Skip to content

chore(deps): update dependency next to v15.2.3 [security] #8978

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency next to v15.2.3 [security] #8978

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 9, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 15.1.2 -> 15.2.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v15.2.3

Compare Source

v15.2.2

Compare Source

Core Changes
  • [dev-overlay] fix styling on overflow error messages, add button hover state: #​76771
  • Fix: respond 405 status code on OPTIONS request to SSG page: #​76767
  • [dev-overlay] Always show relative paths: #​76742
  • [metadata] remove the duplicate metadata in the error boundary: #​76791
  • Upgrade React from d55cc79b-20250228 to 443b7ff2-20250303: #​76804
  • [dev-overlay] Ignore animations on page load: #​76834
  • fix: remove useless set-cookie in action-handler: #​76839
  • Turbopack: handle task cancelation: #​76831
  • Upgrade React from 443b7ff2-20250303 to e03ac20f-20250305: #​76842
  • add types for __next_app__ module loading functions: #​74566
  • fix duplicated noindex when server action is triggered: #​76847
  • fix: don't drop queued actions when navigating: #​75362
  • [dev-overlay]: remove dependency on platform for focus trapping: #​76849
  • Turbopack: Add turbopack_load_by_url: #​76814
  • Add handling of origin in dev mode: #​76880
  • [dev-overlay] Stop grouping callstack frames into ignored vs. not ignored: #​76861
  • Upgrade React from e03ac20f-20250305 to 029e8bd6-20250306: #​76870
  • [dev-overlay] Increase padding if no x button present: #​76898
  • fix: prevent incorrect searchParams being applied on certain navs: #​76914
  • [dev-overlay] Dim ignore-listed callstack frames when shown: #​76862
Example Changes
  • chore(cna): update tailwind styles to be closer to non-tw cna: #​76647
Misc Changes
  • Fix canary only warning for devlow-bench: #​76772
  • [test] Add special placeholder if stackframes point into dist dir: #​76741
  • [test] Use new Redbox matchers in pages/ service-side-dev-errors: #​76779
  • [test] Use new Redbox matchers in app/ dynamic-error-trace: #​76783
  • [test] Use new Redbox matchers in app/ owner-stack-invalid-element-type: #​76786
  • [test] Use new Redbox matchers in app/ hook-functuon-names: #​76785
  • [test] Use new Redbox matchers in app/ undefined-default-export: #​76781
  • [test] Use new Redbox matchers in server-navigation-error: #​76787
  • [test] Fix flaky error-recovery test: #​76789
  • [test] Use new Redbox matchers in pages/ gssp-ssr-change-reloading: #​76788
  • [docs] update Tailwind CSS installation and configuration instructions: #​76259
  • docs: Tailwind v4: #​76801
  • chore(docs): update minimumCacheTTL example to 31 days: #​76796
  • Turbopack: improve sectioned source maps: #​76627
  • [test] Use new Redbox matchers in pages/ middleware-errors: #​76797
  • doc: use redirect in client components: #​76332
  • [docs] document experimental viewTransition flag: #​76832
  • docs(errors): remove confusing good-to-know since global-errors.tsx also show in dev as of 15.2: #​76825
  • Turbopack: don't use HashMap in manifests: #​76833
  • Update labeler.json: #​76828
  • Fix missing turbo command for rust-check: #​76851
  • fix(turbopack): Use correct SyntaxContext for __turbopack_esm__: #​73544
  • Cleanup pure span handling: #​76846
  • Turbopack: remove unused IncludeModulesModule: #​76868
  • Update test snapshots for alternative bundler [5/n]: #​76617
  • Update test snapshots for alternative bundler [6/n]: #​76768
  • [test] Use next.browser instead of webdriver in pages/ client-navigation: #​76867
  • fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files: #​76773
  • Revert "fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files": #​76879
  • build: Update swc_core to v16.4.0: #​76596
  • docs: update Turbopack docs: #​76799
  • build: Update lightningcss to v1.0.0-alpha.64: #​76856
  • build: Fix warning: #​76890
  • Turbopack: fix __dirname: #​76902
  • Turbopack: deterministic server action order: #​76905
  • docs: reword the docs of veiw transition flag: #​76841
  • fix(turbopack): Use vergen-gitcl instead of shadow-rs (or vergen-git2) for napi and next-api crates to fix stale git lock files: #​76889
  • Turbopack: ensure default layout is provided in default not-found entrypoint: #​76912
  • chore(github): add moar labels: #​76922
  • [test] Use new Redbox matchers in pages/ client-navigation/rendering: #​76798
  • docs: fix create-next-app cli title: #​76908
Credits

Huge thanks to @​pranathip, @​gaojude, @​ijjk, @​eps1lon, @​Nayeem-XTREME, @​leerob, @​styfle, @​samcx, @​sokra, @​huozhi, @​raunofreiberg, @​mischnic, @​lubieowoce, @​unstubbable, @​ztanner, @​kdy1, @​timneutkens, @​wbinnssmith, @​bgw, and @​oscr for helping!

v15.2.1

Compare Source

Core Changes
  • Unify Link and Form prefetching: #​76184
  • Turbopack: Ensure server actions sourcemaps tests pass: #​76157
  • [dev-overlay] control dark theme in one place: #​76528
  • [dev-overlay] change css var for terminal: #​76590
  • [dev-overlay] Discriminate stack frame settled typed: #​76517
  • Remove obsolete sourcePackage references: #​76550
  • refactor: remove unused variable in externals handling: #​76599
  • fix: Add popular embedding libraries to serverExternalPackages: #​76574
  • [Segment Cache] Implement hash-only navigations: #​76179
  • Webpack: abstract away getting compilation spans: #​76579
  • report compiler duration for webpack and improve numbers: #​76665
  • [dev-overlay] fix dark theme missing close bracket: #​76672
  • Remove revalidate property from incremental cache ctx for FETCH kind: #​76500
  • [dev-overlay] fix: env name label style was out of sync with error type label: #​76668
  • Turbopack: avoid celling source maps before minify: #​76626
  • refactor(CI): Merge all four bundler test manifest scripts into one: #​76652
  • [metadata] fix duplicate metadata for parallel routes: #​76669
  • [Segment Cache] Omit from bundle if flag disabled: #​76622
  • [Segment Cache] Support output: "export" mode: #​75671
  • [Segment Cache] Refresh on same-page navigation: #​76223
  • [metadata] re-enable streaming metadata with PPR: #​76119
  • [Segment Cache] Search param fallback handling: #​75990
  • [Segment Cache] Fix: canonicalURL omits origin: #​76444
  • fix metadata basePath for manifest: #​76681
  • Propagate expire time to cache-control header and prerender manifest: #​76207
  • Show revalidate/expire columns in build output: #​76343
  • Gate alternate bundler behind canary only: #​76634
  • [dynamicIO] routes with dynamic segments should be able to be static in dev: #​76691
  • [repo] upgrade ts 5.8.2: #​76709
  • [metadata]: ensure metadata boundary is only rendered once on client nav: #​76692
  • [metadata] clean up redudant options: #​76712
  • Fix uniqueness detection for generateStaticParams: #​76713
  • Upgrade React from 22e39ea7-20250225 to d55cc79b-20250228: #​76680
  • [Turbopack] Compute module batches and use them for chunking: #​76133
  • [Dev Tools] Improve keyboard interactions for menu & overlays: #​76754
  • Keep server code out of browser chunks: #​76660
  • Turbopack: inline minify into code generation and make it a plain function instead of a turbo tasks function: #​76628
  • fix edge runtime asset fetch in pages api: #​76750
  • Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler: #​76682
Example Changes
  • docs: fix reading params code blocks: #​76705
Misc Changes
  • fix(rustdoc): Fix rustdoc warnings, block on rustdoc failures in CI: #​76448
  • Update more global turbo CLI usage: #​76576
  • docs: Node.js runtime support for Middleware: #​76556
  • build: Update swc_core to v16.0.0: #​76414
  • Turbopack: prevent panic in swc issue emitter: #​76595
  • Unflake parallel-routes-revalidation test: #​76600
  • Fix octokit.rest.issues.addLabels call: #​76601
  • [test] Use new Redbox matchers in app/ error-recovery: #​76552
  • [test] Use new Redbox matchers in pages/ ReactRefreshLogBox-app-doc: #​76551
  • Run nightly bundler integration tests also with React 18: #​76606
  • 15.2: Add version history for devIndicators and note on deprecated options: #​76611
  • 15.2 docs: document missing htmlLimitedBots option: #​76616
  • Update bundler production test manifest: #​76584
  • Update bundler development test manifest: #​76585
  • Fix test after CI switched to pnpm 10: #​76615
  • chore(cna): fix theme extend for tailwind v4: #​76583
  • [test] Use new Redbox matchers in app/ ReactRefreshLogBoxMisc: #​76563
  • Don’t use native built-ins for additional bundler: #​76577
  • Revert "Run nightly bundler integration tests also with React 18": #​76640
  • Update bundler production test manifest: #​76643
  • Update bundler development test manifest: #​76644
  • Turbopack: dedupe middleware-manifest entries: #​76621
  • Turbopack: Improve edge tests: #​76607
  • Turbopack: add test test for css order: #​76675
  • Turbopack: fix order of chunk items in cycles: #​76676
  • [ci] Fix test-turbopack-integration not having any shards : #​76355
  • Update Turbopack development test manifest: #​76658
  • Update Turbopack production test manifest: #​76659
  • fix(CI): Upload to areweturboyet immediately after a manifest is updated, not only on a fixed cron schedule: #​76688
  • Update test snapshots for alternative bundler [4/n]: #​76578
  • fix(turbopack): Fix analysis of private properties: #​76654
  • Turbopack: Simplify emitDecoratorMetadata test: #​76678
  • [test] Use new Redbox matchers in pages/ ReactRefreshRegression: #​76743
  • [test] Remove describeVariants helper: #​76631
  • [test] Fix flaky error-recovery test: #​76753
  • [test] Use new Redbox matchers in app/ dynamic-error: #​76744
  • [test] Use new Redbox matchers in app/ rsc-runtime-errors: #​76745
  • Turbopack: avoid panic in module batches: #​76757
  • Revert "test: temporarily disable after deploy test": #​74990
  • toDisplayRedbox(): replace all occurrences of testDir: #​76618
  • Fix: missing close brace in demo code: #​76549
  • Disable flaky Turbopack tests: #​76760
  • feat(CI): Revalidate vercel data cache on areweturboyet after uploading data to KV store: #​76693
  • chore(github): move top prs and feature requests to different Slack channel: #​76764
  • Fix flaky Bun test: #​76763
Credits

Huge thanks to @​acdlite, @​bgw, @​ijjk, @​molebox, @​kdy1, @​timneutkens, @​devjiwonchoi, @​mischnic, @​unstubbable, @​eps1lon, @​huozhi, @​philipithomas, @​delbaoliveira, @​samcx, @​wbinnssmith, @​sokra, @​gnoff, @​leerob, @​ztanner, @​raunofreiberg, @​lubieowoce, and @​LihaoWang for helping!

v15.2.0

Compare Source

v15.1.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: work around setTimeout memory leak, improve wrappers (#​75727)
  • add additional x-middleware-set-cookie filtering (#​75869)
  • fix: ensure lint worker errors aren't silenced (#​75766)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: don't memory-leak promises passed to waitUntil (#​75041)
  • backport: fix prerender issue with intercepting routes + generateStaticParams (#​75170)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing revalidate with notFound() (#​75009)
  • fix: when metadatabase is set we should not warn (#​74840)
  • Fix @​vercel/og license SPDX expression (#​74745)
  • fix: ts language server rule metadata should allow null (#​74704)
  • fix: eslint rule of using img in metadata routes (#​74864)
  • Fix presentation when onerror receives an event without error (#​74643)
  • fix fetch lock not being consistently released #​74623 (#​75028)
Credits

Huge thanks to @​ijjk, @​huozhi, @​matmannion and @​ztanner for helping!

v15.1.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • backport: force module format for virtual client-proxy (#​74608)
  • Fix prerender tags when notFound is called (#​74607)
  • Use provided waitUntil for pending revalidates (#​74604)
  • Feature: next/image: add support for images.qualities in next.config (#​74588)
  • Chore: docs: add missing search: '' on remotePatterns (#​74587)
  • Chore: docs: update version history of next/image (#​73923) (#​74570)
  • Chore: next/image: improve imgopt api bypass detection for unsupported images (#​74569)
Credits

Huge thanks to @​ and @​ for helping!

v15.1.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Retry manifest file loading only in dev mode: #​73900
  • Use shared worker for lint & typecheck steps: #​74154
Credits

Huge thanks to @​unstubbable and @​ztanner for helping!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Apr 9, 2025
@nx-cloud Nx Cloud
Copy link

nx-cloud bot commented Apr 9, 2025
edited
Loading

View your CI Pipeline Execution ↗ for commit 52e9855.

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ❌ Failed 1m 11s View ↗
nx run-many --target=build --exclude=examples/*... ✅ Succeeded 3s View ↗

☁️ Nx Cloud last updated this comment at 2025-04-09 14:05:31 UTC

@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Apr 9, 2025

More templates

@tanstack/angular-query-devtools-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-devtools-experimental@8978

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@8978

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@8978

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@8978

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@8978

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@8978

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@8978

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@8978

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@8978

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@8978

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@8978

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@8978

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@8978

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@8978

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@8978

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@8978

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@8978

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@8978

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@8978

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@8978

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@8978

commit: 52e9855

@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 9, 2025

Sizes for commit 52e9855:

Branch Bundle Size
Main
This PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants