chore(deps): update dependency next to v16.1.7 [security] #9966
renovate[bot] wants to merge 1 commit into main from
Conversation
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
📝 Walkthrough
A Next.js dependency version was updated from 14.2.33 to 15.0.0 in the React Next 14 integration package configuration, with no associated code or logic changes.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 1 | ❌ 2
❌ Failed checks (2 warnings)
✅ Passed checks (1 passed)
Nx Cloud: View your CI Pipeline Execution ↗ for commit dd78786
0e75fda to bcd89cf (Compare)
Actionable comments posted: 1
🧹 Nitpick comments (1)
integrations/react-next-14/package.json (1)
10-12: Consider upgrading React to 19 to use Next.js 16's new features. React 18.2.0 remains compatible with Next.js 16, but Next.js 16 is designed for React 19 and includes first-class support for React 19 features like React Compiler and View Transitions. Update `react` and `react-dom` to `^19.0.0` to take full advantage of Next.js 16's capabilities.
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (2)
- integrations/react-next-14/package.json
- integrations/react-next-15/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
- integrations/react-next-15/package.json
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from `@tanstack/query-core` in other TanStack Query packages like query-async-storage-persister, a workspace dependency `"@tanstack/query-core": "workspace:*"` needs to be added to the package.json.
Applied to files:
integrations/react-next-14/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Preview
- GitHub Check: Test
🔇 Additional comments (1)
integrations/react-next-14/package.json (1)
10-10: No action needed. The integration code is compatible with Next.js 16.0.0 without modifications. The example uses only basic React Query patterns (client-side hooks and providers) that are unaffected by Next.js 15→16 breaking changes.
| "@tanstack/react-query": "workspace:*", | ||
| "@tanstack/react-query-devtools": "workspace:*", | ||
| "next": "^14.2.33", | ||
| "next": "^16.0.0", |
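Review bot: `^16.0.0` on the `next` line only sets the floor of the range; whether an install actually gets the patched release depends on what pnpm-lock.yaml resolves it to, and that file is excluded from this review by the `!**/pnpm-lock.yaml` path filter listed above. Before merging, confirm the lockfile pins `next` at 16.1.7 (the version in the PR title; the CVE-2025-59471 advisory quoted in the PR description names 16.1.5 as the first patched 16.x), since a range that resolves to an older 16.x would leave the listed advisories unaddressed.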
Package naming inconsistency: "react-next-14" now uses Next.js 16.
The package is named react-next-14 but now depends on next: ^16.0.0. This creates confusion about which Next.js version this integration example demonstrates. Consider either:
- Renaming the package/folder to react-next-16, or
- Creating a separate react-next-16 integration example while keeping this one on Next.js 14
🤖 Prompt for AI Agents
integrations/react-next-14/package.json lines 10-10: the package folder/name
indicates Next.js 14 but package.json depends on "next": "^16.0.0"; either
rename the package/folder to react-next-16 or downgrade the dependency to a
Next.js 14 release. To fix, choose one approach and apply these steps: if
renaming to react-next-16, rename the directory, update the "name" field in
package.json, update any README/docs and CI/workflow references to the new
path/name; if keeping as react-next-14, change the next dependency to a 14.x
compatible version (and run install/test to confirm compatibility), update
lockfile, and verify any code uses Next 14 APIs.
bcd89cf to aff4bbd (Compare)
aff4bbd to 934f2cd (Compare)
934f2cd to 1eb4cf5 (Compare)
size-limit report 📦
0d99633 to ca8241b (Compare)
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@integrations/react-next-15/package.json`:
- Line 12: Add an "engines" entry to package.json to require Node >=20.9.0
(Next.js 16 requirement) and update the "next" dependency update to ^16.0.0;
then audit and migrate integration code for Next.js 16 breaking changes: search
for any App Router page handlers that access params/searchParams synchronously
and convert them to support async params/searchParams, check
build/bundler-related config for Turbopack assumptions (and adjust Next.js
config or build scripts if you rely on webpack-specific behavior), review usages
of next/image for default/prop/security changes and update image imports/props,
and remove or replace any AMP and next lint-specific code paths; ensure React
19.2.1 remains specified if needed.
| "@tanstack/react-query": "workspace:*", | ||
| "@tanstack/react-query-devtools": "workspace:*", | ||
| "next": "^15.4.8", | ||
| "next": "^16.0.0", |
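Review bot: this hunk moves the `react-next-15` integration to the same `^16.0.0` range the `react-next-14` manifest now uses, so after this PR neither example exercises the Next.js major its directory name claims and the two manifests are equivalent on this dependency. If the intent is to keep a 15.x example, `^15.5.10` is the smallest range that still satisfies the CVE-2025-59471 advisory quoted in the PR description (it names 15.5.10 as the patched 15.x); if the intent is to consolidate on 16, rename or drop one of the directories in the same PR so the examples stay distinguishable.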
🧩 Analysis chain
🌐 Web query:
Next.js 16.0.0 release notes breaking changes minimum Node.js version
💡 Result:
Next.js 16.0.0 — minimum Node.js version
- Minimum Node.js: 20.9.0+ (LTS)
- Node.js 18 is no longer supported. [1][2]
Notable breaking changes (from the official 16 release notes / upgrade guide)
- `middleware.ts` → `proxy.ts` for Node.js request interception (Edge `middleware` remains but is deprecated for this use). [1][2]
- Turbopack is now the default for `next dev` and `next build` (custom webpack setups may require opting out with `--webpack`). [1][2]
- Async Request APIs / async params change (e.g., `params`/`searchParams` and related APIs are now treated as async in the App Router). [2]
- `next/image` default / security-related changes (e.g., local images with query strings require config; defaults like `minimumCacheTTL` changed). [2]
- Removals: AMP support removed, `next lint` removed, and other previously-deprecated options/APIs removed or renamed. [2]
Sources: Next.js 16 release post [1], official “Upgrading: Version 16” guide [2].
🏁 Script executed:
cat integrations/react-next-15/package.json
Repository: TanStack/query
Length of output: 529
Add engines field and review Next.js 16 breaking changes.
Next.js 16.0.0 requires Node.js 20.9.0+ (Node.js 18 no longer supported). Add "engines": { "node": ">=20.9.0" } to enforce this. React 19.2.1 is compatible. However, this upgrade has breaking changes requiring migration:
- Async `params` and `searchParams` in App Router
- Turbopack is now the default bundler
- `next/image` defaults and security changes
- AMP and `next lint` removed
Review the integration code for required updates to these areas before merging.
🤖 Prompt for AI Agents
In `@integrations/react-next-15/package.json` at line 12, Add an "engines" entry
to package.json to require Node >=20.9.0 (Next.js 16 requirement) and update the
"next" dependency update to ^16.0.0; then audit and migrate integration code for
Next.js 16 breaking changes: search for any App Router page handlers that access
params/searchParams synchronously and convert them to support async
params/searchParams, check build/bundler-related config for Turbopack
assumptions (and adjust Next.js config or build scripts if you rely on
webpack-specific behavior), review usages of next/image for
default/prop/security changes and update image imports/props, and remove or
replace any AMP and next lint-specific code paths; ensure React 19.2.1 remains
specified if needed.
ca8241b to 60bad45 (Compare)
60bad45 to 058fc84 (Compare)
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@integrations/react-next-14/package.json`:
- Around line 10-12: package.json lists "next": "^15.0.0" but still pins "react"
and "react-dom" to "^18.2.0"; update the React deps to match Next.js 15 by
changing the dependency values for "react" and "react-dom" to a React 19 range
(e.g., "^19.0.0") and run install/lockfile update and a quick build to verify
peer dependency resolution; ensure both dependency keys "react" and "react-dom"
are updated together to avoid mismatches with "next".
| "next": "^15.0.0", | ||
| "react": "^18.2.0", | ||
| "react-dom": "^18.2.0" |
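Review bot: `^15.0.0` puts the floor of the `next` range at the first 15.x release, below 15.5.10, the version the CVE-2025-59471 advisory in the PR description names as patched; a security bump should set the floor at or above the fixed release so that a lockfile resolving the minimum of the range is still safe. The `react`/`react-dom` `^18.2.0` lines are not the dependency this PR updates, so any React bump is a separate decision from this security update and should not block it.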
React version incompatibility with Next.js 15.
Next.js 15 requires React 19 for full support, but this package still specifies React 18.2.0. This mismatch may cause build failures or runtime errors due to incompatible peer dependencies.
Update the React dependencies to React 19:
🔧 Proposed fix
- "next": "^15.0.0",
- "react": "^18.2.0",
- "react-dom": "^18.2.0"
+ "next": "^15.0.0",
+ "react": "^19.0.0",
+ "react-dom": "^19.0.0"
},
"devDependencies": {
- "@types/react": "^18.2.79",
- "@types/react-dom": "^18.2.25"
+ "@types/react": "^19.0.0",
+ "@types/react-dom": "^19.0.0"
Does Next.js 15 require React 19?
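Review bot: the proposed fix widens a security-only dependency update into a React major upgrade on the strength of "may cause build failures", which nothing on this thread demonstrates; the nitpick comment earlier on this thread states that React 18.2.0 remains compatible. Keep the `react`, `react-dom` and `@types/react*` lines out of this PR unless the Test or Preview checks actually fail with Next 15 on React 18, and land the React 19 move separately with its own changeset.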
🤖 Prompt for AI Agents
In `@integrations/react-next-14/package.json` around lines 10 - 12, package.json
lists "next": "^15.0.0" but still pins "react" and "react-dom" to "^18.2.0";
update the React deps to match Next.js 15 by changing the dependency values for
"react" and "react-dom" to a React 19 range (e.g., "^19.0.0") and run
install/lockfile update and a quick build to verify peer dependency resolution;
ensure both dependency keys "react" and "react-dom" are updated together to
avoid mismatches with "next".
058fc84 to 4d6a94c (Compare)
4d6a94c to 49424b7 (Compare)
0bbf93b to 49a6885 (Compare)
49a6885 to dbac152 (Compare)
dbac152 to b174a7a (Compare)
b3c0dbf to 983657d (Compare)
🚀 Changeset Version Preview: 1 package(s) bumped directly, 0 bumped as dependents. 🟩 Patch bumps
983657d to dd78786 (Compare)
This PR contains the following updates:
| Package | Change |
|---|---|
| next | 16.1.6 → 16.1.7 |
| next | ^15.4.8 → ^16.0.0 |
| next | ^14.2.33 → ^16.0.0 |
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-59471
A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
GHSA-h25m-26qc-wcjf
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
CVE-2026-27977
Summary
In `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.
Impact
If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only.
Apps without a configured `allowedDevOrigins` still allow connections from any origin.
Patches
Fixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins.
Workarounds
If upgrade is not immediately possible:
- Do not expose `next dev` to untrusted networks.
- Block `/_next/webpack-hmr` when `Origin` is `null` at your proxy.
CVE-2026-27978
Summary
`origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.
Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
Patches
Fixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`.
Workarounds
If upgrade is not immediately possible:
- Use `SameSite=Strict` on sensitive auth cookies.
- Do not allowlist `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
CVE-2026-27979
Summary
A request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.
Impact
In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.
Patches
Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.
Workarounds
If upgrade is not immediately possible:
- Block requests that carry the `next-resume` header, as this is never valid to be sent from an untrusted client.
CVE-2026-29057
Summary
When Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.
Impact
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.
Workarounds
If upgrade is not immediately possible:
- Reject `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.
CVE-2026-27980
Summary
The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.
Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.
Patches
Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching.
Workarounds
If upgrade is not immediately possible:
- Monitor disk usage of `.next/cache/images`.
- Restrict which images can be optimized (`images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
Release Notes
vercel/next.js (next)
v16.1.7 (Compare Source)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
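The proxy-side workarounds the advisories in this PR describe (block `Origin: null` on the dev HMR socket, drop a client-supplied `next-resume` header, reject chunked `DELETE`/`OPTIONS` on rewritten routes, optimize only images from deliberately allowed hosts, and treat `'null'` as an explicit origin for Server Actions instead of a missing one) as one JavaScript request filter. This is an added example written for this review; it is not Next.js, Renovate or TanStack code. The policy values, the `/api/legacy/` rewrite prefix, the host names, and the use of a `next-action` request header to recognise Server Action requests are assumptions of the example. The pre-fix and hardened origin checks are shown side by side so the CVE-2026-27978 bypass is visible.

```javascript
// Added example (not Next.js code): a request filter a reverse proxy or custom
// Node.js server could run in front of a Next.js app, applying the advisory
// workarounds listed in this PR. All policy values below are assumptions.
const DEFAULT_POLICY = {
  allowedOrigins: new Set(['https://app.example.com']), // origins the app is served from (assumed)
  allowNullOrigin: false,               // true only if 'null' is deliberately allowlisted
  rewrittenPrefixes: ['/api/legacy/'],  // routes rewritten to an external backend (assumed)
  allowedImageHosts: new Set(['cdn.example.com']), // stands in for images.remotePatterns (assumed)
};

// Case-insensitive header lookup; returns undefined when the header is absent.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// Pre-fix behaviour described for CVE-2026-27978: 'null' is handled like a
// missing Origin, so a sandboxed (opaque) context skips the cross-site check.
function originAllowedVulnerable(origin, policy) {
  if (origin === undefined || origin === 'null') return true;
  return policy.allowedOrigins.has(origin);
}

// Hardened behaviour: 'null' is an explicit origin value, accepted only when
// allowlisted. Rejecting a missing Origin on a state-changing request is a
// design choice of this example, stricter than the advisory text describes.
function originAllowedHardened(origin, policy) {
  if (origin === undefined) return false;
  if (origin === 'null') return policy.allowNullOrigin === true;
  return policy.allowedOrigins.has(origin);
}

// For /_next/image?url=..., allow remote fetches only from allowlisted hosts.
// Relative (local) image paths are left to the app's own localPatterns config.
function imageHostAllowed(path, policy) {
  const query = path.split('?')[1] ?? '';
  const target = new URLSearchParams(query).get('url') ?? '';
  if (!/^https?:\/\//i.test(target)) return true;
  try {
    return policy.allowedImageHosts.has(new URL(target).hostname);
  } catch {
    return false; // absolute URL that does not parse: never forward it
  }
}

// Decide whether a request may be forwarded to the Next.js server.
// req = { method, path, headers }; returns { action: 'allow' | 'deny', reason }.
function evaluateRequest(req, policy = DEFAULT_POLICY) {
  const method = req.method.toUpperCase();
  const origin = header(req.headers, 'origin');
  const pathOnly = req.path.split('?')[0];

  // CVE-2026-27977 workaround: an opaque origin must not reach the dev HMR socket.
  if (pathOnly.startsWith('/_next/webpack-hmr') && origin === 'null') {
    return { action: 'deny', reason: 'null origin on HMR endpoint' };
  }
  // CVE-2026-27979 workaround: next-resume is never valid from an untrusted client.
  if (header(req.headers, 'next-resume') !== undefined) {
    return { action: 'deny', reason: 'client-supplied next-resume header' };
  }
  // CVE-2026-29057 workaround: chunked DELETE/OPTIONS on a rewritten route.
  const te = header(req.headers, 'transfer-encoding') ?? '';
  if ((method === 'DELETE' || method === 'OPTIONS') && te.toLowerCase().includes('chunked') &&
      policy.rewrittenPrefixes.some((prefix) => pathOnly.startsWith(prefix))) {
    return { action: 'deny', reason: 'chunked DELETE/OPTIONS on rewritten route' };
  }
  // CVE-2025-59471 / CVE-2026-27980 mitigation: restrict which remote images are optimized.
  if (pathOnly === '/_next/image' && !imageHostAllowed(req.path, policy)) {
    return { action: 'deny', reason: 'image host not allowed' };
  }
  // CVE-2026-27978 hardening: Server Action POSTs get a real origin check.
  if (method === 'POST' && header(req.headers, 'next-action') !== undefined &&
      !originAllowedHardened(origin, policy)) {
    return { action: 'deny', reason: `origin not allowed: ${origin}` };
  }
  return { action: 'allow', reason: 'ok' };
}

// Constructed sample (not captured traffic): a Server Action POST from a sandboxed iframe.
const sandboxedActionPost = {
  method: 'POST',
  path: '/account/delete',
  headers: { Origin: 'null', 'Next-Action': '7f3a' },
};
// evaluateRequest(sandboxedActionPost).action === 'deny', while the pre-fix
// check originAllowedVulnerable('null', DEFAULT_POLICY) returns true.
```

This is defence in depth for the window before the upgrade lands, not a substitute for it: the next-resume and smuggling checks only hold if this filter sits on every path into the app, and the image-host check mirrors, rather than replaces, a restrictive `images.remotePatterns`. Rejecting a missing `Origin` on Server Action POSTs is deliberately stricter than the advisory; relax it only if non-browser clients legitimately call those endpoints.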