Skip to content

fix(deps): update next 15.5.18 and react 19.0.6 [security]#1591

Merged
zzq0826 merged 1 commit into
sepoliafrom
update-deps-2026-05
May 15, 2026
Merged

fix(deps): update next 15.5.18 and react 19.0.6 [security]#1591
zzq0826 merged 1 commit into
sepoliafrom
update-deps-2026-05

Conversation

@zzq0826
Copy link
Copy Markdown
Member

@zzq0826 zzq0826 commented May 15, 2026

Summary

Address the Next.js May 2026 coordinated security release (May 7, 2026) which fixes 13 advisories including:

  • Auth bypass via App Router segment-prefetch URL
  • SSRF / cache poisoning / XSS
  • Denial of Service in Server Components

Tracking tweet: https://x.com/nextjs/status/2052489312944759202

Changes

Package From To
next 15.5.10 15.5.18
react 19.0.0 19.0.6
react-dom 19.0.0 19.0.6
eslint-config-next 15.1.4 15.5.18 (align with next)
@next/mdx 15.1.5 (transitive) 15.5.18 (transitive realignment)
@next/third-parties 15.1.5 (transitive) 15.5.18 (transitive realignment)

Staying on the 15.x line per the advisory (15.5.18 and 16.2.6 are co-equal patched targets) to minimize risk.

Test plan

  • yarn install clean
  • yarn lint — no new errors (only pre-existing _error/unused-var warnings)
  • npx tsc --noEmit — zero type errors
  • yarn build — verified via Vercel preview deploy (local build needs NEXT_PUBLIC_ECOSYSTEM_BASE_URI env which isn't in my local; this is a pre-existing env issue, not a regression)
  • Vercel preview deploy smoke test (manual)

🤖 Generated with Claude Code

@zzq0826
fix(deps): update next 15.5.18 and react 19.0.6 [security]
6c79204 
Address the Next.js May 2026 coordinated security release (13 advisories
including auth bypass, SSRF, cache poisoning, XSS, DoS). Bump:

- next: 15.5.10 -> 15.5.18
- react: 19.0.0 -> 19.0.6
- react-dom: 19.0.0 -> 19.0.6
- eslint-config-next: 15.1.4 -> 15.5.18 (align with next)
- @next/mdx: -> 15.5.18 (transitive realignment)
- @next/third-parties: -> 15.5.18 (transitive realignment)

Refs: https://vercel.com/changelog/next-js-may-2026-security-release
@vercel
Copy link
Copy Markdown

vercel Bot commented May 15, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
frontends Ready Ready Preview, Comment May 15, 2026 11:28am

Request Review

@zzq0826 zzq0826 merged commit 8cc4cde into sepolia May 15, 2026
2 checks passed
@zzq0826 zzq0826 deleted the update-deps-2026-05 branch May 15, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zzq0826