Security: Update Next.js to 16.1.6 (GHSA-h25m-26qc-wcjf)#418

Merged
hotlong merged 2 commits into copilot/update-action-run-output from copilot/update-action-step-integration
Jan 31, 2026

Copilot AI commented Jan 31, 2026

CI audit failing on high-severity Next.js vulnerability: HTTP request deserialization DoS in React Server Components.

Changes

  • apps/docs: Bump next from ^16.1.3 to ^16.1.5 (resolves to 16.1.6)
  • Update pnpm-lock.yaml accordingly

Vulnerability Details

Original prompt

Reference: https://github.com/objectstack-ai/spec/actions/runs/21536535905/job/62063308420#step:8:1



vercel bot commented Jan 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| spec | Ready | Preview, Comment | Jan 31, 2026 1:49am |

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update action step integration for better efficiency" to "Security: Update Next.js to 16.1.6 (GHSA-h25m-26qc-wcjf)" Jan 31, 2026
Copilot AI requested a review from hotlong January 31, 2026 01:49
hotlong marked this pull request as ready for review January 31, 2026 01:49
Copilot AI review requested due to automatic review settings January 31, 2026 01:49
hotlong merged commit 7c09a58 into copilot/update-action-run-output Jan 31, 2026
2 checks passed
Copilot AI left a comment

Pull request overview

This PR updates Next.js from version 16.1.3 to 16.1.6 in the documentation app to address a high-severity security vulnerability (GHSA-h25m-26qc-wcjf) related to HTTP request deserialization DoS in React Server Components.

Changes:

  • Updated Next.js version specifier from ^16.1.3 to ^16.1.5 in apps/docs package.json
  • Regenerated pnpm-lock.yaml with all Next.js dependencies resolved to version 16.1.6

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| apps/docs/package.json | Updated Next.js dependency specifier from ^16.1.3 to ^16.1.5 |
| pnpm-lock.yaml | Updated all Next.js core and platform-specific SWC packages from 16.1.3 to 16.1.6, including transitive dependencies in fumadocs packages |

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported
