[Snyk] Upgrade next from 13.1.6 to 15.4.1

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade next from 13.1.6 to 15.4.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 1472 versions ahead of your current version.

• The recommended version was released 21 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	140	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	140	No Known Exploit
	Uncontrolled Recursion SNYK-JS-NEXT-8186172	140	No Known Exploit
	Missing Authorization SNYK-JS-NEXT-8520073	140	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	140	Proof of Concept
	Improper Input Validation SNYK-JS-NANOID-8492085	140	No Known Exploit
	Race Condition SNYK-JS-NEXT-10176058	140	Proof of Concept
	Resource Exhaustion SNYK-JS-NEXT-6032387	140	Proof of Concept
	Allocation of Resources Without Limits or Throttling SNYK-JS-NEXT-8602067	140	No Known Exploit
	Improper Input Validation SNYK-JS-POSTCSS-5926692	140	No Known Exploit
	Improper Input Validation SNYK-JS-POSTCSS-5926692	140	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	140	Proof of Concept
	Missing Origin Validation in WebSockets SNYK-JS-NEXT-10259370	140	No Known Exploit
	Improper Authorization SNYK-JS-NEXT-9508709	140	Mature

Release notes

Package name: next

• 15.4.1 - 2025-07-14
  

  Tip

  Check out our Next v15.4 Blog Post to learn more about this release.

  Core Changes

  • [next-server] fix params duplicate in query after rewrite: #77939
  • [next-server] preserve rsc query for rsc redirects: #77963
  • Turbopack: fix a bug where marking a task a completed causes a panic when reading the output: #77922
  • Turbopack warning spelling fix: #77999
  • Allow URL schemes that include +, - or .: #77932
  • [dev-overlay] Remove unused hydration error related code: #77929
  • [dev-overlay] Unify error deduplication logic: #78017
  • fix: use the match result after matching using the matched path header: #77994
  • Upgrade React from 3fbfb9ba-20250409 to c44e4a25-20250409: #78031
  • Move unhandled rejection handling to shared path: #77997
  • fix: ensure app router not found works when deployed with pages i18n config: #77905
  • Uninstall existing uncaughtException listeners to prevent the process from crashing: #78042
  • Experimental bfcache: Restore state w/ : #77992
  • Add graceful error fallback for bots requests: #77916
  • Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #78067
  • [next-server] remove unnecessary query shallow copy: #78003
  • [dev-overlay] disable copy button when clipboard is not available: #78101
  • [dev-overlay] Stop stashing React error details on error instances: #77975
  • [dynamicIO] Model invalid dynamic on empty shells: #77270
  • fix: bump [email protected]: #78149
  • Handle graceful fallback for custom error boundaries: #78121
  • [dev-overlay] Stop squashing hydration related errors in App Router: #78140
  • [test] Enable strictNullChecks in test utils: #78142
  • Document Turbopack trace viewer: #78184
  • [dev-overlay] Fix error dialog resizing logic: #78144
  • Include types in published eslint-plugin-next: #78109
  • [dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #77302
  • [dev-overlay] Add dedicated label for recoverable errors: #78186
  • [chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #78230
  • Preserve slashes when custom URL schemes are used in redirects: #78176
  • ignore-list published sources if they have a sourcemap: #78242
  • Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #78152
  • Turbopack: add test case for persistent caching: #77030
  • Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #78253
  • fix: alternate bundler support for dropping client pages in AMP: #77601
  • [errors] refactor default global-error into a separate file: #78182
  • [metadata] render streaming metadata on the top level: #77620
  • [metadata] skip head cache in default slot: #78206
  • chore: Backport SWC-based RC optimization (#78260)
  • fix: bump [email protected] (#78164)
  • @ next/mdx: Use stable turbopack config options: #78261
  • Upgrade React from b04254fd-20250415 to 4a36d3ea-20250416: #78297
  • Add graceful error boundary for bots requests: #78298
  • make sure eslint-plugin-next is built when running 'pnpm dev': #78305
  • Migrate pages API routes to handler interface: #78166
  • Update middleware public/static matching: #78325
  • Fix dynamic route param encoding: #78326
  • [Turbopack] refactor persistent caching from log based to cow approach: #76234
  • Add onInvalidate option to router.prefetch: #77880
  • Reserve bandwidth for most recently hovered link : #78362
  • fix: handle incremental PPR with client segment cache: #78387
  • fix: amphtml-validator WASM errors (for real): #78379
  • Turbopack: Remove next start --turbopack: #78384
  • Upgrade React from 4a36d3ea-20250416 to bc6184dd-20250417: #78322
  • [chore] remove dead code missing required error: #78403
  • [ts-next-plugin] remove typescript vfs and related metadata plugin: #78237
  • [ts-next-plugin] auto import metadata type: #78258
  • [ts-next-plugin] warn to add correct type for metadata exports: #78254
  • [ts-next-plugin] fix: validate metadata node before checking type: #78414
  • [errors] fix edge server initial error is not sent via hmr: #78415
  • misc: use correct capitals for React terms: #78445
  • Skip empty prefetch request for dynamic routes: #78436
  • Turbopack: don’t warn about webpack being configured when experimental.turbo is set: #77998
  • Upgrade React from bc6184dd-20250417 to 914319ae-20250423: #78468
  • Update turbopack to syn2: #78385
  • [next-server] ensure prepare is done before preloading entry: #78454
  • Upgrade React from 914319ae-20250423 to 197d6a04-20250424: #78516
  • [dev-overlay] Move error.name to label: #78198
  • [ts-next-plugin] update log for utils: #78538
  • [ppr] Route Cardinality Updates: #78476
  • Turbopack: support ignore comments for NFT fs access tracing: #78460
  • Externalize manifest loading in pages-api: #78358
  • Update font data: #78525
  • refactor: skip the prospective render when there's a more specific route to be rendered: #78555
  • fix: bodySizeLimit error responses + limit for non-multipart actions: #77746
  • [dynamicIO] Do not skip dynamic validation when metadata is dynamic: #78574
  • [dynamicIO] log dynamic validation errors consistently in dev: #78575
  • [ts-next-plugin] clean up unused proxy: #78539
  • [dynamicIO] Disallow only dynamic metadata: #78576
  • fix: make webpack handle "use cache" in node_modules : #78606
  • Use React's prerender function for "use cache" with Dynamic IO: #78382
  • Use node: prefixed in ESM emit of standalone server.js: #78624
  • feat: add ravendb library to server-external-packages.json: #78319
  • docs: fix typo in ppr.ts: #78590
  • Pre-compile busboy dependency: #78634
  • Pages API handler interface follow-ups: #78638
  • Repeat fix in #78387 for routes without params: #78568
  • [dev-tools] Fix width transition logic: #78635
  • [ts-next-plugin] fix: warn only if no type: #78628
  • [ts-next-plugin] fix: warn only if no type for separate export: #78629
  • chore: Drop @ swc/counter: #78674
  • Turbopack: use small thread local collector that flushes to global collector: #78343
  • Upgrade React from 197d6a04-20250424 to 5dc00d6b-20250428: #78640
  • Fix bad decoding for x-matched-path header: #78677
  • Fix pages API rewrite case: #78644
  • chore: update rspack to 1.3.8: #78485
  • Always apply render preparations after running an action: #77898
  • Exclude config package from bundling: #78671
  • Upgrade builtin babel packages: #78673
  • Upgrade loader-utils v2 to latest patch: #78707
  • [Link] Add prefetch="auto" option: #78689
  • [build-sourcemaps] Ensure errors during prerender can be sourcemapped: #78709
  • Upgrade React from 5dc00d6b-20250428 to 408d055a-20250430: #78715
  • build: Fix minifier options for webpack builds: #78717
  • refactor(next-swc): Do not amend minifier options from Rust code: #78719
  • Change stylistic ESLint TypeScript defaults: #78679
  • fix: replace original request body after middleware execution: #77662
  • remove draft.isEnabled setter from exotic draftMode wrappers: #77972
  • Turbopack: limit compaction merging by size instead of count: #78669
  • [build-sourcemaps] Include codeframes in prod when sourcemaps are enabled: #78710
  • feat: build lifecycle hooks - afterProductionCompile: #77345
  • fix: make sure that the patched fetch cache set promise is properly awaited: #75971
  • [dev-overlay] Make badge draggable: #78716
  • Turbopack: fix ESM project in standalone mode: #78774
  • Revert "[Link] Add prefetch="auto" option": #78820
  • Downgrade React from 408d055a-20250430 to 197d6a04-20250424: #78834
  • Reland "[Link] Add prefetch="auto" option": #78821
  • build: Update @ swc/core npm package to v1.11.24: #77668
  • Turbopack: Implement regex support for matching webpack loaders: #78733
  • Turbopack: Add support for extension regex in @ next/mdx: #78734
  • backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#78488) (#78883)
  • @ next/mdx: Use stable turbopack config options (#78880)
  • Fix react-compiler: Fix detection of interest (#78879)
  • Fix turbopack: Backport sourcemap bugfix (#78881)
  • [next-server] preserve rsc query for rsc redirects (#78876)
  • Update middleware public/static matching (#78875)
  • [dev-overlay] Polish mobile view: #78863
  • [dev-overlay] Consider scrollbar width for drag positioning: #78865
  • Add handling for setting deployment id via cookie: #78841
  • Run export child process with runtime's default max-old-space-size: #78712
  • [dynamicIO] cache tracking for import(): #74152
  • [dev-overlay] solidate the line number parsing: #78868
  • Update send to v0.18.0: #78816
  • Scope runInCleanSnapshot to Work Store: #78930
  • Removes onNavigate from transition scope: #78605
  • Add nonce handling from CSP in pages router: #78936
  • Ensure manual nonce on Script works as expected: #78939