chore(deps): update dependency next to v15.4.7 [security] #194

renovate · 2025-11-19T05:28:02Z

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	`15.1.5` -> `15.4.7`

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3
For Next.js 14.x, this issue is fixed in 14.2.25
For Next.js 13.x, this issue is fixed in 13.5.9
For Next.js 12.x, this issue is fixed in 12.3.5
For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)
Allam Yasser (inzo_)

CVE-2025-32421

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-49826

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

Allam Rachid zhero;
Allam Yasser (inzo)

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

Release Notes

vercel/next.js (next)

`v15.4.7`

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix router handling when setting a location response header #82588

Credits

Huge thanks to @ztanner for helping!

`v15.4.6`

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#82347)
fix: add ?dpl to fonts in /_next/static/media (#82384)

Credits

Huge thanks to @devjiwonchoi, @ijjk, and @styfle for helping!

`v15.4.5`

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

Fix API stripping JSON incorrectly (#82062)
Fix i18n fallback: false collision (#82158)
Revert "Fix tracing of server actions imported by client components (#82167)
Ensure setAssetPrefix updates config instance (#82165)
Turbopack: update mimalloc (#82166)
fix(next/image): fix image-optimizer.ts headers (#82175)
fix(next/image): improve and simplify detect-content-type (#82174)

Credits

Huge thanks to @ijjk, @sokra, and @styfle for helping!

`v15.4.4`

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

Fix dynamicParams false layout case in dev (#82026)
Turbopack: fix scope hoisting variable renaming bug (#81640)
Upgrade to swc v33 (#81750)
Revert "[metadata] use https protocol for schema urls" (#81934)

Credits

Huge thanks to @bgw @mischnic @huozhi @lukesandberg and @ijjk for helping!

`v15.4.3`

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

Turbopack: fix dist dir on Windows (#81758)

Credits

Huge thanks to @mischnic for helping!

`v15.4.2`

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

pages router metadata bugs with React 19 (#81733)
[metadata] replace for initial body icon case (#81688)
Ensure custom NextServer config is honored (#81681)

Credits

Huge thanks to @huozhi, @ijjk, and @ztanner for helping!

`v15.4.1`

Compare Source

[!TIP]
Check out our Next v15.4 Blog Post to learn more about this release.

Core Changes

[next-server] fix params duplicate in query after rewrite: #77939
[next-server] preserve rsc query for rsc redirects: #77963
Turbopack: fix a bug where marking a task a completed causes a panic when reading the output: #77922
Turbopack warning spelling fix: #77999
Allow URL schemes that include +, - or .: #77932
[dev-overlay] Remove unused hydration error related code: #77929
[dev-overlay] Unify error deduplication logic: #78017
fix: use the match result after matching using the matched path header: #77994
Upgrade React from 3fbfb9ba-20250409 to c44e4a25-20250409: #78031
Move unhandled rejection handling to shared path: #77997
fix: ensure app router not found works when deployed with pages i18n config: #77905
Uninstall existing uncaughtException listeners to prevent the process from crashing: #78042
Experimental bfcache: Restore state w/ : #77992
Add graceful error fallback for bots requests: #77916
Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #78067
[next-server] remove unnecessary query shallow copy: #78003
[dev-overlay] disable copy button when clipboard is not available: #78101
[dev-overlay] Stop stashing React error details on error instances: #77975
[dynamicIO] Model invalid dynamic on empty shells: #77270
fix: bump image-size@1.2.1: #78149
Handle graceful fallback for custom error boundaries: #78121
[dev-overlay] Stop squashing hydration related errors in App Router: #78140
[test] Enable strictNullChecks in test utils: #78142
Document Turbopack trace viewer: #78184
[dev-overlay] Fix error dialog resizing logic: #78144
Include types in published eslint-plugin-next: #78109
[dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #77302
[dev-overlay] Add dedicated label for recoverable errors: #78186
[chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #78230
Preserve slashes when custom URL schemes are used in redirects: #78176
ignore-list published sources if they have a sourcemap: #78242
Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #78152
Turbopack: add test case for persistent caching: #77030
Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #78253
fix: alternate bundler support for dropping client pages in AMP: #77601
[errors] refactor default global-error into a separate file: #78182
[metadata] render streaming metadata on the top level: #77620
[metadata] skip head cache in default slot: #78206
chore: Backport SWC-based RC optimization (#78260)
fix: bump image-size@1.2.1 (#78164)
@next/mdx: Use stable turbopack config options: #78261
Upgrade React from b04254fd-20250415 to 4a36d3ea-20250416: #78297
Add graceful error boundary for bots requests: #78298
make sure eslint-plugin-next is built when running 'pnpm dev': #78305
Migrate pages API routes to handler interface: #78166
Update middleware public/static matching: #78325
Fix dynamic route param encoding: #78326
[Turbopack] refactor persistent caching from log based to cow approach: #76234
Add onInvalidate option to router.prefetch: #77880
Reserve bandwidth for most recently hovered link : #78362
fix: handle incremental PPR with client segment cache: #78387
fix: amphtml-validator WASM errors (for real): #78379
Turbopack: Remove next start --turbopack: #78384
Upgrade React from 4a36d3ea-20250416 to bc6184dd-20250417: #78322
[chore] remove dead code missing required error: #78403
[ts-next-plugin] remove typescript vfs and related metadata plugin: #78237
[ts-next-plugin] auto import metadata type: #78258
[ts-next-plugin] warn to add correct type for metadata exports: #78254
[ts-next-plugin] fix: validate metadata node before checking type: #78414
[errors] fix edge server initial error is not sent via hmr: #78415
misc: use correct capitals for React terms: #78445
Skip empty prefetch request for dynamic routes: #78436
Turbopack: don’t warn about webpack being configured when experimental.turbo is set: #77998
Upgrade React from bc6184dd-20250417 to 914319ae-20250423: #78468
Update turbopack to syn2: #78385
[next-server] ensure prepare is done before preloading entry: #78454
Upgrade React from 914319ae-20250423 to 197d6a04-20250424: #78516
[dev-overlay] Move error.name to label: #78198
[ts-next-plugin] update log for utils: #78538
[ppr] Route Cardinality Updates: #78476
Turbopack: support ignore comments for NFT fs access tracing: #78460
Externalize manifest loading in pages-api: #78358
Update font data: #78525
refactor: skip the prospective render when there's a more specific route to be rendered: #78555
fix: bodySizeLimit error responses + limit for non-multipart actions: #77746
[dynamicIO] Do not skip dynamic validation when metadata is dynamic: #78574
[dynamicIO] log dynamic validation errors consistently in dev: #78575
[ts-next-plugin] clean up unused proxy: #78539
[dynamicIO] Disallow only dynamic metadata: #78576
fix: make webpack handle "use cache" in node_modules : #78606
Use React's prerender function for "use cache" with Dynamic IO: #78382
Use node: prefixed in ESM emit of standalone server.js: #78624
feat: add ravendb library to server-external-packages.json: #78319
docs: fix typo in ppr.ts: #78590
Pre-compile busboy dependency: #78634
Pages API handler interface follow-ups: #78638
Repeat fix in #78387 for routes without params: #78568
[dev-tools] Fix width transition logic: #78635
[ts-next-plugin] fix: warn only if no type: #78628
[ts-next-plugin] fix: warn only if no type for separate export: #78629
chore: Drop @swc/counter: #78674
Turbopack: use small thread local collector that flushes to global collector: #78343
Upgrade React from 197d6a04-20250424 to 5dc00d6b-20250428: #78640
Fix bad decoding for x-matched-path header: #78677
Fix pages API rewrite case: #78644
chore: update rspack to 1.3.8: #78485
Always apply render preparations after running an action: #77898
Exclude config package from bundling: #78671
Upgrade builtin babel packages: #78673
Upgrade loader-utils v2 to latest patch: #78707
[Link] Add prefetch="auto" option: #78689
[build-sourcemaps] Ensure errors during prerender can be sourcemapped: #78709
Upgrade React from 5dc00d6b-20250428 to 408d055a-20250430: #78715
build: Fix minifier options for webpack builds: #78717
refactor(next-swc): Do not amend minifier options from Rust code: #78719
Change stylistic ESLint TypeScript defaults: #78679
fix: replace original request body after middleware execution: #77662
remove draft.isEnabled setter from exotic draftMode wrappers: #77972
Turbopack: limit compaction merging by size instead of count: #78669
[build-sourcemaps] Include codeframes in prod when sourcemaps are enabled: #78710
feat: build lifecycle hooks - afterProductionCompile: #77345
fix: make sure that the patched fetch cache set promise is properly awaited: #75971
[dev-overlay] Make badge draggable: #78716
Turbopack: fix ESM project in standalone mode: #78774
Revert "[Link] Add prefetch="auto" option": #78820
Downgrade React from 408d055a-20250430 to 197d6a04-20250424: #78834
Reland "[Link] Add prefetch="auto" option": #78821
build: Update @swc/core npm package to v1.11.24: #77668
Turbopack: Implement regex support for matching webpack loaders: #78733
Turbopack: Add support for extension regex in @next/mdx: #78734
backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#78488) (#78883)
@next/mdx: Use stable turbopack config options (#78880)
Fix react-compiler: Fix detection of interest (#78879)
Fix turbopack: Backport sourcemap bugfix (#78881)
[next-server] preserve rsc query for rsc redirects (#78876)
Update middleware public/static matching (#78875)
[dev-overlay] Polish mobile view: #78863
[dev-overlay] Consider scrollbar width for drag positioning: #78865
Add handling for setting deployment id via cookie: #78841
Run export child process with runtime's default max-old-space-size: #78712
[dynamicIO] cache tracking for import(): #74152
[dev-overlay] solidate the line number parsing: #78868
Update send to v0.18.0: #78816
Scope runInCleanSnapshot to Work Store: #78930
Removes onNavigate from transition scope: #78605
Add nonce handling from CSP in pages router: #78936
Ensure manual nonce on Script works as expected: #78939
Treat _debugInfo as a wellknown property for sync request data access purposes: #78942
chore(CI): Run rspack tests in build_and_test.yml: #78757
bugfix: Fix a bug that caused conflicting assets when adding a child compiler: #78011
[Fix] Inverse prefetch segment for Pages routes: #78932
Fix tracing of server actions imported by client components: #78968
Revert "fix: alternate bundler support for dropping client page": #78974
Fix --no-mangling for "use cache" functions: #78993
chore: update rspack to 1.3.9: #78984
[not-found] Add global-not-found convention: #78783
[not-found] support metadata exports of global-not-found: #78961
Prevent "use cache" timeout errors from being caught in userland code: #78998
patch react via recast instead of string replacements: #78916
[link] Avoid inlining of LinkProps in emitted declarations: #78773
[next-config-ts] fix: read tsconfig file using TypeScript API: #79055
Replace node:url usage in server-utils: #79094
[build-sourcemaps] Remove unused static workers: #79107
fix: cli test failed when using rspack: #79081
[build-sourcemaps] Allow inspecting prerender worker: #79098
Add initial modifyConfig hook: #79162
Re-land updated bundler for pre-bundling: #79164
[dynamicIO] model pathname access in metadata as async : #79136
Update font data: #79179
bugfix (pages): assetPrefix should not cause hard nav in development: #79176
Reland "Ensure mangling is disabled for dev runtime builds (#75297)": #79201
docs: add graceful error boundary example: #77781
turbo-tasks: Encode location information into panics: #78945
feat(turbopack): Add basic compilation event support: #78785
chore(dev-overlay): Minor cleanups to useDelayedRender hook: #79119
Update font data: #79227
Rename define-env-plugin.ts to define-env.ts: #79224
Always pass implicit/soft tags into the CacheHandler.get method: #79213
fix(dev-overlay): Ignore right clicks on the indicator draggable: #79120
Fix dangling promise in unstable-cache: #79248
Revert "Partial Fallback Prerendering Route Shells (#69282)": #79258
[devtool] initial support for segment explorer: #78858
Client router should discard stale prefetch entries for static pages: #79309
[dynamicIO] fix: do not apply import tracking transform in edge: #79284
Turbopack build: Fix type: module with output: standalone: #79292
[TypeScript Plugin] Moved the diagnostics' positions to the prop's type instead of the value for client-boundary warnings: #79193
Use onPostpone to determine if segment prefetch is partial: #79299
Enable ppr when dynamicIO is enabled: #79302
fix: replaceIdentifiersInAst takes an expression, not a string: #79196
Remove DIO w/o PPR branch from app-render.tsx: #79303
Remove prospective fallback prerenders: #79304
Fixed rewrite param parsing for interception routes in Vercel deployments: #79204
[build-sourcemaps] Sourcemap errors during prerender if experimental.enablePrerenderSourceMaps is enabled: #79109
[release] use @changesets/changelog-github for changelog format: #79040
next.config.ts: Implement compiler.defineServer for server-only constants: #79225
Always show warning if fetch cache limit hit: #79384
feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #79256
[release] use @changesets/changelog-github for changelog format: #79040
next.config.ts: Implement compiler.defineServer for server-only constants: #79225
Always show warning if fetch cache limit hit: #79384
feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #79256
Only share incremental cache for edge in next start (#79389)
[TypeScript Plugin] Match method signature (someFunc(): void) type for client boundary warnings: #79144
Only share incremental cache for edge in next start: #79386
fix: rspack framework and lib cacheGroups: #79172
Make sure bundle analyzer does not trigger warning with turbopack: #79399
[dynamicIO] Avoid timeout errors with dynamic params in "use cache": #78882
Implement initial handler interface for pages routes: #79260
[Segment Cache] Fix: Ensure server references can be prerendered: #79448
[dynamicIO] Avoid timeout errors with dynamic params in "use cache": #78882
Implement initial handler interface for pages routes: #79260
[Segment Cache] Fix: Ensure server references can be prerendered: #79448
[Segment Cache] Fix: Skew during dynamic prefetch: #79416
[dynamicIO] reimplement dynamicIO validation on prerender: #79414
fix: remove redundant performance.measure usage: #79475
[devtools] Add a very minimal API for restarting the dev server: #79265
Model prerender store as separate server and client scopes: #79429
fix: Merge link header from middleware with the ones from React (#73431)
fix(edge): run after() if request is cancelled mid-streaming (#76013)
gate segmentCache branch in base-server (#79505)
Model prerender store as separate server and client scopes: #79429
Use metadata for cache entry status code: #79512
fix(dev-overlay): Better handle edge-case file paths in launchEditor: #79526
[build-sourcemaps] Increase stacktrace limit during prerender: #79498
fix: Rspack not skip .d.ts file: #79285
Revert "[next-server] skip setting vary header for basic routes": #79426
[ppr] Narrow condition for fallback shell generation at runtime: #79565
Turbopack: derive de/serialize for loader config: #79581
Update font data: #79642
Avoid bundling dev overlay in page template: #79641
Enable preview builds for forks: #79648
misc: remove leftover clientInstrumentationHook type: #79701
cleanup(turbopack): Embed Global vs Specific channel type in the Rust type system: #79291
[dev-overlay] Show error overlay on any thrown value in /app: #79658
[dev-overlay] Move error handlers into dispatcher in /app: #79660
Verify cache-busting param during segment prefetch: #79563
update(turbopack): Update the messaging UX for timing writing files to disk: #79469
[dev-overlay] Move Redbox open/close into dispatcher: #79698
chore: update rspack to 1.3.12: #79428
Enable repeated tsc runs in packages/next without having to build first: #79782
Run tsc in watch mode during pnpm dev: #79785
Reinstate vary (#79939)
fix(next-swc): Fix interestingness detection for React Compiler (#79558)
fix(next-swc): Fix react compiler usefulness detector (#79480)
fix(dev-overlay): Better handle edge-case file paths in launchEditor (#79526)
Client router should discard stale prefetch entries for static pages (#79362)
fix: preload fonts in template.js: #79417
feat: using eval source map plugin for Rspack: #79199
feat: using builtin CssChunkingPlugin for rspack: #79762
fix(napi): Update generated types, add alias for RcStr: #79915
[dev-overlay] Fix highlighted line cut off on scroll: #79930
fix(next/font): allow custom font-family in declarations: #76274
Remove subissues from Issue: #79988
[devtools] Add a query parameter to restart endpoint to invalidate the persistent cache: #79425
Implement handler interface for app-page: #79568
Migrate app route to handler interface: #80008
Turbopack Build: Fix underscore path tests: #79778
Fix watchmode for taskr tasks: #80020
Update font data: #80036
Fix defunct ESLint overrides: #80053
[devtools] Add an endpoint to poll for server status: #80005
[dynamicIO] Only report client sync IO errors if they are above a Suspense boundary: #80026
[dev-overlay] Parse stacks in reducer not during dispatch: #79788
Remove obsolete @ts-expect-error: #80065
[dev-tools] Navigation header replaces close button: #80097
[dev-overlay] Inject get*Stack implementation: #79789
[dev-overlay] Fix dark‐mode styling for <option> in Preferences dropdowns: #80025
Use relative sources in require() instead of next/dist/ if possible: #80054
[dev-overlay] Inject isRecoverableError implementation: #80003
[devtool] fix explorer flag consuming and style: #80110
[dev-tools] add restart dev server button to error overlay: #80060
[dev-tools] add restart dev server button on dev-tools indicator preferences: #80072
[chore] remove legacy useEarlyImport flag: #80112
[testmode] Fix types of wrapRequestHandler: #80055
Extend bot list with googleweblight, Storebot-Google, Google-Inspecti…: #77728
[dev-overlay] Inject getSquashedHydrationErrorDetails implementation: #80046
[dev-tools] better description for restart server button: #80118
[dev-tools] style: preferences section title: #80120
[metadata] refactor to remove async metadata: #78495
[dynamicIO] Document client component remediations for sync IO: #79787
[dynamicIO] prioritize preprocessing RSC rows when prerendering: #80125
[dev-overlay] Remove unused onError in /pages: #79982
Remove unused vendored server-inserted-metadata module: #80143
Webpack Build: Use name-contenthash instead of name-chunkhash for dynamic imports: #80153
[dev-overlay] Remove unnecessary code from /pages dev error boundary: #79983
Turbopack Build: Implement helpful error for missing sass package: #80155
[global-not-found] fix shared css imports not being picked: #80151
Add experimental flag for RSC request validation: #80157
[dev-overlay] Remove indirection in app dev error boundary : #79984
Docs: preload entries impact on memory consumption: #80098
[dev-overlay] Move building indicator into Dev Overlay state: #79985
[metadata] only render one metadata outlet: #80146
Add a regions property to the Functions Config Manifest file: #80104
[metadata] fix nonce prop for hoist script: #80174
docs: fix grammar in Code of Conduct section ('them' → 'it') : #80181
[error-overlay] remove footer message: #80169
Turbopack: Log persistent cache store time: #80149
fix(turbopack): Next.js package not found panics in Turbopack: #79572
[turbopack] Compute Import Traces for Issues: #79351
Typecheck require() calls: #80056
Revert "[turbopack] Compute Import Traces for Issues": #80215
remove unique metadata prop from initial RSC payload #79388
Replay redirect if RSC parameter is missing: #80180
[devtool] style the segment explorer as nested view: #80212
Prerender with streaming metadata during revalidation: #80245
fix: invalid middleware configs should fail the build: #80221
[dev-overlay] Render /app Dev Overlay with a separate React instance: #79699
[devtool] display segment explorer as tree view: #80261
[dev-overlay] Use same bundle for Pages and App Router: #80019
Revert "Revert "[turbopack] Compute Import Traces for Issues"": #80220
[dev-overlay] Publish as production bundle: #80295
[metadata] only serve block streaming metadata for html bots: #80272
Update font data: #80301
Update font data: #80340
[dev-overlay] fix duplicate re-render of errors: #80322
[build-sourcemaps] Only compute codeframe once: #80326
[test] Fix Dev Overlay Storybook: #80288
[test] Fix crashes in Dev Overlay Stories: #80292
[metadata] use https protocol for schema urls: #80356
[dev-overlay] Remove positive tab-index: #80289
[devtools] Implement default /.well-known/appspecific/com.chrome.devtools.json endpoint in dev: #80260
[dev-overlay] Fix outstanding a11y issues reported by Axe: #80290
provide declarations for server-only/client-only: #80361
[test] Stop opening browser by default in local Dev Overlay Storybook: #80291
[dev-overlay] Move hot reloader client code out of react-dev-overlay: #80278
[dev-overlay] Remove unused code: #80279
[dev-overlay] Move app/pages related features closers together: #80280
Discard Infinity expiration for implicit tags: #80387
fix(next-swc-wasm): Only enable turbo-rcstr's napi feature when building the next-swc-napi crate/package: #80390
Add response handling inside handlers: #80189
feat(turbopack): Add simple tree shaker: #78286
Fix a couple typos: #80080
[dev-overlay] Move code into new top-level folder in src/next-devtools: #80281
Ensure we normalize .rsc/.prefetch.rsc: #80409
Turbopack Build: Fix /index/index handling: #80413
[segment-explorer] optimize tree view: #80392
Upgrade @playwright/test and cleanup internal APIs: #80334
Backport config.allowedDevOrigins (#80410) (Learn More)
[segment-explorer] Signal updates to React: #80316
[segment explorer] fix soft navigation case: #80443
Update the warning text for when multiple lockfiles are found: #80214
feat: in Rspack using native fn implemented by us using SWC to replace load module: #80342
chore: fix link to good first issue: #80478
Disable fetch cache size limit for implicit caching during build: #80480
[dynamicIO] Split up static generation into two phases: #79629
fix(turbopack): Fix config caching for turbopack + React Compiler: #80498
[dynamicIO] Use filled Resume Data Cache for final-phase prerenders: #79743
fix: Rspack dev gets stuck after removing a page: #80555
Ensure custom relative distDir resolves properly: #80569
fix: mark file system incremental cache as external so it's memory is shared: #80586
[fix] clone the config module to avoid mutation: #80573
Improve Incremental Cache Locking Algorithm: #80497
[devtools] add feature flag for new panel ui: #80251
[devtools] fork devtools-indicator: #80456
[devtools] fork next-logo: #80457
guarantee cache busting param correctness: #80381
Normalize filepaths when parsing patterns from js values: #80511
[metadata] render streaming metadata on the top level (#80566)
[fix] clone the config module to avoid mutation (#80573)
feat: rspack use swc to warn for edge runtime: #80485
A

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

bolt-new-by-stackblitz · 2025-11-19T05:28:05Z

Run & review this pull request in StackBlitz Codeflow.

chore(deps): update dependency next to v15.4.7 [security]

e80f1a3

pull-request-size bot added the size/XS label Nov 19, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency next to v15.4.7 [security] #194

chore(deps): update dependency next to v15.4.7 [security] #194

renovate bot commented Nov 19, 2025

Uh oh!

bolt-new-by-stackblitz bot commented Nov 19, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

chore(deps): update dependency next to v15.4.7 [security] #194

Are you sure you want to change the base?

chore(deps): update dependency next to v15.4.7 [security] #194

Conversation

renovate bot commented Nov 19, 2025

GitHub Vulnerability Alerts

Impact

Patches

Workaround

Credits

Summary

Credit

Summary

Credits

Release Notes

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Configuration

Uh oh!

bolt-new-by-stackblitz bot commented Nov 19, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants