fix(deps): update dependency next to v15.5.15 [security]#346
fix(deps): update dependency next to v15.5.15 [security]#346renovate[bot] wants to merge 1 commit intomainfrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! Four Pages Changed SizeThe following pages changed size from the code in this PR compared to its base branch:
DetailsOnly the gzipped size is provided here based on an expert tip. First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If Any third party scripts you have added directly to your app using the Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this. |
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
519890e to
705ea35
Compare
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! Four Pages Changed SizeThe following pages changed size from the code in this PR compared to its base branch:
DetailsOnly the gzipped size is provided here based on an expert tip. First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If Any third party scripts you have added directly to your app using the Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this. |
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
705ea35 to
7102318
Compare
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! Four Pages Changed SizeThe following pages changed size from the code in this PR compared to its base branch:
DetailsOnly the gzipped size is provided here based on an expert tip. First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If Any third party scripts you have added directly to your app using the Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this. |
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
7102318 to
9e06116
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
9e06116 to
c46cf3a
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
c46cf3a to
d2ef17c
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
d2ef17c to
ece9fe9
Compare
renovate
Bot
changed the title
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! Four Pages Changed SizeThe following pages changed size from the code in this PR compared to its base branch:
DetailsOnly the gzipped size is provided here based on an expert tip. First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If Any third party scripts you have added directly to your app using the Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this. |
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
ece9fe9 to
19940cc
Compare
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! Four Pages Changed SizeThe following pages changed size from the code in this PR compared to its base branch:
DetailsOnly the gzipped size is provided here based on an expert tip. First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If Any third party scripts you have added directly to your app using the Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this. |
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
19940cc to
2e61ab4
Compare
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖 🎉 Global Bundle Size Decreased
DetailsThe global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster. Any third party scripts you have added directly to your app using the If you want further insight into what is behind the changes, give @next/bundle-analyzer a try! Four Pages Changed SizeThe following pages changed size from the code in this PR compared to its base branch:
DetailsOnly the gzipped size is provided here based on an expert tip. First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If Any third party scripts you have added directly to your app using the Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this. |
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
2e61ab4 to
dfbe997
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
b6d544f to
c92c271
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
c92c271 to
aef03aa
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
aef03aa to
952f022
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
952f022 to
434700a
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
434700a to
299e070
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
299e070 to
d6369df
Compare
renovate
Bot
changed the title
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖
|
| Page | Size (compressed) |
|---|---|
global |
99.38 KB (🟢 118 B) |
Details
The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
Two Pages Changed Size
The following pages changed size from the code in this PR compared to its base branch:
| Page | Size (compressed) | First Load |
|---|---|---|
/_not-found/page |
991 B (🟢 -2 B) |
100.35 KB |
/layout |
3.23 KB (🟢 1 B) |
102.61 KB |
Details
Only the gzipped size is provided here based on an expert tip.
First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this.
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
d6369df to
06b5203
Compare
renovate
Bot
changed the title
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖
|
| Page | Size (compressed) |
|---|---|
global |
99.33 KB (🟢 60 B) |
Details
The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
Two Pages Changed Size
The following pages changed size from the code in this PR compared to its base branch:
| Page | Size (compressed) | First Load |
|---|---|---|
/_not-found/page |
989 B (🟢 -4 B) |
100.29 KB |
/layout |
3.23 KB (🟢 1 B) |
102.55 KB |
Details
Only the gzipped size is provided here based on an expert tip.
First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this.
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
2 times, most recently
from
06b5203 to
087090d
Compare
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖
|
| Page | Size (compressed) |
|---|---|
global |
99.33 KB (🟢 60 B) |
Details
The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
Two Pages Changed Size
The following pages changed size from the code in this PR compared to its base branch:
| Page | Size (compressed) | First Load |
|---|---|---|
/_not-found/page |
989 B (🟢 -4 B) |
100.29 KB |
/layout |
3.23 KB (🟢 1 B) |
102.55 KB |
Details
Only the gzipped size is provided here based on an expert tip.
First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this.
1 similar comment
📦 Next.js Bundle Analysis for next-enterpriseThis analysis was generated by the Next.js Bundle Analysis action. 🤖
|
| Page | Size (compressed) |
|---|---|
global |
99.33 KB (🟢 60 B) |
Details
The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
Two Pages Changed Size
The following pages changed size from the code in this PR compared to its base branch:
| Page | Size (compressed) | First Load |
|---|---|---|
/_not-found/page |
989 B (🟢 -4 B) |
100.29 KB |
/layout |
3.23 KB (🟢 1 B) |
102.55 KB |
Details
Only the gzipped size is provided here based on an expert tip.
First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this.
1 participant
This PR contains the following updates:
15.5.10→15.5.15Next.js: HTTP request smuggling in rewrites
CVE-2026-29057 / GHSA-ggv3-7p47-pfv8
More information
Details
Summary
When Next.js rewrites proxy traffic to an external backend, a crafted
DELETE/OPTIONSrequest usingTransfer-Encoding: chunkedcould trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.Impact
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so
content-length: 0is added only when bothcontent-lengthandtransfer-encodingare absent, andtransfer-encodingis no longer removed in that code path.Workarounds
If upgrade is not immediately possible:
DELETE/OPTIONSrequests on rewritten routes at your edge/proxy.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js: Unbounded next/image disk cache growth can exhaust storage
CVE-2026-27980 / GHSA-3x4c-7xq6-9pq8
More information
Details
Summary
The default Next.js image optimization disk cache (
/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.
Patches
Fixed by adding an LRU-backed disk cache with
images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. SettingmaximumDiskCacheSize: 0disables disk caching.Workarounds
If upgrade is not immediately possible:
.next/cache/images.images.localPatterns,images.remotePatterns, andimages.qualities)Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js has a Denial of Service with Server Components
GHSA-q4gf-8mx6-v5v3
More information
Details
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog.
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vercel/next.js (next)
v15.5.15Compare Source
Please refer the following changelogs for more information about this security release:
https://vercel.com/changelog/summary-of-cve-2026-23869
v15.5.14Compare Source
v15.5.13Compare Source
v15.5.12Compare Source
This is a re-release of v15.5.11 applying the turbopack changes.
v15.5.11Compare Source
Core Changes
Credits
Huge thanks to @timneutkens, @mischnic, @ztanner, and @wyattjoh for helping!
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.