fix(deps)!: bump minimum next version to 15.4.9 (#14898)

# ⚠️ Security Issue

A high-severity Denial of Service
([CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184)) and
a medium-severity Source Code Exposure
([CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183))
affect React 19 and frameworks that use it, like Next.js.

## Summary

Denial of Service
([CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184))

> A malicious HTTP request can be crafted and sent to any App Router
endpoint that, when deserialized, can cause the server process to hang
and consume CPU.

Source Code Exposure
([CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183))

> A malicious HTTP request can be crafted and sent to any App Router
endpoint that can return the compiled source code of Server Actions.
This could reveal business logic, but would not expose secrets unless
they were hardcoded directly into the Server Action’s code.

Full details here:
https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#how-to-upgrade-and-protect-your-next.js-app

While this is **not a Payload vulnerability,** it may affect any Payload
project running on the affected versions of Next.js. Payload does not
install any of these dependencies directly, it simply _enforces_ their
versions through its peer dependencies, which will only _warn_ you of
the version incompatibilities.

You will need to upgrade React and Next.js yourself in your own apps to
the patched versions listed below in order to receive these updates.

## Resolution

You are strongly encouraged to upgrade your own apps to the nearest
patched versions of Next.js and deploy immediately.

Quick steps:

If using `pnpm` as your package manager, here's a one-liner:

```
pnpm add next@15.4.9
```

For a full breakdown of the vulnerable packages and their patched
releases, see
https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#how-to-upgrade-and-protect-your-next.js-app.

Related: #14807

Author: jacobsfletch

examples/astro/payload/package.json

@@ -27,7 +27,7 @@
     "@payloadcms/richtext-lexical": "3.11.0",
     "cross-env": "^7.0.3",
     "graphql": "^16.8.1",
-    "next": "15.4.8",
+    "next": "15.4.9",
     "payload": "3.11.0",
     "react": "19.2.1",
     "react-dom": "19.2.1",

examples/astro/payload/pnpm-lock.yaml

@@ -21,7 +21,7 @@
     "@payloadcms/richtext-slate": "latest",
     "@payloadcms/ui": "latest",
     "cross-env": "^7.0.3",
-    "next": "^15.4.8",
+    "next": "^15.4.9",
     "payload": "latest",
     "react": "19.2.1",
     "react-dom": "19.2.1",

examples/auth/package.json

@@ -25,7 +25,7 @@
     "dotenv": "^8.2.0",
     "graphql": "^16.9.0",
     "install": "^0.13.0",
-    "next": "^15.4.8",
+    "next": "^15.4.9",
     "payload": "latest",
     "react": "^19.2.1",
     "react-dom": "^19.2.1"

examples/auth/pnpm-lock.yaml

@@ -17,7 +17,7 @@
     "cross-env": "^7.0.3",
     "express": "^4.21.1",
     "graphql": "^16.8.1",
-    "next": "15.4.8",
+    "next": "15.4.9",
     "payload": "latest",
     "react": "^19.2.1",
     "react-dom": "^19.2.1"

examples/custom-components/package.json

@@ -24,7 +24,7 @@
     "dotenv": "^8.2.0",
     "escape-html": "^1.0.3",
     "graphql": "^16.9.0",
-    "next": "^15.4.8",
+    "next": "^15.4.9",
     "payload": "latest",
     "react": "19.2.1",
     "react-dom": "19.2.1"