🐛 FIX: CVE-2026-0969 — Upgrade next-mdx-remote to v6.0.0 (#169)

asharirfan · web-flow · commit f2b703dc66da · 2026-02-18T00:34:11.000+05:00
Upgrade next-mdx-remote from v5 to v6 to fix arbitrary code execution vulnerability (CVE-2026-0969) in the serialize function. The v6 release adds blockDangerousJS (enabled by default) to prevent dangerous JS operations like eval, Function, process, and require. Set blockJS: false in serialize options to preserve MDX annotation expressions used in docs content.
diff --git a/apps/baseai.dev/package.json b/apps/baseai.dev/package.json
@@ -47,7 +47,7 @@
 		"mdx-annotations": "^0.1.1",
 		"mxcn": "^2.0.0",
 		"next": "15.5.10",
-		"next-mdx-remote": "^5.0.0",
+		"next-mdx-remote": "^6.0.0",
 		"next-themes": "^0.2.1",
 		"react": "^19",
 		"react-dom": "^19",
diff --git a/apps/baseai.dev/src/lib/get-content-by-slug-on-dev.ts b/apps/baseai.dev/src/lib/get-content-by-slug-on-dev.ts
@@ -46,7 +46,8 @@ export async function getContentBySlugOnDev({
 				recmaPlugins: [...recmaPlugins],
 				rehypePlugins: [...rehypePlugins],
 				remarkPlugins: [...remarkPlugins]
-			}
+			},
+			blockJS: false
 		});
 
 		const docsSection = await formatString(section);
diff --git a/apps/baseai.dev/src/scripts/generate-content.js b/apps/baseai.dev/src/scripts/generate-content.js
@@ -36,7 +36,8 @@ async function fetchMDXContent({ slug, section, dirPath, baseUrl }) {
 			recmaPlugins: [...recmaPlugins],
 			rehypePlugins: [...rehypePlugins],
 			remarkPlugins: [...remarkPlugins]
-		}
+		},
+		blockJS: false
 	});
 
 	const docsSection = await formatString(section);
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
