chore(deps): update dependency next to v15 [security] #9966
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
📝 Walkthrough
A Next.js dependency version was updated from 14.2.33 to 15.0.0 in the React Next 14 integration package configuration, with no associated code or logic changes.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
No actionable comments were generated in the recent review. 🎉
View your CI Pipeline Execution ↗ for commit 0bbf93b
0e75fda to bcd89cf
Actionable comments posted: 1
🧹 Nitpick comments (1)
integrations/react-next-14/package.json (1)
10-12: Consider upgrading React to 19 to use Next.js 16's new features.
React 18.2.0 remains compatible with Next.js 16, but Next.js 16 is designed for React 19 and includes first-class support for React 19 features like React Compiler and View Transitions. Update `react` and `react-dom` to `^19.0.0` to take full advantage of Next.js 16's capabilities.
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
`pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (2)
- integrations/react-next-14/package.json
- integrations/react-next-15/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
- integrations/react-next-15/package.json
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.
Applied to files:
integrations/react-next-14/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Preview
- GitHub Check: Test
🔇 Additional comments (1)
integrations/react-next-14/package.json (1)
10-10: No action needed. The integration code is compatible with Next.js 16.0.0 without modifications. The example uses only basic React Query patterns (client-side hooks and providers) that are unaffected by Next.js 15→16 breaking changes.
| "@tanstack/react-query": "workspace:*", | ||
| "@tanstack/react-query-devtools": "workspace:*", | ||
| "next": "^14.2.33", | ||
| "next": "^16.0.0", |
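Review bot: the added `"next": "^16.0.0"` line takes this package from 14.x straight to 16.x, while the PR title targets v15. Confirm which major is intended for `integrations/react-next-14` and make the range match the title, or retitle the PR so the security scope of the bump is clear.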
Package naming inconsistency: "react-next-14" now uses Next.js 16.
The package is named react-next-14 but now depends on next: ^16.0.0. This creates confusion about which Next.js version this integration example demonstrates. Consider either:
- Renaming the package/folder to `react-next-16`, or
- Creating a separate `react-next-16` integration example while keeping this one on Next.js 14
🤖 Prompt for AI Agents
integrations/react-next-14/package.json lines 10-10: the package folder/name
indicates Next.js 14 but package.json depends on "next": "^16.0.0"; either
rename the package/folder to react-next-16 or downgrade the dependency to a
Next.js 14 release. To fix, choose one approach and apply these steps: if
renaming to react-next-16, rename the directory, update the "name" field in
package.json, update any README/docs and CI/workflow references to the new
path/name; if keeping as react-next-14, change the next dependency to a 14.x
compatible version (and run install/test to confirm compatibility), update
lockfile, and verify any code uses Next 14 APIs.
bcd89cf to aff4bbd
aff4bbd to 934f2cd
934f2cd to 1eb4cf5
0d99633 to ca8241b
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@integrations/react-next-15/package.json`:
- Line 12: Add an "engines" entry to package.json to require Node >=20.9.0
(Next.js 16 requirement) and update the "next" dependency update to ^16.0.0;
then audit and migrate integration code for Next.js 16 breaking changes: search
for any App Router page handlers that access params/searchParams synchronously
and convert them to support async params/searchParams, check
build/bundler-related config for Turbopack assumptions (and adjust Next.js
config or build scripts if you rely on webpack-specific behavior), review usages
of next/image for default/prop/security changes and update image imports/props,
and remove or replace any AMP and next lint-specific code paths; ensure React
19.2.1 remains specified if needed.
| "@tanstack/react-query": "workspace:*", | ||
| "@tanstack/react-query-devtools": "workspace:*", | ||
| "next": "^15.4.8", | ||
| "next": "^16.0.0", |
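Review bot: `"next": "^16.0.0"` replaces `^15.4.8` with a range whose floor is below 16.1.5, the 16.x release the CVE-2025-59471 text in this PR recommends. Use `^16.1.5` so a fresh resolve cannot select an earlier 16.x release.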
🧩 Analysis chain
🌐 Web query:
Next.js 16.0.0 release notes breaking changes minimum Node.js version
💡 Result:
Next.js 16.0.0 — minimum Node.js version
- Minimum Node.js: 20.9.0+ (LTS)
- Node.js 18 is no longer supported. [1][2]
Notable breaking changes (from the official 16 release notes / upgrade guide)
- `middleware.ts` → `proxy.ts` for Node.js request interception (Edge `middleware` remains but is deprecated for this use). [1][2]
- Turbopack is now the default for `next dev` and `next build` (custom webpack setups may require opting out with `--webpack`). [1][2]
- Async Request APIs / async params change (e.g., `params`/`searchParams` and related APIs are now treated as async in the App Router). [2]
- `next/image` default / security-related changes (e.g., local images with query strings require config; defaults like `minimumCacheTTL` changed). [2]
- Removals: AMP support removed, `next lint` removed, and other previously-deprecated options/APIs removed or renamed. [2]
Sources: Next.js 16 release post [1], official “Upgrading: Version 16” guide [2].
🏁 Script executed:
cat integrations/react-next-15/package.json
Repository: TanStack/query
Length of output: 529
Add engines field and review Next.js 16 breaking changes.
Next.js 16.0.0 requires Node.js 20.9.0+ (Node.js 18 no longer supported). Add "engines": { "node": ">=20.9.0" } to enforce this. React 19.2.1 is compatible. However, this upgrade has breaking changes requiring migration:
- Async `params` and `searchParams` in App Router
- Turbopack is now the default bundler
- `next/image` defaults and security changes
- AMP and `next lint` removed
Review the integration code for required updates to these areas before merging.
🤖 Prompt for AI Agents
In `@integrations/react-next-15/package.json` at line 12, Add an "engines" entry
to package.json to require Node >=20.9.0 (Next.js 16 requirement) and update the
"next" dependency update to ^16.0.0; then audit and migrate integration code for
Next.js 16 breaking changes: search for any App Router page handlers that access
params/searchParams synchronously and convert them to support async
params/searchParams, check build/bundler-related config for Turbopack
assumptions (and adjust Next.js config or build scripts if you rely on
webpack-specific behavior), review usages of next/image for
default/prop/security changes and update image imports/props, and remove or
replace any AMP and next lint-specific code paths; ensure React 19.2.1 remains
specified if needed.
ca8241b to 60bad45
60bad45 to 058fc84
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@integrations/react-next-14/package.json`:
- Around line 10-12: package.json lists "next": "^15.0.0" but still pins "react"
and "react-dom" to "^18.2.0"; update the React deps to match Next.js 15 by
changing the dependency values for "react" and "react-dom" to a React 19 range
(e.g., "^19.0.0") and run install/lockfile update and a quick build to verify
peer dependency resolution; ensure both dependency keys "react" and "react-dom"
are updated together to avoid mismatches with "next".
| "next": "^15.0.0", | ||
| "react": "^18.2.0", | ||
| "react-dom": "^18.2.0" |
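Review bot: `"next": "^15.0.0"` admits every 15.x release, including those before 15.5.10, which the CVE-2025-59471 text in this PR recommends, and `pnpm-lock.yaml` is excluded from this review, so the version actually resolved is not visible here. Raise the floor to `^15.5.10` and check the locked version.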
React version incompatibility with Next.js 15.
Next.js 15 requires React 19 for full support, but this package still specifies React 18.2.0. This mismatch may cause build failures or runtime errors due to incompatible peer dependencies.
Update the React dependencies to React 19:
🔧 Proposed fix
- "next": "^15.0.0",
- "react": "^18.2.0",
- "react-dom": "^18.2.0"
+ "next": "^15.0.0",
+ "react": "^19.0.0",
+ "react-dom": "^19.0.0"
},
"devDependencies": {
- "@types/react": "^18.2.79",
- "@types/react-dom": "^18.2.25"
+ "@types/react": "^19.0.0",
+ "@types/react-dom": "^19.0.0"
Does Next.js 15 require React 19?
🤖 Prompt for AI Agents
In `@integrations/react-next-14/package.json` around lines 10 - 12, package.json
lists "next": "^15.0.0" but still pins "react" and "react-dom" to "^18.2.0";
update the React deps to match Next.js 15 by changing the dependency values for
"react" and "react-dom" to a React 19 range (e.g., "^19.0.0") and run
install/lockfile update and a quick build to verify peer dependency resolution;
ensure both dependency keys "react" and "react-dom" are updated together to
avoid mismatches with "next".
058fc84 to 4d6a94c
4d6a94c to 49424b7
49424b7 to 0bbf93b
This PR contains the following updates:
`^14.2.33` → `^15.0.0`
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-59471
A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.
Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
GHSA-h25m-26qc-wcjf
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
Release Notes
vercel/next.js (next)
v15.5.10
Please refer to the following changelogs for more information about this security release:
v15.5.9
v15.5.8
v15.5.7
v15.5.6
Core Changes
Credits
Huge thanks to @mischnic for helping!
v15.5.5
Core Changes
`experimental.middlewareClientMaxBodySize` body cloning limit (#84722)
Misc Changes
Credits
Huge thanks to @devjiwonchoi, @ztanner, and @icyJoseph for helping!
v15.5.4
Core Changes
Misc Changes
Credits
Huge thanks to @yiminghe, @huozhi, @devjiwonchoi, @mischnic, @lukesandberg, @ztanner, @icyJoseph, @leerob, @fufuShih, @dwrth, @aymericzip, @obendev, @molebox, @OoMNoO, @pontasan, @styfle, @HondaYt, @ryuapp, @lpalmes, and @ijjk for helping!
v15.5.3
Core Changes
Credits
Huge thanks to @bgub for helping!
v15.5.2
Core Changes
Credits
Huge thanks to @bgub and @ztanner for helping!
v15.5.1
Core Changes
Credits
Huge thanks to @bgub, @mischnic, and @ztanner for helping!
v15.5.0
Core Changes
Example Changes
`with-supabase` example to use `getClaims()`: #81383
Misc Changes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
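The advisory text above names 15.5.10 and 16.1.5 as the releases to upgrade to, while the ranges in this PR start at 15.0.0 and 16.0.0. The following check is an added example, not code from the PR or the project; the manifests are constructed samples, and `auditNextRange` and its status strings are hypothetical names.

```javascript
// Fixed releases per major line, taken from the advisory text on this page.
const FIXED_BY_MAJOR = { 15: "15.5.10", 16: "16.1.5" };

// Parse "X.Y.Z" into [X, Y, Z]; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Lowest version a range admits. Handles only exact, ^ and ~ ranges.
function rangeFloor(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? parseVersion(m[1]) : null;
}

// Classify the declared range for `next` in a parsed package.json object.
function auditNextRange(pkg) {
  const range = (pkg.dependencies || {}).next;
  if (!range) return { status: "absent" };
  const floor = rangeFloor(range);
  if (!floor) return { status: "unparsed", range };
  const fixed = FIXED_BY_MAJOR[floor[0]];
  if (!fixed) return { status: "no-fixed-release-listed", range };
  const ok = compareVersions(floor, parseVersion(fixed)) >= 0;
  return { status: ok ? "floor-patched" : "floor-admits-affected", range, fixed };
}

// Constructed sample manifests using ranges that appear in this PR.
const samples = [
  { name: "sample-a", dependencies: { next: "^15.0.0" } },
  { name: "sample-b", dependencies: { next: "^16.0.0" } },
  { name: "sample-c", dependencies: { next: "^15.5.10" } },
];
for (const pkg of samples) {
  console.log(pkg.name, JSON.stringify(auditNextRange(pkg)));
}
```

A passing floor only constrains future resolves; the version pinned in `pnpm-lock.yaml` is what gets installed and needs its own check.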