Conversation
Snyk has created this PR to upgrade next from 15.1.3 to 15.5.6. See this package in pnpm: next See this project in Snyk: https://app.snyk.io/org/smsdao/project/23300643-389a-4501-9b0f-67791b6a2022?utm_source=github&utm_medium=referral&page=upgrade-pr
There was a problem hiding this comment.
Pull request overview
This PR upgrades Next.js from version 15.1.3 to 15.5.6, intending to address multiple security vulnerabilities identified by Snyk. However, the upgraded version itself is marked as deprecated with a security vulnerability (CVE-2025-66478), making this PR unsuitable for merging.
- Snyk automated security upgrade to address 7 vulnerabilities (1 critical, 2 high, 2 medium, 2 low)
- Updates Next.js dependency and its associated transitive dependencies
- Critical Issue: The target version 15.5.6 is deprecated and contains a security vulnerability
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates Next.js version from 15.1.3 to 15.5.6 (deprecated version) |
| pnpm-lock.yaml | Updates dependency resolution with deprecation warning for Next.js 15.5.6 and transitive dependencies including sharp upgrade from 0.33.5 to 0.34.5 |
Files not reviewed (1)
- examples/tg-bot-starter/basic-tg-bot/pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "grammy": "^1.33.0", | ||
| "messages": "link:@langchain/core/messages", | ||
| "next": "15.1.3", | ||
| "next": "15.5.6", |
There was a problem hiding this comment.
The upgraded version of Next.js (15.5.6) is marked as deprecated in the lock file with a security vulnerability warning (CVE-2025-66478). This PR should be updating to a newer, patched version instead of 15.5.6. Please upgrade to a version that addresses this vulnerability rather than this deprecated version.
| "next": "15.5.6", | |
| "next": "^15.5.7", |
| next@15.5.6: | ||
| resolution: {integrity: sha512-zTxsnI3LQo3c9HSdSf91O1jMNsEzIXDShXd4wVdg9y5shwLqBXi4ZtUUJyB86KGVSJLZx0PFONvO54aheGX8QQ==} | ||
| engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} | ||
| deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details. |
There was a problem hiding this comment.
Next.js 15.5.6 is marked as deprecated with a security vulnerability (CVE-2025-66478). This indicates that even though this upgrade was intended to fix security issues, it introduces or retains a different vulnerability. The package should be upgraded to a version newer than 15.5.6 that has been patched for this CVE.
Snyk has created this PR to upgrade next from 15.1.3 to 15.5.6.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 418 versions ahead of your current version.
The recommended version was released 2 months ago.
Issues fixed by the recommended upgrade:
SNYK-JS-NEXT-10598339
SNYK-JS-NEXT-12299318
SNYK-JS-NEXT-10176058
SNYK-JS-NEXT-12301496
SNYK-JS-NEXT-10259370
SNYK-JS-NEXT-12265451
SNYK-JS-NEXT-9508709
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: