Skip to content

fix(deps): update dependency next to v15.1.6 [security] #1488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: sepolia
Choose a base branch
from
Open

fix(deps): update dependency next to v15.1.6 [security] #1488

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 22, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 15.1.4 -> 15.1.6 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

CVE-2025-32421

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

Release Notes

vercel/next.js (next)

v15.1.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: don't memory-leak promises passed to waitUntil (#​75041)
  • backport: fix prerender issue with intercepting routes + generateStaticParams (#​75170)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing revalidate with notFound() (#​75009)
  • fix: when metadatabase is set we should not warn (#​74840)
  • Fix @​vercel/og license SPDX expression (#​74745)
  • fix: ts language server rule metadata should allow null (#​74704)
  • fix: eslint rule of using img in metadata routes (#​74864)
  • Fix presentation when onerror receives an event without error (#​74643)
  • fix fetch lock not being consistently released #​74623 (#​75028)
Credits

Huge thanks to @​ijjk, @​huozhi, @​matmannion and @​ztanner for helping!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel Vercel
Copy link

vercel bot commented Mar 22, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
frontends ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 17, 2025 8:17pm

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from da585f7 to bc10e82 Compare March 25, 2025 01:14
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from bc10e82 to 1db459c Compare March 25, 2025 04:22
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 1db459c to f74f692 Compare March 25, 2025 11:22
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f74f692 to ae564cd Compare March 27, 2025 02:50
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from ae564cd to 7319ec7 Compare April 2, 2025 01:55
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 7319ec7 to 233f9c9 Compare April 2, 2025 04:11
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 233f9c9 to efbb6c6 Compare April 7, 2025 11:33
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from efbb6c6 to ddae02b Compare April 9, 2025 00:53
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from ddae02b to 26cabf7 Compare April 10, 2025 01:59
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 26cabf7 to fe27dab Compare April 11, 2025 04:56
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from fe27dab to 826914b Compare April 16, 2025 05:21
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 826914b to 43b37bb Compare April 16, 2025 10:03
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 43b37bb to 5c06917 Compare April 16, 2025 10:56
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 5c06917 to b2e36fd Compare April 21, 2025 11:00
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from b2e36fd to 82c374c Compare April 21, 2025 11:17
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 82c374c to 9b2ce73 Compare April 29, 2025 05:39
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 9b2ce73 to 6f0b49e Compare May 1, 2025 15:53
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6f0b49e to c1fae93 Compare May 7, 2025 08:17
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from c1fae93 to 4db0d37 Compare May 7, 2025 08:42
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 4db0d37 to ba47b61 Compare May 8, 2025 06:53
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from ba47b61 to aeb8f9b Compare May 14, 2025 03:12
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from aeb8f9b to 3ed8150 Compare May 14, 2025 04:10
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 3ed8150 to fd3136f Compare May 17, 2025 20:12
@renovate renovate bot changed the title fix(deps): update dependency next to v15.2.3 [security] fix(deps): update dependency next to v15.1.6 [security] May 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants