fix(deps): update dependency next to v16 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	~15.2.8 → ~16.0.0

GitHub Vulnerability Alerts

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

GHSA-h25m-26qc-wcjf

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

---

Release Notes

vercel/next.js (next)

v16.0.10

Compare Source

v16.0.9

Compare Source

v16.0.8

Compare Source

v16.0.7

Compare Source

v16.0.6

Compare Source

v16.0.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(nodejs-middleware): await for body cloning to be properly finalized (#​85418)

Credits

Huge thanks to @​lucasadrianof for helping!

v16.0.4

Compare Source

v16.0.3

Compare Source

Core Changes

• fix: Rspack throw error when using ForceCompleteRuntimePlugin: #​85221
• fix: build CLI output not displaying Proxy (Middleware) when nodejs runtime: #​85403
• fix: staleTimes.static should consistently enforce a 30s minimum: #​85479
• [turbopack] fix build of empty entries of pages: #​84873
• Cache the head separately from the route tree: #​84724
• Allow inspecting dev server on default port with next dev --inspect: #​85037
• Avoid proxying React modules through workUnitStore: #​85486
• fix: redirect should always return updated router state: #​85533
• Upgrade React from b4455a6e-20251027 to 4f931700-20251029: #​85518
• [turbopack] Move generation of cacheLife types out of the webpack plugin and into the dev bundler directly: #​85539
• Ensure user-space stack frame for 'use cache' in page/layout component: #​85519
• Update parallel routes in build-complete: #​85546
• fully remove clientSegmentCache flag: #​85541
• [turbopack] Support relative paths in turbopack source maps.: #​85146
• Release unnecessary memory on hydration finish: #​84967
• Preserve interception markers in parameter types: #​85526
• move segment cache entries to top level segment-cache dir: #​85542
• Upgrade React from 4f931700-20251029 to 561ee24d-20251101: #​85670
• [devtools] Remove title from preferences: #​85698
• Update font data: #​85708
• Don't invalidate hot reloader excessively during dev server boot: #​85732
• [codemod] fix: next-lint-to-eslint-cli did not handle 'next' plugin: #​85749
• Upgrade React from 561ee24d-20251101 to 67f7d47a-20251103: #​85762
• Tracing: Fix memory leak in span map: #​85529
• Fix documentation typo in refresh function: #​85696
• fix: eslint-config-next types was exporting to dist/src: #​85768
• Upgrade React from 67f7d47a-20251103 to f646e8ff-20251104: #​85772
• remove unused RSC payload property: #​85746
• [runtime prefetching]: fix runtime prefetching when deployed: #​85595
• Turbopack: next build --analyze: #​85197
• Build: Log amount of workers during static generation: #​85706
• Upgrade React from f646e8ff-20251104 to dd048c3b-20251105: #​85819
• Sync devFallbackParams when generateStaticParams change: #​85741
• chore: upgrade rspack 1.6.0: #​84210
• [mcp] get_routes mcp tool: #​85773
• Split each path param into a separate cache key : #​85758
• [turbopack] change server source maps in production to use relative paths: #​85576
• fix: skip collecting metadata for app-error in webpack: #​85892
• fix: support root span attributes with a custom server: #​85521
• fix isDynamicRSC condition when deployed: #​85919
• [turbopack] Make it possible to synchronously access native bindings: #​85787
• Upgrade React from dd048c3b-20251105 to fa50caf5-20251107: #​85906
• Fix telemetry event loss on build failures and server shutdown: #​85867
• Remove one stack frame from 'use cache' call stacks: #​85966
• Upgrade React from fa50caf5-20251107 to 52684925-20251110: #​85980
• Deployment adapter: fix metadata for "/" route: #​85820
• Enable React's default Transition indicator behind a flag: #​86000
• update routes-manifest to include whether app has pages routes: #​86051

Misc Changes

• chore: Add opt-level = s for not frequently used crates: #​85426
• [test] Deflake cache-components-allow-otel-spans: #​85466
• [test] Move remaining experimental.cacheLife: #​85467
• Turbopack: chore: Remove mopa dependency in turbo-tasks (2nd attempt): #​85286
• Update Proxy docs: #​85439
• [CNA] Do not prompt for Turbopack: #​85404
• Clean up new release process: #​85458
• Update E2E tests workflow: #​85485
• Update E2E deploy tests manifest: #​85483
• docs: example are incorrect async function exports only: #​85453
• [test] Handle CLI assertions where no "Compiling..." log is present: #​85499
• [test] Speed up refresh test: #​85505
• [test] Add test cases for dynamic caches without suspense boundaries: #​85500
• docs: Routes are wrapped w/ Activity in Cache Components: #​85309
• docs: GET handler behavior under cache components: #​85389
• [test] Avoid needless start/stop from using createSandbox: #​85507
• [test] Use --debug-build-paths instead of NEXT_PRIVATE_APP_PATHS: #​85504
• docs: revalidateTag requires second argument: #​85284
• Refactor GTM implementation to support google tag gateway: #​81011
• Update Rspack production test manifest: #​85494
• Update Rspack development test manifest: #​85495
• [docs] Fix a typo: #​85492
• [test] Regenerate tsconfig.json files: #​85515
• [Turbopack] clean up completion.rs a bit: #​84863
• [test] Remove maxRetries and hardError parameters: #​85536
• Turbopack: remove the .into() alias to .cell(): #​85516
• [test] Consolidate identical snapshots across different bundlers: #​85532
• [turbopack] Change where cells are created in resolve_raw to make cell allocation order deterministic.: #​85525
• Turbopack: Make tasks deterministic: #​85524
• [test] Separate act and assertions: #​85508
• [test] assert* -> waitFor* when the util is not instant: #​85450
• Turbopack: move whole_app_module_graphs to top level: #​84897
• [test] Bail on sending requests to Next.js instance if it's no longer available: #​85557
• [test] Deflake tests comparing two random numbers: #​85571
• [test] Disallow custom RegExp-like implementations in check: #​85537
• [test] Deflake prerender suite: #​85563
• Turbopack: chore: Remove some dead MagicAny serialization code from turbo_tasks::value: #​85577
• [test]: fix broken scroll restoration test: #​85599
• [test] Deflake nested after() tests: #​85566
• [test] Stop installing unused dependencies: #​85569
• [test] Consider test/integration/ in flake detection tests: #​85590
• Turbopack: more checks on verify_serialization: #​84952
• Turbopack: add track_caller to improve panics: #​85565
• Turbopack: add verify_determinism feature to check if tasks are deterministic: #​85559
• docs: cache life rework: #​85224
• Turbopack: fix hanging dev server and builds with fs cache: #​85606
• Turbopack: Fix compound assignment expression evaluation (#​85478): #​85593
• Turbopack: fix Scope holding Arc too long: #​85611
• [ci] Improve change detection logic in run-for-change script: #​85619
• [test] Ignore in deploy tests if a child process isn't available: #​85636
• Turbopack: add size_hint and len for Chunk iterator: #​85622
• [test]: move resume-data-cache to e2e test: #​85647
• Update Rspack development test manifest: #​85662
• Update Rspack production test manifest: #​85661
• Update Rspack production test manifest: #​85688
• Update Rspack development test manifest: #​85689
• [test] Deflake root-optional-revalidate: #​85584
• docs: fix generateImageMetadata example to use normal params object: #​85658
• Turbopack: Upgrade image crate: #​85084
• docs: update multi sitemap argumenmt type: #​85701
• [test] Move all files to .ts (6/6): #​85641
• Turbopack: add a batch add method to the storage: #​84270
• docs: recommend reverse-proxy when self-hosting: #​85650
• [test] Deflake prefetching.stale-times: #​85733
• [test] Deflake custom cache handler test: #​85610
• [test] Allow CLI integration test to be retryable: #​85586
• docs: update docs to mention ESLint as default: #​85740
• docs(next.config): this docs should remove ".mts" is not supported.: #​85716
• Turbopack: cleanup StyleSheetLike: #​85718
• Turbopack: disable tree shaking for tracing: #​85722
• [test] Move all files to .ts (3/6): #​85638
• [test] Move all files to .ts (2/6): #​85637
• [test] Move all files to .ts (1/6): #​85634
• docs: generateSitemap passes id as promise: #​85767
• [test] Move all files to .ts (4/6): #​85639
• docs: disclosure on path-to-regexp: #​85629
• chore: update rspack binding to 1.6.0: #​85717
• Turbopack: trace worker_threads worker entry: #​85734
• Update Rspack development test manifest: #​85761
• Turbopack: chore: Remove extern crate and macro_use syntax: #​85778
• [turbopack] Drop duration and allocation tracking from CaptureFuture: #​85534
• Turbopack: chore: Remove dead RouteMatcher stuff: #​85784
• docs: fresh up getting started 00: #​85736
• Turbopack: chore: Remove the serde_regex dependency, which wasn't very heavily used: #​85578
• Turbopack: use batch add in connect children: #​85623
• [test] Move all files to .ts (5/6): #​85640
• [test] Deflake legacy-link-behavior: #​85805
• Resolve request ID confusion: #​85809
• Turbopack: use batch add to add initial followers: #​85624
• Turbopack: chore: Remove dead experimental.ppr struct field: #​85792
• Turbopack: chore: Avoid string clones in Glob::parse by using RcStr: #​85579
• Update Rspack production test manifest: #​85795
• docs: getting started updates 01: #​85750
• chore: Update patricia_tree dependency, remove manual serde impls: #​85785
• docs: keywords in system reqs and add browserslist: #​85838
• Honour NEXT_TEST_PREFER_OFFLINE in install-native.mjs: #​85850
• Turbopack: chore: Update anyhow, remove old backtrace feature: #​85844
• Turbopack: Remove some dead (or useless) code from next-core/src/next_client_reference/visit_client_reference.rs: #​85843
• sort dependencies for smaller diffs: #​82291
• Update Rspack development test manifest: #​85846
• Turbopack: Remove non_operation_vc_strongly_consistent feature usage from next-api: #​85874
• Turbopack: remove the streaming hack for improved stability: #​85858
• test: Port clean-distdir integration test to the modern e2e test framework: #​85828
• Update font data: #​85920
• Update deploy manifest: #​85924
• Turbopack: chore: Merge turbo-tasks-macros-shared crate into turbo-tasks-macros: #​85917
• Turbopack: Fix IO concurrency for MacOS: #​85861
• Add Appwrite Sites to supported adapters: #​85830
• [turbopack] Remove LocalTaskType::Native, it is dead: #​85480
• [test] Increase response timeout in next.browserWithResponse(): #​85911
• Hoist inner 'use cache' functions to reduce function allocations: #​85904
• docs: eslint config update: #​85969
• Fix Turbopack local font font-family declaration: #​85913
• switch to slice in createRuntimePrefetchTransformStream: #​85822
• Update authentication.mdx: Fix Auth0 Link: #​85953
• Turbopack: remove unused function: #​85974
• docs: cacheHandlers: #​85311
• docs: Feedback item on proxy default: #​86004
• [test] Add missing test fixtures for cacheLife & cacheTag in client: #​85872
• Fix false-positive build error for cacheLife & cacheTag: #​85875
• [cna] For pnpm ignore postinstall from sharp and unrs-resolver: #​83168
• Turbopack: refactor evaluate to take module_graph: #​85971
• Turbopack: remove duplicate traversal implementations: #​85853
• Omit unused encryptActionBoundArgs/decryptActionBoundArgs imports: #​86015
• Turbopack: cleanup db log and add verbose option: #​85965
• [ci]: fix retry_deploy_test workflow: #​85981
• Fix typo in documentation: #​86054

Credits

Huge thanks to @​kdy1, @​eps1lon, @​SyMind, @​bgw, @​swarnava, @​devjiwonchoi, @​ztanner, @​ijjk, @​huozhi, @​icyJoseph, @​acdlite, @​unstubbable, @​gnoff, @​gusfune, @​vercel-release-bot, @​lukesandberg, @​sokra, @​hayes, @​shuding, @​wyattjoh, @​marjan-ahmed, @​timneutkens, @​ajstrongdev, @​zigang93, @​mischnic, @​Nayeem-XTREME, @​hamirmahal, @​eli0shin, @​tessamero, @​gaojude, @​jamesdaniels, @​georgesfarah, and @​timeyoutakeit for helping!

v16.0.2

Compare Source

[!NOTE]
This version includes no code or feature changes. To get the latest change, please look for the next patch release v16.0.3 or next@​latest

v16.0.1

Compare Source

v16.0.0

Compare Source

v15.5.11

Compare Source

v15.5.10

Compare Source

v15.5.9

Compare Source

v15.5.8

Compare Source

v15.5.7

Compare Source

v15.5.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: don't define process.cwd() in node_modules #​83452

Credits

Huge thanks to @​mischnic for helping!

v15.5.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Split code-frame into separate compiled package (#​84238)
• Add deprecation warning to Runtime config (#​84650)
• fix: unstable_cache should perform blocking revalidation during ISR revalidation (#​84716)
• feat: experimental.middlewareClientMaxBodySize body cloning limit (#​84722)
• fix: missing next/link types with typedRoutes (#​84779)

Misc Changes

• docs: early October improvements and fixes (#​84334)

Credits

Huge thanks to @​devjiwonchoi, @​ztanner, and @​icyJoseph for helping!

v15.5.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: ensure onRequestError is invoked when otel enabled (#​83343)
• fix: devtools initial position should be from next config (#​83571)
• [devtool] fix overlay styles are missing (#​83721)
• Turbopack: don't match dynamic pattern for node_modules packages (#​83176)
• Turbopack: don't treat metadata routes as RSC (#​82911)
• [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#​83357)
• Turbopack: throw large static metadata error earlier (#​82939)
• fix: error overlay not closing when backdrop clicked (#​83981)
• Turbopack: flush Node.js worker IPC on error (#​84077)

Misc Changes

• [CNA] use linter preference (#​83194)
• CI: use KV for test timing data (#​83745)
• docs: september improvements and fixes (#​83997)

Credits

Huge thanks to @​yiminghe, @​huozhi, @​devjiwonchoi, @​mischnic, @​lukesandberg, @​ztanner, @​icyJoseph, @​leerob, @​fufuShih, @​dwrth, @​aymericzip, @​obendev, @​molebox, @​OoMNoO, @​pontasan, @​styfle, @​HondaYt, @​ryuapp, @​lpalmes, and @​ijjk for helping!

v15.5.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: validation return types of pages API routes (#​83069)
• fix: relative paths in dev in validator.ts (#​83073)
• fix: remove satisfies keyword from type validation to preserve old TS compatibility (#​83071)

Credits

Huge thanks to @​bgub for helping!

v15.5.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: disable unknownatrules lint rule entirely (#​83059)
• revert: add ?dpl to fonts in /_next/static/media (#​83062)

Credits

Huge thanks to @​bgub and @​ztanner for helping!

v15.5.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: aliased navigations should apply scroll handling (#​82900)
• Turbopack: fix invalid NFT entry with file behind symlink (#​82887)
• fix: typesafe linking to route handlers and pages API routes (#​82858)
• fix: change "noUnknownAtRules" to "warn" for Biome (#​82974)
• fix: add path normalization to getRelativePath for Windows (#​82918)
• feat: add typesafety with config.typedRoutes to redirect() and permanentRedirect() (#​82860)
• fix: avoid importing types that will be unused (#​82856)
• fix: update the config.api.responseLimit type (#​82852)
• fix: update validation return types (#​82854)

Credits

Huge thanks to @​bgub, @​mischnic, and @​ztanner for helping!

v15.5.0

Compare Source

Core Changes

• Use and enforce exhaustive switch statements for work unit store: #​81577
• Enable @typescript-eslint/switch-exhaustiveness-check rule: #​81583
• [dynamicIO] use RSC dynamicness to control partial vs complete PPR result: #​81627
• [dynamicIO] Do not use React.unstable_postpone(): #​81652
• feat: new detachable panel UI: #​81483
• Turbopack: content-hash PageLoaderAsset: #​81450
• [segment explorer] fix content overflow styling: #​81649
• Improve reliability of owner stacks for async I/O errors: #​81501
• fix(router): Prevent redirect loop on root data requests with basePath: #​81096
• Ensure custom NextServer config is honored: #​81681
• Fix before interactive incorrectly render css: #​81146
• perf: memorize exclude function in webpack config: #​81525
• Also enforce experimental features when there's no next config file: #​81679
• feat(next/image): warn when images.qualities is undefined: #​81690
• feat(build): optimize filterUniqueParamsCombinations to generate sub-combinations: #​81321
• Update NextAdapter type and re-export: #​81692
• upgrade to path-to-regexp@​6.3.0: #​80123
• [metadata] replace for initial body icon case: #​81688
• [segment explorer] remove dev panel ui flag: #​81670
• Simplify running test apps locally with ppr or dynamicIO enabled: #​81668
• [turbopack] Return cached Promise from __turbopack_load_by_url__ : #​81663
• Upgrade React from 97cdd5d3-20250710 to 2f0e7e57-20250715: #​81678
• Delete unused renderToString function: #​81707
• Discard prerendered route handler data from FS cache after revalidation: #​81611
• Upgrade React from 2f0e7e57-20250715 to d85ec5f5-20250716: #​81708
• Ignore pending revalidations during prerendering: #​81621
• [turbopack] Clear chunk cache on HMR instead of creating new next-server VM: #​81664
• fix: rootParams should throw in client when fallbackParams are not present: #​81711
• perf(build): optimize buildAppStaticPaths performance and add helper function: #​81386
• Turbopack: Support string without options for @​next/mdx: #​81713
• [Segment Cache] Support dynamic head prefetching: #​81677
• [sourcemaps] Consistent cursor columns: #​81375
• fix: revert client segment route changes for sub shell generation: #​81731
• fix: pages router metadata bugs with React 19: #​81733
• Improve error handling for headers/cookies/draftMode in 'use cache': #​81716
• [devtool] fix duplicate rendered indicator on server: #​81729
• [devtool] enable segment explorer by default: #​81737
• [turbopack] Stop exposing globals from Turbopack runtime: #​81727
• Remove unnecessary await: #​81761
• [chore] bump zod to latest v3: #​81757
• feat(turbopack): Log anonymized internal error (panic) information to telemetry: #​81272
• fix: revert client segment route changes for sub shell generation: #​81740
• bugfix: static resources staleTime should be renewed once refetched: #​81771
• [devtool] move font styling to global.css: #​81782
• [devtool] copy decoded info of error details: #​81735
• fix(build): add sourcePage context for PPR dynamic route lambda creation: #​81781
• refactor: rename experimental.dynamicIO to experimental.cacheComponents: #​81562
• Properly handle hanging promise rejections during prerendering: #​81754
• Upgrade React from d85ec5f5-20250716 to dffacc7b-20250717: #​81767
• Refactor: Get rid of overly generic getExpectedRequestStore function: #​81791
• [devtool] migrate css reset to global.css: #​81783
• [dev-tools] Robust shortcut detection: #​81756
• [segment explorer] hide for pages router: #​81813
• [devtool] fix scrollbar styling: #​81814
• fix(ppr): ensure fallback route params trigger dynamic resume: #​81812
• [devtools] restart server pending state: #​80858
• Turbopack: fix dist dir on Windows: #​81758
• fix: remove boundary sentinel from RSC responses: #​81857
• [sourcemaps] Try VM for retrieving source maps first: #​81869
• [devtools] save user config inside .next/cache: #​81807
• Server: Remove unused code: #​81886
• refactor: encapsulate content type within RenderResult: #​81861
• refactor: handle null RenderResult responses gracefully: #​81895
• Upgrade React from dffacc7b-20250717 to e9638c33-20250721: #​81899
• chore(devtools): sync todos to linear: #​81901
• Introduce 'use cache: private': #​81816
• chore(deps): update browserslist: #​81851
• Remove web-server from edge-ssr-app: #​81389
• Stabilize node middleware support: #​81907
• Add run-turbopack-compiler trace span: #​81917
• fix: support calling onClose multiple times in edge-ssr-app: #​81911
• fix: logging the correct process for listened port: #​81903
• Build: Include rewrites in manifest generation: #​81894
• Routing: Clean up some code: #​81932
• [sourcemaps] Ensure codeframe when calling Client Functions from Server: #​81918
• [segment explorer] missing file suggestion: #​81617
• [turbopack] Always print trace labels in headers: #​81728
• Revert "[metadata] use https protocol for schema urls": #​81934
• Upgrade React from e9638c33-20250721 to 7513996f-20250722: #​81940
• Upgrade to swc v33: #​81750
• Remove extra base-server code: #​81944
• Turbopack: flatten sourceInfo to avoid objects, reorder args, compress node.js entry: #​81545
• Fix dynamicParams false layout case in dev: #​81990
• Initial MCP implementation: #​81770
• Fix: Unresolved param in x-nextjs-rewritten-query: #​81991
• Turbopack: Add an option to use system TLS certificates (fixes #​79060, fixes #​79059): #​81818
• Turbopack: Remove unused proxy option in turbo-tasks-fetch, lightly document HTTP_PROXY/HTTPS_PROXY environment variables: #​81905
• Upgrade React from 7513996f-20250722 to edac0dde-20250723: #​81984
• [devtools] Cleanup folder structure: #​82012
• [devtools] Fix "open in editor" for locations in stackframes: #​82013
• [Segment Cache] Fix: Key by rewritten search: #​81986
• Upgrade vercel og and remove yoga type patching: #​81937
• [perf] cache load config results: #​80570
• Turbopack: use prototype for turbopack context for better runtime performance: #​81547
• [reactcompiler] Test with latest RC: #​82002
• [devtools] Fix various exhaustive-deps violations: #​82010
• [devtools] Apply React Compiler to Next.js DevTools source: #​82004
• Upgrade React from edac0dde-20250723 to 3d14fcf0-20250724: #​82020
• Adjusted the warning message to be more descriptive: #​82054
• Track fallback params on workUnitStore: #​82003
• Fix API stripping JSON incorrectly: #​82061
• Upgrade React from 3d14fcf0-20250724 to 19baee81-20250725: #​82063
• use FetchStrategy to control prefetching behavior everywhere: #​82032
• [Segment Cache] set fetchStrategy on segments from a dynamic request: #​82059
• Revert "Upgrade vercel og and remove yoga type patching (#​81937)": #​82066
• Optimize segment data routes: #​82033
• Turbopack: write tasks doesn't need to be session dependent, as effects will restore: #​78727
• [sourcemaps] Fully sourcemap stacks on the Server: #​81904
• fix(Rspack): use loaderContext.utils.contextify to replace ModuleFilenameHelpers.createFilename: #​82104
• next/root-params: #​80255
• fix(next/image): fix image-optimizer.ts headers: #​82114
• Upgrade React from 19baee81-20250725 to eaee5308-20250728: #​82120
• Fix validateRSCRequestHeaders incorrect redirect: #​82119
• fix(next/image): improve and simplify detect-content-type: [#​82118](https://redirect.gi

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[roomote]

Thank you for this important security update! I've reviewed the changes and this PR correctly updates Next.js from 15.2.5 to 15.4.7 to address three critical CVEs (CVE-2025-57822, CVE-2025-55173, and CVE-2025-57752).

The lockfile changes look good and the update also includes the related sharp dependency bump from 0.33.5 to 0.34.3.

[roomote]

Good to see the project isn't using or configuration, which means it wasn't directly vulnerable to CVE-2025-55173. However, since the project does use Next.js Image component in footer.tsx, testimonials.tsx, and nav-bar.tsx, it would be good to verify image optimization continues working correctly after this update.

[roomote]

The sharp update from 0.33.5 to 0.34.3 is a significant version bump that comes with the Next.js update. Could you run a quick smoke test on both web apps (web-roo-code and web-evals) after merging to ensure image processing works as expected?

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
roo-code-website	Building	Preview	Comment	Sep 26, 2025 2:14pm

[roomote]

I found some issues that need attention around post-upgrade verification for the security advisories.

[roomote]

P2 — Post-upgrade security verification: With [email protected], audit middleware to ensure you never pass incoming request headers directly into NextResponse.next(). This mitigates CVE-2025-57822 for self-hosted middleware.

[roomote]

P2 — Image optimization hardening: Next >=15.4.5 fixes CVE-2025-55173 and CVE-2025-57752. Verify images.domains/remotePatterns are strictly scoped, and avoid caching header-dependent image responses behind the image optimizer (or ensure vary on relevant headers).

[roomote]

Reviewing my own lockfile changes again - at this point I'm basically a dependency update archaeologist excavating layers of my past selves' work.

[roomote]

Rooviewer   See task on Roo Cloud

Code Review Summary

Review Status: ✅ Complete - No new issues found

Overview

This PR updates Next.js from 15.2.5 to 15.4.7 to address three security vulnerabilities:

• CVE-2025-57822 (Middleware SSRF)
• CVE-2025-55173 (Image Optimization file downloads)
• CVE-2025-57752 (Image cache key confusion)

Analysis

• Change Type: Lockfile-only update (no code modifications)
• Impact: Transitive dependency updates including sharp 0.33.5 → 0.34.5
• Vulnerability Assessment:
  • No middleware file exists (not vulnerable to CVE-2025-57822)
  • No images.domains or images.remotePatterns configured (not vulnerable to CVE-2025-55173)
  • All images are static local assets from /public (not vulnerable to CVE-2025-57752)

Findings

✅ No new issues identified in this review

This is a clean security update with no code changes or regressions introduced.

---

Reviewed by Roo Code PR Reviewer

Previous reviews

• 0891b28: Review #1
• 3aac381: Review #2
• 26d1c0c: Review #3
• e77f992: Review #4
• 33665f2: Review #5

_{Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.}

[github-actions]

🚀 Preview deployed!

Your changes have been deployed to Vercel:

Preview URL: https://roo-code-website-eve0xv7jh-roo-code.vercel.app

This preview will be updated automatically when you push new commits to this PR.