
chore(deps): bump next to 15.5.15 (GHSA-q4gf-8mx6-v5v3)#414

Merged
coderdan merged 1 commit into main from dan/bump-next-15.5.15 on May 6, 2026

Conversation

Contributor

@coderdan coderdan commented May 5, 2026

Summary

  • Bumps transitive `next` from `15.5.10` → `15.5.15` to patch GHSA-q4gf-8mx6-v5v3 (high): denial of service via Server Components, affecting `next >= 13.0.0, < 15.5.15`.
  • Closes Dependabot alert #96.

Context

Next.js is a transitive runtime dep here — `packages/nextjs` declares it as a peer (`^14 || ^15`), and `@clerk/nextjs` pulls it in too. The existing root override at `>=15.5.10` already targeted next; it just hadn't been bumped past the patched cutoff. Tightened to `>=15.5.15`, and bumped the `security` catalog entry to match.

Why a surgical hand-edit (vs. `pnpm install`)

Same reason as the lodash bump: a fresh resolve correctly picks `next@15.5.15`, but also walks the rest of the tree and pulls in ~30 unrelated transitive bumps (`drizzle-orm`, `@types/node`, `drizzle-kit`, etc.). Outside the scope of a CVE patch.

The lockfile change is contained: `next` (1 def + 4 refs) + `@next/env` (1 def + 2 refs) + `@next/swc-*` (8 platform binaries × 1 def + 1 ref each, all 15.5.7 → 15.5.15). Each integrity hash sourced from `npm view @15.5.15 dist.integrity`.

Note: `next@15.5.15` satisfies `packages/nextjs`'s declared `^14 || ^15` peer range and `@clerk/nextjs@6.39.2`'s peer range, so no API compatibility risk.

Summary by CodeRabbit

  • Chores
    • Upgraded Next.js framework to patch version 15.5.15. This latest release incorporates framework improvements, bug fixes, and security enhancements. Dependency versions synchronized consistently across all project configurations to maintain unified framework compatibility, ensure system stability, and provide access to the latest optimizations.

@coderdan coderdan requested a review from a team as a code owner May 5, 2026 08:42

changeset-bot Bot commented May 5, 2026

⚠️ No Changeset found

Latest commit: 32c08d4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e146453a-9774-4e7d-b2ef-cdca4435c457

📥 Commits

Reviewing files that changed from the base of the PR and between c630548 and 32c08d4.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

📝 Walkthrough

Next.js version constraint is bumped from 15.5.10 to 15.5.15 across both package.json and pnpm-workspace.yaml to synchronize dependency pinning in both npm and pnpm configuration files.

Changes

Dependency Version Updates

Layer / File(s) | Summary
Configuration Updates (package.json, pnpm-workspace.yaml) | Next.js version pinned to >=15.5.15 in package.json overrides and 15.5.15 in pnpm-workspace.yaml catalogs.repo.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • auxesis
  • calvinbrewer

Poem

🐰 A hop and a skip, version goes up,
Fifteen point five, we fill up the cup,
Next.js now gleams at fifteen-five-teen,
The freshest framework ever seen!
Tiny tweaks, mighty gains—rabbit approves! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: bumping Next.js from 15.5.10 to 15.5.15 to address a security vulnerability (GHSA-q4gf-8mx6-v5v3).
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@coderdan coderdan force-pushed the dan/bump-next-15.5.15 branch from 5c94989 to a5a52e7 on May 5, 2026 08:48
Patches GHSA-q4gf-8mx6-v5v3 (high): denial of service via Next.js
Server Components, affecting next >= 13.0.0 and < 15.5.15.

Next.js is a transitive runtime dep here (consumed by
packages/nextjs via peer "^14 || ^15", and through @clerk/nextjs).
The existing root override "next": ">=15.5.10" allowed the
vulnerable 15.5.10; tightened to ">=15.5.15", and bumped the
security catalog entry to match.

Lockfile changes are a surgical hand-edit (next + @next/env +
8x @next/swc-*) rather than a full regen. Same reason as the
lodash bump: a fresh resolve picks the patched version but also
drags ~30 unrelated transitive bumps along. Surgical edit keeps
the blast radius contained, and `pnpm install --frozen-lockfile`
validates cleanly.
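The PR description ("Why a surgical hand-edit") and the commit message above both describe the same three-part fix: raise the root override floor, bump the catalog entry, and hand-edit the lockfile so that no `next`/`@next/*` entry resolves below the patched version. The following Node.js script is an added example, not code from this PR or from the repository it targets; it is the kind of check a reviewer can run against a hand-edited lockfile to confirm that nothing vulnerable survived. It assumes the pnpm v9 lockfile key shape (`next@15.5.10(...)` and `'@next/env@15.5.10'` under `packages:`/`snapshots:`), and every input below is a constructed sample with placeholder integrity hashes, not the project's real files.

```javascript
// Added example, not code from this PR or from the repository it targets.
// Audits a pnpm v9 lockfile for resolved versions of a package that sit below
// a patched floor, and checks that the root override (package.json) and the
// catalog entry (pnpm-workspace.yaml) agree with that floor. Every input below
// is a constructed sample; the integrity hashes are placeholders, not real ones.

const PATCHED_FLOOR = '15.5.15'; // first next version not affected by GHSA-q4gf-8mx6-v5v3

// Constructed lockfile fragment in the pnpm v9 key shape (assumption about the
// layout; adjust the regex in resolvedVersions() for other lockfile versions).
const LOCKFILE_BEFORE = `
lockfileVersion: '9.0'

overrides:
  next: '>=15.5.10'

packages:

  '@next/env@15.5.10':
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}

  next@15.5.10(react-dom@19.0.0(react@19.0.0))(react@19.0.0):
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER}

snapshots:

  next@15.5.10(react-dom@19.0.0(react@19.0.0))(react@19.0.0):
    dependencies:
      '@next/env': 15.5.10
`;

// The "after" state of the same fragment, with every 15.5.10 raised to the floor.
const LOCKFILE_AFTER = LOCKFILE_BEFORE.replace(/15\.5\.10/g, PATCHED_FLOOR);

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Every distinct version of `name` that appears as a package or snapshot key,
// e.g. `next@15.5.10(react@19.0.0):` or `'@next/env@15.5.10':`. Dependency
// references nested deeper (six-space indent) are deliberately not matched.
function resolvedVersions(lockfileText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
  const keyRe = new RegExp(`^  '?${escaped}@(\\d+\\.\\d+\\.\\d+[^('\\s:]*)`, 'gm');
  const versions = new Set();
  for (const m of lockfileText.matchAll(keyRe)) versions.add(m[1]);
  return [...versions].sort();
}

// Versions of `name` still below the patched floor.
function vulnerableVersions(lockfileText, name, floor) {
  const f = parseSemver(floor);
  return resolvedVersions(lockfileText, name)
    .filter(v => compareSemver(parseSemver(v), f) < 0);
}

// The override in this PR is a plain `>=x.y.z` floor; that is the only range
// shape this check understands (assumption). Anything else is reported as not ok.
function overrideFloorOk(rangeSpec, floor) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(String(rangeSpec).trim());
  return m !== null && compareSemver(parseSemver(m[1]), parseSemver(floor)) >= 0;
}

// Combined audit over the lockfile, the override spec and the catalog version.
function auditBump({ lockfileText, overrideSpec, catalogVersion, names, floor }) {
  const stillVulnerable = {};
  for (const n of names) {
    const bad = vulnerableVersions(lockfileText, n, floor);
    if (bad.length) stillVulnerable[n] = bad;
  }
  return {
    overrideOk: overrideFloorOk(overrideSpec, floor),
    catalogOk: compareSemver(parseSemver(catalogVersion), parseSemver(floor)) === 0,
    stillVulnerable,
    clean: Object.keys(stillVulnerable).length === 0,
  };
}

const AUDITED = ['next', '@next/env']; // add the @next/swc-* names to cover the binaries too
const REPORT_BEFORE = auditBump({ lockfileText: LOCKFILE_BEFORE, overrideSpec: '>=15.5.10',
  catalogVersion: '15.5.10', names: AUDITED, floor: PATCHED_FLOOR });
const REPORT_AFTER = auditBump({ lockfileText: LOCKFILE_AFTER, overrideSpec: '>=15.5.15',
  catalogVersion: '15.5.15', names: AUDITED, floor: PATCHED_FLOOR });
console.log(JSON.stringify({ before: REPORT_BEFORE, after: REPORT_AFTER }, null, 2));
```

On the "before" sample the report flags `next` and `@next/env` at 15.5.10 and marks both the override and the catalog as short of the floor; on the "after" sample it is clean. Run against a real lockfile, `resolvedVersions` also surfaces the case the PR's hand-edit has to get right: a package that resolves to more than one version, where only some keys were edited. The integrity check the PR describes (`dist.integrity` from `npm view`) is a separate step this script does not replace.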
@coderdan coderdan force-pushed the dan/bump-next-15.5.15 branch from a5a52e7 to 32c08d4 on May 6, 2026 01:14
@coderdan coderdan merged commit 6c67303 into main May 6, 2026
7 checks passed
@coderdan coderdan deleted the dan/bump-next-15.5.15 branch May 6, 2026 01:20