🚨 [security] Update next 15.2.6 → 15.5.6 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next (15.2.6 → 15.5.6) · Repo

Security Advisories 🚨

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Affected by Cache Key Confusion for Image Optimization API Routes

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn't find anything useful about this release.

↗️ @​emnapi/runtime (indirect, 1.2.0 → 1.7.1) · Repo

Release Notes

1.7.1

What's Changed

• move Node-API version detection by @toyobayashi in #182
• feat: support SharedArrayBuffer in napi_create_dataview by @toyobayashi in #183

Full Changelog: v1.7.0...v1.7.1

1.7.0

What's Changed

• feat: add napi_create_object_with_properties method by @toyobayashi in #181

Full Changelog: v1.6.0...v1.7.0

1.6.0

What's Changed

• feat: added SharedArrayBuffer api by @toyobayashi in #171
• feat: make napi_delete_reference use node_api_basic_env by @toyobayashi in #170
• ci: migrate to npm trusted publishing by @toyobayashi in #168

Full Changelog: v1.5.0...v1.6.0

1.5.0

What's Changed

Prebuilt libraries are built by LLVM clang 20.

• fix: env undefined after emitting beforeExit event by @toyobayashi in #162
• fix(wasi): avoid deadlock caused by child thread abort when the main thread is in Atomics.wait and allow blocking calls on browser main thread (requires wasi-sdk 26+ and --export=emnapi_thread_crashed) by @toyobayashi in #163
• build: backport emscripten parse tools changes to v1 by @toyobayashi in #165

Full Changelog: v1.4.5...v1.5.0

1.4.5

What's Changed

• fix(wasm32-wasip1-threads): process never exit if trap in threads (#156)

Full Changelog: v1.4.4...v1.4.5

1.4.3

What's Changed

• update @emnapi/wasi-threads@1.0.2 in the package.json dependency of @emnapi/core

Full Changelog: v1.4.2...v1.4.3

1.4.2

What's Changed

• fix: check SharedArrayBuffer by @toyobayashi in #144

Full Changelog: v1.4.1...v1.4.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 54 commits:

• 1.7.1
• feat: support SharedArrayBuffer in napi_create_dataview (#183)
• move Node-API version detection (#182)
• 1.7.0
• [Backport] feat: add napi_create_object_with_properties method (#181)
• ci: fix version retrieval
• 1.6.0
• feat: make napi_delete_reference use node_api_basic_env (#170)
• [Backport] feat: added SharedArrayBuffer api (#171)
• ci: migrate to npm trusted publishing (#168)
• fix ci
• fix ci
• 1.5.0
• [Backport] build: backport emscripten parse tools changes to v1 (#165)
• fix: signature mismatch
• [Backport] fix(wasi): avoid deadlock caused by child thread abort when the main thread is in `Atomics.wait` (#163)
• [Backport] fix: env undefined after emitting beforeExit event (#162)
• 1.4.5
• fix(wasm32-wasip1-threads): process never exit if trap in threads (#156)
• 1.4.4
• fix: `worker.onerror` may receive an `Event`
• 1.4.3
• 1.4.2
• fix: check SharedArrayBuffer (#144)
• 1.4.1
• add checks for message channel usage in web runtime (#142)
• 1.4.0
• perf: reduce the overhead of binding function call (#139)
• build: fix spawning `.bat` on Windows
• update learn-wasm.dev link
• add learn-wasm.dev link
• test: fix operator delete overload
• refactor: store external value in separated WeakMap (#134)
• test: build napi version 10
• define version 10 (#133)
• explicitly specify emnapiInit in test
• explicitly specify emnapiInit in documentation
• remove deprecated attribute from napi_module_register (#132)
• allow napi_delete_reference in basic finalizers (#130)
• 1.3.1
• update readme
• add missing source to gyp config
• add missing source to js entry
• add napi_create_buffer_from_arraybuffer (#126)
• fix: `napi_is_buffer(Uint8Array)` should return `true` (#129)
• 1.3.0
• remove uv redefined macros
• update uv source
• add support for UTF-8 and Latin-1 property keys (#127)
• refactor: remove RefBase (#122)
• update libuv source (#121)
• refactor: rename nogc to basic (#125)
• feat: add suppressDestroy to context (#124)
• update dependencies (#123)

↗️ @​next/env (indirect, 15.2.6 → 15.5.6) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn't find anything useful about this release.

↗️ detect-libc (indirect, 2.0.3 → 2.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 15 commits:

• Release v2.1.2
• Ensure Node.js 10 and 12 can use async file-based detection methods (#33)
• Add semi-automated changelog #32
• Release v2.1.1
• Ensure Node.js 10 and 12 can use file-based detection methods (#30)
• Release v2.1.0
• CI: Add non-Linux integration tests for completeness
• Prerelease v2.1.0-rc.0
• CI: Publish tagged commits to npm
• Detect libc using the interpreter value from Node's ELF header
• CI: update integration test expectations
• Release v2.0.4
• TypeScript: Add types field to package.json (#28)
• CI: remove Node.js 22
• CI: Add Node.js 20/22, remove CentOS (EOL)

↗️ semver (indirect, 7.6.3 → 7.7.3) · Repo · Changelog

Release Notes

7.7.3

7.7.3 (2025-10-06)

Bug Fixes

• e37e0ca #813 faster paths for compare (#813) (@H4ad)
• 2471d75 #811 x-range build metadata support (i529015)

Chores

• 8f05c87 #807 bump @npmcli/template-oss from 4.25.0 to 4.25.1 (#807) (@dependabot[bot], @owlstronaut)

7.7.2

7.7.2 (2025-05-12)

Bug Fixes

• fcafb61 #780 add missing 'use strict' directives (#780) (@Fdawgs)
• c99f336 #781 prerelease identifier starting with digits (#781) (@mbtools)

Chores

• c760403 #784 template-oss-apply for workflow permissions (#784) (@wraithgar)
• 2677f2a #778 bump @npmcli/template-oss from 4.23.6 to 4.24.3 (#778) (@dependabot[bot], @npm-cli-bot)

7.7.1

7.7.1 (2025-02-03)

Bug Fixes

• af761c0 #764 inc: fully capture prerelease identifier (#764) (@wraithgar)

7.7.0

7.7.0 (2025-01-29)

Features

• 0864b3c #753 add "release" inc type (#753) (@mbtools)

Bug Fixes

• d588e37 #755 diff: fix prerelease to stable version diff logic (#755) (@eminberkayd, berkay.daglar)
• 8a34bde #754 add identifier validation to inc() (#754) (@mbtools)

Documentation

• 67e5478 #756 readme: added missing period for consistency (#756) (@shaymolcho)
• 868d4bb #749 clarify comment about obsolete prefixes (#749) (@mbtools, @ljharb)

Chores

• 145c554 #741 bump @npmcli/eslint-config from 4.0.5 to 5.0.0 (@dependabot[bot])
• 753e02b #747 bump @npmcli/template-oss from 4.23.3 to 4.23.4 (#747) (@dependabot[bot], @npm-cli-bot)
• 0b812d5 #744 postinstall for dependabot template-oss PR (@hashtagchris)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

• chore: release 7.7.3 (#812)
• fix: faster paths for compare (#813)
• fix: x-range build metadata support
• chore: bump @npmcli/template-oss from 4.25.0 to 4.25.1 (#807)
• chore: bump @npmcli/template-oss from 4.24.4 to 4.25.0 (#797)
• chore: bump @npmcli/template-oss from 4.24.3 to 4.24.4 (#790)
• chore: release 7.7.2 (#783)
• fix: add missing `'use strict'` directives (#780)
• chore: template-oss-apply for workflow permissions (#784)
• fix: prerelease identifier starting with digits (#781)
• chore: bump @npmcli/template-oss from 4.23.6 to 4.24.3 (#778)
• chore: bump @npmcli/template-oss from 4.23.4 to 4.23.6 (#760)
• chore: release 7.7.1 (#765)
• fix(inc): fully capture prerelease identifier (#764)
• chore: release 7.7.0 (#750)
• fix(diff): fix prerelease to stable version diff logic (#755)
• chore: bump @npmcli/template-oss from 4.23.3 to 4.23.4 (#747)
• fix: add identifier validation to `inc()` (#754)
• feat: add "release" inc type (#753)
• docs(readme): added missing period for consistency (#756)
• docs: clarify comment about obsolete prefixes (#749)
• chore: bump @npmcli/eslint-config from 4.0.5 to 5.0.0
• chore: postinstall for dependabot template-oss PR
• chore: bump @npmcli/template-oss from 4.23.1 to 4.23.3
• chore: bump @npmcli/template-oss from 4.22.0 to 4.23.1
• chore: bump @npmcli/template-oss from 4.22.0 to 4.23.1

🆕 @​img/colour (added, 1.0.0)

🆕 @​img/sharp-libvips-linux-ppc64 (added, 1.2.4)

🆕 @​img/sharp-libvips-linux-riscv64 (added, 1.2.4)

🆕 @​img/sharp-linux-ppc64 (added, 0.34.5)

🆕 @​img/sharp-linux-riscv64 (added, 0.34.5)

🆕 @​img/sharp-win32-arm64 (added, 0.34.5)

🆕 @​img/sharp-darwin-arm64 (added, 0.34.5)

🆕 @​img/sharp-darwin-x64 (added, 0.34.5)

🆕 @​img/sharp-libvips-darwin-arm64 (added, 1.2.4)

🆕 @​img/sharp-libvips-darwin-x64 (added, 1.2.4)

🆕 @​img/sharp-libvips-linux-arm (added, 1.2.4)

🆕 @​img/sharp-libvips-linux-arm64 (added, 1.2.4)

🆕 @​img/sharp-libvips-linux-s390x (added, 1.2.4)

🆕 @​img/sharp-libvips-linux-x64 (added, 1.2.4)

🆕 @​img/sharp-libvips-linuxmusl-arm64 (added, 1.2.4)

🆕 @​img/sharp-libvips-linuxmusl-x64 (added, 1.2.4)

🆕 @​img/sharp-linux-arm (added, 0.34.5)

🆕 @​img/sharp-linux-arm64 (added, 0.34.5)

🆕 @​img/sharp-linux-s390x (added, 0.34.5)

🆕 @​img/sharp-linux-x64 (added, 0.34.5)

🆕 @​img/sharp-linuxmusl-arm64 (added, 0.34.5)

🆕 @​img/sharp-linuxmusl-x64 (added, 0.34.5)

🆕 @​img/sharp-wasm32 (added, 0.34.5)

🆕 @​img/sharp-win32-ia32 (added, 0.34.5)

🆕 @​img/sharp-win32-x64 (added, 0.34.5)

🆕 sharp (added, 0.34.5)

🗑️ @​swc/counter (removed)

🗑️ busboy (removed)

🗑️ streamsearch (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[changeset-bot]

⚠️ No Changeset found

Latest commit: d3ce875

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
mindect	Error			Dec 11, 2025 7:02pm