An open index of dependabot pull requests across open source projects.

chore(deps): bump the next group with 3 updates

Closed
Number: #6
Type: Pull Request
State: Closed
Author: dependabot[bot]
Association: Unknown
Comments: 2
Created: May 12, 2026 at 02:36 AM UTC
Updated: May 28, 2026 at 02:07 AM UTC
Closed: May 28, 2026 at 02:07 AM UTC
Time to Close: 16 days
Description:

Bumps the next group with 3 updates: next, @next/bundle-analyzer and eslint-config-next.

Updates next from 15.5.18 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.5

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
  • 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
  • a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
  • 766148f v16.2.5
  • 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
  • d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
  • 9d50c0b Strip next-resume header from incoming requests (#92)
  • Additional commits viewable in compare view

Updates @next/bundle-analyzer from 15.5.18 to 16.2.6


Updates eslint-config-next from 15.5.18 to 16.2.6


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
Package Dependencies

Package: next
Ecosystem: npm
Version Change: 15.5.18 → 16.2.6
Update Type: Major

Package: @next/bundle-analyzer
Ecosystem: npm
Version Change: 15.5.18 → 16.2.6
Update Type: Major

Package: eslint-config-next
Ecosystem: npm
Version Change: 15.5.18 → 16.2.6
Update Type: Major
Security Advisories
Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
GHSA-ffhc-5mcf-pf4q CVE-2026-44581 MODERATE
Impact: App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived...

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
GHSA-vfv6-92ff-j949 CVE-2026-44582 LOW
Impact: React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisio...

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
GHSA-gx5p-jg67-6x7h CVE-2026-44580 MODERATE
Impact: Applications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not esca...

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
GHSA-mg66-mrh9-m8jx CVE-2026-44579 HIGH
Impact: Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected con...

Next.js has a Denial of Service in the Image Optimization API
GHSA-h64f-5h5j-jqjh CVE-2026-44577 MODERATE
Impact: When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could c...

Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
GHSA-c4j6-fc7j-m34r CVE-2026-44578 HIGH
Impact: Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server ...

Next.js vulnerable to cache poisoning in React Server Component responses
GHSA-wfc6-r584-vfw7 CVE-2026-44576 MODERATE
Impact: Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker c...

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
GHSA-267c-6grr-h53f CVE-2026-44575 HIGH
Impact: App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetch...

Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
GHSA-492v-c6pp-mqqv CVE-2026-44574 HIGH
Impact: Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynam...

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
GHSA-36qx-fr4f-26g5 CVE-2026-44573 HIGH
Impact: Applications using the Pages Router with `i18n` configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less `/_next/data...

Next.js Vulnerable to Denial of Service with Server Components
GHSA-8h8q-6873-q5fj HIGH
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. ...

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
GHSA-26hh-7cqf-hhc6 CVE-2026-45109 HIGH
Impact: It was found that the fix addressing [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) did not apply to `middleware.ts` with Turbopack. Refer ...

Next.js's Middleware / Proxy redirects can be cache-poisoned
GHSA-3g8h-86w9-wvmq CVE-2026-44572 LOW
Impact: Next.js uses the `x-nextjs-data` request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by midd...
Technical Details
ID: 15942571
UUID: 4425744431
Node ID: PR_kwDOSZFd7c7af6L4
Host: GitHub
Repository: StackForgeAI-Projects/stackforgeai-website