
Bump next from 14.2.3 to 15.5.18#159

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/next-15.5.18

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Bumps next from 14.2.3 to 15.5.18.

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.16

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.15

Please refer to the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE]

... (truncated)

Commits
  • 9ff92ce v15.5.18
  • 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
  • 62c97ab v15.5.17
  • 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
  • fa78739 Turbopack: Fix middleware matcher suffix (#93590)
  • 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
  • 36589b5 [backport][test] Pin package manager to patch versions (#93596)
  • ad6fd4e v15.5.16
  • 79d7dff Ignore malformed CSP nonce headers (#103)
  • c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade next from 14.2.3 to 15.5.18 to apply the latest security fixes and Next 15 runtime updates. This also updates SWC and styled-jsx, and introduces an optional sharp dependency for image optimization.

  • Dependencies

    • Bumped next to 15.5.18 (includes fixes for DoS, middleware/proxy bypass, SSRF, and XSS advisories).
    • Added transitive sharp@^0.34.3 and platform-specific @img/sharp-* packages.
    • Updated @next/swc-* to 15.5.18 and styled-jsx to 5.1.6.
  • Migration

    • Clean install and build: remove .next/, run yarn install, then build.
    • Ensure CI allows optional deps so sharp installs; verify image optimization and middleware behave as expected.

Written for commit 6f8355a. Summary will update on new commits.

Bumps [next](https://github.com/vercel/next.js) from 14.2.3 to 15.5.18.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v14.2.3...v15.5.18)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.18
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
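Two of the commits listed above, "Ignore malformed CSP nonce headers" and "router-server: guard upgrade proxy against absolute-url SSRF", name request-layer checks rather than describing them. The JavaScript below is an added illustration of that class of check, written for this page; it is not next's code and does not claim to reproduce either commit. The function names `isSafeUpgradeTarget` and `extractCspNonce`, the 22-character minimum nonce length (128 bits of entropy, base64-encoded) and every sample input are this example's own assumptions.

```javascript
// Added illustration, not code from next.js or from this PR.
// Two request-hardening checks of the kind the commit titles name.

// 1. Upgrade/proxy target guard.
// A server that forwards an HTTP Upgrade request using the client-supplied
// request-target must only accept origin-form targets ("/path?query").
// An absolute-form target ("http://host/...") or a protocol-relative one
// ("//host/...") would let the client steer the proxied connection toward a
// host of its choosing, i.e. server-side request forgery.
function isSafeUpgradeTarget(requestUrl) {
  if (typeof requestUrl !== "string" || requestUrl.length === 0) return false;
  // Must be a single leading slash: "//host" is parsed as an authority.
  if (!requestUrl.startsWith("/") || requestUrl.startsWith("//")) return false;
  // The WHATWG parser treats "\" like "/" for http(s); reject it outright.
  if (requestUrl.includes("\\")) return false;
  // Re-parse against a fixed, non-routable base and confirm the origin
  // survived parsing unchanged. The base host is a placeholder (assumption).
  const base = "http://placeholder.invalid";
  let parsed;
  try {
    parsed = new URL(requestUrl, base);
  } catch {
    return false;
  }
  return parsed.origin === base;
}

// 2. CSP nonce extraction that ignores malformed values.
// CSP3 grammar: base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) *2( "=" )
const NONCE_GRAMMAR = /^[A-Za-z0-9+/_-]+={0,2}$/;
// Policy choice for this example (assumption): at least 128 bits of entropy,
// which is 22 base64 characters before padding.
const MIN_NONCE_LENGTH = 22;

// Returns the nonce from a Content-Security-Policy header value, or
// undefined when there is none or it is malformed. A malformed nonce is
// ignored rather than being echoed into rendered <script nonce="..."> tags.
function extractCspNonce(cspHeader) {
  if (typeof cspHeader !== "string") return undefined;
  const match = cspHeader.match(/'nonce-([^']*)'/);
  if (!match) return undefined;
  const nonce = match[1];
  if (!NONCE_GRAMMAR.test(nonce)) return undefined;
  if (nonce.replace(/=+$/, "").length < MIN_NONCE_LENGTH) return undefined;
  return nonce;
}

module.exports = { isSafeUpgradeTarget, extractCspNonce };
```

The sample inputs in the checks that follow are constructed for this example; a real deployment would apply `isSafeUpgradeTarget` to `req.url` before proxying an upgrade and `extractCspNonce` to the header middleware sets.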
@dependabot dependabot Bot added dependencies Dependency updates javascript labels May 11, 2026
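The migration bullets in the summary above describe a procedure (clean install, build, verify) but not the check a reviewer usually wants in CI after a security bump: that the lockfile actually resolved `next` to at least the fixed version, that no second copy of `next` is still resolved, and that every `@next/swc-*` binary is pinned to the same version as `next`. The JavaScript below is an added example written for this page, not part of the PR or of next; it assumes a yarn v1 lockfile, and the `LOCKFILE` fragment is constructed using the versions the summary names. `parseYarnLockV1`, `compareSemver` and `auditNextBump` are the example's own names.

```javascript
// Added example, not code from this PR or from next.js.
// Audits a yarn v1 lockfile after a `next` security bump.

// Constructed lockfile fragment for this example (assumption: yarn v1 format).
const LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@next/swc-darwin-arm64@15.5.18":
  version "15.5.18"
  resolved "https://registry.yarnpkg.com/@next/swc-darwin-arm64/-/swc-darwin-arm64-15.5.18.tgz"

"@next/swc-linux-x64-gnu@15.5.18":
  version "15.5.18"
  resolved "https://registry.yarnpkg.com/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-15.5.18.tgz"

next@15.5.18:
  version "15.5.18"
  resolved "https://registry.yarnpkg.com/next/-/next-15.5.18.tgz"

styled-jsx@5.1.6:
  version "5.1.6"
  resolved "https://registry.yarnpkg.com/styled-jsx/-/styled-jsx-5.1.6.tgz"
`;

// Returns Map<packageName, Set<resolvedVersion>>. Entry headers are
// unindented, optionally quoted, may list several specifiers separated by
// commas, and end with ":"; the resolved version is the indented `version` line.
function parseYarnLockV1(text) {
  const resolved = new Map();
  let currentNames = null;
  for (const raw of text.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!raw.startsWith(" ")) {
      const header = raw.replace(/:\s*$/, "");
      currentNames = header.split(",").map((spec) => {
        const s = spec.trim().replace(/^"|"$/g, "");
        // Scoped names start with "@", so split on the last "@" only.
        const at = s.lastIndexOf("@");
        return at > 0 ? s.slice(0, at) : s;
      });
      continue;
    }
    const m = raw.match(/^\s+version\s+"([^"]+)"/);
    if (m && currentNames) {
      for (const name of currentNames) {
        if (!resolved.has(name)) resolved.set(name, new Set());
        resolved.get(name).add(m[1]);
      }
    }
  }
  return resolved;
}

// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns a list of problems; an empty list means the bump landed cleanly.
function auditNextBump(lockText, minimumFixed) {
  const resolved = parseYarnLockV1(lockText);
  const problems = [];
  const nextVersions = [...(resolved.get("next") ?? [])];
  if (nextVersions.length === 0) problems.push("next is not in the lockfile");
  for (const v of nextVersions) {
    if (compareSemver(v, minimumFixed) < 0) problems.push(`next@${v} is below ${minimumFixed}`);
  }
  if (nextVersions.length > 1) {
    problems.push(`multiple copies of next resolved: ${nextVersions.join(", ")}`);
  }
  // The SWC native binaries must match next's own version exactly.
  for (const [name, versions] of resolved) {
    if (!name.startsWith("@next/swc-")) continue;
    for (const v of versions) {
      if (!nextVersions.includes(v)) problems.push(`${name}@${v} does not match next ${nextVersions.join("/")}`);
    }
  }
  return problems;
}

module.exports = { LOCKFILE, parseYarnLockV1, compareSemver, auditNextBump };
```

In CI, replace the constructed `LOCKFILE` with `fs.readFileSync("yarn.lock", "utf8")` and fail the job when `auditNextBump` returns a non-empty list; run it after the clean `yarn install` the summary calls for, so the check sees the lockfile that was actually installed.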
@netlify

netlify Bot commented May 11, 2026

Deploy Preview for alloradocs ready!

Name Link
🔨 Latest commit 6f8355a
🔍 Latest deploy log https://app.netlify.com/projects/alloradocs/deploys/6a020a0c17fddc000814678c
😎 Deploy Preview https://deploy-preview-159--alloradocs.netlify.app


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Architecture diagram
sequenceDiagram
    participant Client as Browser Client
    participant SS as Next.js Server<br/>v15.5.18
    participant MW as Request Middleware
    participant RSC as React Server<br/>Components
    participant Image as Image<br/>Optimization API
    participant WS as WebSocket<br/>Upgrade Handler
    participant Cache as Response Cache

    Note over Client,Cache: NEW: Next 15 Security Boundary Enforcement

    Client->>SS: HTTP Request (page/navigation)
    
    alt Segment-prefetch routes detected
        SS->>MW: CHANGED: Validate route (strict matcher)
        alt Invalid/malicious route
            MW-->>SS: Reject (403)
            SS-->>Client: Blocked response
        else Valid route
            MW->>RSC: Continue to Server Component
        end
    else Normal navigation
        SS->>MW: Standard middleware match
        alt Middleware redirect
            MW->>Cache: CHANGED: Bypass cache for redirect
            MW->>SS: Return redirect
            SS-->>Client: 307/308 redirect + no-cache headers
        else Direct render
            MW->>RSC: Proceed
        end
    end

    RSC->>RSC: CHANGED: Strict input validation
    alt Malformed props/data
        RSC-->>SS: Reject (DoS prevention)
        SS-->>Client: 413/400
    else Valid request
        RSC-->>SS: Rendered component
        SS-->>Client: HTML + CSP nonce header
    end

    Note over Client,Image: Image Optimization Path
    
    Client->>SS: HTTP GET /_next/image
    alt image optimization
        opt sharp not installed
            SS->>SS: Use built-in sharp fallback
        end
        SS->>Image: Process image
        Image-->>SS: Optimized image
        SS-->>Client: Response + cache headers
    end

    Note over Client,WS: WebSocket Upgrade Protection
    
    Client->>SS: Upgrade request (ws://)
    SS->>WS: CHANGED: Validate target URL
    alt Absolute URL in upgrade (SSRF attempt)
        WS-->>SS: Reject upgrade
        SS-->>Client: 403 Forbidden
    else Relative/safe URL
        WS-->>SS: Allow upgrade
        SS-->>Client: 101 Switching Protocols
    end

    Note over Client,Cache: Cache Poisoning Prevention
    
    SS->>RSC: CHANGED: Generate cache key
    alt Cache key collision detected
        RSC->>RSC: Add random cache-busting value
        RSC-->>Cache: Store with unique key
    else Standard
        RSC-->>Cache: Store rendered component
    end

@ghost ghost removed the javascript label May 12, 2026
