
fix(deps): upgrade Next.js 15.1.3 → 15.5.16 to fix high-severity CVEs#707

Open
Vera3289 wants to merge 1 commit into AnnabelJoe:main from Vera3289:fix/464-pnpm-audit-high-severity

Conversation

@Vera3289

Contributor

Summary

Upgrades next from 15.1.3 to 15.5.16 and eslint-config-next to match, resolving all high-severity and critical vulnerabilities detected by the weekly pnpm audit.

Vulnerabilities Fixed

| Severity | Advisory | Description |
|---|---|---|
| critical | GHSA-9qr9-h5gf-34mp | RCE in React flight protocol |
| critical | GHSA-f82v-jwr5-mffw | Authorization bypass in middleware |
| high | GHSA-67rr-84xm-4c7r | DoS via cache poisoning |
| high | GHSA-mwv6-3258-q52c | DoS with Server Components |
| high | GHSA-h25m-26qc-wcjf | HTTP deserialization DoS |
| high | GHSA-q4gf-8mx6-v5v3 | DoS with Server Components |
| high | GHSA-mg66-mrh9-m8jx | DoS via connection exhaustion |
| high | GHSA-c4j6-fc7j-m34r | SSRF via WebSocket upgrades |
| high | GHSA-36qx-fr4f-26g5 | Middleware/proxy bypass in i18n |

Tested

pnpm audit --severity high exits 0 after this change.

Closes

Closes #464

Closes AnnabelJoe#464

Resolves all high-severity and critical vulnerabilities in next@15.1.3:
- GHSA-9qr9-h5gf-34mp: RCE in React flight protocol (critical)
- GHSA-f82v-jwr5-mffw: Authorization bypass in middleware (critical)
- GHSA-67rr-84xm-4c7r: DoS via cache poisoning (high)
- GHSA-mwv6-3258-q52c: DoS with server components (high)
- GHSA-h25m-26qc-wcjf: HTTP request deserialization DoS (high)
- GHSA-q4gf-8mx6-v5v3: DoS with server components (high)
- GHSA-mg66-mrh9-m8jx: DoS via connection exhaustion (high)
- GHSA-c4j6-fc7j-m34r: SSRF via WebSocket upgrades (high)
- GHSA-36qx-fr4f-26g5: Middleware/proxy bypass in i18n (high)

Also bumps eslint-config-next to match 15.5.16.
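The "Tested" line above relies on the exit status of `pnpm audit` as a CI gate. The script below is an added example, not code from this PR or from the project: it reads an audit report as JSON and decides pass/fail against a severity threshold, so the gate can be reviewed and reproduced independently of the tool's own exit code. It assumes `pnpm audit --json` emits the npm-v6-style report layout (an `advisories` map with `severity`, `module_name`, `title` and `github_advisory_id` fields); the sample reports embedded in it are constructed, and the third advisory id in the sample is a placeholder, not a real advisory.

```python
"""Severity gate over a pnpm/npm-style audit JSON report.

Added example, not code from this PR or the project. Assumes the
npm-v6-style report layout that `pnpm audit --json` is expected to emit:
an `advisories` map keyed by a numeric id, each entry carrying `severity`,
`module_name`, `title` and `github_advisory_id`. Sample data is constructed.
"""
import json
import sys

# Severity labels used by npm/pnpm audit, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report for next@15.1.3 before the upgrade. The first two
# GHSA ids are taken from the PR's list; the third entry is a placeholder
# (not a real advisory) so the threshold logic has something below "high".
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "1": {"github_advisory_id": "GHSA-9qr9-h5gf-34mp", "module_name": "next",
              "severity": "critical", "title": "RCE in React flight protocol"},
        "2": {"github_advisory_id": "GHSA-67rr-84xm-4c7r", "module_name": "next",
              "severity": "high", "title": "DoS via cache poisoning"},
        "3": {"github_advisory_id": "GHSA-PLACEHOLDER-0000", "module_name": "example-pkg",
              "severity": "moderate", "title": "constructed moderate finding"},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 1}},
})

# Constructed report for the post-upgrade state: no advisories remain.
CLEAN_REPORT = json.dumps({
    "advisories": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0,
                                     "high": 0, "critical": 0}},
})


def failing_advisories(report_json: str, threshold: str = "high") -> list[dict]:
    """Return advisories at or above `threshold`, most severe first.

    An unrecognised severity label is treated as failing: a new or
    malformed label must never silently pass the gate.
    """
    floor = SEVERITY_RANK[threshold]
    report = json.loads(report_json)
    failing = []
    for adv_id, adv in report.get("advisories", {}).items():
        label = str(adv.get("severity", "")).lower()
        rank = SEVERITY_RANK.get(label)
        if rank is None or rank >= floor:
            failing.append({
                "id": adv.get("github_advisory_id", adv_id),
                "module": adv.get("module_name", "?"),
                "severity": label or "unknown",
                "title": adv.get("title", ""),
            })
    # Unknown labels sort first (rank 99), then critical, high, ... then by id.
    failing.sort(key=lambda a: (-SEVERITY_RANK.get(a["severity"], 99), a["id"]))
    return failing


def gate(report_json: str, threshold: str = "high") -> int:
    """CI exit status: 0 when nothing at/above `threshold` remains, else 1."""
    return 1 if failing_advisories(report_json, threshold) else 0


if __name__ == "__main__":
    # Usage: pnpm audit --json | python audit_gate.py [threshold]
    # Falls back to the constructed sample when nothing is piped in.
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for adv in failing_advisories(raw, threshold):
        print(f"{adv['severity']:<9} {adv['id']:<22} {adv['module']}: {adv['title']}")
    sys.exit(gate(raw, threshold))
```

Piping real `pnpm audit --json` output into the script gives a reviewable list of what is blocking the merge, and the threshold argument lets a weekly job fail on `high` while a release job fails on `moderate`, without trusting the tool's aggregate exit code alone.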


Development

Successfully merging this pull request may close these issues.

🚨 Weekly pnpm audit failed: High-severity vulnerabilities detected
