Fix CVE-2025-55182 - React Server Components RCE Vulnerability (#2175)

### Summary

Fixes the **CVE-2025-55182 - React Server Components RCE Vulnerability**
by using `react-on-rails-rsc` package that patched that vulnerability
and upgrading `react` and `react-dom` packages to `v19.0.1` which
mitigated the vulnerability

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
  * Updated React and React-DOM to 19.0.1.
  * Updated react-on-rails-rsc to 19.0.3 (dev and peer dependencies).

* **Security**
* Added mitigation guidance for CVE-2025-55182 recommending updating
react, react-dom, and react-on-rails-rsc.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: AbanoubGhadban

packages/react-on-rails-pro/package.json

@@ -60,7 +60,7 @@
   "peerDependencies": {
     "react": ">= 16",
     "react-dom": ">= 16",
-    "react-on-rails-rsc": "19.0.2"
+    "react-on-rails-rsc": "19.0.3"
   },
   "peerDependenciesMeta": {
     "react-on-rails-rsc": {
@@ -78,8 +78,8 @@
   "devDependencies": {
     "@types/mock-fs": "^4.13.4",
     "mock-fs": "^5.5.0",
-    "react": "19.0.0",
-    "react-dom": "19.0.0",
-    "react-on-rails-rsc": "19.0.2"
+    "react": "^19.0.1",
+    "react-dom": "^19.0.1",
+    "react-on-rails-rsc": "^19.0.3"
   }
 }

pnpm-lock.yaml

@@ -48,6 +48,8 @@ _Add changes in master not yet tagged._
 
 ### Fixed
 
+- **SECURITY: CVE-2025-55182 - React Server Components RCE Vulnerability**: by updating `react-on-rails-rsc` peer dependency to `v19.0.3` which mitigates that vulnerability. Also, users should update `react` and `react-dom` package versions to `v19.0.1` to ensure complete mitigation. [PR 2175](https://github.com/shakacode/react_on_rails/pull/2175) by [AbanoubGhadban](https://github.com/AbanoubGhadban).
+
 - Fixed compatibility issue with httpx 1.6.x by explicitly requiring http-2 >= 1.1.1. [PR 2141](https://github.com/shakacode/react_on_rails/pull/2141) by [AbanoubGhadban](https://github.com/AbanoubGhadban).
 
 - **Node Renderer Worker Restart**: Fixed "descriptor closed" error that occurred when the node renderer restarts while handling an in-progress request (especially streaming requests). Workers now perform graceful shutdowns: they disconnect from the cluster to stop receiving new requests, wait for active requests to complete, then shut down cleanly. A configurable `gracefulWorkerRestartTimeout` ensures workers are forcibly killed if they don't shut down in time. [PR 1970](https://github.com/shakacode/react_on_rails/pull/1970) by [AbanoubGhadban](https://github.com/AbanoubGhadban).

react_on_rails_pro/CHANGELOG.md

@@ -46,13 +46,13 @@
     "postcss": "^8.4.31",
     "postcss-loader": "^7.1.0",
     "prop-types": "^15.7.2",
-    "react": "19.0.0",
-    "react-dom": "19.0.0",
+    "react": "^19.0.1",
+    "react-dom": "^19.0.1",
     "react-error-boundary": "^4.1.2",
     "react-helmet": "^6.0.0-beta.2",
     "react-on-rails-pro": "link:.yalc/react-on-rails-pro",
     "react-on-rails-pro-node-renderer": "link:.yalc/react-on-rails-pro-node-renderer",
-    "react-on-rails-rsc": "^19.0.2",
+    "react-on-rails-rsc": "^19.0.3",
     "react-proptypes": "^1.0.0",
     "react-redux": "^9.2.0",
     "react-refresh": "^0.11.0",