1.0.18 is incorrectly affirming that, for example, ^15.5.2 in a package.json file is not vulnerable

[jookshub]

If you would have

  "next": "^15.5.2"

then 1.0.18 will yield

🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner

📂 Found 28 package.json file(s)

✓ No vulnerable packages found!
  Your project is not affected by CVE-2025-66478.

while with a pinned version 15.5.2 it will yield

🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner

📂 Found 28 package.json file(s)

🚨 Found 1 vulnerable file(s):

  📄 package.json
     next: 15.5.2 → 15.5.7

⚠️ The problem is, you cannot expect ^15.5.2 to not be vulnerable, as it depends on the e.g. package-lock.json contents or another lockfile - so this might be very misleading, if you are not aware of that. In this case the lockfile version was 15.5.6 - so a vulnerable version!

ℹ️ Checked with npx fix-react2shell-next on Node 22.16.0

💡 I would expect that the tool would warn in both cases, unless it verifies via the lockfiles, that the most recent version is installed.

🔗 See also Issue #12, which might be related, but I could not reproduce that behaviour.

[jookshub]

neat - you actually do check the installed version 🙌

however, not the lockfiles, which is what tripped me up, as you would have to install the project first and that seemed not necessary at first glance - however, while attempting to provide a fix, I saw that you do check the installed version

I guess a quick-fix would be an update to the README, to inform that you first have to install your dependencies 🤔