chore(deps): update dependency next to v16.0.9 [security] #9966
| Command | Status | Duration | Result |
|---|---|---|---|
| nx affected --targets=test:sherif,test:knip,tes... | ❌ Failed | 35s | View ↗ |
| nx run-many --target=build --exclude=examples/*... | ✅ Succeeded | 1s | View ↗ |
☁️ Nx Cloud last updated this comment at 2026-01-24 09:34:45 UTC
Actionable comments posted: 1
🧹 Nitpick comments (1)
integrations/react-next-14/package.json (1)
10-12: Consider upgrading React to 19 to use Next.js 16's new features. React 18.2.0 remains compatible with Next.js 16, but Next.js 16 is designed for React 19 and includes first-class support for React 19 features like React Compiler and View Transitions. Update `react` and `react-dom` to `^19.0.0` to take full advantage of Next.js 16's capabilities.
⛔ Files ignored due to path filters (1)
- `pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (2)
- integrations/react-next-14/package.json
- integrations/react-next-15/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
- integrations/react-next-15/package.json
🔇 Additional comments (1)
integrations/react-next-14/package.json (1)
10-10: No action needed. The integration code is compatible with Next.js 16.0.0 without modifications. The example uses only basic React Query patterns (client-side hooks and providers) that are unaffected by Next.js 15→16 breaking changes.
| "@tanstack/react-query": "workspace:*", | ||
| "@tanstack/react-query-devtools": "workspace:*", | ||
| "next": "^14.2.33", | ||
| "next": "^16.0.0", |
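Review bot: the new floor `"next": "^16.0.0"` is below the fix release for the advisory this PR is raised for: GHSA-9qr9-h5gf-34mp in the PR body lists 16.0.7 as the first fixed 16.0.x, so the caret range still admits 16.0.0 through 16.0.6 on any install that does not honour the lockfile (and `pnpm-lock.yaml` is excluded from this review by path filter). Raise the manifest to `"next": "^16.0.9"` so it matches the version named in the title rather than relying on the lockfile alone.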
Package naming inconsistency: "react-next-14" now uses Next.js 16.
The package is named `react-next-14` but now depends on `next: ^16.0.0`. This creates confusion about which Next.js version this integration example demonstrates. Consider either:
- Renaming the package/folder to `react-next-16`, or
- Creating a separate `react-next-16` integration example while keeping this one on Next.js 14
🤖 Prompt for AI Agents
integrations/react-next-14/package.json lines 10-10: the package folder/name
indicates Next.js 14 but package.json depends on "next": "^16.0.0"; either
rename the package/folder to react-next-16 or downgrade the dependency to a
Next.js 14 release. To fix, choose one approach and apply these steps: if
renaming to react-next-16, rename the directory, update the "name" field in
package.json, update any README/docs and CI/workflow references to the new
path/name; if keeping as react-next-14, change the next dependency to a 14.x
compatible version (and run install/test to confirm compatibility), update
lockfile, and verify any code uses Next 14 APIs.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@integrations/react-next-15/package.json`:
- Line 12: Add an "engines" entry to package.json to require Node >=20.9.0
(Next.js 16 requirement) and update the "next" dependency update to ^16.0.0;
then audit and migrate integration code for Next.js 16 breaking changes: search
for any App Router page handlers that access params/searchParams synchronously
and convert them to support async params/searchParams, check
build/bundler-related config for Turbopack assumptions (and adjust Next.js
config or build scripts if you rely on webpack-specific behavior), review usages
of next/image for default/prop/security changes and update image imports/props,
and remove or replace any AMP and next lint-specific code paths; ensure React
19.2.1 remains specified if needed.
| "@tanstack/react-query": "workspace:*", | ||
| "@tanstack/react-query-devtools": "workspace:*", | ||
| "next": "^15.4.8", | ||
| "next": "^16.0.0", |
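Review bot: this manifest has the same floor problem as react-next-14: `"^16.0.0"` admits the 16.0.0 to 16.0.6 releases that the advisories in the PR body list as affected, so pin `"^16.0.9"` here as well. Separately, the CodeRabbit comment on this file states React 19.2.1 is compatible, but GHSA-mwv6-3258-q52c and GHSA-w37m-7fhw-fmv9 in the PR body list 19.2.1 among the affected React versions; the `react`/`react-dom` entries (outside this hunk) should be checked against those advisories and the resolved versions confirmed in the excluded `pnpm-lock.yaml`.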
🧩 Analysis chain
🌐 Web query:
Next.js 16.0.0 release notes breaking changes minimum Node.js version
💡 Result:
Next.js 16.0.0 — minimum Node.js version
- Minimum Node.js: 20.9.0+ (LTS)
- Node.js 18 is no longer supported. [1][2]
Notable breaking changes (from the official 16 release notes / upgrade guide)
- `middleware.ts` → `proxy.ts` for Node.js request interception (Edge middleware remains but is deprecated for this use). [1][2]
- Turbopack is now the default for `next dev` and `next build` (custom webpack setups may require opting out with `--webpack`). [1][2]
- Async Request APIs / async params change (e.g., `params`/`searchParams` and related APIs are now treated as async in the App Router). [2]
- `next/image` default / security-related changes (e.g., local images with query strings require config; defaults like `minimumCacheTTL` changed). [2]
- Removals: AMP support removed, `next lint` removed, and other previously-deprecated options/APIs removed or renamed. [2]
Sources: Next.js 16 release post [1], official “Upgrading: Version 16” guide [2].
🏁 Script executed:
`cat integrations/react-next-15/package.json`
Repository: TanStack/query
Length of output: 529
Add engines field and review Next.js 16 breaking changes.
Next.js 16.0.0 requires Node.js 20.9.0+ (Node.js 18 no longer supported). Add "engines": { "node": ">=20.9.0" } to enforce this. React 19.2.1 is compatible. However, this upgrade has breaking changes requiring migration:
- Async `params` and `searchParams` in App Router
- Turbopack is now the default bundler
- `next/image` defaults and security changes
- AMP and `next lint` removed
Review the integration code for required updates to these areas before merging.

This PR contains the following updates for `next` (vercel/next.js):
- `16.0.2` → `16.0.9`
- `16.0.7` → `16.0.9`
- `^15.4.8` → `^16.0.0`
- `^14.2.33` → `^16.0.0`
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
GHSA-9qr9-h5gf-34mp
A vulnerability affects certain React packages[1] for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.
Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.
All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.
[1] The affected React packages are:
GHSA-mwv6-3258-q52c
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
GHSA-w37m-7fhw-fmv9
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.
GHSA-5j59-xgg2-r9c4
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.
Release Notes
vercel/next.js (next)
v16.0.9
v16.0.8
v16.0.7
v16.0.6
v16.0.5
Core Changes
Credits
Huge thanks to @lucasadrianof for helping!
v16.0.4
v16.0.3
Core Changes
- `next dev --inspect`: #85037
- `b4455a6e-20251027` to `4f931700-20251029`: #85518
- `cacheLife` types out of the webpack plugin and into the dev bundler directly: #85539
- `'use cache'` in page/layout component: #85519
- `4f931700-20251029` to `561ee24d-20251101`: #85670
- `'next'` plugin: #85749
- `561ee24d-20251101` to `67f7d47a-20251103`: #85762
- `67f7d47a-20251103` to `f646e8ff-20251104`: #85772
- `f646e8ff-20251104` to `dd048c3b-20251105`: #85819
- `dd048c3b-20251105` to `fa50caf5-20251107`: #85906
- `'use cache'` call stacks: #85966
- `fa50caf5-20251107` to `52684925-20251110`: #85980
Misc Changes
- `opt-level = s` for not frequently used crates: #85426
- `experimental.cacheLife`: #85467
- `createSandbox`: #85507
- `--debug-build-paths` instead of `NEXT_PRIVATE_APP_PATHS`: #85504
- `completion.rs` a bit: #84863
- `maxRetries` and `hardError` parameters: #85536
- cells are created in `resolve_raw` to make cell allocation order deterministic: #85525
- `assert*` -> `waitFor*` when the util is not instant: #85450
- `RegExp`-like implementations in `check`: #85537
- `after()` tests: #85566
- `test/integration/` in flake detection tests: #85590
- `run-for-change` script: #85619
- `extern crate` and `macro_use` syntax: #85778
- `NEXT_TEST_PREFER_OFFLINE` in `install-native.mjs`: #85850
- `next-core/src/next_client_reference/visit_client_reference.rs`: #85843
- `non_operation_vc_strongly_consistent` feature usage from next-api: #85874
- `turbo-tasks-macros-shared` crate into `turbo-tasks-macros`: #85917
- `next.browserWithResponse()`: #85911
- `'use cache'` functions to reduce function allocations: #85904
- `font-family` declaration: #85913
- Auth0 Link: #85953
- `cacheLife` & `cacheTag` in client: #85872
- `cacheLife` & `cacheTag`: #85875
- `sharp` and `unrs-resolver`: #83168
- `evaluate` to take module_graph: #85971
- `encryptActionBoundArgs`/`decryptActionBoundArgs` imports: #86015
Credits
Huge thanks to @kdy1, @eps1lon, @SyMind, @bgw, @swarnava, @devjiwonchoi, @ztanner, @ijjk, @huozhi, @icyJoseph, @acdlite, @unstubbable, @gnoff, @gusfune, @vercel-release-bot, @lukesandberg, @sokra, @hayes, @shuding, @wyattjoh, @marjan-ahmed, @timneutkens, @ajstrongdev, @zigang93, @mischnic, @Nayeem-XTREME, @hamirmahal, @eli0shin, @tessamero, @gaojude, @jamesdaniels, @georgesfarah, and @timeyoutakeit for helping!
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
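The fixed-version list quoted for GHSA-9qr9-h5gf-34mp above is per minor line (15.4.x is fixed from 15.4.8, 16.0.x from 16.0.7), and a caret range such as `^16.0.0` only fixes a floor, so whether a manifest is safe depends on that floor and on what the lockfile actually resolves. The following check is an added example, not code from this PR or the TanStack/query repository; it classifies the versions that appear in this PR's diffs and title against that list, and treats prerelease tags as unclassifiable rather than guessing.

```javascript
// Added example, not code from this PR or the TanStack/query repository.
// Checks a Next.js version, or the floor of a caret range, against the
// fixed-version list quoted for GHSA-9qr9-h5gf-34mp (CVE-2025-55182) above.
// Only stable releases are classified; prerelease tags are reported as 'unknown'.
const FIXED_NEXT = ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'];
const AFFECTED_MAJORS = [15, 16]; // advisory: stable 15.x and 16.x with the App Router

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// 'patched' | 'vulnerable' | 'not-affected' | 'unknown' for one concrete version.
function classifyNext(version) {
  const v = parseVersion(version);
  if (!v || v.pre) return 'unknown';
  if (!AFFECTED_MAJORS.includes(v.major)) return 'not-affected';
  // The fix applies per minor line: same major.minor, patch at or above the fixed one.
  const fix = FIXED_NEXT.map(parseVersion).find(f => f.major === v.major && f.minor === v.minor);
  if (!fix) return 'unknown'; // minor line not named in the advisory
  return v.patch >= fix.patch ? 'patched' : 'vulnerable';
}

// A caret or tilde range is only as safe as its floor: "^16.0.0" still admits
// 16.0.0 through 16.0.6, so the floor itself must already be a patched release.
function classifyRange(range) {
  return classifyNext(range.replace(/^[\^~]/, ''));
}

// Constructed sample: the two manifests in this PR and the lockfile version from the title.
function reviewPr() {
  return {
    'react-next-14 before': classifyRange('^14.2.33'),
    'react-next-15 before': classifyRange('^15.4.8'),
    'manifest floor after': classifyRange('^16.0.0'),
    'lockfile resolved': classifyNext('16.0.9'),
  };
}

console.log(reviewPr());
```

The output shows the point of the review notes above: the lockfile's 16.0.9 is patched while the manifest floor `^16.0.0` is not, so the two disagree until the floor is raised.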