Pull request overview
This PR updates Next.js to address two security vulnerabilities (CVE-2025-55184 and CVE-2025-55183) as announced in the Next.js security update from December 11, 2025. However, there are critical version inconsistencies between the package files that need to be resolved.
Key Issues:
- Version mismatch: package.json specifies 15.5.8 while package-lock.json installs 15.5.9
- Inconsistent version declaration within package-lock.json itself
Expected Changes:
- Update Next.js from version 15.5.7 to 15.5.9 to address security vulnerabilities
- Update @next/env dependency from 15.5.7 to 15.5.9
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates Next.js version constraint, but specifies 15.5.8 instead of the correct 15.5.9 |
| package-lock.json | Updates Next.js and @next/env to 15.5.9 in node_modules, but has inconsistent version declaration in dependencies section (15.5.7) |
| "cnbuilder": "^3.1.0", | ||
| "decanter": "^7.4.0", | ||
| "next": "^15.5.7", | ||
| "next": "^15.5.8", |
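Review bot: The new range on the `"next"` line, `^15.5.8`, sets a floor one patch below the 15.5.9 that the overview lists as the target of this update. Under npm caret semantics `^15.5.8` still accepts 15.5.9, so the lockfile can satisfy it, but the manifest then does not state the patched version as its minimum, and an install that re-resolves without the lockfile is only guaranteed 15.5.8 or later. Suggest `"next": "^15.5.9"` so the declared floor and the locked version agree.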
The version update in package.json specifies Next.js version 15.5.8, but the package-lock.json shows version 15.5.9 is being installed. These should match to ensure the correct version is installed. Based on the PR description referencing the security update from December 11, 2025, version 15.5.9 appears to be the correct version that addresses CVE-2025-55184 and CVE-2025-55183. Please update package.json to specify "next": "^15.5.9" instead of "^15.5.8".
| "next": "^15.5.8", | |
| "next": "^15.5.9", |
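Review bot: Editing only the `"next"` line to `^15.5.9` leaves package-lock.json out of step, since the review table reports it still declares 15.5.7 in its dependencies section. After taking this suggestion, rerun `npm install` so the lockfile is regenerated from the new range, and commit package.json and package-lock.json together.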
READY FOR REVIEW
Summary