Skip to content

fix(deps): Update dependency next [SECURITY] #233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 22, 2025
Merged

fix(deps): Update dependency next [SECURITY] #233

merged 1 commit into from
Oct 22, 2025

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jun 15, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
next (source) 15.3.3 -> 15.4.7 age confidence
next (source) 14.2.29 -> 14.2.32 age confidence

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

  • Next.js (<14.1.1) is running in a self-hosted* manner.
  • The Next.js application makes use of Server Actions.
  • The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #​62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

  • The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
  • The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

CVE-2024-56332

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-32421

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

Release Notes

vercel/next.js (next)

v15.4.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix router handling when setting a location response header #​82588
Credits

Huge thanks to @​ztanner for helping!

v15.4.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#​82347)
  • fix: add ?dpl to fonts in /_next/static/media (#​82384)
Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix API stripping JSON incorrectly (#​82062)
  • Fix i18n fallback: false collision (#​82158)
  • Revert "Fix tracing of server actions imported by client components (#​82167)
  • Ensure setAssetPrefix updates config instance (#​82165)
  • Turbopack: update mimalloc (#​82166)
  • fix(next/image): fix image-optimizer.ts headers (#​82175)
  • fix(next/image): improve and simplify detect-content-type (#​82174)
Credits

Huge thanks to @​ijjk, @​sokra, and @​styfle for helping!

v15.4.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix dynamicParams false layout case in dev (#​82026)
  • Turbopack: fix scope hoisting variable renaming bug (#​81640)
  • Upgrade to swc v33 (#​81750)
  • Revert "[metadata] use https protocol for schema urls" (#​81934)
Credits

Huge thanks to @​bgw @​mischnic @​huozhi @​lukesandberg and @​ijjk for helping!

v15.4.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Turbopack: fix dist dir on Windows (#​81758)
Credits

Huge thanks to @​mischnic for helping!

v15.4.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • pages router metadata bugs with React 19 (#​81733)
  • [metadata] replace for initial body icon case (#​81688)
  • Ensure custom NextServer config is honored (#​81681)
Credits

Huge thanks to @​huozhi, @​ijjk, and @​ztanner for helping!

v15.4.1

Compare Source

[!TIP]
Check out our Next v15.4 Blog Post to learn more about this release.

Core Changes
  • [next-server] fix params duplicate in query after rewrite: #​77939
  • [next-server] preserve rsc query for rsc redirects: #​77963
  • Turbopack: fix a bug where marking a task a completed causes a panic when reading the output: #​77922
  • Turbopack warning spelling fix: #​77999
  • Allow URL schemes that include +, - or .: #​77932
  • [dev-overlay] Remove unused hydration error related code: #​77929
  • [dev-overlay] Unify error deduplication logic: #​78017
  • fix: use the match result after matching using the matched path header: #​77994
  • Upgrade React from 3fbfb9ba-20250409 to c44e4a25-20250409: #​78031
  • Move unhandled rejection handling to shared path: #​77997
  • fix: ensure app router not found works when deployed with pages i18n config: #​77905
  • Uninstall existing uncaughtException listeners to prevent the process from crashing: #​78042
  • Experimental bfcache: Restore state w/ : #​77992
  • Add graceful error fallback for bots requests: #​77916
  • Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #​78067
  • [next-server] remove unnecessary query shallow copy: #​78003
  • [dev-overlay] disable copy button when clipboard is not available: #​78101
  • [dev-overlay] Stop stashing React error details on error instances: #​77975
  • [dynamicIO] Model invalid dynamic on empty shells: #​77270
  • fix: bump [email protected]: #​78149
  • Handle graceful fallback for custom error boundaries: #​78121
  • [dev-overlay] Stop squashing hydration related errors in App Router: #​78140
  • [test] Enable strictNullChecks in test utils: #​78142
  • Document Turbopack trace viewer: #​78184
  • [dev-overlay] Fix error dialog resizing logic: #​78144
  • Include types in published eslint-plugin-next: #​78109
  • [dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #​77302
  • [dev-overlay] Add dedicated label for recoverable errors: #​78186
  • [chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #​78230
  • Preserve slashes when custom URL schemes are used in redirects: #​78176
  • ignore-list published sources if they have a sourcemap: #​78242
  • Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #​78152
  • Turbopack: add test case for persistent caching: #​77030
  • Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #​78253
  • fix: alternate bundler support for dropping client pages in AMP: #​77601
  • [errors] refactor default global-error into a separate file: #​78182
  • [metadata] render streaming metadata on the top level: #​77620
  • [metadata] skip head cache in default slot: #​78206
  • chore: Backport SWC-based RC optimization (#​78260)
  • fix: bump image-size@​1.2.1 (#​78164)
  • @next/mdx: Use stable turbopack config options: #​78261
  • Upgrade React from b04254fd-20250415 to 4a36d3ea-20250416: #​78297
  • Add graceful error boundary for bots requests: #​78298
  • make sure eslint-plugin-next is built when running 'pnpm dev': #​78305
  • Migrate pages API routes to handler interface: #​78166
  • Update middleware public/static matching: #​78325
  • Fix dynamic route param encoding: #​78326
  • [Turbopack] refactor persistent caching from log based to cow approach: #​76234
  • Add onInvalidate option to router.prefetch: #​77880
  • Reserve bandwidth for most recently hovered link : #​78362
  • fix: handle incremental PPR with client segment cache: #​78387
  • fix: amphtml-validator WASM errors (for real): #​78379
  • Turbopack: Remove next start --turbopack: #​78384
  • Upgrade React from 4a36d3ea-20250416 to bc6184dd-20250417: #​78322
  • [chore] remove dead code missing required error: #​78403
  • [ts-next-plugin] remove typescript vfs and related metadata plugin: #​78237
  • [ts-next-plugin] auto import metadata type: #​78258
  • [ts-next-plugin] warn to add correct type for metadata exports: #​78254
  • [ts-next-plugin] fix: validate metadata node before checking type: #​78414
  • [errors] fix edge server initial error is not sent via hmr: #​78415
  • misc: use correct capitals for React terms: #​78445
  • Skip empty prefetch request for dynamic routes: #​78436
  • Turbopack: don’t warn about webpack being configured when experimental.turbo is set: #​77998
  • Upgrade React from bc6184dd-20250417 to 914319ae-20250423: #​78468
  • Update turbopack to syn2: #​78385
  • [next-server] ensure prepare is done before preloading entry: #​78454
  • Upgrade React from 914319ae-20250423 to 197d6a04-20250424: #​78516
  • [dev-overlay] Move error.name to label: #​78198
  • [ts-next-plugin] update log for utils: #​78538
  • [ppr] Route Cardinality Updates: #​78476
  • Turbopack: support ignore comments for NFT fs access tracing: #​78460
  • Externalize manifest loading in pages-api: #​78358
  • Update font data: #​78525
  • refactor: skip the prospective render when there's a more specific route to be rendered: #​78555
  • fix: bodySizeLimit error responses + limit for non-multipart actions: #​77746
  • [dynamicIO] Do not skip dynamic validation when metadata is dynamic: #​78574
  • [dynamicIO] log dynamic validation errors consistently in dev: #​78575
  • [ts-next-plugin] clean up unused proxy: #​78539
  • [dynamicIO] Disallow only dynamic metadata: #​78576
  • fix: make webpack handle "use cache" in node_modules : #​78606
  • Use React's prerender function for "use cache" with Dynamic IO: #​78382
  • Use node: prefixed in ESM emit of standalone server.js: #​78624
  • feat: add ravendb library to server-external-packages.json: #​78319
  • docs: fix typo in ppr.ts: #​78590
  • Pre-compile busboy dependency: #​78634
  • Pages API handler interface follow-ups: #​78638
  • Repeat fix in #​78387 for routes without params: #​78568
  • [dev-tools] Fix width transition logic: #​78635
  • [ts-next-plugin] fix: warn only if no type: #​78628
  • [ts-next-plugin] fix: warn only if no type for separate export: #​78629
  • chore: Drop @swc/counter: #​78674
  • Turbopack: use small thread local collector that flushes to global collector: #​78343
  • Upgrade React from 197d6a04-20250424 to 5dc00d6b-20250428: #​78640
  • Fix bad decoding for x-matched-path header: #​78677
  • Fix pages API rewrite case: #​78644
  • chore: update rspack to 1.3.8: #​78485
  • Always apply render preparations after running an action: #​77898
  • Exclude config package from bundling: #​78671
  • Upgrade builtin babel packages: #​78673
  • Upgrade loader-utils v2 to latest patch: #​78707
  • [Link] Add prefetch="auto" option: #​78689
  • [build-sourcemaps] Ensure errors during prerender can be sourcemapped: #​78709
  • Upgrade React from 5dc00d6b-20250428 to 408d055a-20250430: #​78715
  • build: Fix minifier options for webpack builds: #​78717
  • refactor(next-swc): Do not amend minifier options from Rust code: #​78719
  • Change stylistic ESLint TypeScript defaults: #​78679
  • fix: replace original request body after middleware execution: #​77662
  • remove draft.isEnabled setter from exotic draftMode wrappers: #​77972
  • Turbopack: limit compaction merging by size instead of count: #​78669
  • [build-sourcemaps] Include codeframes in prod when sourcemaps are enabled: #​78710
  • feat: build lifecycle hooks - afterProductionCompile: #​77345
  • fix: make sure that the patched fetch cache set promise is properly awaited: #​75971
  • [dev-overlay] Make badge draggable: #​78716
  • Turbopack: fix ESM project in standalone mode: #​78774
  • Revert "[Link] Add prefetch="auto" option": #​78820
  • Downgrade React from 408d055a-20250430 to 197d6a04-20250424: #​78834
  • Reland "[Link] Add prefetch="auto" option": #​78821
  • build: Update @swc/core npm package to v1.11.24: #​77668
  • Turbopack: Implement regex support for matching webpack loaders: #​78733
  • Turbopack: Add support for extension regex in @next/mdx: #​78734
  • backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#​78488) (#​78883)
  • @​next/mdx: Use stable turbopack config options (#​78880)
  • Fix react-compiler: Fix detection of interest (#​78879)
  • Fix turbopack: Backport sourcemap bugfix (#​78881)
  • [next-server] preserve rsc query for rsc redirects (#​78876)
  • Update middleware public/static matching (#​78875)
  • [dev-overlay] Polish mobile view: #​78863
  • [dev-overlay] Consider scrollbar width for drag positioning: #​78865
  • Add handling for setting deployment id via cookie: #​78841
  • Run export child process with runtime's default max-old-space-size: #​78712
  • [dynamicIO] cache tracking for import(): #​74152
  • [dev-overlay] solidate the line number parsing: #​78868
  • Update send to v0.18.0: #​78816
  • Scope runInCleanSnapshot to Work Store: #​78930
  • Removes onNavigate from transition scope: #​78605
  • Add nonce handling from CSP in pages router: #​78936
  • Ensure manual nonce on Script works as expected: #​78939
  • Treat _debugInfo as a wellknown property for sync request data access purposes: #​78942
  • chore(CI): Run rspack tests in build_and_test.yml: #​78757
  • bugfix: Fix a bug that caused conflicting assets when adding a child compiler: #​78011
  • [Fix] Inverse prefetch segment for Pages routes: #​78932
  • Fix tracing of server actions imported by client components: #​78968
  • Revert "fix: alternate bundler support for dropping client page": #​78974
  • Fix --no-mangling for "use cache" functions: #​78993
  • chore: update rspack to 1.3.9: #​78984
  • [not-found] Add global-not-found convention: #​78783
  • [not-found] support metadata exports of global-not-found: #​78961
  • Prevent "use cache" timeout errors from being caught in userland code: #​78998
  • patch react via recast instead of string replacements: #​78916
  • [link] Avoid inlining of LinkProps in emitted declarations: #​78773
  • [next-config-ts] fix: read tsconfig file using TypeScript API: #​79055
  • Replace node:url usage in server-utils: #​79094
  • [build-sourcemaps] Remove unused static workers: #​79107
  • fix: cli test failed when using rspack: #​79081
  • [build-sourcemaps] Allow inspecting prerender worker: #​79098
  • Add initial modifyConfig hook: #​79162
  • Re-land updated bundler for pre-bundling: #​79164
  • [dynamicIO] model pathname access in metadata as async : #​79136
  • Update font data: #​79179
  • bugfix (pages): assetPrefix should not cause hard nav in development: #​79176
  • Reland "Ensure mangling is disabled for dev runtime builds (#​75297)": #​79201
  • docs: add graceful error boundary example: #​77781
  • turbo-tasks: Encode location information into panics: #​78945
  • feat(turbopack): Add basic compilation event support: #​78785
  • chore(dev-overlay): Minor cleanups to useDelayedRender hook: #​79119
  • Update font data: #​79227
  • Rename define-env-plugin.ts to define-env.ts: #​79224
  • Always pass implicit/soft tags into the CacheHandler.get method: #​79213
  • fix(dev-overlay): Ignore right clicks on the indicator draggable: #​79120
  • Fix dangling promise in unstable-cache: #​79248
  • Revert "Partial Fallback Prerendering Route Shells (#​69282)": #​79258
  • [devtool] initial support for segment explorer: #​78858
  • Client router should discard stale prefetch entries for static pages: #​79309
  • [dynamicIO] fix: do not apply import tracking transform in edge: #​79284
  • Turbopack build: Fix type: module with output: standalone: #​79292
  • [TypeScript Plugin] Moved the diagnostics' positions to the prop's type instead of the value for client-boundary warnings: #​79193
  • Use onPostpone to determine if segment prefetch is partial: #​79299
  • Enable ppr when dynamicIO is enabled: #​79302
  • fix: replaceIdentifiersInAst takes an expression, not a string: #​79196
  • Remove DIO w/o PPR branch from app-render.tsx: #​79303
  • Remove prospective fallback prerenders: #​79304
  • Fixed rewrite param parsing for interception routes in Vercel deployments: #​79204
  • [build-sourcemaps] Sourcemap errors during prerender if experimental.enablePrerenderSourceMaps is enabled: #​79109
  • [release] use @changesets/changelog-github for changelog format: #​79040
  • next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
  • Always show warning if fetch cache limit hit: #​79384
  • feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
  • [release] use @changesets/changelog-github for changelog format: #​79040
  • next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
  • Always show warning if fetch cache limit hit: #​79384
  • feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
  • Only share incremental cache for edge in next start (#​79389)
  • [TypeScript Plugin] Match method signature (someFunc(): void) type for client boundary warnings: #​79144
  • Only share incremental cache for edge in next start: #​79386
  • fix: rspack framework and lib cacheGroups: #​79172
  • Make sure bundle analyzer does not trigger warning with turbopack: #​79399
  • [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
  • Implement initial handler interface for pages routes: #​79260
  • [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
  • [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
  • Implement initial handler interface for pages routes: #​79260
  • [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
  • [Segment Cache] Fix: Skew during dynamic prefetch: #​79416
  • [dynamicIO] reimplement dynamicIO validation on prerender: #​79414
  • fix: remove redundant performance.measure usage: #​79475
  • [devtools] Add a very minimal API for restarting the dev server: #​79265
  • Model prerender store as separate server and client scopes: #​79429
  • fix: Merge link header from middleware with the ones from React (#​73431)
  • fix(edge): run after() if request is cancelled mid-streaming (#​76013)
  • gate segmentCache branch in base-server (#​79505)
  • Model prerender store as separate server and client scopes: #​79429
  • Use metadata for cache entry status code: #​79512
  • fix(dev-overlay): Better handle edge-case file paths in launchEditor: #​79526
  • [build-sourcemaps] Increase stacktrace limit during prerender: #​79498
  • fix: Rspack not skip .d.ts file: #​79285
  • Revert "[next-server] skip setting vary header for basic routes": #​79426
  • [ppr] Narrow condition for fallback shell generation at runtime: #​79565
  • Turbopack: derive de/serialize for loader config: #​79581
  • Update font data: #​79642
  • Avoid bundling dev overlay in page template: #​79641
  • Enable preview builds for forks: #​79648
  • misc: remove leftover clientInstrumentationHook type: #​79701
  • cleanup(turbopack): Embed Global vs Specific channel type in the Rust type system: #​79291
  • [dev-overlay] Show error overlay on any thrown value in /app: #​79658
  • [dev-overlay] Move error handlers into dispatcher in /app: #​79660
  • Verify cache-busting param during segment prefetch: #​79563
  • update(turbopack): Update the messaging UX for timing writing files to disk: #​79469
  • [dev-overlay] Move Redbox open/close into dispatcher: #​79698
  • chore: update rspack to 1.3.12: #​79428
  • Enable repeated tsc runs in packages/next without having to build first: #​79782
  • Run tsc in watch mode during pnpm dev: #​79785
  • Reinstate vary (#​79939)
  • fix(next-swc): Fix interestingness detection for React Compiler (#​79558)
  • fix(next-swc): Fix react compiler usefulness detector (#​79480)
  • fix(dev-overlay): Better handle edge-case file paths in launchEditor (#​79526)
  • Client router should discard stale prefetch entries for static pages (#​79362)
  • fix: preload fonts in template.js: #​79417
  • feat: using eval source map plugin for Rspack: #​79199
  • feat: using builtin CssChunkingPlugin for rspack: #​79762
  • fix(napi): Update generated types, add alias for RcStr: #​79915
  • [dev-overlay] Fix highlighted line cut off on scroll: #​79930
  • fix(next/font): allow custom font-family in declarations: #​76274
  • Remove subissues from Issue: #​79988
  • [devtools] Add a query parameter to restart endpoint to invalidate the persistent cache: #​79425
  • Implement handler interface for app-page: #​79568
  • Migrate app route to handler interface: #​80008
  • Turbopack Build: Fix underscore path tests: #​79778
  • Fix watchmode for taskr tasks: #​80020
  • Update font data: #​80036
  • Fix defunct ESLint overrides: #​80053
  • [devtools] Add an endpoint to poll for server status: #​80005
  • [dynamicIO] Only report client sync IO errors if they are above a Suspense boundary: #​80026
  • [dev-overlay] Parse stacks in reducer not during dispatch: #​79788
  • Remove obsolete @ts-expect-error: #​80065
  • [dev-tools] Navigation header replaces close button: #​80097
  • [dev-overlay] Inject get*Stack implementation: #​79789
  • [dev-overlay] Fix dark‐mode styling for <option> in Preferences dropdowns: #​80025
  • Use relative sources in require() instead of next/dist/ if possible: #​80054
  • [dev-overlay] Inject isRecoverableError implementation: #​80003
  • [devtool] fix explorer flag consuming and style: #​80110
  • [dev-tools] add restart dev server button to error overlay: #​80060
  • [dev-tools] add restart dev server button on dev-tools indicator preferences: #​80072
  • [chore] remove legacy useEarlyImport flag: #​80112
  • [testmode] Fix types of wrapRequestHandler: #​80055
  • Extend bot list with googleweblight, Storebot-Google, Google-Inspecti…: #​77728
  • [dev-overlay] Inject getSquashedHydrationErrorDetails implementation: #​80046
  • [dev-tools] better description for restart server button: #​80118
  • [dev-tools] style: preferences section title: #​80120
  • [metadata] refactor to remove async metadata: #​78495
  • [dynamicIO] Document client component remediations for sync IO: #​79787
  • [dynamicIO] prioritize preprocessing RSC rows when prerendering: #​80125
  • [dev-overlay] Remove unused onError in /pages: #​79982
  • Remove unused vendored server-inserted-metadata module: #​80143
  • Webpack Build: Use name-contenthash instead of name-chunkhash for dynamic imports: #​80153
  • [dev-overlay] Remove unnecessary code from /pages dev error boundary: #​79983
  • Turbopack Build: Implement helpful error for missing sass package: #​80155
  • [global-not-found] fix shared css imports not being picked: #​80151
  • Add experimental flag for RSC request validation: #​80157
  • [dev-overlay] Remove indirection in app dev error boundary : #​79984
  • Docs: preload entries impact on memory consumption: #​80098
  • [dev-overlay] Move building indicator into Dev Overlay state: #​79985
  • [metadata] only render one metadata outlet: #​80146
  • Add a regions property to the Functions Config Manifest file: #​80104
  • [metadata] fix nonce prop for hoist script: #​80174
  • docs: fix grammar in Code of Conduct section ('them' → 'it') : #​80181
  • [error-overlay] remove footer message: #​80169
  • Turbopack: Log persistent cache store time: #​80149
  • fix(turbopack): Next.js package not found panics in Turbopack: #​79572
  • [turbopack] Compute Import Traces for Issues: #​79351
  • Typecheck require() calls: #​80056
  • Revert "[turbopack] Compute Import Traces for Issues": #​80215
  • remove unique metadata prop from initial RSC payload #​79388
  • Replay redirect if RSC parameter is missing: #​80180
  • [devtool] style the segment explorer as nested view: #​80212
  • Prerender with streaming metadata during revalidation: #​80245
  • fix: invalid middleware configs should fail the build: #​80221
  • [dev-overlay] Render /app Dev Overlay with a separate React instance: #​79699
  • [devtool] display segment explorer as tree view: #​80261
  • [dev-overlay] Use same bundle for Pages and App Router: #​80019
  • Revert "Revert "[turbopack] Compute Import Traces for Issues"": #​80220
  • [dev-overlay] Publish as production bundle: #​80295
  • [metadata] only serve block streaming metadata for html bots: #​80272
  • Update font data: #​80301
  • Update font data: #​80340
  • [dev-overlay] fix duplicate re-render of errors: #​80322
  • [build-sourcemaps] Only compute codeframe once: #​80326
  • [test] Fix Dev Overlay Storybook: #​80288
  • [test] Fix crashes in Dev Overlay Stories: #​80292
  • [metadata] use https protocol for schema urls: #​80356
  • [dev-overlay] Remove positive tab-index: #​80289
  • [devtools] Implement default /.well-known/appspecific/com.chrome.devtools.json endpoint in dev: #​80260
  • [dev-overlay] Fix outstanding a11y issues reported by Axe: #​80290
  • provide declarations for server-only/client-only: #​80361
  • [test] Stop opening browser by default in local Dev Overlay Storybook: #​80291
  • [dev-overlay] Move hot reloader client code out of react-dev-overlay: #​80278
  • [dev-overlay] Remove unused code: #​80279
  • [dev-overlay]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@vercel vercel bot temporarily deployed to Preview – lcapi-examples-api June 15, 2025 03:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-nuxt June 15, 2025 03:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-sveltekit June 15, 2025 03:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-next-15 June 15, 2025 03:03 Inactive
@vercel
Copy link

vercel bot commented Jun 15, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
lcapi-examples-api Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-astro Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-next-13 Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-next-14 Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-next-15 Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-next-16 Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-next-canary Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-next-enterprise Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-nuxt Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-studio Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-sveltekit Ready Ready Preview Comment Oct 22, 2025 6:49pm
lcapi-examples-tanstack-start Ready Ready Preview Comment Oct 22, 2025 6:49pm

@vercel vercel bot temporarily deployed to Preview – lcapi-examples-astro June 15, 2025 03:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-next-enterprise June 15, 2025 03:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-tanstack-start June 15, 2025 03:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-studio June 15, 2025 03:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-next-13 June 15, 2025 03:03 Inactive
@socket-security
Copy link

socket-security bot commented Jun 15, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednext@​15.3.3 ⏵ 15.4.782 -1100 +16909870
Updatednext@​15.3.3 ⏵ 14.2.3282 -1100 +1695 +49870

View full report

@socket-security
Copy link

socket-security bot commented Jun 15, 2025
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 32a1144 to 174b155 Compare August 10, 2025 15:53
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 174b155 to 434e9a6 Compare August 13, 2025 12:37
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 7d5f521 to b170cb5 Compare October 22, 2025 18:03
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-studio October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-next-13 October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-astro October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-next-15 October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-tanstack-start October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-next-16 October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-nuxt October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-next-canary October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-api October 22, 2025 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – lcapi-examples-sveltekit October 22, 2025 18:03 Inactive
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from b170cb5 to 18a25d4 Compare October 22, 2025 18:48
@stipsan stipsan merged commit 448cea6 into main Oct 22, 2025
16 checks passed
@stipsan stipsan deleted the renovate/npm-next-vulnerability branch October 22, 2025 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 bot 📦 deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stipsan