@renovate renovate bot commented Aug 29, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: next (source)
Change: ~15.2.8~16.0.0
Age / Confidence: (badge images not captured)

GitHub Vulnerability Alerts

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

  1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

  2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

GHSA-h25m-26qc-wcjf

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.


Release Notes

vercel/next.js (next)

v16.0.10

Compare Source

v16.0.9

Compare Source

v16.0.8

Compare Source

v16.0.7

Compare Source

v16.0.6

Compare Source

v16.0.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix(nodejs-middleware): await for body cloning to be properly finalized (#​85418)
Credits

Huge thanks to @​lucasadrianof for helping!

v16.0.4

Compare Source

v16.0.3

Compare Source

Core Changes
  • fix: Rspack throw error when using ForceCompleteRuntimePlugin: #​85221
  • fix: build CLI output not displaying Proxy (Middleware) when nodejs runtime: #​85403
  • fix: staleTimes.static should consistently enforce a 30s minimum: #​85479
  • [turbopack] fix build of empty entries of pages: #​84873
  • Cache the head separately from the route tree: #​84724
  • Allow inspecting dev server on default port with next dev --inspect: #​85037
  • Avoid proxying React modules through workUnitStore: #​85486
  • fix: redirect should always return updated router state: #​85533
  • Upgrade React from b4455a6e-20251027 to 4f931700-20251029: #​85518
  • [turbopack] Move generation of cacheLife types out of the webpack plugin and into the dev bundler directly: #​85539
  • Ensure user-space stack frame for 'use cache' in page/layout component: #​85519
  • Update parallel routes in build-complete: #​85546
  • fully remove clientSegmentCache flag: #​85541
  • [turbopack] Support relative paths in turbopack source maps.: #​85146
  • Release unnecessary memory on hydration finish: #​84967
  • Preserve interception markers in parameter types: #​85526
  • move segment cache entries to top level segment-cache dir: #​85542
  • Upgrade React from 4f931700-20251029 to 561ee24d-20251101: #​85670
  • [devtools] Remove title from preferences: #​85698
  • Update font data: #​85708
  • Don't invalidate hot reloader excessively during dev server boot: #​85732
  • [codemod] fix: next-lint-to-eslint-cli did not handle 'next' plugin: #​85749
  • Upgrade React from 561ee24d-20251101 to 67f7d47a-20251103: #​85762
  • Tracing: Fix memory leak in span map: #​85529
  • Fix documentation typo in refresh function: #​85696
  • fix: eslint-config-next types was exporting to dist/src: #​85768
  • Upgrade React from 67f7d47a-20251103 to f646e8ff-20251104: #​85772
  • remove unused RSC payload property: #​85746
  • [runtime prefetching]: fix runtime prefetching when deployed: #​85595
  • Turbopack: next build --analyze: #​85197
  • Build: Log amount of workers during static generation: #​85706
  • Upgrade React from f646e8ff-20251104 to dd048c3b-20251105: #​85819
  • Sync devFallbackParams when generateStaticParams change: #​85741
  • chore: upgrade rspack 1.6.0: #​84210
  • [mcp] get_routes mcp tool: #​85773
  • Split each path param into a separate cache key : #​85758
  • [turbopack] change server source maps in production to use relative paths: #​85576
  • fix: skip collecting metadata for app-error in webpack: #​85892
  • fix: support root span attributes with a custom server: #​85521
  • fix isDynamicRSC condition when deployed: #​85919
  • [turbopack] Make it possible to synchronously access native bindings: #​85787
  • Upgrade React from dd048c3b-20251105 to fa50caf5-20251107: #​85906
  • Fix telemetry event loss on build failures and server shutdown: #​85867
  • Remove one stack frame from 'use cache' call stacks: #​85966
  • Upgrade React from fa50caf5-20251107 to 52684925-20251110: #​85980
  • Deployment adapter: fix metadata for "/" route: #​85820
  • Enable React's default Transition indicator behind a flag: #​86000
  • update routes-manifest to include whether app has pages routes: #​86051
Misc Changes
  • chore: Add opt-level = s for not frequently used crates: #​85426
  • [test] Deflake cache-components-allow-otel-spans: #​85466
  • [test] Move remaining experimental.cacheLife: #​85467
  • Turbopack: chore: Remove mopa dependency in turbo-tasks (2nd attempt): #​85286
  • Update Proxy docs: #​85439
  • [CNA] Do not prompt for Turbopack: #​85404
  • Clean up new release process: #​85458
  • Update E2E tests workflow: #​85485
  • Update E2E deploy tests manifest: #​85483
  • docs: example are incorrect async function exports only: #​85453
  • [test] Handle CLI assertions where no "Compiling..." log is present: #​85499
  • [test] Speed up refresh test: #​85505
  • [test] Add test cases for dynamic caches without suspense boundaries: #​85500
  • docs: Routes are wrapped w/ Activity in Cache Components: #​85309
  • docs: GET handler behavior under cache components: #​85389
  • [test] Avoid needless start/stop from using createSandbox: #​85507
  • [test] Use --debug-build-paths instead of NEXT_PRIVATE_APP_PATHS: #​85504
  • docs: revalidateTag requires second argument: #​85284
  • Refactor GTM implementation to support google tag gateway: #​81011
  • Update Rspack production test manifest: #​85494
  • Update Rspack development test manifest: #​85495
  • [docs] Fix a typo: #​85492
  • [test] Regenerate tsconfig.json files: #​85515
  • [Turbopack] clean up completion.rs a bit: #​84863
  • [test] Remove maxRetries and hardError parameters: #​85536
  • Turbopack: remove the .into() alias to .cell(): #​85516
  • [test] Consolidate identical snapshots across different bundlers: #​85532
  • [turbopack] Change where cells are created in resolve_raw to make cell allocation order deterministic.: #​85525
  • Turbopack: Make tasks deterministic: #​85524
  • [test] Separate act and assertions: #​85508
  • [test] assert* -> waitFor* when the util is not instant: #​85450
  • Turbopack: move whole_app_module_graphs to top level: #​84897
  • [test] Bail on sending requests to Next.js instance if it's no longer available: #​85557
  • [test] Deflake tests comparing two random numbers: #​85571
  • [test] Disallow custom RegExp-like implementations in check: #​85537
  • [test] Deflake prerender suite: #​85563
  • Turbopack: chore: Remove some dead MagicAny serialization code from turbo_tasks::value: #​85577
  • [test]: fix broken scroll restoration test: #​85599
  • [test] Deflake nested after() tests: #​85566
  • [test] Stop installing unused dependencies: #​85569
  • [test] Consider test/integration/ in flake detection tests: #​85590
  • Turbopack: more checks on verify_serialization: #​84952
  • Turbopack: add track_caller to improve panics: #​85565
  • Turbopack: add verify_determinism feature to check if tasks are deterministic: #​85559
  • docs: cache life rework: #​85224
  • Turbopack: fix hanging dev server and builds with fs cache: #​85606
  • Turbopack: Fix compound assignment expression evaluation (#​85478): #​85593
  • Turbopack: fix Scope holding Arc too long: #​85611
  • [ci] Improve change detection logic in run-for-change script: #​85619
  • [test] Ignore in deploy tests if a child process isn't available: #​85636
  • Turbopack: add size_hint and len for Chunk iterator: #​85622
  • [test]: move resume-data-cache to e2e test: #​85647
  • Update Rspack development test manifest: #​85662
  • Update Rspack production test manifest: #​85661
  • Update Rspack production test manifest: #​85688
  • Update Rspack development test manifest: #​85689
  • [test] Deflake root-optional-revalidate: #​85584
  • docs: fix generateImageMetadata example to use normal params object: #​85658
  • Turbopack: Upgrade image crate: #​85084
  • docs: update multi sitemap argumenmt type: #​85701
  • [test] Move all files to .ts (6/6): #​85641
  • Turbopack: add a batch add method to the storage: #​84270
  • docs: recommend reverse-proxy when self-hosting: #​85650
  • [test] Deflake prefetching.stale-times: #​85733
  • [test] Deflake custom cache handler test: #​85610
  • [test] Allow CLI integration test to be retryable: #​85586
  • docs: update docs to mention ESLint as default: #​85740
  • docs(next.config): this docs should remove ".mts" is not supported.: #​85716
  • Turbopack: cleanup StyleSheetLike: #​85718
  • Turbopack: disable tree shaking for tracing: #​85722
  • [test] Move all files to .ts (3/6): #​85638
  • [test] Move all files to .ts (2/6): #​85637
  • [test] Move all files to .ts (1/6): #​85634
  • docs: generateSitemap passes id as promise: #​85767
  • [test] Move all files to .ts (4/6): #​85639
  • docs: disclosure on path-to-regexp: #​85629
  • chore: update rspack binding to 1.6.0: #​85717
  • Turbopack: trace worker_threads worker entry: #​85734
  • Update Rspack development test manifest: #​85761
  • Turbopack: chore: Remove extern crate and macro_use syntax: #​85778
  • [turbopack] Drop duration and allocation tracking from CaptureFuture: #​85534
  • Turbopack: chore: Remove dead RouteMatcher stuff: #​85784
  • docs: fresh up getting started 00: #​85736
  • Turbopack: chore: Remove the serde_regex dependency, which wasn't very heavily used: #​85578
  • Turbopack: use batch add in connect children: #​85623
  • [test] Move all files to .ts (5/6): #​85640
  • [test] Deflake legacy-link-behavior: #​85805
  • Resolve request ID confusion: #​85809
  • Turbopack: use batch add to add initial followers: #​85624
  • Turbopack: chore: Remove dead experimental.ppr struct field: #​85792
  • Turbopack: chore: Avoid string clones in Glob::parse by using RcStr: #​85579
  • Update Rspack production test manifest: #​85795
  • docs: getting started updates 01: #​85750
  • chore: Update patricia_tree dependency, remove manual serde impls: #​85785
  • docs: keywords in system reqs and add browserslist: #​85838
  • Honour NEXT_TEST_PREFER_OFFLINE in install-native.mjs: #​85850
  • Turbopack: chore: Update anyhow, remove old backtrace feature: #​85844
  • Turbopack: Remove some dead (or useless) code from next-core/src/next_client_reference/visit_client_reference.rs: #​85843
  • sort dependencies for smaller diffs: #​82291
  • Update Rspack development test manifest: #​85846
  • Turbopack: Remove non_operation_vc_strongly_consistent feature usage from next-api: #​85874
  • Turbopack: remove the streaming hack for improved stability: #​85858
  • test: Port clean-distdir integration test to the modern e2e test framework: #​85828
  • Update font data: #​85920
  • Update deploy manifest: #​85924
  • Turbopack: chore: Merge turbo-tasks-macros-shared crate into turbo-tasks-macros: #​85917
  • Turbopack: Fix IO concurrency for MacOS: #​85861
  • Add Appwrite Sites to supported adapters: #​85830
  • [turbopack] Remove LocalTaskType::Native, it is dead: #​85480
  • [test] Increase response timeout in next.browserWithResponse(): #​85911
  • Hoist inner 'use cache' functions to reduce function allocations: #​85904
  • docs: eslint config update: #​85969
  • Fix Turbopack local font font-family declaration: #​85913
  • switch to slice in createRuntimePrefetchTransformStream: #​85822
  • Update authentication.mdx: Fix Auth0 Link: #​85953
  • Turbopack: remove unused function: #​85974
  • docs: cacheHandlers: #​85311
  • docs: Feedback item on proxy default: #​86004
  • [test] Add missing test fixtures for cacheLife & cacheTag in client: #​85872
  • Fix false-positive build error for cacheLife & cacheTag: #​85875
  • [cna] For pnpm ignore postinstall from sharp and unrs-resolver: #​83168
  • Turbopack: refactor evaluate to take module_graph: #​85971
  • Turbopack: remove duplicate traversal implementations: #​85853
  • Omit unused encryptActionBoundArgs/decryptActionBoundArgs imports: #​86015
  • Turbopack: cleanup db log and add verbose option: #​85965
  • [ci]: fix retry_deploy_test workflow: #​85981
  • Fix typo in documentation: #​86054
Credits

Huge thanks to @​kdy1, @​eps1lon, @​SyMind, @​bgw, @​swarnava, @​devjiwonchoi, @​ztanner, @​ijjk, @​huozhi, @​icyJoseph, @​acdlite, @​unstubbable, @​gnoff, @​gusfune, @​vercel-release-bot, @​lukesandberg, @​sokra, @​hayes, @​shuding, @​wyattjoh, @​marjan-ahmed, @​timneutkens, @​ajstrongdev, @​zigang93, @​mischnic, @​Nayeem-XTREME, @​hamirmahal, @​eli0shin, @​tessamero, @​gaojude, @​jamesdaniels, @​georgesfarah, and @​timeyoutakeit for helping!

v16.0.2

Compare Source

[!NOTE]
This version includes no code or feature changes. To get the latest change, please look for the next patch release v16.0.3 or next@​latest

v16.0.1

Compare Source

v16.0.0

Compare Source

v15.5.11

Compare Source

v15.5.10

Compare Source

v15.5.9

Compare Source

v15.5.8

Compare Source

v15.5.7

Compare Source

v15.5.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Turbopack: don't define process.cwd() in node_modules #​83452
Credits

Huge thanks to @​mischnic for helping!

v15.5.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Split code-frame into separate compiled package (#​84238)
  • Add deprecation warning to Runtime config (#​84650)
  • fix: unstable_cache should perform blocking revalidation during ISR revalidation (#​84716)
  • feat: experimental.middlewareClientMaxBodySize body cloning limit (#​84722)
  • fix: missing next/link types with typedRoutes (#​84779)
Misc Changes
  • docs: early October improvements and fixes (#​84334)
Credits

Huge thanks to @​devjiwonchoi, @​ztanner, and @​icyJoseph for helping!

v15.5.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: ensure onRequestError is invoked when otel enabled (#​83343)
  • fix: devtools initial position should be from next config (#​83571)
  • [devtool] fix overlay styles are missing (#​83721)
  • Turbopack: don't match dynamic pattern for node_modules packages (#​83176)
  • Turbopack: don't treat metadata routes as RSC (#​82911)
  • [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#​83357)
  • Turbopack: throw large static metadata error earlier (#​82939)
  • fix: error overlay not closing when backdrop clicked (#​83981)
  • Turbopack: flush Node.js worker IPC on error (#​84077)
Misc Changes
  • [CNA] use linter preference (#​83194)
  • CI: use KV for test timing data (#​83745)
  • docs: september improvements and fixes (#​83997)
Credits

Huge thanks to @​yiminghe, @​huozhi, @​devjiwonchoi, @​mischnic, @​lukesandberg, @​ztanner, @​icyJoseph, @​leerob, @​fufuShih, @​dwrth, @​aymericzip, @​obendev, @​molebox, @​OoMNoO, @​pontasan, @​styfle, @​HondaYt, @​ryuapp, @​lpalmes, and @​ijjk for helping!

v15.5.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: validation return types of pages API routes (#​83069)
  • fix: relative paths in dev in validator.ts (#​83073)
  • fix: remove satisfies keyword from type validation to preserve old TS compatibility (#​83071)
Credits

Huge thanks to @​bgub for helping!

v15.5.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: disable unknownatrules lint rule entirely (#​83059)
  • revert: add ?dpl to fonts in /_next/static/media (#​83062)
Credits

Huge thanks to @​bgub and @​ztanner for helping!

v15.5.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: aliased navigations should apply scroll handling (#​82900)
  • Turbopack: fix invalid NFT entry with file behind symlink (#​82887)
  • fix: typesafe linking to route handlers and pages API routes (#​82858)
  • fix: change "noUnknownAtRules" to "warn" for Biome (#​82974)
  • fix: add path normalization to getRelativePath for Windows (#​82918)
  • feat: add typesafety with config.typedRoutes to redirect() and permanentRedirect() (#​82860)
  • fix: avoid importing types that will be unused (#​82856)
  • fix: update the config.api.responseLimit type (#​82852)
  • fix: update validation return types (#​82854)
Credits

Huge thanks to @​bgub, @​mischnic, and @​ztanner for helping!

v15.5.0

Compare Source

Core Changes
  • Use and enforce exhaustive switch statements for work unit store: #​81577
  • Enable @typescript-eslint/switch-exhaustiveness-check rule: #​81583
  • [dynamicIO] use RSC dynamicness to control partial vs complete PPR result: #​81627
  • [dynamicIO] Do not use React.unstable_postpone(): #​81652
  • feat: new detachable panel UI: #​81483
  • Turbopack: content-hash PageLoaderAsset: #​81450
  • [segment explorer] fix content overflow styling: #​81649
  • Improve reliability of owner stacks for async I/O errors: #​81501
  • fix(router): Prevent redirect loop on root data requests with basePath: #​81096
  • Ensure custom NextServer config is honored: #​81681
  • Fix before interactive incorrectly render css: #​81146
  • perf: memorize exclude function in webpack config: #​81525
  • Also enforce experimental features when there's no next config file: #​81679
  • feat(next/image): warn when images.qualities is undefined: #​81690
  • feat(build): optimize filterUniqueParamsCombinations to generate sub-combinations: #​81321
  • Update NextAdapter type and re-export: #​81692
  • upgrade to path-to-regexp@​6.3.0: #​80123
  • [metadata] replace for initial body icon case: #​81688
  • [segment explorer] remove dev panel ui flag: #​81670
  • Simplify running test apps locally with ppr or dynamicIO enabled: #​81668
  • [turbopack] Return cached Promise from __turbopack_load_by_url__ : #​81663
  • Upgrade React from 97cdd5d3-20250710 to 2f0e7e57-20250715: #​81678
  • Delete unused renderToString function: #​81707
  • Discard prerendered route handler data from FS cache after revalidation: #​81611
  • Upgrade React from 2f0e7e57-20250715 to d85ec5f5-20250716: #​81708
  • Ignore pending revalidations during prerendering: #​81621
  • [turbopack] Clear chunk cache on HMR instead of creating new next-server VM: #​81664
  • fix: rootParams should throw in client when fallbackParams are not present: #​81711
  • perf(build): optimize buildAppStaticPaths performance and add helper function: #​81386
  • Turbopack: Support string without options for @​next/mdx: #​81713
  • [Segment Cache] Support dynamic head prefetching: #​81677
  • [sourcemaps] Consistent cursor columns: #​81375
  • fix: revert client segment route changes for sub shell generation: #​81731
  • fix: pages router metadata bugs with React 19: #​81733
  • Improve error handling for headers/cookies/draftMode in 'use cache': #​81716
  • [devtool] fix duplicate rendered indicator on server: #​81729
  • [devtool] enable segment explorer by default: #​81737
  • [turbopack] Stop exposing globals from Turbopack runtime: #​81727
  • Remove unnecessary await: #​81761
  • [chore] bump zod to latest v3: #​81757
  • feat(turbopack): Log anonymized internal error (panic) information to telemetry: #​81272
  • fix: revert client segment route changes for sub shell generation: #​81740
  • bugfix: static resources staleTime should be renewed once refetched: #​81771
  • [devtool] move font styling to global.css: #​81782
  • [devtool] copy decoded info of error details: #​81735
  • fix(build): add sourcePage context for PPR dynamic route lambda creation: #​81781
  • refactor: rename experimental.dynamicIO to experimental.cacheComponents: #​81562
  • Properly handle hanging promise rejections during prerendering: #​81754
  • Upgrade React from d85ec5f5-20250716 to dffacc7b-20250717: #​81767
  • Refactor: Get rid of overly generic getExpectedRequestStore function: #​81791
  • [devtool] migrate css reset to global.css: #​81783
  • [dev-tools] Robust shortcut detection: #​81756
  • [segment explorer] hide for pages router: #​81813
  • [devtool] fix scrollbar styling: #​81814
  • fix(ppr): ensure fallback route params trigger dynamic resume: #​81812
  • [devtools] restart server pending state: #​80858
  • Turbopack: fix dist dir on Windows: #​81758
  • fix: remove boundary sentinel from RSC responses: #​81857
  • [sourcemaps] Try VM for retrieving source maps first: #​81869
  • [devtools] save user config inside .next/cache: #​81807
  • Server: Remove unused code: #​81886
  • refactor: encapsulate content type within RenderResult: #​81861
  • refactor: handle null RenderResult responses gracefully: #​81895
  • Upgrade React from dffacc7b-20250717 to e9638c33-20250721: #​81899
  • chore(devtools): sync todos to linear: #​81901
  • Introduce 'use cache: private': #​81816
  • chore(deps): update browserslist: #​81851
  • Remove web-server from edge-ssr-app: #​81389
  • Stabilize node middleware support: #​81907
  • Add run-turbopack-compiler trace span: #​81917
  • fix: support calling onClose multiple times in edge-ssr-app: #​81911
  • fix: logging the correct process for listened port: #​81903
  • Build: Include rewrites in manifest generation: #​81894
  • Routing: Clean up some code: #​81932
  • [sourcemaps] Ensure codeframe when calling Client Functions from Server: #​81918
  • [segment explorer] missing file suggestion: #​81617
  • [turbopack] Always print trace labels in headers: #​81728
  • Revert "[metadata] use https protocol for schema urls": #​81934
  • Upgrade React from e9638c33-20250721 to 7513996f-20250722: #​81940
  • Upgrade to swc v33: #​81750
  • Remove extra base-server code: #​81944
  • Turbopack: flatten sourceInfo to avoid objects, reorder args, compress node.js entry: #​81545
  • Fix dynamicParams false layout case in dev: #​81990
  • Initial MCP implementation: #​81770
  • Fix: Unresolved param in x-nextjs-rewritten-query: #​81991
  • Turbopack: Add an option to use system TLS certificates (fixes #​79060, fixes #​79059): #​81818
  • Turbopack: Remove unused proxy option in turbo-tasks-fetch, lightly document HTTP_PROXY/HTTPS_PROXY environment variables: #​81905
  • Upgrade React from 7513996f-20250722 to edac0dde-20250723: #​81984
  • [devtools] Cleanup folder structure: #​82012
  • [devtools] Fix "open in editor" for locations in stackframes: #​82013
  • [Segment Cache] Fix: Key by rewritten search: #​81986
  • Upgrade vercel og and remove yoga type patching: #​81937
  • [perf] cache load config results: #​80570
  • Turbopack: use prototype for turbopack context for better runtime performance: #​81547
  • [reactcompiler] Test with latest RC: #​82002
  • [devtools] Fix various exhaustive-deps violations: #​82010
  • [devtools] Apply React Compiler to Next.js DevTools source: #​82004
  • Upgrade React from edac0dde-20250723 to 3d14fcf0-20250724: #​82020
  • Adjusted the warning message to be more descriptive: #​82054
  • Track fallback params on workUnitStore: #​82003
  • Fix API stripping JSON incorrectly: #​82061
  • Upgrade React from 3d14fcf0-20250724 to 19baee81-20250725: #​82063
  • use FetchStrategy to control prefetching behavior everywhere: #​82032
  • [Segment Cache] set fetchStrategy on segments from a dynamic request: #​82059
  • Revert "Upgrade vercel og and remove yoga type patching (#​81937)": #​82066
  • Optimize segment data routes: #​82033
  • Turbopack: write tasks doesn't need to be session dependent, as effects will restore: #​78727
  • [sourcemaps] Fully sourcemap stacks on the Server: #​81904
  • fix(Rspack): use loaderContext.utils.contextify to replace ModuleFilenameHelpers.createFilename: #​82104
  • next/root-params: #​80255
  • fix(next/image): fix image-optimizer.ts headers: #​82114
  • Upgrade React from 19baee81-20250725 to eaee5308-20250728: #​82120
  • Fix validateRSCRequestHeaders incorrect redirect: #​82119
  • fix(next/image): improve and simplify detect-content-type: [#​82118](https://redirect.gi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@roomote roomote bot left a comment


Thank you for this important security update! I've reviewed the changes and this PR correctly updates Next.js from 15.2.5 to 15.4.7 to address three critical CVEs (CVE-2025-57822, CVE-2025-55173, and CVE-2025-57752).

The lockfile changes look good and the update also includes the related sharp dependency bump from 0.33.5 to 0.34.3.

pnpm-lock.yaml Outdated
@@ -189,7 +189,7 @@ importers:
version: 0.518.0([email protected])
next:
specifier: ^15.2.5
version: 15.2.5([email protected]([email protected]))([email protected])
version: 15.4.7([email protected]([email protected]))([email protected])
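Review bot: the `specifier: ^15.2.5` line is unchanged while only the resolved `version:` moves from 15.2.5 to 15.4.7, so the lockfile is the sole thing holding the fixed release; the declared range in package.json still admits the vulnerable 15.2.5, and any install that regenerates the lockfile (or runs without `--frozen-lockfile`) is not bound to 15.4.7 by the manifest. Bump the package.json range to `^15.4.7` in the same change so the minimum is enforced outside the lockfile.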

Good to see the project isn't using or configuration, which means it wasn't directly vulnerable to CVE-2025-55173. However, since the project does use Next.js Image component in footer.tsx, testimonials.tsx, and nav-bar.tsx, it would be good to verify image optimization continues working correctly after this update.

pnpm-lock.yaml Outdated
@@ -19319,31 +19352,34 @@ snapshots:

[email protected]: {}

sharp@0.33.5:
sharp@0.34.3:

The sharp update from 0.33.5 to 0.34.3 is a significant version bump that comes with the Next.js update. Could you run a quick smoke test on both web apps (web-roo-code and web-evals) after merging to ensure image processing works as expected?

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Aug 29, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from bf05a13 to 4407523 Compare August 31, 2025 10:31
@daniel-lxs daniel-lxs moved this from Triage to PR [Needs Review] in Roo Code Roadmap Sep 2, 2025
@hannesrudolph hannesrudolph added PR - Needs Review and removed Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. labels Sep 2, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 4407523 to 6fc5ccf Compare September 8, 2025 00:20
@daniel-lxs daniel-lxs moved this from PR [Needs Review] to Renovate BOT in Roo Code Roadmap Sep 16, 2025
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Sep 16, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6fc5ccf to 8f30bef Compare September 25, 2025 14:03
@renovate renovate bot changed the title fix(deps): update dependency next to v15.4.7 [security] chore(deps): update dependency next to v15.4.7 [security] Sep 25, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 10 times, most recently from a41d95c to 5c916be Compare September 26, 2025 14:14
vercel bot commented Sep 26, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: roo-code-website | Deployment: Building | Preview / Comment links | Updated (UTC): Sep 26, 2025 2:14pm

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 96b7835 to f636dd4 Compare October 8, 2025 01:39
@roomote roomote bot left a comment


I found some issues that need attention around post-upgrade verification for the security advisories.

pnpm-lock.yaml Outdated

next@15.2.5:
resolution: {integrity: sha512-LlqS8ljc7RWR3riUwxB5+14v7ULAa5EuLUyarD/sFgXPd6Hmmscg8DXcu9hDdh5atybrIDVBrFhjDpRIQo/4pQ==}
next@15.4.7:
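Review bot: the removed next@15.2.5 entry carries its `resolution: {integrity: sha512-...}` line, but the new next@15.4.7 entry shows none in this excerpt; confirm the merged lockfile has the integrity hash for 15.4.7 so a frozen-lockfile install still verifies the downloaded tarball rather than trusting the registry alone.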

P2 — Post-upgrade security verification: With next@15.4.7, audit middleware to ensure you never pass incoming request headers directly into NextResponse.next(). This mitigates CVE-2025-57822 for self-hosted middleware.
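The middleware audit this comment asks for comes down to one habit: build the header set you hand to NextResponse.next() from an explicit allowlist instead of copying request.headers wholesale. The block below is an added example, not code from this PR or from Next.js; it uses the global Headers class (Node 18+), a constructed stand-in for NextRequest, and an allowlist and an x-middleware- prefix check that are this example's own assumptions.

```javascript
// Added example (not the PR's or Next.js's code): allowlisted header
// forwarding for middleware, versus the wholesale copy the advisory warns about.

// Headers the downstream route actually needs (this example's own choice).
const FORWARD_ALLOWLIST = ['accept-language'];

// Next.js uses x-middleware-* names for its own middleware-to-server
// signalling (assumption: these are the names that must never come from the
// client), so an allowlist containing them is rejected outright.
function assertSafeAllowlist(allowlist) {
  for (const name of allowlist) {
    if (name.toLowerCase().startsWith('x-middleware-')) {
      throw new Error(`refusing to forward internal header ${name}`);
    }
  }
}

// The pattern to audit for: every incoming header, including whatever the
// client chose to send, is reflected into next().
function forwardAllHeaders(request) {
  return new Headers(request.headers);
}

// Hardened form: start from an empty Headers and copy only allowlisted names.
function forwardAllowlistedHeaders(request, allowlist = FORWARD_ALLOWLIST) {
  assertSafeAllowlist(allowlist);
  const out = new Headers();
  for (const name of allowlist) {
    const value = request.headers.get(name);
    if (value !== null) out.set(name, value);
  }
  return out;
}

// Constructed incoming request: credentials and an internal-looking header
// arrive alongside the one header the app actually needs.
const sampleRequest = {
  headers: new Headers({
    'accept-language': 'de',
    cookie: 'session=abc',
    authorization: 'Bearer t0k3n',
    'x-middleware-example': 'client supplied',
  }),
};

// In middleware.ts (assumed usage; NextResponse is not imported here):
//   return NextResponse.next({ request: { headers: forwardAllowlistedHeaders(request) } });
console.log([...forwardAllowlistedHeaders(sampleRequest).keys()]); // [ 'accept-language' ]
```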

pnpm-lock.yaml Outdated

sharp@0.33.5:
resolution: {integrity: sha512-haPVm1EkS9pgvHrQ/F3Xy+hgcuMV0Wm9vfIBSiwZ05k+xgb0PkBQpGsAA/oWdDobNaZTH5ppvHtzCFbnSEwHVw==}
sharp@0.34.4:
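Review bot: this hunk pins sharp@0.34.4 while the first snapshot hunk shows sharp@0.34.3 and the later review summary reports 0.34.5, so the transitive sharp version was re-resolved on each force-push; confirm which version the merged lockfile pins and that the smoke test of image processing requested for web-roo-code and web-evals was run against that final version, not an earlier one.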

P2 — Image optimization hardening: Next >=15.4.5 fixes CVE-2025-55173 and CVE-2025-57752. Verify images.domains/remotePatterns are strictly scoped, and avoid caching header-dependent image responses behind the image optimizer (or ensure vary on relevant headers).
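Checking that remote image sources are "strictly scoped" is easy to do mechanically. The block below is an added example, not code from this PR or from Next.js: a small lint over the images section of next.config. Field names (domains, remotePatterns with protocol, hostname, pathname) follow Next's documented config; which patterns count as too broad is this example's own judgement.

```javascript
// Added example (not the PR's or Next.js's code): flag loosely scoped
// remote image sources in a next.config images object.

function lintImageConfig(images) {
  const findings = [];

  // images.domains allows any protocol and any path on the listed host.
  for (const host of images.domains ?? []) {
    findings.push(`domains "${host}": no protocol or path scope; move it to remotePatterns`);
  }

  (images.remotePatterns ?? []).forEach((p, i) => {
    const where = `remotePatterns[${i}] (${p.hostname ?? 'no hostname'})`;
    if (!p.hostname) {
      findings.push(`${where}: hostname is required`);
    } else if (p.hostname.includes('*')) {
      // "*" matches one label, "**" any depth: every matching host can push
      // bytes through /_next/image on this deployment.
      findings.push(`${where}: wildcard hostname`);
    }
    if (p.protocol !== 'https') findings.push(`${where}: protocol not pinned to https`);
    if (!p.pathname || p.pathname === '/**') findings.push(`${where}: pathname unrestricted`);
  });

  return findings;
}

// Constructed configs: the loose forms the review asks to avoid, and a scoped
// form that names one host, one protocol and one path prefix.
const looseImages = {
  domains: ['cdn.example.com'],
  remotePatterns: [{ protocol: 'http', hostname: '**.example.com' }],
};
const scopedImages = {
  remotePatterns: [
    { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
  ],
};

console.log(lintImageConfig(looseImages));  // four findings
console.log(lintImageConfig(scopedImages)); // []
```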

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f636dd4 to 3ccc453 Compare October 9, 2025 03:56
@roomote roomote bot left a comment


Reviewing my own lockfile changes again - at this point I'm basically a dependency update archaeologist excavating layers of my past selves' work.

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 3ccc453 to 33665f2 Compare October 21, 2025 10:07
@roomote

roomote bot commented Oct 21, 2025


Code Review Summary

Review Status: ✅ Complete - No new issues found

Overview

This PR updates Next.js from 15.2.5 to 15.4.7 to address three security vulnerabilities:

Analysis

  • Change Type: Lockfile-only update (no code modifications)
  • Impact: Transitive dependency updates including sharp 0.33.5 → 0.34.5
  • Vulnerability Assessment:
    • No middleware file exists (not vulnerable to CVE-2025-57822)
    • No images.domains or images.remotePatterns configured (not vulnerable to CVE-2025-55173)
    • All images are static local assets from /public (not vulnerable to CVE-2025-57752)

Findings

No new issues identified in this review

This is a clean security update with no code changes or regressions introduced.


Reviewed by Roo Code PR Reviewer


Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from e77f992 to 26d1c0c Compare November 10, 2025 16:46
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 26d1c0c to 3aac381 Compare November 11, 2025 01:04
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 3aac381 to 0891b28 Compare November 18, 2025 14:46
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 0891b28 to 2b0c8b7 Compare December 3, 2025 16:01
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 2b0c8b7 to 609bdbf Compare December 4, 2025 04:19
@renovate renovate bot changed the title chore(deps): update dependency next to v15.4.7 [security] fix(deps): update dependency next to ~15.4.0 [security] Dec 4, 2025
@github-actions

github-actions bot commented Dec 4, 2025

🚀 Preview deployed!

Your changes have been deployed to Vercel:

Preview URL: https://roo-code-website-eve0xv7jh-roo-code.vercel.app

This preview will be updated automatically when you push new commits to this PR.

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from c399edd to 927c541 Compare December 17, 2025 05:30
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 927c541 to 4d8b5b2 Compare December 31, 2025 17:44
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 4d8b5b2 to 20242ad Compare January 8, 2026 16:12
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from a32ed7c to bab8041 Compare January 23, 2026 17:40
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from bab8041 to 1cc1251 Compare January 27, 2026 20:55
@renovate renovate bot changed the title fix(deps): update dependency next to ~15.4.0 [security] fix(deps): update dependency next to ~15.5.0 [security] Jan 27, 2026
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 1cc1251 to c4ace8c Compare January 28, 2026 19:08
@renovate renovate bot changed the title fix(deps): update dependency next to ~15.5.0 [security] fix(deps): update dependency next to v16 [security] Jan 28, 2026