Conversation
@depfu depfu bot commented Dec 3, 2025


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint-config-next (16.0.3 → 16.0.7)

Sorry, we couldn't find anything useful about this release.

✳️ next (16.0.3 → 16.0.7) · Repo

Security Advisories 🚨

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages [1] for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

[1] The affected React packages are:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack

Release Notes

16.0.6

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • bump the browserslist version to silence a warning in CI (#86625)

Credits

Huge thanks to @lukesandberg for helping!

16.0.5

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix(nodejs-middleware): await for body cloning to be properly finalized (#85418)

Credits

Huge thanks to @lucasadrianof for helping!

16.0.4

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: Rename proxy.js to middleware.js in NFT file (#86214)
  • fix: prevent fetch abort errors propagating to user error boundaries (#86277)
  • Turbopack: fix passing project options from napi (#86256)

Credits

Huge thanks to @devjiwonchoi, @sokra and @ztanner for helping!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
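The advisory's version lists above, turned into a check that a maintainer can run over the versions a lockfile actually resolved (an added example, not code from this PR or from the depfu or Next.js projects; the status labels and the `{ name: resolvedVersion }` input shape of `assessResolved` are my own assumptions):

```javascript
// Added example, not code from the PR or the Next.js/depfu projects: classify a
// resolved version against the CVE-2025-55182 ranges quoted in the advisory above.
const NEXT_FIXED = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6",
  "15.3": "15.3.6", "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };
const RSD_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSD_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Minimal semver parse; `pre` is the pre-release tag (e.g. "canary.77") or null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// status is one of "vulnerable", "fixed", "not-affected", "unknown" (assumed labels).
function assessNext(version) {
  const { major, minor, patch, pre } = parseVersion(version);
  if (major === 14) {
    // Only 14.3.0-canary.77 and later canaries are affected; 14.x stable is not.
    const canary = pre && /^canary\.(\d+)$/.exec(pre);
    const bad = minor === 3 && patch === 0 && canary && +canary[1] >= 77;
    return bad ? { status: "vulnerable", upgradeTo: "14.3.0-canary.76 or 14.x stable" }
               : { status: "not-affected", upgradeTo: null };
  }
  const fixed = NEXT_FIXED[`${major}.${minor}`];
  // Pre-14 releases, unlisted minor lines and 15.x/16.x pre-releases: not covered, review by hand.
  if (!fixed || pre !== null) return { status: "unknown", upgradeTo: null };
  const ok = patch >= parseVersion(fixed).patch;
  return { status: ok ? "fixed" : "vulnerable", upgradeTo: ok ? null : fixed };
}

// react-server-dom-{parcel,turbopack,webpack}: the advisory names exact affected versions.
function assessReactServerDom(version) {
  const { major, minor, patch, pre } = parseVersion(version);
  if (pre !== null) return { status: "unknown", upgradeTo: null };
  const line = `${major}.${minor}`;
  if (RSD_AFFECTED.has(`${line}.${patch}`))
    return { status: "vulnerable", upgradeTo: RSD_FIXED[line] };
  return { status: "not-affected", upgradeTo: null };
}

// Walk a { name: resolvedVersion } map (e.g. built from pnpm-lock.yaml): a "^16.0.3" range alone says nothing about what was installed.
function assessResolved(resolved) {
  const out = {};
  for (const [name, version] of Object.entries(resolved)) {
    if (name === "next") out[name] = assessNext(version);
    else if (name.startsWith("react-server-dom-")) out[name] = assessReactServerDom(version);
  }
  return out;
}
```

Feed it the resolved versions from the lockfile rather than the ranges in package.json, since a caret range such as ^16.0.3 is satisfied by both the vulnerable and the fixed release.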

@depfu depfu bot requested a review from a team as a code owner December 3, 2025 20:06
@depfu depfu bot added the depfu label Dec 3, 2025
@coderabbitai coderabbitai bot commented Dec 3, 2025

Walkthrough

This pull request updates Next.js and related dependencies across two playground package configuration files. In playgrounds/nextjs/package.json and playgrounds/v3/package.json, the Next.js dependency is bumped from version ^16.0.3 to ^16.0.7, and the ESLint configuration for Next.js is similarly updated from ^16.0.3 to ^16.0.7. These version updates bring both playground environments to a more recent patch version of the Next.js 16 release line. No exported or public entity signatures are modified by these changes.

Pre-merge checks

✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically describes the main change: updating Next.js from 16.0.3 to 16.0.7 to address security vulnerabilities, using appropriate security emoji and concise language.
Description check | ✅ Passed | The description is directly related to the changeset, detailing security vulnerabilities fixed, affected packages, release notes, and commits for the Next.js and eslint-config-next version updates.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f107e2 and 75693bc.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • playgrounds/nextjs/package.json (2 hunks)
  • playgrounds/v3/package.json (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: macOS
  • GitHub Check: Linux
  • GitHub Check: Windows
  • GitHub Check: Linux / webpack
  • GitHub Check: Linux / vite
  • GitHub Check: Linux / oxide
  • GitHub Check: Linux / upgrade
  • GitHub Check: Linux / postcss
  • GitHub Check: Linux / cli
🔇 Additional comments (2)
playgrounds/nextjs/package.json (1)

14-14: ✓ Security patch applied correctly.

The Next.js and eslint-config-next versions are updated to 16.0.7, addressing the CVE-2025-55182 RCE vulnerability in the React flight protocol. React is already at the patched version (^19.2.0). Patch-level updates within the ^16.0.x constraint are backward compatible and introduce only backported bug fixes (middleware body cloning, fetch abort error handling, Turbopack fixes).

Also applies to: 24-24

playgrounds/v3/package.json (1)

12-12: ✓ Security patch applied consistently across playgrounds.

Both playground environments now align on Next.js 16.0.7 and eslint-config-next 16.0.7. React dependencies are already patched (^19.2.0). The patch-level update maintains compatibility while addressing CVE-2025-55182.

Also applies to: 23-23


Comment @coderabbitai help to get the list of available commands and usage tips.

@depfu depfu bot merged commit a92fa97 into main Dec 3, 2025
9 checks passed
@depfu depfu bot deleted the depfu/update/pnpm/group/nextjs-16.0.7 branch December 3, 2025 20:19