npm Was Broken So I Switched to pnpm [React2Shell Vulnerability]
Background
In the previous article, I left extensive notes about the React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478). Figuring I could just run an update and be done with it, I proceeded carelessly — and this happened.
I was trying to apply these updates:
- Next.js 16.0.3 → 16.0.7
- React 19.2.0 → 19.2.1
- react-dom 19.2.0 → 19.2.1
The Problem
npm install kept crashing with this error:
npm error Cannot read properties of null (reading 'matches')
Things I Tried (All Failed)
- `npm install` → failed
- `npm install --force` → failed
- Delete `node_modules` and `package-lock.json`, then clean install → failed
All of them failed with the same internal error. Most likely an npm bug or cache corruption.
Solution: Switch to pnpm
pnpm install
Result: completed normally in 20 seconds
```text
dependencies:
- next 16.0.3
+ next 16.0.7
- react 19.2.0
+ react 19.2.1
- react-dom 19.2.0
+ react-dom 19.2.1
Done in 20s
```
Build succeeded too:
```text
✓ Next.js 16.0.7 (Turbopack)
✓ Compiled successfully in 2.9s
✓ Generating static pages (8/8)
```
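A successful install and build do not by themselves prove the vulnerable packages were replaced, so the check below confirms that the versions actually present meet the patched floor. This is an added example, not code from the original post; the floor versions are the targets this post updated to (16.0.7 / 19.2.1), assumed here to be the patched releases, and the sample version maps are constructed.

```javascript
// Added example: verify that installed next/react/react-dom versions are at or
// above the versions this post updated to. Floors are assumptions taken from the
// post's update targets; adjust them to the advisory that applies to your tree.
const MIN_PATCHED = {
  next: "16.0.7",
  react: "19.2.1",
  "react-dom": "19.2.1",
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into [major, minor, patch, isRelease].
// A prerelease of the floor version (e.g. 16.0.7-canary.1) sorts below 16.0.7,
// so a canary build is never mistaken for the fixed release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Comparator semantics: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// installed: { packageName: installedVersion }, e.g. assembled from the
// package.json files under node_modules. Returns every floor package that is
// still below the floor or missing entirely (a half-applied update that left
// react-dom out is still a failed update).
function findUnpatched(installed, floors = MIN_PATCHED) {
  const findings = [];
  for (const [name, min] of Object.entries(floors)) {
    const have = installed[name];
    if (have === undefined) {
      findings.push({ name, installed: null, required: min, reason: "missing" });
    } else if (compareVersions(have, min) < 0) {
      findings.push({ name, installed: have, required: min, reason: "outdated" });
    }
  }
  return findings;
}

// Constructed samples: the pre-update state from this post, and the state
// pnpm produced afterwards. findUnpatched(BEFORE) reports all three packages;
// findUnpatched(AFTER) reports none.
const BEFORE = { next: "16.0.3", react: "19.2.0", "react-dom": "19.2.0" };
const AFTER = { next: "16.0.7", react: "19.2.1", "react-dom": "19.2.1" };
```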
Summary
| Item | Result |
|---|---|
| Vulnerability fix | Done (CVE-2025-55182 / CVE-2025-66478) |
| Package manager | Changed from npm to pnpm |
| Build | Working normally |
Honestly, I don’t know the root cause. It could be environment-specific.
That said, npm has been getting hit with supply chain attacks and other contamination lately, and pnpm feels like the safer choice. I’m already using pnpm in other projects anyway, so this was a good opportunity to standardize.
The Git repository itself wasn’t compromised, so updating and pushing is the quick fix. Migrating to pnpm just happened to be the path that actually worked.