line 33)

Version 19.1.2 is a patched version that addresses the CVE-2025-55182 vulnerability. Both packages must be updated together to maintain compatibility.



Line 7 in next.config.ts has incorrect indentation - uses 6 spaces instead of 4 spaces for the ppr property

📝 Patch Details
diff --git a/next.config.ts b/next.config.ts
index 09e35ab..085e0a9 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -4,7 +4,7 @@ const nextConfig: NextConfig = {
   experimental: {
     cacheComponents: true,
     clientSegmentCache: true,
-      ppr: true,
+    ppr: true,
   }
 };
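Review bot: the whitespace-only change to `ppr: true,` is fine, but since the analysis attributes it to a merge conflict resolution, running the project's formatter over next.config.ts in the same commit would catch any other indentation drift from that merge at once instead of one property at a time.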
 

Analysis

Bug Description

The ppr: true, property on line 7 of next.config.ts had 6 spaces of indentation instead of the consistent 4 spaces used for other properties in the same object. This inconsistency suggests a merge conflict resolution error where the indentation was not properly normalized.

While this doesn't cause a functional JavaScript/TypeScript error, it violates code style consistency and will likely fail automated formatting checks (e.g., Prettier, ESLint with indentation rules). It also makes the code harder to read and maintain.

Fix Applied

Changed line 7 from:

      ppr: true,

to:

    ppr: true,

This aligns the ppr property with the 4-space indentation used by cacheComponents and clientSegmentCache properties in the same object block, maintaining consistent code formatting throughout the file.



Next.js version 16.0.0-canary.13 is vulnerable to CVE-2025-55182, a critical RCE vulnerability in React Server Components affecting Next.js ≥16.

📝 Patch Details
diff --git a/package.json b/package.json
index 1d1d6d2..95165e6 100644
--- a/package.json
+++ b/package.json
@@ -25,7 +25,7 @@
     "drizzle-orm": "^0.44.6",
     "jose": "^6.1.0",
     "lucide-react": "^0.511.0",
-    "next": "16.0.0-canary.13",
+    "next": "16.0.10",
     "postcss": "^8.5.3",
     "postgres": "^3.4.5",
     "radix-ui": "^1.4.3",
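Review bot: the hunk moves from a canary pin (`"next": "16.0.0-canary.13"`) to the stable `"next": "16.0.10"`, which is the right direction, but this PR also renames middleware.ts to proxy.ts for "next canary 16 support" (PR title); please confirm that rename is supported by 16.0.10 and not only by the canary it was developed against, and regenerate the lockfile since this hunk only touches package.json.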

Analysis

Bug Analysis

Why it happens:
The package.json specifies Next.js version 16.0.0-canary.13, which is vulnerable to CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability in React Server Components. This vulnerability affects all Next.js versions ≥16.0.0.

The vulnerability was introduced into the codebase through a merge conflict resolution. The security fix commit 6e33e58 (merged on 2025-12-11) upgraded Next.js to 15.6.0-canary.59 to address the CVE, but when the update-deps branch (which contained 16.0.0-canary.13) was merged on 2026-01-16, the merge resolution incorrectly kept the vulnerable canary version instead of using a patched Next.js 16.x version.

Impact:

  • The application is vulnerable to critical RCE attacks through React Server Components
  • This bypasses all security measures and allows attackers to execute arbitrary code on the server
  • Production deployment with this version could result in complete system compromise

When it manifests:

  • Any production deployment using this version and exposing RSC functionality is at risk
  • The vulnerability can be exploited remotely with no authentication required

Fix Applied

Upgraded Next.js from the vulnerable 16.0.0-canary.13 to 16.0.10, which contains the security patch for CVE-2025-55182.

The patched version 16.0.10 is the stable release that includes the necessary security fixes to address the RCE vulnerability in React Server Components. This maintains the intent of using Next.js 16.x (from the update-deps branch) while ensuring the application is not vulnerable to this critical security issue.
