Skip to content

Bump next from 15.5.9 to 15.5.10 #3987

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
franciscao633 merged 2 commits into from
Jan 28, 2026
Merged

Bump next from 15.5.9 to 15.5.10 #3987

franciscao633 merged 2 commits into from
Jan 28, 2026
+158 −451

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 27, 2026

Bumps next from 15.5.9 to 15.5.10.

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump next from 15.5.9 to 15.5.10
dd3649b 
Bumps [next](https://github.com/vercel/next.js) from 15.5.9 to 15.5.10.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.9...v15.5.10)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 27, 2026
@vercel
Copy link

vercel bot commented Jan 27, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
umami Ready Ready Preview, Comment Jan 28, 2026 5:21pm
4 Skipped Deployments
Project Deployment Review Updated (UTC)
umami-analytics-eu Ignored Ignored Jan 28, 2026 5:21pm
umami-analytics-us Ignored Ignored Jan 28, 2026 5:21pm
umami-mysql Ignored Ignored Jan 28, 2026 5:21pm
umami-postgresql Ignored Ignored Jan 28, 2026 5:21pm

Request Review

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Jan 27, 2026

Greptile Overview

Greptile Summary

This PR updates Next.js from 15.5.9 to 15.5.10, a critical security release addressing three CVEs (CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864). The update includes:

  • DoS mitigation for React Flight to prevent server resource exhaustion
  • Reduction of next/image maximum response body from 300MB to 50MB to prevent memory-based attacks
  • New images.maximumResponseBody configuration option for customizing image optimization limits

Key Changes:

  • package.json: Next.js version bumped to 15.5.10
  • pnpm-lock.yaml: Lockfile updated with Next.js 15.5.10 and transitive dependency updates (sharp image processing library and @emnapi/runtime)

Security Impact:
The application does not currently use next/image component (verified via codebase search), so the image optimization vulnerabilities have minimal direct impact. However, the React Flight DoS mitigations are still beneficial for the application's overall security posture.

Recommendation:
This is a straightforward security patch with no breaking changes. Merge after CI passes to ensure the application is protected against the documented vulnerabilities.

Confidence Score: 5/5

  • This PR is safe to merge - it's a standard security patch from Dependabot with no code changes
  • This is a minor version security update with well-documented changes. The update only modifies dependency versions without any code changes, breaking changes, or new features that could introduce bugs. The CVEs being addressed are legitimate security concerns, and the update is automatically generated by Dependabot following standard practices.
  • No files require special attention - both files are standard dependency updates

Important Files Changed

Filename Overview
package.json Security update bumping Next.js from 15.5.9 to 15.5.10 to address CVEs
pnpm-lock.yaml Lockfile updates for Next.js and transitive dependencies (sharp, emnapi runtime)

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Dep as Dependabot
    participant GH as GitHub
    participant CI as CI/CD Pipeline
    participant App as Umami Application

    Note over Dep,GH: Security Advisory Detected
    Dep->>GH: Detect CVE-2025-59471, CVE-2025-59472, CVE-2026-23864
    Dep->>GH: Create PR #3987
    GH->>Dev: Notify about security update PR
    
    Note over Dep: Update Dependencies
    Dep->>Dep: Bump next: 15.5.9 → 15.5.10
    Dep->>Dep: Update pnpm-lock.yaml (sharp, emnapi transitive deps)
    
    Dev->>GH: Review PR
    Dev->>CI: Trigger CI checks
    CI->>CI: Run tests
    CI->>CI: Build application
    CI-->>Dev: CI status
    
    alt CI passes and review approved
        Dev->>GH: Merge PR
        GH->>App: Deploy with security fixes
        Note over App: Protected from DoS attacks<br/>Image optimization limits enforced
    else CI fails or issues found
        Dev->>Dep: Request changes
    end
Loading

greptile-apps[bot]
greptile-apps bot reviewed Jan 27, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No files reviewed, no comments

Edit Code Review Agent Settings | Greptile

@franciscao633 franciscao633 changed the base branch from master to dev January 28, 2026 17:16
@franciscao633 franciscao633 merged commit 376c570 into dev Jan 28, 2026
6 of 8 checks passed
@franciscao633 franciscao633 deleted the dependabot/npm_and_yarn/next-15.5.10 branch January 28, 2026 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@franciscao633 franciscao633 franciscao633 approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@franciscao633