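#!/usr/bin/env bash
#
# Inventory of React Server Components packages pinned to versions affected
# by React2Shell (CVE-2025-55182).
#
# Usage:    run from the root of the tree to audit; takes no arguments.
# Requires: ripgrep (rg) built with PCRE2 support (-P).
# Output:   one section per manifest type, listing file:line matches or
#           " none".
# Exit:     0 when every scan completed (with or without matches),
#           2 when rg is missing or a scan failed. A failed scan is never
#           reported as " none", because that would read as a clean result.
#
# Limits of a clean result:
#   - rg skips hidden files and anything excluded by .gitignore, so an
#     ignored lockfile is not inspected.
#   - Only the four manifest names below are searched.
#   - NOTE(review): a framework that ships its own bundled copy of the RSC
#     runtime may not list these packages in any manifest; check the
#     framework's own advisory as well.
set -euo pipefail

# Vulnerable RSC versions (React2Shell)
readonly VULN='19\.0\.0|19\.1\.0|19\.1\.1|19\.2\.0'
readonly PKG='react-server-dom-(webpack|parcel|turbopack)'

# A vulnerable version not embedded in a longer number (so 19.1.1 does not
# also flag a hypothetical 19.1.10).
readonly VER="(?<![\\d.])(${VULN})(?!\\d)"

# Within the same JSON object (no brace crossed), an exact "version" value.
# Staying inside one object stops the match from running on to the version
# of an unrelated package further down the file.
readonly VER_FIELD="[^{}]*?\"version\"\\s*:\\s*\"(${VULN})\""

if ! command -v rg >/dev/null 2>&1; then
  echo "error: ripgrep (rg) not found; nothing was scanned" >&2
  exit 2
fi

scan_failed=0

echo "=== React2Shell(CVE-2025-55182) RSC dependency inventory ==="
echo

for file in package.json package-lock.json yarn.lock pnpm-lock.yaml; do
  case "$file" in
    package.json)
      # "react-server-dom-xxx": "^19.1.0"
      # This is the declared range, not the installed version: treat a hit
      # as a hint and rely on the lockfile sections for what is resolved.
      DESC="declared deps"
      RG="\"${PKG}\"\\s*:\\s*\"[^\"]*${VER}[^\"]*\""
      ;;
    package-lock.json)
      # lockfileVersion 2/3 ("packages" section):
      #   "node_modules/react-server-dom-xxx": { "version": "19.1.0", ... }
      # lockfileVersion 1 ("dependencies" section):
      #   "react-server-dom-xxx": { "version": "19.1.0", ... }
      # Entry carrying an explicit name (e.g. an aliased install):
      #   { "name": "react-server-dom-xxx", "version": "19.1.0", ... }
      DESC="resolved npm deps"
      RG="\"(?:[^\"]*node_modules/)?${PKG}\"\\s*:\\s*\\{${VER_FIELD}"
      RG+="|\"name\"\\s*:\\s*\"${PKG}\"${VER_FIELD}"
      ;;
    yarn.lock)
      # Yarn classic:
      #   react-server-dom-xxx@^19.1.0:
      #     version "19.1.0"
      # Yarn berry:
      #   "react-server-dom-xxx@npm:^19.1.0":
      #     version: 19.1.0
      # The header line only holds the requested range; the resolved
      # version is the "version" line that follows, so match that.
      DESC="resolved yarn deps"
      RG="${PKG}@[^\\n]*:\\r?\\n[ \\t]+version:?[ \\t]+\"?(${VULN})\"?(?=\\s|\\z)"
      ;;
    pnpm-lock.yaml)
      # /react-server-dom-xxx@19.1.0:    (also without the leading slash)
      # /react-server-dom-xxx/19.1.0:    (older lockfile layout)
      DESC="resolved pnpm deps"
      RG="/?${PKG}[@/]${VER}"
      ;;
  esac

  echo "[$file] $DESC:"

  # rg exits 0 on a match, 1 on no match, anything else on error (bad
  # pattern, missing PCRE2, unreadable path). Only 1 means "none".
  status=0
  rg -n -U -P --glob "$file" -e "$RG" -- . || status=$?
  case "$status" in
    0) ;;
    1) echo " none" ;;
    *)
      echo " scan failed (rg exit $status); result for $file is unknown" >&2
      scan_failed=1
      ;;
  esac
  echo
done

echo "=== Done. Patch any matches above to 19.0.1 / 19.1.2 / 19.2.1+ ==="

if (( scan_failed )); then
  echo "error: at least one scan failed; do not treat this run as clean" >&2
  exit 2
fi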