This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [next](https://nextjs.org)
([source](https://redirect.github.com/vercel/next.js)) | [`16.0.9` ->
`16.0.10`](https://renovatebot.com/diffs/npm/next/16.0.9/16.0.10) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[GHSA-5j59-xgg2-r9c4](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4)
It was found that the fix
addressing [CVE-2025-55184](https://redirect.github.com/advisories/GHSA-2m3v-v2m8-q956) in
React Server Components was incomplete and did not fully prevent
denial-of-service attacks in all payload types. This affects React
package versions 19.0.2, 19.1.3, and 19.2.2 and frameworks that use the
affected packages, including Next.js 13.x, 14.x, 15.x and 16.x using the
App Router. The issue is tracked upstream as
[CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
A malicious HTTP request can be crafted and sent to any Server Function
endpoint that, when deserialized, can enter an infinite loop within the
React Server Components runtime. This can cause the server process to
hang and consume CPU, resulting in denial of service in unpatched
environments.
---
### Release Notes
<details>
<summary>vercel/next.js (next)</summary>
###
[`v16.0.10`](https://redirect.github.com/vercel/next.js/releases/tag/v16.0.10)
[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v16.0.9...v16.0.10)
Please see the [Next.js Security
Update](https://nextjs.org/blog/security-update-2025-12-11) for
information about this security patch.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6W119-->
Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>
Only merge using a merge commit!