Skip to content

chore(deps): update dependency next to v15.5.10 [security] #1029

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency next to v15.5.10 [security] #1029

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 4, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
next (source) 15.5.015.5.10 age confidence

GitHub Vulnerability Alerts

GHSA-9qr9-h5gf-34mp

A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

1 The affected React packages are:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

Release Notes

vercel/next.js (next)

v15.5.10

Compare Source

Please refer the following changelogs for more information about this security release:

v15.5.9

Compare Source

v15.5.8

Compare Source

v15.5.7

Compare Source

v15.5.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Turbopack: don't define process.cwd() in node_modules #​83452
Credits

Huge thanks to @​mischnic for helping!

v15.5.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Split code-frame into separate compiled package (#​84238)
  • Add deprecation warning to Runtime config (#​84650)
  • fix: unstable_cache should perform blocking revalidation during ISR revalidation (#​84716)
  • feat: experimental.middlewareClientMaxBodySize body cloning limit (#​84722)
  • fix: missing next/link types with typedRoutes (#​84779)
Misc Changes
  • docs: early October improvements and fixes (#​84334)
Credits

Huge thanks to @​devjiwonchoi, @​ztanner, and @​icyJoseph for helping!

v15.5.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: ensure onRequestError is invoked when otel enabled (#​83343)
  • fix: devtools initial position should be from next config (#​83571)
  • [devtool] fix overlay styles are missing (#​83721)
  • Turbopack: don't match dynamic pattern for node_modules packages (#​83176)
  • Turbopack: don't treat metadata routes as RSC (#​82911)
  • [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#​83357)
  • Turbopack: throw large static metadata error earlier (#​82939)
  • fix: error overlay not closing when backdrop clicked (#​83981)
  • Turbopack: flush Node.js worker IPC on error (#​84077)
Misc Changes
  • [CNA] use linter preference (#​83194)
  • CI: use KV for test timing data (#​83745)
  • docs: september improvements and fixes (#​83997)
Credits

Huge thanks to @​yiminghe, @​huozhi, @​devjiwonchoi, @​mischnic, @​lukesandberg, @​ztanner, @​icyJoseph, @​leerob, @​fufuShih, @​dwrth, @​aymericzip, @​obendev, @​molebox, @​OoMNoO, @​pontasan, @​styfle, @​HondaYt, @​ryuapp, @​lpalmes, and @​ijjk for helping!

v15.5.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: validation return types of pages API routes (#​83069)
  • fix: relative paths in dev in validator.ts (#​83073)
  • fix: remove satisfies keyword from type validation to preserve old TS compatibility (#​83071)
Credits

Huge thanks to @​bgub for helping!

v15.5.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: disable unknownatrules lint rule entirely (#​83059)
  • revert: add ?dpl to fonts in /_next/static/media (#​83062)
Credits

Huge thanks to @​bgub and @​ztanner for helping!

v15.5.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: aliased navigations should apply scroll handling (#​82900)
  • Turbopack: fix invalid NFT entry with file behind symlink (#​82887)
  • fix: typesafe linking to route handlers and pages API routes (#​82858)
  • fix: change "noUnknownAtRules" to "warn" for Biome (#​82974)
  • fix: add path normalization to getRelativePath for Windows (#​82918)
  • feat: add typesafety with config.typedRoutes to redirect() and permanentRedirect() (#​82860)
  • fix: avoid importing types that will be unused (#​82856)
  • fix: update the config.api.responseLimit type (#​82852)
  • fix: update validation return types (#​82854)
Credits

Huge thanks to @​bgub, @​mischnic, and @​ztanner for helping!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel
Copy link

vercel bot commented Dec 4, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ui-www Ready Ready Preview, Comment Feb 5, 2026 5:32pm

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 92dc17f to 5c3b1e6 Compare December 31, 2025 15:34
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 5c3b1e6 to b1ff468 Compare January 8, 2026 19:10
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from b1ff468 to d41958b Compare January 19, 2026 19:32
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from d41958b to e265962 Compare January 23, 2026 19:51
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from e265962 to bdc8b9d Compare January 29, 2026 13:49
@renovate renovate bot changed the title chore(deps): update dependency next to v15.5.7 [security] fix(deps): update dependency next to v16 [security] Jan 29, 2026
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from bdc8b9d to e3aa716 Compare February 5, 2026 17:29
@renovate renovate bot changed the title fix(deps): update dependency next to v16 [security] chore(deps): update dependency next to v15.5.10 [security] Feb 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants