bigcommerce · chanceaclark · May 13, 2026 · May 8, 2026
@@ -0,0 +1,8 @@
+---
+"@bigcommerce/catalyst-core": patch
+---
+
+Bump Next.js and React to address security vulnerabilities
+
+- `next`: ~16.1.6 → ~16.2.6 — fixes middleware bypass, SSRF, XSS, and cache poisoning CVEs
+- `react` / `react-dom`: 19.1.5 → 19.1.7 — fixes GHSA-rv78-f8rc-xrxh (DoS via OOM/CPU exhaustion on server function endpoints)
@@ -26,7 +26,7 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       - name: Install Catalyst CLI
-        run: pnpm add @bigcommerce/catalyst@alpha @opennextjs/cloudflare@1.17.3
+        run: pnpm add @bigcommerce/catalyst@alpha @opennextjs/cloudflare@latest
         working-directory: core
 
       - name: Convert proxy.ts to middleware.ts

@@ -60,14 +60,14 @@
     "lodash.debounce": "^4.0.8",
     "lru-cache": "^11.1.0",
     "lucide-react": "^0.474.0",
-    "next": "~16.1.6",
+    "next": "~16.2.6",
     "next-auth": "5.0.0-beta.30",
     "next-intl": "^4.6.1",
     "nuqs": "^2.4.3",
     "p-lazy": "^5.0.0",
-    "react": "19.1.5",
+    "react": "19.1.7",
     "react-day-picker": "^9.7.0",
-    "react-dom": "19.1.5",
+    "react-dom": "19.1.7",
     "react-google-recaptcha": "^3.1.0",
     "react-headroom": "^3.2.1",
     "schema-dts": "^1.1.5",