
chore(deps): bump next from 15.5.15 to 15.5.18#50

Merged
jrphilo merged 1 commit into
mainfrom
dependabot/npm_and_yarn/next-15.5.18
May 13, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Bumps next from 15.5.15 to 15.5.18.

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v15.5.16

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

Commits
  • 9ff92ce v15.5.18
  • 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
  • 62c97ab v15.5.17
  • 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
  • fa78739 Turbopack: Fix middleware matcher suffix (#93590)
  • 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
  • 36589b5 [backport][test] Pin package manager to patch versions (#93596)
  • ad6fd4e v15.5.16
  • 79d7dff Ignore malformed CSP nonce headers (#103)
  • c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 12, 2026
@dependabot dependabot Bot requested a review from jrphilo as a code owner May 12, 2026 08:45
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 12, 2026

Deploying with Cloudflare Workers

Status: ✅ Deployment successful!
Name: docs-preview
Latest Commit: acd63e9
Updated (UTC): May 13 2026, 02:15 PM

Bumps [next](https://github.com/vercel/next.js) from 15.5.15 to 15.5.18.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.15...v15.5.18)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.18
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/next-15.5.18 branch from 0fbcc30 to acd63e9 Compare May 13, 2026 14:13
@jrphilo
Collaborator

jrphilo commented May 13, 2026

Ralphie verified this — ready to merge.

Verification

  • lint: ✓ (pre-existing no-img-element warning in src/components/Logo.tsx, unrelated to this bump)
  • build: ✓ (Next.js type-check + bundle, 11/11 static pages, middleware 32.4 kB)
  • check:links: ✓ (39 files, 3 internal links, 0 broken)

Changelog highlights

  • Patch-series security release: 15.5.15 → 15.5.16 → 15.5.17 → 15.5.18.
  • Bundle of fixes for App Router middleware/proxy bypass, RSC DoS, RSC cache poisoning, Image Optimization DoS, CSP-nonce XSS, beforeInteractive XSS, WebSocket SSRF, and Pages Router i18n bypass.
  • Release notes — security advisories linked there.

Investigation

Elevated scrutiny applied: framework major (next). Bump is patch-within-minor (15.5.x), security-only.

  • Ownership: ownership change flagged — Dependabot reports the release was pushed to npm by GitHub Actions rather than the prior personal account. Investigated → this is Vercel's move to npm trusted publishing via GitHub Actions OIDC; consistent with the security-release theme and an upgrade in supply-chain posture, not a takeover signal.
  • Auth/secrets: none — no auth/secrets handling code in this repo (middleware deletes cookie/host on proxy, no token handling).
  • Security advisory: 13 advisories fixed in this range (7 High, 4 Moderate, 2 Low). Investigated our exposure to each affected surface:
    • Middleware/proxy bypass (GHSA-267c-6grr-h53f, -26hh-7cqf-hhc6, -492v-c6pp-mqqv, -3g8h-86w9-wvmq): we ship src/middleware.ts which proxies /ingest/* to PostHog and sets X-Frame-Options / X-Robots-Tag. Fixes are internal to Next's request handling — beneficial for us.
    • Pages Router i18n bypass (GHSA-36qx-fr4f-26g5): we're App Router-only; no pages/ dir.
    • Cache Components DoS (GHSA-mg66-mrh9-m8jx): we don't enable cacheComponents.
    • WebSocket SSRF (GHSA-c4j6-fc7j-m34r): no WebSocket upgrades in this repo.
    • CSP nonces (GHSA-ffhc-5mcf-pf4q) + beforeInteractive XSS (GHSA-gx5p-jg67-6x7h): no custom CSP nonce handling and no beforeInteractive script usage (grep clean).
    • Image Optimization DoS (GHSA-h64f-5h5j-jqjh) + RSC cache poisoning/DoS: docs render mostly static; fixes are server-side hardening — net positive.
  • Deprecations: next lint deprecation warning surfaces in the lint output but is pre-existing on main (introduced earlier in 15.5.x) — not introduced by this bump.
  • Breaking API: none — patch series within 15.5.x.

Recommendation

Security-only patch bump on a framework we use surgically (one middleware file, no Pages Router, no Cache Components, no WebSockets). All three verification steps green; investigated exposure to each fixed advisory; supply-chain publisher change is in the safer direction (OIDC trusted publishing). Safe to merge.

@jrphilo jrphilo added the ralphie:ready-to-merge Ralphie verified; maintainer to merge label May 13, 2026
@jrphilo jrphilo merged commit 7b84f90 into main May 13, 2026
5 checks passed
@jrphilo jrphilo deleted the dependabot/npm_and_yarn/next-15.5.18 branch May 13, 2026 15:11