Skip to content

chore(deps): bump the npm_and_yarn group across 2 directories with 1 update#6

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-3ede907f29
Closed

chore(deps): bump the npm_and_yarn group across 2 directories with 1 update#6
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-3ede907f29

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Aug 30, 2025

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 1 update in the / directory: next.
Bumps the npm_and_yarn group with 1 update in the /apps/login directory: next.

Updates next from 15.4.0-canary.86 to 15.4.7

Release notes

Sourced from next's releases.

v15.4.7

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix router handling when setting a location response header #82588

Credits

Huge thanks to @​ztanner for helping!

v15.4.6

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#82347)
  • fix: add ?dpl to fonts in /_next/static/media (#82384)

Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Fix API stripping JSON incorrectly (#82062)
  • Fix i18n fallback: false collision (#82158)
  • Revert "Fix tracing of server actions imported by client components (#82167)
  • Ensure setAssetPrefix updates config instance (#82165)
  • Turbopack: update mimalloc (#82166)
  • fix(next/image): fix image-optimizer.ts headers (#82175)
  • fix(next/image): improve and simplify detect-content-type (#82174)

Credits

Huge thanks to @​ijjk, @​sokra, and @​styfle for helping!

v15.4.4

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Fix dynamicParams false layout case in dev (#82026)
  • Turbopack: fix scope hoisting variable renaming bug (#81640)
  • Upgrade to swc v33 (#81750)
  • Revert "[metadata] use https protocol for schema urls" (#81934)

... (truncated)

Commits

Updates next from 15.4.0-canary.86 to 15.4.7

Release notes

Sourced from next's releases.

v15.4.7

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix router handling when setting a location response header #82588

Credits

Huge thanks to @​ztanner for helping!

v15.4.6

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#82347)
  • fix: add ?dpl to fonts in /_next/static/media (#82384)

Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Fix API stripping JSON incorrectly (#82062)
  • Fix i18n fallback: false collision (#82158)
  • Revert "Fix tracing of server actions imported by client components (#82167)
  • Ensure setAssetPrefix updates config instance (#82165)
  • Turbopack: update mimalloc (#82166)
  • fix(next/image): fix image-optimizer.ts headers (#82175)
  • fix(next/image): improve and simplify detect-content-type (#82174)

Credits

Huge thanks to @​ijjk, @​sokra, and @​styfle for helping!

v15.4.4

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Fix dynamicParams false layout case in dev (#82026)
  • Turbopack: fix scope hoisting variable renaming bug (#81640)
  • Upgrade to swc v33 (#81750)
  • Revert "[metadata] use https protocol for schema urls" (#81934)

... (truncated)

Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

…update

Bumps the npm_and_yarn group with 1 update in the / directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 1 update in the /apps/login directory: [next](https://github.com/vercel/next.js).


Updates `next` from 15.4.0-canary.86 to 15.4.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.4.0-canary.86...v15.4.7)

Updates `next` from 15.4.0-canary.86 to 15.4.7
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.4.0-canary.86...v15.4.7)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.4.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.4.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Aug 30, 2025
@dependabot @github

dependabot Bot commented on behalf of github Sep 16, 2025

Copy link
Copy Markdown
Author

Dependabot encountered an unknown error. Because of this, Dependabot cannot update this pull request.

@dependabot @github

dependabot Bot commented on behalf of github Apr 14, 2026

Copy link
Copy Markdown
Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-3ede907f29 branch April 14, 2026 02:46
yahyafakhroji added a commit that referenced this pull request Jul 5, 2026
Fixes 31 of 32 confirmed findings from the adversarially-verified ultracode audit
of the auth-ui rebuild; #16 is partially fixed with a documented residual. All
changes typecheck clean and pass the mirrored cypress component specs. See
docs/AUDIT-FINDINGS.md for the full per-finding detail and status.

Highlights by subsystem:
- session/device: device-authorization grants no longer auto-complete from the
  forgeable GET /signed-in; they route to the CSRF-protected /device/authorize
  consent screen (explicit Approve showing app + scope). (#10)
- rate-limit: limiters mount on '*' and self-guard on a normalized (lowercased,
  .data-stripped) path, closing the case-variant and single-fetch bypasses. (#1, #11)
- verify: email-code resend is gated on server-verified session ownership and never
  500s / enumerates; requestId validated + encoded into the /authorize hand-back.
  (#9, #25, #30)
- signup: registration policy (allowRegister/allowPassword/passkeysType) enforced in
  the actions; duplicate-email responses emit a Set-Cookie (presence oracle closed,
  content/size residual documented — #16); fingerprintId used instead of the MaxMind
  token; requestId resumed on email-link complete. (#3, #4, #14, #16, #17)
- sso: guarded getSession/startIdpIntent (graceful branded errors, not 500s); LDAP
  reauth cookie cleared; ProviderError on sign-in mapped to the branded page;
  deviceTrackingToken threaded on auto-link. (#2, #5, #6, #13, #19, #20, #21)
- providers/mappers: U2F factor derived from the webAuthN proto factor (fixes the
  U2F login loop); failedAttempts extracted with the proper schema; forceMfaLocalOnly
  kept distinct from forceMfa. (#0, #7, #22)
- session cookie: dual-format (ISO/epoch) timestamp parsing in the eviction pre-pass
  so the 2KB budget is respected. (#8)
- webauthn: real browsers without WebAuthn see the unsupported message instead of
  submitting the Cypress fake credential. (#27)
- fraud: MaxMind token falls back to the cookie when it lands after the poll budget;
  default-org cache keyed per service URL. (#28, #29)
- audit logging: raw loginName replaced with hashActor across OTP/webauthn/password
  reset events. (#23, #24, #26)
- setup: safeParse on tampered skip params; TOTP register guarded. (#12, #31)

Verification (2026-07-04): the 12 findings applied in the prior batch were
independently re-verified (verifier + adversary per finding). 9 closed cleanly;
#10 (device-auth) was incomplete and #30 (resend test) was a regression — both
re-fixed here; #16 (signup enumeration) is partial, with the residual documented
and full closure (sessions-cookie encryption) deferred by owner decision.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UhyUkaSmoNFax5wu2aHfi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant