fix(deps): update dependency next to v15.4.7 [security] #1488

renovate · 2025-03-22T15:32:27Z

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	`15.1.4` -> `15.4.7`

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3
For Next.js 14.x, this issue is fixed in 14.2.25
For Next.js 13.x, this issue is fixed in 13.5.9
For Next.js 12.x, this issue is fixed in 12.3.5
For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)
Allam Yasser (inzo_)

CVE-2025-32421

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-49826

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

Allam Rachid zhero;
Allam Yasser (inzo)

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

Release Notes

vercel/next.js (next)

`v15.4.7`

Compare Source

`v15.4.6`

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#82347)
fix: add ?dpl to fonts in /_next/static/media (#82384)

Credits

Huge thanks to @devjiwonchoi, @ijjk, and @styfle for helping!

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

chore: Backport SWC-based RC optimization (#78260)
fix: bump [email protected] (#78164)

Credits

Huge thanks to @kdy1 and @styfle for helping!

`v15.3.0`

Compare Source

Core Changes

[dev-overlay] Customize <select> styling for consistency: #76973
Upgrade React from 029e8bd6-20250306 to 0ca3deeb-20250311: #76989
[metadata]: add pinterest meta tag: #76988
[dev-overlay] ensure stripping overlay bundle in prod build: #76976
Apply env inlining during generate build mode: #76990
Turbopack: Implement deploymentId: #76904
track persistent caching usage: #76996
[metadata] re-insert icons to head for streamed metadata: #76915
Upgrade React from 0ca3deeb-20250311 to 6aa8254b-20250312: #77033
Move static-env imports: #77035
[dev-overlay] Add size setting to preferences: #77027
Add config for only generating static env: #77038
chore(HMR clients): Clean up and share code between app and pages router: #76960
Add dev warning for cross-origin and stabilize allowedDevOrigins: #77044
unify allowed origin detection handling: #77053
Handle hash change in all files for static env: #77058
[dev-overlay] highlight errored code line for runtime errors: #77078
NFT: Ignore all of Webpack: #77081
Add experimental build mode flag for env: #77089
(feat) support client-side instrumentation: #76916
Fix JSDoc comment for 'seconds' cache life profile: #77084
refactor(HMR clients): Encapsulate some of the turbopack state tracking into a shared TurbopackHmr class: #76994
Slightly improve error handling for unknown server actions: #77135
Fix output standalone for alternative bundler: #76971
Add alternate bundler plugin information to next info: #77059
[metadata] remove the default segement check for metadata rendering: #77119
[dev-overlay] Fix stacking order of highlighted line: #77189
Upgrade React from 6aa8254b-20250312 to 5398b711-20250314: #77129
fix(styled-jsx): Pass useLightningcss option to styled-jsx correctly: #77008
log the instrumentation-client execution time: #77121
Turbopack: canary-gate production builds: #77146
[dev-overlay] remove special handling for missing tag error : #77147
chore(react-dev-overlay): Remove confusingly underscored variables in useErrorOverlayReducer: #77205
Update middleware request header: #77201
Update default allowed origins list: #77212
Ensure deploymentId is used for CSS preloads: #77210
chore(HMR clients): Fix a bunch of typescript errors by including the appropriate webpack type declarations: #77207
Update cache handler interface: #76687
Turbopack: don't include AMP optimizer in NFT: #77242
Server actions should not read stale data after calling revalidate*: #76885
[dev-overlay] Blur fader for scrollable container: #77196
Make revalidate* work when followed by a redirect in a route handler: #77090
feat: onNavigate for link: #77209
fix: pass telemetry plugin rspack tests: #77257
feat(eslint-plugin): add minimal built-in flat presets: #73873
[perf] skip loading client manifest for static metadata routes: #77260
Upgrade React from 5398b711-20250314 to c69a5fc5-20250318: #77249
[ppr] Handle failed resume data cache entries: #77258
Bypass "use cache" caches when Draft Mode is enabled: #77141
chore(HMR clients): Clean up tryApplyUpdates, reduce differences between app/pages versions: #77219
Upgrade React from c69a5fc5-20250318 to db7dfe05-20250319: #77295
Turbopack: layout segment optimization for Pages: #74815
[dev-overlay] Make footer sticky without side effects: #77327
Alternate bundler: show state in app info message: #77259
Revert "Turbopack: layout segment optimization for Pages": #77339
[metadata] add Yeti to html limited bots: #77335
[dev-overlay] Remove unused code from pages: #77325
[metadata] remove dead code of metadata routes handling: #77336
Alternate bundler: pass more tests and update to 1.3.0-beta: #77269
[metadata] fix the metadata route like pages and refactor utils: #77264
fix: absolute assetPrefix url with path: #77256
clean up useReducer code re dev indicator: #77354
test: ensure that router identity stays stable when navigating: #77356
[dev-overlay] Remove unused fields from hydration error state: #77332
Turbopack: implement optimized css production chunking: #77284
only log when instrumentation client takes too long: #77378
switch development origin verification to be opt-in rather than opt-out: #77395
remove direct ip/port bypass in dev origin check: #77414
ensure /__next middleware URLs are included in the origin check: #77416
exclude images and static media from dev origin check: #77417
Refactor metadata and viewport preloading: #77400
[dev-overlay] Remove unused fields from unhandled error action event: #77333
Turbopack: Add --turbopack for next start: #77442
Update README: #77464
Remove unnecessary indirections around dispatch-related methods: #77423
Lift public router instance to module level : #77426
directly import param resolver in metadata: #77401
[metadata] always serve streaming metadata in build: #77437
directly import search param resolver in metadata: #77402
Remove forwardRef from Link in App Router: #77471
Match subrequest handling for edge and node: #77474
Add deprecation warning for legacyBehavior prop: #77473
feat: useLinkStatus: #77300
[dynamicIO] Avoid memory leak warning for hanging promises: #77480
[dev-overlay] Remove "Unhandled Runtime Error" label: #77484
Upgrade React from db7dfe05-20250319 to 740a4f7a-20250325: #77507
Upgrade React from 740a4f7a-20250325 to 313332d1-20250326: #77527
Do not call expireTags/getExpiration unnecessarily: #77570
fix(jest): stricter regex for 'server-only' in default config: #77588
Fix: RESTORE_ACTION should not be thenable: #77582
Use NEXT_PRIVATE_DEBUG_CACHE env variable for cache handler debug logs: #77585
fix: make sure body can be read using nodejs runtime in middleware: #77553
Update alternate bundler and pass more tests : #77579
Refactor build scripts and rewrite pack-next in TypeScript: #77536
fix isCsrfOriginAllowed handling for localhost: #77594
Turbopack build: fix deterministic build test: #77618
Turbopack build: Fix urlencoding test: #77622
[og] fix vercel og build issue on windows: #77650
[Segment Cache] Add "client-only" option: #77655
Remove useSyncExternalStore from useIsDevRendering: #77651
Track navigation timestamp on CacheNode: #77251
Upgrade @playwright/test and cleanup internal APIs: #77659
Refactor: move "use cache" revalidation logic out of incremental cache: #77577
Remove obsolete update of implicit tags expiration after server action: #77595
Revert "Remove useSyncExternalStore from useIsDevRendering (#77651)": #77672
Upgrade React from 313332d1-20250326 to 63779030-20250328: #77643
Turbopack build: Add marker for when a build used Turbopack: #77674
feat(images): use experimental isrFlushToDisk option to prevent writing optimized images to cache: #70645
doc: instrumentation-client: #77649
Alternate bundler: use equivalent native plugins for built-in plugins: #77355
Resolve Viewport separately from Metadata: #77427
fix(turbopack): Suppress logging for short no-op turbopack HMRs: #76924
Turbopack build: Fix node-file-trace test: #77641
Turbopack build: Implement error when using next start without --turbopack: #77678
legacyBehavior deprecation error should only trigger once: #77687
Pass only required props to NonIndex: #77685
Revert "fix: make sure body can be read using nodejs runtime in middleware": #77690
[dev-overlay] Harden types when handling hydration mismatches: #77334
[dev-overlay] Fix ref warning when Pages Router with React 18 is used: #77726
add support for cssmodules-pure-no-check to allow global CSS features like View Transitions: #77321
[dev-overlay] Only warn once per invalid sourcemap: #77444
[dynamicIO] only abort once per prerender: #77747
Turbopack build: Move Turbopack marker to SERVER_FILES_MANIFEST: #77711
Reapply "Turbopack: layout segment optimization for Pages" (#77339): #77696
feat(next/image): support new URL() for images.remotePatterns: #77692
[dev-overlay] remove text wrap for terminal: #76953
Upgrade React from 63779030-20250328 to 040f8286-20250402: #77742
Optimize server runtime bundles: #77723
Turbopack Build: Remove cases of process.env.TURBOPACK: #77757
[dev-overlay] Fix unactionable useLayoutEffect warning if React 18 is used: #77737
[dev-tools] Fix flashing of disabled state on indicator: #77727
Webpack build: Add compiled in x seconds in missing places: #77751
Ignore an existing HMR refresh hash cookie with next start: #77714
Turbopack build: Replace process.env.TURBOPACK usage: #77783
Client instrumentation: onRouterTransitionStart: #77791
Turbopack: log telemetry events when TurbopackInternalErrors occur: #77660
Rename alternate bundler package name: #77793
Turbopack: fix sideEffects matching for non-relative globs: #77693
Revert "Upgrade @playwright/test and cleanup internal APIs": #77814
[next-ts-plugin] fix: language service crashes / metadata plugin not working: #77213
[dev-overlay] always display bundler name on version info: #77739
[dev-overlay] sync horizontal scrollbar style: #77769
[dev-overlay] Read issueCount from non-async errors array: #77821
[dev-overlay] Fix error dialog resizing logic: #77830
Turbopack Build: Optimize instrumentation hook generation: #77832
[next-server] skip setting vary header for basic routes: #77797
Lazily call refreshTags and getExpiration: #77779
Add debug logging to default cache handler and "use cache" wrapper: #77827
[ts-next-plugin] fix: properly exit when failed to initialize: #77842
Alternate bundler: correctly inject react refresh loader: #77713
[dynamicIO] Fix dev warmup: #77829
fix: don't reset the prefetch segment data routes on loop: #77845
Ensure searchParams access in "use cache" triggers error when caught: #77838
Revert "[dev-overlay] Fix error dialog resizing logic": #77849
fix: add cache tags to segment prefetch responses: #77846
Avoid microtaskiness when lazily fetching from cache handlers: #77843
[Experiment] : #77866
[dev-overlay] disable font ligatures: #77865
Enable process.env.TURBOPACK when process.env.IS_TURBOPACK_TEST is set: #77894
[ts-next-plugin] fix: use getSourceFile instead of fileExists to check file existence: #77863
fix: only set request phase to "action" when actually running an action: #76993
Alternate bundler: fix react refresh and adjust sourcemap: #77875
Upgrade React from 040f8286-20250402 to 33661467-20250407: #77899
refactor: rename isAction to isPossibleServerAction: #77011
[logging] improve logging of port retry: #77868
Remove canary-gate and add experimental warning for alternate bundler: #77806
fix(next/image): bump [email protected]: #77839
Turbopack builds: Remove canary-gate and add experimental warning: #77808
feat: Disable char frequency analysis for mangler: #77887
Set Turbopack env var for internal modules: #77902
Don't externalize various new next/* entrypoints: #77844
Revert "Fix: RESTORE_ACTION should not be thenable": #77909
Fix resolve alternate bundler in monorepo: #77913
Output server.mjs for standalone with type: module: #77944

Example Changes

with-polyfills example: only link to specific browsers: #77211
Add example for alternate bundler: #77057
chore(examples): remove examples that can be v0'd: #77349
Alternate bundler example: use canary version: #77754
Fix Wasm example: #77924

Misc Changes

[test] consolidate hmr test for react 18.3: #76975
docs: update API example: #76987
docs: add Pinterest Rich Pins metadata example: #77025
fix(CI): Correctly call test/update-bundler-manifest.js script: #77000
Update bundler development test manifest: #77040
Update bundler production test manifest: #77043
Update Turbopack development test manifest: #77041
chore(github): remove /examples from contribution guidelines, remove examples issue template: #77050
Turbopack: when reading a non yet existing cell from a in progress tasks, wait for the computation to finish: #77029
Turbopack: wait before reading cells when the task is scheduled: #77031
Turbopack: don't call individual() again: #77048
Turbopack: create module graph strongly consistent: #77051
Turbopack: Vc stability of ModuleGraph: #77052
Turbopack: fix corrected time calcuation for trace server: #77080
Turbopack: fewer manifests for static metadata: #77087
Update Turbopack development test manifest: #77071
Update bundler production test manifest: #77069
Update bundler development test manifest: #77068
Revert "Update rust toolchain to 2025-03-12": #77103
perf(turbopack): Merge nodes with same starting point: #76938
refactor(actions): Remove turbopack magic comments: #77063
Update Turbopack development test manifest: #77108
Turbopack: move must_use to actually have an effect: #77111
Turbopack: align chunking with graph entries: #76441
Turbopack: ChunkGroup in evaluated_chunk_group: #76593
Turbopack: charset=utf-8 in data-url source maps: #77112
Update bundler production test manifest: #77107
Update bundler development test manifest: #77106
Update Turbopack production test manifest: #77109
docs(scripts): update Script -> beforeInteractive docs: #77136
Add doc for instrumentation client hook: #77134
docs(scripts): missing 'soon': #77137
doc: diff between instrumentation vs instrumentation-client: #77143
Alternate bundler: add index.d.ts types to plugin: #77144
Alternate bundler: Add react-refresh as a dependency of plugin: #77142
build: Update swc_core to v16.6.0: #77155
Allow building node-pty in tests: #77187
Don't mark ppr-errors Turbopack dev tests as failed: #76951
Bump lightningcss: #77132
Update Turbopack production test manifest: #77183
Turbopack: fix graph layout segment optimization: #77094
Turbopack: split up server actions modules for better treeshaking: #76877
Turbopack: conditional parse in apply_module_type: #77191
build: Update swc_core to v16.6.2: #77194
Turbopack: more tracing: #75351
Update bundler development test manifest: #77180
Better failure tracking for middleware-custom-matchers-i18n: #76974
Update bundler production test manifest: #77179
fix(test/e2e/prerender): Remove race condition in test: #77222
Update Turbopack production test manifest: #77228
Update Turbopack development test manifest: #77227
[Turbopack] basic production chunking for CSS: #75049
docs: optimizing local dev: #77140
Update bundler production test manifest: #77225
devlow-bench: wait for complete ready for server startup event: #77217
fix(CI): Re-enable retries for bundler integration tests: #77265
Turbopack: handle non chunkable modules in module batches: #77282
Update Turbopack development test manifest: #77276
Update Turbopack production test manifest: #77275
Turbopack: avoid single css chunks when there is only a single chunk item: #77283
Update bundler development test manifest: #77272
Update bundler production test manifest: #77273
Turbopack: compute ordered entries in module batches: #77294
Update Turbopack production test manifest: #77316
Update Turbopack development test manifest: #77317
Update bundler production test manifest: #77314
fix(turbopack): Call .minify() of lightningcss StyleSheet: #77313
fix(CI build_and_deploy): Use a larger fetch-depth for build-native job: #77307
chore(turbopack): Fix a few syntactic nits: #77310
Update bundler development test manifest: #77315
Turbopack: refactor CssEmbed to avoid creating a chunk item: #77303
fix: Update swc_core and use rayon instead of chili: #77338
Fix chakra link: #77280
Update Turbopack production test manifest: #77366
Update Turbopack development test manifest: #77365
Turbopack: ignore static asset imports for Edge: #77382
Update bundler development test manifest: #77364
docs: clarify middleware use cases: #77438
fix(turbopack-bench): Limit copy_dir concurrency to avoid running out of file descriptors: #77468
docs: fix typo: #77483
Update swc_core to v16.10.0: #77489
fix(turbopack): Use strongly consistent reads for sourcemaps in napi FFI boundary: #77511
Update mappings in launch.json to improve debugging in VSCode: #76559
chore(ci): Configure codspeed: #76884
Update bundler production test manifest: #77602
Update bundler development test manifest: #77603
Update Turbopack development test manifest: #77605
Update Turbopack production test manifest: #77604
Turbopack build: Fix symbolic-file-links test: #77615
Update pnpm swc-build-native's file path: #77623
fix: Use standard PostCSS configuration in create-next-app format for ecosystem compatibility: #77376
Turbopack build: Fix basepath test: #77630
Turbopack: disable pages dir css test cases: #77380
Update bundler development test manifest: #77627
Update Turbopack development test manifest: #77628
Update bundler production test manifest: #77626
refactor(turbo-tasks): Make TraceRawVcs a supertrait of TaskInput: #77397
refactor(turbo-tasks): Make TraceRawVcs a supertrait of MagicAny: #77596
fix(turbopack): Recognize urls starting with // as external: #77526
Update CI build caching docs to include bun and other package manager: #77633
fix(turbopack): Fix panic while tree shaking optimization: #77492
fix(turbopack): Prevent duplicate in tree shaking: #77491
Turbopack: Skip ssr processing when next/dynamic ssr: false: #77636
Turbopack Build: CSR bailout test skip check for file path: #77639
Turbopack: fix side effects optimization bug: #77640
Turbopack: add tracing for fetch calls: #77673
[test] Update stale snapshots: #77680
Turbopack: fix bug in handling of module batches: #77638
pack-next: use default --js-build as option instead of --no-js-build: #77686
Turbopack: Allow overriding tsconfig path via next-config: #77563
Scripts: migrate unpack-next to TypeScript: #77538
chore(turbopack): Make TaskInputs use ResolvedVc: #77700
Getting Started Docs: Add Metadata and OG images page: #74077
Getting Started Docs: Add Upgrade page: #77717
Docs IA 2.0: Rename Examples to Guides: #77722
build: Update swc_core to v19.0.0: #77669
Add Josh to Turbopack team for created-by label: #77738
Turbopack: use better ident for worker chunk group: #77731
chore(turbo-tasks): Remove redundant ast-grep lint rule: #77701
fix(docs): update error type in notFound function description: #77503
Update bundler development test manifest: #77706
Update Turbopack production test manifest: #77709
Turbopack: refactor resolve_url_reference to avoid chunk_path: #77732
Update Turbopack development test manifest: #77708
Port "app-document" test to e2e: #77748
[ci]: skip build-windows job for docs only change: #77743
Update bundler production test manifest: #77707
chore(turbo-tasks): Audit all remaining uses of Vc in a struct: #77756
docs: instrumentation-client follow up: #77752
[test] Get rid of unrelated "Invalid hook call" error from tests using styled-components: #77736
Turbopack: keep side-effect-full imports: #76545
Docs: Recommend inline use server and update examples: #77770
Revert "Docs: Recommend inline use server and update examples": #77771
doc: useLinkStatus: #77648
Update Turbopack production test manifest: #77767
Update bundler development test manifest: #77765
[docs] fix lint issue in use link status doc: #77785
doc: onNavigate: #77647
Update bundler production test manifest: #77764
doc: useLinkStatus doc follow-up: #77790
Update Turbopack development test manifest: #77766
[ci] remove needs build-native for lint job: #77787
test(examples): update turbopack manifest: #75092
[test] fix bad test fixuture for perf test: #77804
[test] fix react 19.1 related tests: #77809
doc: onNavigate follow-up: #77805
fix(turbopack): Apply hygiene if mangling is disabled: #77815
Turbopack: omit empty source map when code starts with a new line: #77734
[next-lint] test: remove eslint config snapshot testing: #77818
Turbopack: avoid deriving css source map path from generated code path: #77735
Turbopack: pass asset to chunk_path to allow to use content hash later: #77772
Docs IA 2.0: Add Deep Dive section placeholder: #77724
Turbopack: use document.currentScript instead of chunk path literal: #77773
Turbopack: don't include client-fs assets in NFT: #77799
Turbopack: enable content hashing in production: #77775
Turbopack: correctly track await import("path") in static analysis: #77811
fix(turbopack-cli): Make turbopack_cli::dev::source a persistent (non-transient) task: #77798
[test] temporarily disable flaky test for react 18: #77848
Update Turbopack production test manifest: #77872
Rename process.env.TURBOPACK to process.env.IS_TURBOPACK_TEST for tests: #77892
[test] consolidate missing tag dev test: #77896
fix(Turbopack): Intermittent CapacityExceeded Error in Persistent Caching: #77691
fix: flaky test detection needs to use new turbopack flag: #77908
fix: apply Geist fonts correctly on default cna template: #77237
Update bundler development test manifest: #77884
Update bundler production test manifest: #77885
Update Turbopack development test manifest: #77886
Update bundler production test manifest: #77914
Update bundler development test manifest: #77915
fix(turbopack): Apply import_map option of swc_emotion correctly: #71776
Turbopack: handle removed routes: #77890
build: Update swc_core to v21.0.1: #77918
IA 2.0: Review Getting Started Section: #77921
test: attempt to de-flake rsc-basic: #77934
docs: revert image 15.3 change until live: #77941
Turbopack: remove CSS comments when minifying: #77940

Credits

Huge thanks to @raunofreiberg, @huozhi, @ijjk, @timneutkens, @gaojude, @leerob, @mezotv, @bgw, @samcx, @ztanner, @sokra, @mischnic, @wbinnssmith, @kdy1, @unstubbable, @ahabhgk, @ScriptedAlchemy, @SukkaW, @wyattjoh, @eps1lon, @Amirroid, @Netail, @lubieowoce, @gnoff, @jackwilson323, @acdlite, @sbougerel, @kevva, @kasperpeulen, @Cy-Tek, @dvoytenko, @husseinraoouf, @isBatak, [@iamkd](https://redirect.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel · 2025-03-22T15:32:29Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
frontends	Ready	Preview	Comment	Sep 1, 2025 3:02am

vercel bot deployed to Preview March 22, 2025 15:37 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from da585f7 to bc10e82 Compare March 25, 2025 01:14

vercel bot deployed to Preview March 25, 2025 01:19 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from bc10e82 to 1db459c Compare March 25, 2025 04:22

vercel bot deployed to Preview March 25, 2025 04:26 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 1db459c to f74f692 Compare March 25, 2025 11:22

vercel bot deployed to Preview March 25, 2025 11:26 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from f74f692 to ae564cd Compare March 27, 2025 02:50

vercel bot deployed to Preview March 27, 2025 02:54 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from ae564cd to 7319ec7 Compare April 2, 2025 01:55

vercel bot deployed to Preview April 2, 2025 01:59 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 7319ec7 to 233f9c9 Compare April 2, 2025 04:11

vercel bot deployed to Preview April 2, 2025 04:15 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 233f9c9 to efbb6c6 Compare April 7, 2025 11:33

vercel bot deployed to Preview April 7, 2025 11:37 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from efbb6c6 to ddae02b Compare April 9, 2025 00:53

vercel bot deployed to Preview April 9, 2025 00:58 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from ddae02b to 26cabf7 Compare April 10, 2025 01:59

vercel bot deployed to Preview April 10, 2025 02:03 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 26cabf7 to fe27dab Compare April 11, 2025 04:56

vercel bot deployed to Preview April 11, 2025 05:00 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from fe27dab to 826914b Compare April 16, 2025 05:21

vercel bot deployed to Preview April 16, 2025 05:27 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 826914b to 43b37bb Compare April 16, 2025 10:03

vercel bot deployed to Preview April 16, 2025 10:07 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 43b37bb to 5c06917 Compare April 16, 2025 10:56

vercel bot deployed to Preview April 16, 2025 10:59 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 5c06917 to b2e36fd Compare April 21, 2025 11:00

vercel bot deployed to Preview April 21, 2025 11:04 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6333183 to 0247dfc Compare June 4, 2025 10:31

renovate bot changed the title ~~fix(deps): update dependency next to v15.1.6 [security]~~ fix(deps): update dependency next to v15.2.3 [security] Jun 4, 2025

vercel bot deployed to Preview June 4, 2025 10:42 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 0247dfc to f8c2478 Compare June 5, 2025 01:18

vercel bot deployed to Preview June 5, 2025 01:22 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from f8c2478 to f0ec502 Compare June 10, 2025 04:31

vercel bot deployed to Preview June 10, 2025 04:35 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from f0ec502 to baf3fff Compare June 15, 2025 08:01

renovate bot changed the title ~~fix(deps): update dependency next to v15.2.3 [security]~~ fix(deps): update dependency next to v15.2.2 [security] Jun 15, 2025

vercel bot deployed to Preview June 15, 2025 08:07 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from baf3fff to 0167508 Compare July 3, 2025 00:11

vercel bot deployed to Preview July 3, 2025 00:16 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 0167508 to 26cf6a0 Compare July 16, 2025 06:34

vercel bot deployed to Preview July 16, 2025 06:37 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 26cf6a0 to 32714d8 Compare July 21, 2025 05:30

vercel bot deployed to Preview July 21, 2025 05:34 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 32714d8 to bc90460 Compare July 22, 2025 08:53

vercel bot deployed to Preview July 22, 2025 08:56 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from bc90460 to f7462ef Compare August 7, 2025 01:39

vercel bot deployed to Preview August 7, 2025 01:43 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from f7462ef to ec09150 Compare August 7, 2025 05:10

vercel bot deployed to Preview August 7, 2025 05:15 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from ec09150 to ae06c55 Compare August 18, 2025 07:31

vercel bot deployed to Preview August 18, 2025 07:35 View deployment

renovate bot force-pushed the renovate/npm-next-vulnerability branch from ae06c55 to 6765434 Compare August 19, 2025 00:59

vercel bot deployed to Preview August 19, 2025 01:03 View deployment

fix(deps): update dependency next to v15.4.7 [security]

b02270b

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6765434 to b02270b Compare September 1, 2025 02:56

renovate bot changed the title ~~fix(deps): update dependency next to v15.2.2 [security]~~ fix(deps): update dependency next to v15.4.7 [security] Sep 1, 2025

vercel bot deployed to Preview September 1, 2025 03:02 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency next to v15.4.7 [security] #1488

fix(deps): update dependency next to v15.4.7 [security] #1488

Uh oh!

renovate bot commented Mar 22, 2025 •

edited

Loading

Uh oh!

vercel bot commented Mar 22, 2025 •

edited

Loading

Uh oh!

Uh oh!

fix(deps): update dependency next to v15.4.7 [security] #1488

Are you sure you want to change the base?

fix(deps): update dependency next to v15.4.7 [security] #1488

Uh oh!

Conversation

renovate bot commented Mar 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workaround

Credits

Summary

Credit

Summary

Credits

Release Notes

Core Changes

Credits

Core Changes

Credits

Core Changes

Example Changes

Misc Changes

Credits

Configuration

Uh oh!

vercel bot commented Mar 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

renovate bot commented Mar 22, 2025 •

edited

Loading

vercel bot commented Mar 22, 2025 •

edited

Loading