@lobehub/lobehub 2.0.0-next.155 → 2.0.0-next.156

package/CHANGELOG.md

@@ -2,6 +2,31 @@
 
 # Changelog
 
+## [Version 2.0.0-next.156](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.155...v2.0.0-next.156)
+
+<sup>Released on **2025-12-04**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Fix React CVE issue.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Fix React CVE issue, closes [#10593](https://github.com/lobehub/lobe-chat/issues/10593) ([abd850f](https://github.com/lobehub/lobe-chat/commit/abd850f))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ## [Version 2.0.0-next.155](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.154...v2.0.0-next.155)
 
 <sup>Released on **2025-12-03**</sup>

package/changelog/v1.json

@@ -1,4 +1,13 @@
 [
+  {
+    "children": {
+      "fixes": [
+        "Fix React CVE issue."
+      ]
+    },
+    "date": "2025-12-04",
+    "version": "2.0.0-next.156"
+  },
   {
     "children": {
       "fixes": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/lobehub",
-  "version": "2.0.0-next.155",
+  "version": "2.0.0-next.156",
   "description": "LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",
@@ -239,7 +239,7 @@
     "mdast-util-to-markdown": "^2.1.2",
     "model-bank": "workspace:*",
     "nanoid": "^5.1.6",
-    "next": "16.0.5",
+    "next": "^16.0.7",
     "next-auth": "5.0.0-beta.30",
     "next-mdx-remote": "^5.0.0",
     "nextjs-toploader": "^3.9.17",
@@ -267,10 +267,10 @@
     "query-string": "^9.3.1",
     "random-words": "^2.0.1",
     "rc-util": "^5.44.4",
-    "react": "19.2.0",
+    "react": "^19.2.1",
     "react-confetti": "^6.4.0",
     "react-diff-view": "^3.3.2",
-    "react-dom": "19.2.0",
+    "react-dom": "^19.2.1",
     "react-fast-marquee": "^1.6.5",
     "react-hotkeys-hook": "^5.2.1",
     "react-i18next": "^15.7.4",

package/scripts/migrateServerDB/index.ts

@@ -1,4 +1,5 @@
 import * as dotenv from 'dotenv';
+import dotenvExpand from 'dotenv-expand';
 import { migrate as neonMigrate } from 'drizzle-orm/neon-serverless/migrator';
 import { migrate as nodeMigrate } from 'drizzle-orm/node-postgres/migrator';
 import { join } from 'node:path';
@@ -6,9 +7,15 @@ import { join } from 'node:path';
 // @ts-ignore tsgo handle esm import cjs and compatibility issues
 import { DB_FAIL_INIT_HINT, DUPLICATE_EMAIL_HINT, PGVECTOR_HINT } from './errorHint';
 
-// Read the `.env` file if it exists, or a file specified by the
-// dotenv_config_path parameter that's passed to Node.js
-dotenv.config();
+// Load environment variables in priority order:
+// 1. .env (lowest priority)
+// 2. .env.[env] (medium priority, overrides .env)
+// 3. .env.[env].local (highest priority, overrides previous)
+// Use dotenv-expand to support ${var} variable expansion
+const env = process.env.NODE_ENV || 'development';
+dotenvExpand.expand(dotenv.config()); // Load .env
+dotenvExpand.expand(dotenv.config({ override: true, path: `.env.${env}` })); // Load .env.[env] and override
+dotenvExpand.expand(dotenv.config({ override: true, path: `.env.${env}.local` })); // Load .env.[env].local and override
 
 const migrationsFolder = join(__dirname, '../../packages/database/migrations');