
⬆️(dependencies) update next to v15.2.3 [SECURITY] #789

Merged: 1 commit merged into main from renovate/npm-next-vulnerability on Mar 24, 2025

Conversation


@renovate renovate bot commented Mar 21, 2025

This PR contains the following updates:

Package        Change
next (source)  15.2.1 -> 15.2.3

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js versions 11.1.4 through 13.5.6, consult the below workaround.

Workaround

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v15.2.3


v15.2.2


Core Changes
  • [dev-overlay] fix styling on overflow error messages, add button hover state: #76771
  • Fix: respond 405 status code on OPTIONS request to SSG page: #76767
  • [dev-overlay] Always show relative paths: #76742
  • [metadata] remove the duplicate metadata in the error boundary: #76791
  • Upgrade React from d55cc79b-20250228 to 443b7ff2-20250303: #76804
  • [dev-overlay] Ignore animations on page load: #76834
  • fix: remove useless set-cookie in action-handler: #76839
  • Turbopack: handle task cancelation: #76831
  • Upgrade React from 443b7ff2-20250303 to e03ac20f-20250305: #76842
  • add types for __next_app__ module loading functions: #74566
  • fix duplicated noindex when server action is triggered: #76847
  • fix: don't drop queued actions when navigating: #75362
  • [dev-overlay]: remove dependency on platform for focus trapping: #76849
  • Turbopack: Add turbopack_load_by_url: #76814
  • Add handling of origin in dev mode: #76880
  • [dev-overlay] Stop grouping callstack frames into ignored vs. not ignored: #76861
  • Upgrade React from e03ac20f-20250305 to 029e8bd6-20250306: #76870
  • [dev-overlay] Increase padding if no x button present: #76898
  • fix: prevent incorrect searchParams being applied on certain navs: #76914
  • [dev-overlay] Dim ignore-listed callstack frames when shown: #76862
Example Changes
  • chore(cna): update tailwind styles to be closer to non-tw cna: #76647
Misc Changes
  • Fix canary only warning for devlow-bench: #76772
  • [test] Add special placeholder if stackframes point into dist dir: #76741
  • [test] Use new Redbox matchers in pages/ service-side-dev-errors: #76779
  • [test] Use new Redbox matchers in app/ dynamic-error-trace: #76783
  • [test] Use new Redbox matchers in app/ owner-stack-invalid-element-type: #76786
  • [test] Use new Redbox matchers in app/ hook-functuon-names: #76785
  • [test] Use new Redbox matchers in app/ undefined-default-export: #76781
  • [test] Use new Redbox matchers in server-navigation-error: #76787
  • [test] Fix flaky error-recovery test: #76789
  • [test] Use new Redbox matchers in pages/ gssp-ssr-change-reloading: #76788
  • [docs] update Tailwind CSS installation and configuration instructions: #76259
  • docs: Tailwind v4: #76801
  • chore(docs): update minimumCacheTTL example to 31 days: #76796
  • Turbopack: improve sectioned source maps: #76627
  • [test] Use new Redbox matchers in pages/ middleware-errors: #76797
  • doc: use redirect in client components: #76332
  • [docs] document experimental viewTransition flag: #76832
  • docs(errors): remove confusing good-to-know since global-errors.tsx also show in dev as of 15.2: #76825
  • Turbopack: don't use HashMap in manifests: #76833
  • Update labeler.json: #76828
  • Fix missing turbo command for rust-check: #76851
  • fix(turbopack): Use correct SyntaxContext for __turbopack_esm__: #73544
  • Cleanup pure span handling: #76846
  • Turbopack: remove unused IncludeModulesModule: #76868
  • Update test snapshots for alternative bundler [5/n]: #76617
  • Update test snapshots for alternative bundler [6/n]: #76768
  • [test] Use next.browser instead of webdriver in pages/ client-navigation: #76867
  • fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files: #76773
  • Revert "fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files": #76879
  • build: Update swc_core to v16.4.0: #76596
  • docs: update Turbopack docs: #76799
  • build: Update lightningcss to v1.0.0-alpha.64: #76856
  • build: Fix warning: #76890
  • Turbopack: fix __dirname: #76902
  • Turbopack: deterministic server action order: #76905
  • docs: reword the docs of veiw transition flag: #76841
  • fix(turbopack): Use vergen-gitcl instead of shadow-rs (or vergen-git2) for napi and next-api crates to fix stale git lock files: #76889
  • Turbopack: ensure default layout is provided in default not-found entrypoint: #76912
  • chore(github): add moar labels: #76922
  • [test] Use new Redbox matchers in pages/ client-navigation/rendering: #76798
  • docs: fix create-next-app cli title: #76908
Credits

Huge thanks to @pranathip, @gaojude, @ijjk, @eps1lon, @Nayeem-XTREME, @leerob, @styfle, @samcx, @sokra, @huozhi, @raunofreiberg, @mischnic, @lubieowoce, @unstubbable, @ztanner, @kdy1, @timneutkens, @wbinnssmith, @bgw, and @oscr for helping!


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
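An added example, not code from the Renovate PR, from Next.js or from the advisory's authors, covering the two checks a practitioner wants from the CVE-2025-29927 advisory quoted in the PR body: whether a given next version is on one of the fixed releases listed under Patches, and a guard placed in front of the application that enforces the Workaround by refusing external requests that carry the x-middleware-subrequest header. The fixed-release numbers, the 11.1.4 through 13.5.6 range and the header name are the advisory's; the function names, the 400 response and the sample requests are assumptions made for this example.

```javascript
// Added example for this PR page; it is not code from the Renovate PR, from
// Next.js, or from the advisory's authors. It implements two checks that follow
// directly from the advisory text for CVE-2025-29927:
//   1. assessNextVersion(): is an installed "next" version on a fixed release?
//   2. filterExternalRequest() / createGuard(): the documented workaround, a
//      guard in front of Next.js that refuses external requests carrying the
//      x-middleware-subrequest header.
// All function names, the 400 status code and the sample requests are
// assumptions made for this example.

// Fixed releases named in the advisory, keyed by major version.
const FIXED_RELEASE = { 15: '15.2.3', 14: '14.2.25' };
// Range for which the advisory offers only the workaround, no fixed release.
const WORKAROUND_RANGE = ['11.1.4', '13.5.6'];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (an optional leading "v" is accepted).
// Ranges such as "^15.2.1" are rejected: they are not an installed version.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(text).trim());
  if (!m) throw new Error(`not an exact semver version: ${text}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver-style ordering on the numeric parts. A prerelease sorts below the
// release with the same numbers (15.2.3-canary.4 < 15.2.3); two prereleases
// with equal numbers are treated as equal, which is enough for this check.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns one of:
//   "patched"    - at or above the fixed release for that major line
//   "upgrade"    - a fixed release exists for that major line; move to it
//   "workaround" - inside 11.1.4 .. 13.5.6, where only the workaround applies
//   "unknown"    - outside the range the advisory speaks about (no guessing)
function assessNextVersion(version) {
  const v = parseVersion(version);
  const fixed = FIXED_RELEASE[v.nums[0]];
  if (fixed) {
    return compareVersions(v, parseVersion(fixed)) >= 0 ? 'patched' : 'upgrade';
  }
  const [lo, hi] = WORKAROUND_RANGE.map(parseVersion);
  if (compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0) return 'workaround';
  return 'unknown';
}

// The header the advisory says must not arrive from external users.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Decide whether an external request may be forwarded to the Next.js app.
// HTTP header names are case-insensitive, so the lookup normalises them
// rather than trusting the casing a client chose. The header's value is
// irrelevant here: its presence alone is the signal.
function filterExternalRequest(headers) {
  const hit = Object.keys(headers).find((n) => n.toLowerCase() === BLOCKED_HEADER);
  if (hit !== undefined) {
    return { allow: false, status: 400, reason: `external request carried ${hit}` };
  }
  return { allow: true, status: null, reason: null };
}

// Wrap a Node-style (req, res) handler so that rejected requests are answered
// here and never reach the wrapped Next.js request handler. This is where the
// workaround belongs: in front of Next.js, not inside the app's own middleware.
function createGuard(nextHandler) {
  return function guardedHandler(req, res) {
    const decision = filterExternalRequest(req.headers || {});
    if (!decision.allow) {
      res.writeHead(decision.status, { 'content-type': 'text/plain' });
      res.end('Bad Request\n');
      return;
    }
    return nextHandler(req, res);
  };
}

// Constructed sample requests (not captured traffic): an ordinary page request
// and one that carries the header with unusual casing to defeat naive matching.
const SAMPLE_REQUESTS = {
  benign: { host: 'app.example', accept: 'text/html' },
  probe: { host: 'app.example', 'X-Middleware-SubRequest': 'any-value' },
};
```

Run the guard in whatever sits in front of next start (a small Node proxy, or the equivalent header rule in nginx or at the CDN edge); the advisory's workaround is to stop the header before it reaches Next.js, not to look for it in middleware, which is the component whose checks the bug bypasses. Treat an "unknown" result as a prompt to read the advisory for that version line, not as a clean bill of health.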

@renovate renovate bot added dependencies Pull requests that update a dependency file noChangeLog labels Mar 21, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from d7f87db to ce654fa Compare March 21, 2025 16:50
@lunika lunika requested a review from AntoLC March 22, 2025 09:20
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from a2e77b8 to 8091091 Compare March 22, 2025 17:01
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 8091091 to 875caca Compare March 23, 2025 08:58
@AntoLC AntoLC merged commit 9374495 into main Mar 24, 2025
19 checks passed
@AntoLC AntoLC deleted the renovate/npm-next-vulnerability branch March 24, 2025 08:18