Package Exports
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (audit-react2shell) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
audit-react2shell
audit-react2shell is a high-performance CLI security auditor designed to secure the front-end ecosystem. It recursively scans your local machine or your entire GitHub organization to identify and auto-patch critical Next.js and React vulnerabilities (including the December 2025 Flight protocol exploits).
Key Features
- Fleet-Wide Scanning: Scan hundreds of projects across your entire hard drive in seconds.
- Zero-Clone GitHub Audit: Audit remote repositories via the GitHub API without downloading a single byte of source code.
- Interactive Patching: Selectively update vulnerable projects to safe, verified versions using your preferred package manager (npm or yarn).
- Monorepo Support: Automatically detects individual
package.jsonfiles within complex directory structures.
Installation
Since this is an open-source tool, you can run it directly via npx or
install it globally:
# Run without installing
npx audit-react2shell
# Or install globally
npm install -g audit-react2shellUsage
1. Local Audit (Default)
Scan your current directory (and all sub-directories) for vulnerable Next.js versions:
audit-react2shell scanTarget a specific directory:
audit-react2shell scan ~/path/to/projects2. Auto-Patch Mode
Find vulnerabilities and enter an interactive menu to fix them
immediately. This command updates your package.json and lock files to
the safest available version.
audit-react2shell scan --fix3. GitHub Cloud Audit
Audit your entire GitHub profile or a specific organization. Requires a GitHub Personal Access Token (PAT) with repo read permissions.
# Audit your personal repositories
audit-react2shell github
# Audit a specific organization
audit-react2shell github --org your-org-nameHow it Works
The tool compares your package.json dependencies against a hardcoded
map of known vulnerable ranges and their corresponding safe patches:
| Current Version Range | Recommended Safe Version |
|---|---|
13.3.0 to 14.2.x |
14.2.35 |
15.0.x |
15.0.7 |
15.1.x |
15.1.11 |
15.2.x |
15.2.8 |
15.3.x |
15.3.8 |
15.4.x |
15.4.10 |
15.5.x |
15.5.9 |
16.0.x |
16.0.10 |
Canary |
15.6.0-canary.60 |
Security & Privacy
- Local Data: No project data or source code is uploaded to any server.
- GitHub Tokens: Used only for the current session and never stored on disk.
- Safe Patching: Uses exact version locking (
--save-exact/--exact) to ensure verified safe versions.
Configuration (For Developers)
Project structure:
audit-react2shell/
├── bin/
│ └── index.js # CLI Command Definitions
├── lib/
│ ├── scanner.js # Recursive File System Logic
│ ├── auditor.js # Version Validation & Logic
│ ├── github.js # API Integration
│ └── patcher.js # Dependency Update Engine
└── package.json🤝 Contributing
- Fork the repository.
- Update
NEXT_RULESinlib/auditor.jsas new CVEs are released. - Submit a Pull Request.
Built for the community by developers who care about a secure web.