
Bump next from 15.5.12 to 15.5.15#854

Open
dependabot[bot] wants to merge 2 commits intomasterfrom
dependabot/npm_and_yarn/next-15.5.15

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Apr 13, 2026

Bumps next from 15.5.12 to 15.5.15.

Release notes

Sourced from next's releases.

v15.5.15

Please refer to the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
  • Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @styfle and @lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @ztanner for helping!

Commits
  • 412eb90 v15.5.15
  • cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
  • fffef9e Fix CI for glibc linux builds
  • d7b012d v15.5.14
  • 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
  • f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
  • cfd5f53 v15.5.13
  • 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
  • See full diff in compare view

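The 15.5.13 note above only says that http-proxy was patched "to prevent request smuggling in rewrites"; it does not describe how the Next.js issue manifests, and the example below does not try to. It is an added illustration of the vulnerability class itself, not code from Next.js, http-proxy or this PR: a front-end and a back-end that disagree about where a request body ends let an attacker smuggle the start of a second request on the same connection. The guard applies the RFC 9112 rule that a message carrying Transfer-Encoding must not also be framed by Content-Length, and refuses to forward anything ambiguous. The request strings are constructed samples, not captured traffic.

```javascript
// Added example (not Next.js, http-proxy or PR code): framing checks a proxy
// should apply before forwarding, and a view of the desync they prevent.
'use strict';

// Split a raw request at the first blank line. `raw.split('\r\n\r\n')` would be
// wrong here because a chunked body legitimately contains that sequence.
function parseHead(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  if (sep < 0) throw new Error('incomplete request head');
  const [requestLine, ...lines] = raw.slice(0, sep).split('\r\n');
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    const name = line.slice(0, i).trim().toLowerCase();
    if (!headers[name]) headers[name] = [];
    headers[name].push(line.slice(i + 1).trim()); // keep every repeat
  }
  return { requestLine, headers, body: raw.slice(sep + 4) };
}

// Decide how a request body is delimited, or refuse to forward it.
//   { kind: 'chunked' } | { kind: 'length', n } | { kind: 'none' } |
//   { kind: 'reject', reason }
function classifyFraming(headers) {
  const te = headers['transfer-encoding'] || [];
  const cl = headers['content-length'] || [];
  if (te.length > 0) {
    const codings = te.join(',').split(',').map((s) => s.trim().toLowerCase());
    if (codings.length !== 1 || codings[0] !== 'chunked') {
      // Stacked or obfuscated codings are how TE.TE variants split two hops.
      return { kind: 'reject', reason: 'Transfer-Encoding must be exactly "chunked"' };
    }
    if (cl.length > 0) {
      // CL.TE / TE.CL: each hop may honour a different header.
      return { kind: 'reject', reason: 'Transfer-Encoding and Content-Length both present' };
    }
    return { kind: 'chunked' };
  }
  if (cl.length > 0) {
    const distinct = new Set(cl.map((v) => v.trim()));
    if (distinct.size !== 1) return { kind: 'reject', reason: 'conflicting Content-Length values' };
    const raw = [...distinct][0];
    if (!/^[0-9]+$/.test(raw)) return { kind: 'reject', reason: 'Content-Length is not an integer' };
    return { kind: 'length', n: Number(raw) };
  }
  return { kind: 'none' };
}

// Index just past a chunked body (last-chunk plus empty trailer), or -1 if the
// body is incomplete. Bytes after this index are the *next* request to a hop
// that parses chunked encoding.
function chunkedBodyEnd(body) {
  let i = 0;
  for (;;) {
    const eol = body.indexOf('\r\n', i);
    if (eol < 0) return -1;
    const size = parseInt(body.slice(i, eol).split(';')[0], 16);
    if (Number.isNaN(size)) return -1;
    i = eol + 2;
    if (size === 0) {
      const trailerEnd = body.indexOf('\r\n', i);
      return trailerEnd < 0 ? -1 : trailerEnd + 2;
    }
    i += size + 2; // chunk data plus its CRLF
  }
}

// What a Content-Length hop and a chunked hop each take as the body. The
// difference (`residue`) is the smuggled prefix left on the connection.
function desyncView(raw) {
  const { headers, body } = parseHead(raw);
  const cl = Number((headers['content-length'] || ['0'])[0]);
  const teEnd = chunkedBodyEnd(body);
  return {
    byContentLength: body.slice(0, cl),
    byChunked: teEnd < 0 ? null : body.slice(0, teEnd),
    residue: teEnd < 0 ? '' : body.slice(teEnd, cl),
  };
}

// Constructed sample inputs. The first is a textbook CL.TE payload: 6 bytes
// by Content-Length, but the chunked body ends after "0\r\n\r\n", leaving "G"
// as the start of a hidden follow-on request.
const SMUGGLED_REQUEST =
  'POST /api HTTP/1.1\r\nHost: example.test\r\n' +
  'Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG';
const CLEAN_REQUEST =
  'POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello';

console.log(classifyFraming(parseHead(SMUGGLED_REQUEST).headers)); // reject
console.log(desyncView(SMUGGLED_REQUEST));                          // residue: 'G'
console.log(classifyFraming(parseHead(CLEAN_REQUEST).headers));     // length, n: 5
```

The rejection branch is the point: a proxy that normalises instead (dropping one header and forwarding the other) is only safe if every hop behind it makes the same choice, which is exactly the assumption smuggling attacks break.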
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 13, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 13, 2026 23:38
changeset-bot Bot commented Apr 13, 2026

⚠️ No Changeset found

Latest commit: 19bf7a1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-15.5.15 branch from ee9c9d1 to 57012e6 Compare April 27, 2026 14:35
socket-security Bot commented Apr 27, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High | Alert: Obfuscated code: npm @react-native/debugger-frontend is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: pnpm-lock.yaml (npm/@react-native/debugger-frontend@0.76.9)

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.76.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-15.5.15 branch 10 times, most recently from b7beb9a to 610242a Compare May 1, 2026 11:24
Bumps [next](https://github.com/vercel/next.js) from 15.5.12 to 15.5.15.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.12...v15.5.15)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.15
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-15.5.15 branch from 610242a to d8261f7 Compare May 1, 2026 13:20

Review summary — safe to merge ✅

No code changes were needed. Nothing was pushed to the branch.

Where next is used in this repo

  • The only consumer is examples/next-3ds (verified by grepping every package.json in the workspace).
  • It's pulled in via the pnpm workspace catalog ("next": "catalog:"), so the only required edit is the catalog spec — which is exactly what this PR does.
  • Surfaces touched by the example:
    • next/font/google, next/image, next/types (Metadata) in app/layout.tsx
    • next/navigation redirect from a "use server" Server Action in app/actons.server.ts
    • App Router pages in app/page.tsx, app/success/page.tsx
    • Empty next.config.mjs: no rewrites, no images.*, no experimental flags

Changelog walk (15.5.12 → 15.5.15)

  • 15.5.13 — security backport: patches http-proxy to prevent request smuggling in rewrites (CVE-2026-29057). The example has no rewrites, so this codebase was not exposed, but the patch is desirable.
  • 15.5.14 — bug fixes / one opt-in feature:
    • feat(next/image): LRU disk cache + images.maximumDiskCacheSize (opt-in, no config change here, no behaviour change).
    • fix(pages-router): restore Content-Length/ETag for /_next/data/ JSON. Example uses App Router only, so neither affected nor at risk.
  • 15.5.15 — security backport: CVE-2026-23869 — crafted requests to React Server Components / Server Function endpoints (App Router, 13.x–16.x) can cause excessive CPU consumption (DoS via deserialization). The example does use App Router + Server Actions, so this is the most relevant fix and the strongest reason to merge.

All three are patch-level, security/bugfix-only backports — Vercel explicitly notes they do not include canary features. No public API changes that affect any surface this repo uses.

Diff sanity

  • Only pnpm-workspace.yaml (catalog spec ^15.5.12 → ^15.5.15) and pnpm-lock.yaml change.
  • Lockfile side-effect: caniuse-lite deduped to a single resolved copy (1.0.30001777) — pure cleanup.
  • No new transitive deps, no new postinstall/scripts. Lockfile deprecation comments on tar@6.2.1 / uuid@7,8 are registry annotations, not introduced by this PR.

Local verification

  • pnpm install --frozen-lockfile
  • pnpm build (workspace @evervault/* filter) ✅
  • pnpm --filter example-next-3ds build (next build end-to-end) ✅ — produced static routes for /, /success, /_not-found with no errors. The pre-existing autoprefixer/flex-end warning and next build's automatic tsconfig.json target: ES2017 rewrite are both unrelated to this bump (same behaviour on 15.5.12).
  • CI on the PR is fully green (lint+test, all e2e shards, CodeQL, Socket).

Verdict

Safe to merge as-is. The most relevant CVE for our usage (15.5.15 / CVE-2026-23869) directly mitigates a Server-Actions DoS vector that the next-3ds example exercises.


Generated by Claude Code
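The review above grepped every package.json for consumers of next, followed the `catalog:` indirection in pnpm-workspace.yaml, and checked the lockfile for stale copies. The script below is an added example of that check as pure functions, not part of the PR or the repository: it finds the consumers, resolves the catalog spec, lists every version of next the lockfile resolved, and fails if any resolved version or consumer spec is below the release carrying the fixes (15.5.15). All file contents are constructed inline to match the shapes the review describes (one consumer via the catalog, a lockfile v9 `packages:` section); the exact layout of the repository's real files is an assumption.

```javascript
// Added example (not the PR's or repository's code): offline audit of a
// dependency bump across a pnpm workspace with a catalog.
'use strict';

// Minimal compare for release versions "x.y.z" after stripping ^ or ~.
// Prerelease tags are not handled; patch-level security bumps don't need it.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).replace(/^[\^~]/, ''));
  if (!m) throw new Error(`unsupported version spec: ${v}`);
  return m.slice(1).map(Number);
}
function atLeast(v, minimum) {
  const a = parseVersion(v), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Every spec for `name` across workspace package.json objects ({ path, json }),
// in all three dependency fields.
function findConsumers(packageJsons, name) {
  const fields = ['dependencies', 'devDependencies', 'peerDependencies'];
  const out = [];
  for (const { path, json } of packageJsons) {
    for (const f of fields) {
      const spec = json[f] && json[f][name];
      if (spec) out.push({ path, field: f, spec });
    }
  }
  return out;
}

// Entries of the default `catalog:` block in pnpm-workspace.yaml, read as
// flat "  name: spec" lines (assumption: no named catalogs, which is the form
// the PR touches).
function readCatalog(workspaceYaml) {
  const catalog = {};
  let inCatalog = false;
  for (const line of workspaceYaml.split('\n')) {
    if (/^catalog:\s*$/.test(line)) { inCatalog = true; continue; }
    if (inCatalog && /^\S/.test(line)) inCatalog = false; // next top-level key
    const m = inCatalog && /^\s+(['"]?)([^'":]+)\1:\s*(.+?)\s*$/.exec(line);
    if (m) catalog[m[2]] = m[3].replace(/^['"]|['"]$/g, '');
  }
  return catalog;
}

// Distinct versions of `name` the lockfile resolved. Assumption: lockfile v9,
// whose `packages:` section keys entries as "name@version(peers...):". Every
// distinct version is returned because a leftover old copy is exactly what a
// reviewer wants to catch.
function lockedVersions(lockYaml, name) {
  const esc = name.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
  const re = new RegExp(`^\\s+'?${esc}@(\\d+\\.\\d+\\.\\d+)[^:]*'?:`, 'gm');
  const versions = new Set();
  let m;
  while ((m = re.exec(lockYaml)) !== null) versions.add(m[1]);
  return [...versions].sort();
}

// Full audit: resolve "catalog:" specs, then require every consumer spec and
// every resolved lockfile version of `name` to be at or above `minimum`.
function auditBump({ packageJsons, workspaceYaml, lockYaml }, name, minimum) {
  const catalog = readCatalog(workspaceYaml);
  const consumers = findConsumers(packageJsons, name).map((c) => ({
    ...c,
    resolvedSpec: c.spec === 'catalog:' ? catalog[name] : c.spec,
  }));
  const resolved = lockedVersions(lockYaml, name);
  const stale = resolved.filter((v) => !atLeast(v, minimum));
  const specStale = consumers.filter((c) => !c.resolvedSpec || !atLeast(c.resolvedSpec, minimum));
  return {
    consumers, catalogSpec: catalog[name], resolved, stale, specStale,
    ok: resolved.length > 0 && stale.length === 0 && specStale.length === 0,
  };
}

// Constructed sample inputs modelled on the review's description.
const SAMPLE = {
  packageJsons: [
    { path: 'examples/next-3ds/package.json', json: { dependencies: { next: 'catalog:', react: '^19.0.0' } } },
    { path: 'packages/foo/package.json', json: { devDependencies: { typescript: '^5.0.0' } } },
  ],
  workspaceYaml: "packages:\n  - 'packages/*'\n  - 'examples/*'\ncatalog:\n  next: ^15.5.15\n  react: ^19.0.0\n",
  lockYaml: "lockfileVersion: '9.0'\n\npackages:\n\n  next@15.5.15(react@19.0.0):\n" +
    "    resolution: {integrity: sha512-constructed}\n\n  caniuse-lite@1.0.30001777:\n" +
    "    resolution: {integrity: sha512-constructed}\n",
};
// Same lockfile with a second, un-bumped copy of next left behind.
const STALE_LOCK = SAMPLE.lockYaml +
  "\n  next@15.5.12(react@19.0.0):\n    resolution: {integrity: sha512-constructed}\n";

console.log(JSON.stringify(auditBump(SAMPLE, 'next', '15.5.15'), null, 2));          // ok: true
console.log(auditBump({ ...SAMPLE, lockYaml: STALE_LOCK }, 'next', '15.5.15').stale); // [ '15.5.12' ]
```

Against the real repository you would feed `auditBump` the actual file contents (read with `fs`), and the minimum version is the one from the advisory, not the one in the PR title; those are the same here but not always.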
