RepoJournal
Vercel

@vercel

Next.js + the Vercel platform — frontend infrastructure for the web

MODELCONTEXTPROTOCOL REDOS PATCH SHIPS AS NEXT-DEVTOOLS TIGHTENS PLAYWRIGHT SCHEMA

By RepoJournal · Filed · About Vercel

A critical ReDoS vulnerability in your MCP dependencies just got patched, but your browser_eval wrapper is already broken by an upstream schema change.

Next-devtools-mcp shipped an emergency bump to @modelcontextprotocol/sdk 1.25.2 [1] that patches CVE-2026-0621, a ReDoS vulnerability in the UriTemplate class where nested quantifiers cause catastrophic backtracking on crafted resource URIs. Deploy this immediately if you're running devtools in production.

Separately, @playwright/mcp@0.0.75 renamed field schemas across browser_eval actions (ref becomes target, fill_form shape changed), breaking the wrapper's forwarding logic [2]. This landed and is already auto-installing, so your next browser_navigate or browser_click call will fail with InputValidationError unless you align your wrapper code. The team also added Chromium browser support for Linux arm64, fixing a gap where certain platforms couldn't use browser_eval at all.

On the CLI side, Vercel shipped step-up auth for vc env pull [3], letting you retry after a challenge_required response using device-code flow with stored refresh tokens. A separate PR simplified @vercel/vc-native's install model [4], moving to opencode-style postinstall to eliminate multiple platform binaries.
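One way to check a project for the SDK bump described above, as an added example that is not part of the original brief or Vercel's code: it scans an npm lockfile's `packages` map for any copy of @modelcontextprotocol/sdk older than 1.25.2. Treating every earlier version as unpatched is an assumption (the page does not state the affected range), and the sample lockfile with its `some-tool`, `other` and `sdk-extras` package names is constructed.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3 "packages" map)
// for copies of @modelcontextprotocol/sdk older than the patched 1.25.2.
const PKG = "@modelcontextprotocol/sdk";
const PATCHED = "1.25.2"; // release named on this page as fixing CVE-2026-0621

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version a sorts before b. A prerelease of x.y.z sorts before x.y.z.
function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return true; // unparseable version: fail closed and report it
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre && !pb.pre;
}

// Return every installed copy (top-level or nested) below the patched release.
// Assumption: all versions before PATCHED need the bump.
function findUnpatchedSdk(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PKG)) continue; // exact package name only
    if (isOlder(meta.version, PATCHED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names, not a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.25.2" },
    "node_modules/some-tool/node_modules/@modelcontextprotocol/sdk": { version: "1.24.0" },
    "node_modules/other/node_modules/@modelcontextprotocol/sdk": { version: "1.25.2-beta.1" },
    "node_modules/@modelcontextprotocol/sdk-extras": { version: "0.1.0" },
  },
};

console.log(findUnpatchedSdk(sampleLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findUnpatchedSdk`; nested copies pulled in by other tools are reported alongside the top-level one.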

Action items

References

  [1] fix(deps): bump @modelcontextprotocol/sdk to 1.25.2 (CVE-2026-0621 ReDoS) (#140), vercel/next-devtools-mcp
  [2] fix(browser_eval): align tool args with Playwright MCP 0.0.75 schema (target fields + fill_form), vercel/next-devtools-mcp
  [3] [CLI] changing logic for calling vc env pull with vca, vercel/vercel
  [4] [CLI] Removing multiple installs for PNPM and NPM, vercel/vercel

FAQ

What changed in Vercel on June 1, 2026?
A critical ReDoS vulnerability in your MCP dependencies just got patched, but your browser_eval wrapper is already broken by an upstream schema change.
What should Vercel teams do about it?
  • Patch @modelcontextprotocol/sdk to 1.25.2 immediately (CVE-2026-0621)
  • Align browser_eval wrapper to @playwright/mcp 0.0.75 schema (ref -> target, fill_form shape)
  • Upgrade Vercel CLI to pick up vc env pull challenge flow and lighter install model
Which Vercel repositories shipped on June 1, 2026?
vercel/next-devtools-mcp, vercel/vercel
