chore(deps): update dependency next to v16.0.7 [security] #9941
Conversation
Walkthrough
Bumped Next.js dependency to ^16.0.0 across multiple integration and example package.json files; no other fields or code changes in the diff.
| Command | Status | Duration | Result |
|---|---|---|---|
| nx affected --targets=test:sherif,test:knip,tes... | ❌ Failed | 2m 23s | View ↗ |
| nx run-many --target=build --exclude=examples/*... | ❌ Failed | 1m 16s | View ↗ |
☁️ Nx Cloud last updated this comment at 2025-12-03 20:56:48 UTC
Actionable comments posted: 1
🧹 Nitpick comments (1)
integrations/react-next-14/package.json (1)
2-2: Update package name to reflect Next.js 15 dependency. The package is named "react-next-14" but now depends on Next.js ^15.0.0. Consider renaming it to "react-next-15" or a more generic name to avoid confusion about the supported framework version.
📒 Files selected for processing (1)
integrations/react-next-14/package.json (1 hunks)
🔇 Additional comments (1)
integrations/react-next-14/package.json (1)
10-10: Verify if integration code requires updates for Next.js 15 breaking changes. Next.js 15 introduces several breaking changes, most notably:
- cookies(), headers(), params, searchParams, and draftMode are now async
- GET Route Handlers are no longer cached by default (opt-in with export dynamic = 'force-static')
- Client Router Cache defaults to staleTime = 0
If this integration or its consumers use any of these APIs, code updates will be required. Search the codebase for usages of these APIs and confirm compatibility.
afbe8a5 to 28340c3
Actionable comments posted: 3
♻️ Duplicate comments (1)
examples/react/optimistic-updates-cache/package.json (1)
13-15: React 18 is incompatible with Next.js 16; requires React 19.
🧹 Nitpick comments (1)
integrations/react-next-15/package.json (1)
2-2: Package name mismatch: "react-next-15" now targets Next.js 16.0.0. The integration directory and package name reference "next-15" but the Next.js dependency is now ^16.0.0. This is a naming/documentation consistency issue that will confuse maintainers and users looking for a Next.js 15 example.
Consider renaming the package and directory to react-next-16 to reflect the actual Next.js version in use, aligning naming with the Next.js release it targets. (This would require renaming the directory from integrations/react-next-15/ to integrations/react-next-16/.) Also applies to: 12-12
📒 Files selected for processing (11)
- examples/react/auto-refetching/package.json (1 hunks)
- examples/react/infinite-query-with-max-pages/package.json (1 hunks)
- examples/react/load-more-infinite-scroll/package.json (1 hunks)
- examples/react/nextjs-app-prefetching/package.json (1 hunks)
- examples/react/nextjs/package.json (1 hunks)
- examples/react/optimistic-updates-cache/package.json (1 hunks)
- examples/react/optimistic-updates-ui/package.json (1 hunks)
- examples/react/pagination/package.json (1 hunks)
- examples/react/prefetching/package.json (1 hunks)
- integrations/react-next-14/package.json (1 hunks)
- integrations/react-next-15/package.json (1 hunks)
🔇 Additional comments (6)
examples/react/auto-refetching/package.json (1)
13-13: [DUPLICATE_CONCERN] See pagination/package.json review for React 18 + Next.js 16 compatibility issue.
examples/react/infinite-query-with-max-pages/package.json (1)
13-13: [DUPLICATE_CONCERN] See pagination/package.json review for React 18 + Next.js 16 compatibility issue.
examples/react/prefetching/package.json (1)
13-13: [DUPLICATE_CONCERN] See pagination/package.json review for React 18 + Next.js 16 compatibility issue.
examples/react/optimistic-updates-ui/package.json (1)
13-13: [DUPLICATE_CONCERN] See pagination/package.json review for React 18 + Next.js 16 compatibility issue.
examples/react/nextjs-app-prefetching/package.json (1)
13-15: Correctly configured with React 19 + Next.js 16.0.0. This example properly aligns React 19 with Next.js 16.0.0. In contrast, the other 6 example files still use React 18.2.0 with Next.js 16.0.0, which is likely incompatible. Use this file as the correct template for updating the other examples.
Once the React 18 → 19 upgrade is confirmed as necessary across all affected files, this becomes the pattern to follow.
examples/react/load-more-infinite-scroll/package.json (1)
13-15: React 18 is incompatible with Next.js 16; requires React 19. Next.js 16 is built for and requires React 19 according to the official upgrade guide and release notes. The current package.json specifies react@^18.2.0 and react-dom@^18.2.0, which will cause build and runtime failures in the App Router. The DevDependencies also lock to React 18 types (@types/react@^18.2.79), which should be updated to align with React 19. Update to fix the incompatibility:
"dependencies": { "@tanstack/react-query": "^5.90.11", "@tanstack/react-query-devtools": "^5.91.1", "next": "^16.0.0", - "react": "^18.2.0", - "react-dom": "^18.2.0", + "react": "^19.0.0", + "react-dom": "^19.0.0", "react-intersection-observer": "^9.16.0" }, "devDependencies": { - "@types/react": "^18.2.79", - "@types/react-dom": "^18.2.25", + "@types/react": "^19.0.0", + "@types/react-dom": "^19.0.0", "typescript": "5.8.3" }
Likely an incorrect or invalid review comment.
| "@tanstack/react-query": "^5.90.11", | ||
| "@tanstack/react-query-devtools": "^5.91.1", | ||
| "next": "^15.3.1", | ||
| "next": "^16.0.0", |
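Review bot: the new range "next": "^16.0.0" sets a floor below the release this [security] PR is titled for and that the CVE-2025-66478 advisory in the PR body names as the 16.x fix (16.0.7), so the manifest by itself does not express the fix; only pnpm-lock.yaml does, and that file is excluded from review. The 16.0.2 this PR is moving away from sits inside the affected set, as do 16.0.3 through 16.0.6. Write the floor as "next": "^16.0.7" (or the exact patched version) so a fresh install, a lockfile regeneration, or anyone copying this example cannot resolve to an unpatched 16.0.x.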
🧩 Analysis chain
🌐 Web query:
Next.js 16.0.0 React version requirements compatibility
💡 Result:
Short answer: Next.js 16 supports React 18 and React 19 (Next.js docs recommend installing the latest React). Use matching react + react-dom versions (e.g. 18.x or 19.x). Note: some third‑party packages may still have peerDependency ranges that block React 19 and will need updates or overrides. [1][2][3][4]
Sources:
- Next.js upgrade guide (v16) — recommends installing react@latest / react-dom@latest. [1]
- Next.js 16 release post / blog. [2]
- Next.js support policy (v16 release date / LTS). [3]
- Third‑party issues showing peerDependency mismatches with React 19 (example). [4]
Critical: Major version discrepancy between PR objectives and actual code.
The PR objectives state a security update to Next.js 15.4.7 with CVE fixes in the v15.4.x series, but this file bumps to ^16.0.0 — a major version jump. This is a significant scope change that needs clarification.
React 18.2.0 (line 14) is compatible with Next.js 16.0.0, so no compatibility issue there.
🤖 Prompt for AI Agents
In examples/react/nextjs/package.json around line 13, the dependency was bumped to "next": "^16.0.0" which contradicts the PR objective of updating to Next.js 15.4.7; change the version back to the intended 15.4.7 (or ^15.4.x per policy), update the lockfile (run npm install / pnpm install) so package-lock.json/yarn.lock reflects the rollback, run the test suite and security audit (npm audit or similar) to confirm CVE fixes remain, and commit the updated package.json and lockfile with a note clarifying the PR targets 15.4.7 (not a major-version upgrade).
| "next": "^16.0.0", | ||
| "react": "^18.2.0", | ||
| "react-dom": "^18.2.0" |
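Review bot: only "next" moves in this hunk; "react" and "react-dom" stay at ^18.2.0. React 18 is outside the React versions the advisory in this PR lists as affected, so leaving it is not a CVE problem, but both Nx Cloud runs on this PR failed (the test target and the build target) and the sibling example nextjs-app-prefetching already pairs Next.js 16 with React 19, so the examples are now inconsistent with each other. Before merging, either confirm that next@16 declares a peer range that accepts react@18 and that the failed builds are unrelated, or bump react, react-dom and the @types/react* entries together; if you do move to React 19, note that the advisory's patched React releases are 19.0.1, 19.1.2 and 19.2.1, so a floor of ^19.0.0 would still admit the affected 19.0.0.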
🧩 Analysis chain
🌐 Web query:
Next.js 16.0.0 React version requirements compatibility
💡 Result:
Short answer: Next.js 16 expects you to use the latest React (install react@latest / react-dom@latest). It adds stable support for the React Compiler and explicit support for React 19 features while remaining compatible with recent React releases — the official upgrade docs instruct installing react@latest. (nextjs.org)
If you want a precise version to install now: run npm info react version or npm install react@latest to pick the React release the Next.js 16 docs target. (nextjs.org)
Citations:
- 1: https://nextjs.org/docs/app/guides/upgrading/version-16?utm_source=openai
- 2: https://nextjs.org/docs/app/guides/upgrading/version-16?utm_source=openai
🌐 Web query:
React 19 latest version release date 2024 2025
💡 Result:
React 19 (stable) — December 5, 2024. [1]
Notable follow-up release: React 19.1.0 — March 28, 2025. [2]
Sources: React blog post announcing v19 (Dec 5, 2024) [1]; official GitHub releases (19.1.0, Mar 28, 2025) [2].
Update React version for Next.js 16 compatibility.
Next.js 16 requires React 19 (released December 2024). The example pins React to ^18.2.0, which is incompatible. Update to react@^19.0.0 and react-dom@^19.0.0 to align with Next.js 16's official upgrade guidance.
🤖 Prompt for AI Agents
In examples/react/pagination/package.json around lines 13 to 15, the project pins "react" and "react-dom" to ^18.2.0 which is incompatible with Next.js 16; update the package.json entries for "react" and "react-dom" to ^19.0.0 (or ^19.x) to match Next.js 16 requirements, then run npm/yarn install and verify the example builds and runs (fix any peer dependency/resolution issues if they appear).
| "next": "^16.0.0", | ||
| "react": "^18.2.0", | ||
| "react-dom": "^18.2.0" |
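Review bot: this integration exists to exercise Next.js 14 (its directory and package name, and the ^14.2.28 it is bumped from in the PR body), and moving it to ^16.0.0 makes it a duplicate of react-next-15 while dropping the repository's only 14.x coverage. The advisory text in this PR gives 14.2.x fixes for the CVEs that touch the 14 line (CVE-2025-55173 and CVE-2025-57752 in 14.2.31, CVE-2025-57822 in 14.2.32) and CVE-2025-66478 names only 15.x, 16.x and the 14.3.0-canary.77+ builds as affected, so bumping this file to the patched 14.2.x instead would keep the test matrix honest; if the maintainers do want it on 16, rename the integration as CodeRabbit suggests. Either way the react/react-dom ^18.2.0 pins in this hunk need the same decision as the examples.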
🧩 Analysis chain
🏁 Script executed:
# Check for PR context, renovate config, and app router code
git log --oneline -20 --all
Repository: TanStack/query
Length of output: 1449
🏁 Script executed:
# Look for Renovate configuration
fd -t f 'renovate\.json|\.renovaterc' -o 'renovate.json5'
Repository: TanStack/query
Length of output: 205
🏁 Script executed:
# Check the app directory structure
fd -t f '\.(tsx?|jsx?)$' integrations/react-next-14/app --max-depth 2
Repository: TanStack/query
Length of output: 236
🏁 Script executed:
# Read the referenced app/client-component.tsx file
cat -n integrations/react-next-14/app/client-component.tsx 2>/dev/null || echo "File not found"
Repository: TanStack/query
Length of output: 688
🏁 Script executed:
# Check package.json for full dependency context
cat -n integrations/react-next-14/package.json
Repository: TanStack/query
Length of output: 569
🌐 Web query:
Next.js 16 React version requirements compatibility matrix
💡 Result:
Here’s a concise compatibility matrix for Next.js 16 and React versions:
- Next.js 16 — React 19.x: Supported / required (Next.js 16 ships with first‑class React 19/React Compiler support). [1][2]
- Next.js 16 — React 18.x: Incompatible / not supported (Next.js 16 expects React 19 features; upgrade React when migrating). [1][2]
- Next.js 16 — React 17.x and earlier: Incompatible / not supported. [1][2]
- Notes: App Router uses React canary builds internally during dev; install react@19 and react-dom@19 for production apps. Next.js 16 also requires a modern Node.js (see docs). [3][2]
Sources: Next.js 16 announcement & blog / upgrade docs; Next.js installation docs / support policy. [1][2][3]
References
[1] Next.js 16 (blog/announcement).
[2] Next.js — Upgrading to version 16 (migration/upgrade guide).
[3] Next.js installation / getting started (notes about React canary / install react@latest).
🏁 Script executed:
# Check git history for this specific file to see the version change
git log --oneline -- integrations/react-next-14/package.json | head -10
Repository: TanStack/query
Length of output: 124
🏁 Script executed:
# Get more details on the security commit
git show 28340c31 --stat
Repository: TanStack/query
Length of output: 50371
React 18 is incompatible with Next.js 16; upgrade React and React DOM to ^19.0.0.
Next.js 16 requires React 19, but this package declares react@^18.2.0 and react-dom@^18.2.0, which will cause runtime failures in App Router code (confirmed in app/client-component.tsx).
Apply this fix:
"dependencies": {
"@tanstack/react-query": "workspace:*",
"@tanstack/react-query-devtools": "workspace:*",
"next": "^16.0.0",
- "react": "^18.2.0",
- "react-dom": "^18.2.0"
+ "react": "^19.0.0",
+ "react-dom": "^19.0.0"
Also update TypeScript types in devDependencies to match React 19:
"devDependencies": {
- "@types/react": "^18.2.79",
- "@types/react-dom": "^18.2.25"
+ "@types/react": "^19.0.0",
+ "@types/react-dom": "^19.0.0"
Committable suggestion skipped: line range outside the PR's diff.
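Review bot: the suggested floor "react": "^19.0.0" (and the matching react-dom line) is below every patched React release the advisory in this PR lists for CVE-2025-66478 (19.0.1, 19.1.2, 19.2.1) and admits 19.0.0, 19.1.0, 19.1.1 and 19.2.0, all of which the advisory names as affected. In a [security] PR the React floor should land on a patched release, for example "react": "^19.2.1" and "react-dom": "^19.2.1", with the lockfile resolving upward from there; the @types/react* bump is fine as written since the types carry no runtime code.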
🤖 Prompt for AI Agents
integrations/react-next-14/package.json lines 10-12: the project lists react and react-dom as ^18.2.0 which is incompatible with Next.js 16; update the dependencies to "react" and "react-dom" to ^19.0.0, and also bump the devDependencies for TypeScript React types (e.g. @types/react and @types/react-dom) to versions that match React 19 (e.g. ^19.0.0) to avoid type mismatches; after editing package.json run your package manager to reinstall/update the lockfile and verify the app/client-component.tsx and any JSX typings compile cleanly.
Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
- next: 16.0.2 -> 16.0.7
- next: ^15.3.1 -> ^16.0.0
- next: ^14.2.28 -> ^16.0.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-48068
Summary
A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version.
Learn more: https://vercel.com/changelog/cve-2025-48068
Credit
Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.
CVE-2025-49005
Summary
A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.
Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.
More details: CVE-2025-49005
CVE-2025-55173
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
CVE-2025-57752
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
More details at Vercel Changelog
CVE-2025-57822
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
CVE-2025-66478
A vulnerability affects certain React packages [1] for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.
Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.
All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.
[1] The affected React packages are:
Release Notes
vercel/next.js (next)
v16.0.7 (Compare Source)
v16.0.6 (Compare Source)
v16.0.5 (Compare Source)
Core Changes
Credits
Huge thanks to @lucasadrianof for helping!
v16.0.4 (Compare Source)
v16.0.3 (Compare Source)
Core Changes
- next dev --inspect: #85037
- b4455a6e-20251027 to 4f931700-20251029: #85518
- cacheLife types out of the webpack plugin and into the dev bundler directly: #85539
- 'use cache' in page/layout component: #85519
- 4f931700-20251029 to 561ee24d-20251101: #85670
- 'next' plugin: #85749
- 561ee24d-20251101 to 67f7d47a-20251103: #85762
- 67f7d47a-20251103 to f646e8ff-20251104: #85772
- f646e8ff-20251104 to dd048c3b-20251105: #85819
- dd048c3b-20251105 to fa50caf5-20251107: #85906
- 'use cache' call stacks: #85966
- fa50caf5-20251107 to 52684925-20251110: #85980
Misc Changes
- opt-level = s for not frequently used crates: #85426
- experimental.cacheLife: #85467
- createSandbox: #85507
- --debug-build-paths instead of NEXT_PRIVATE_APP_PATHS: #85504
- completion.rs a bit: #84863
- maxRetries and hardError parameters: #85536
- cells are created in resolve_raw to make cell allocation order deterministic: #85525
- assert* -> waitFor* when the util is not instant: #85450
- RegExp-like implementations in check: #85537
- after() tests: #85566
- test/integration/ in flake detection tests: #85590
- run-for-change script: #85619
- extern crate and macro_use syntax: #85778
- NEXT_TEST_PREFER_OFFLINE in install-native.mjs: #85850
- next-core/src/next_client_reference/visit_client_reference.rs: #85843
- non_operation_vc_strongly_consistent feature usage from next-api: #85874
- turbo-tasks-macros-shared crate into turbo-tasks-macros: #85917
- next.browserWithResponse(): #85911
- 'use cache' functions to reduce function allocations: #85904
- font-family declaration: #85913
- Auth0Link: #85953
- cacheLife & cacheTag in client: #85872
- cacheLife & cacheTag: #85875
- sharp and unrs-resolver: #83168
- evaluate to take module_graph: #85971
- encryptActionBoundArgs / decryptActionBoundArgs imports: #86015
Credits
Huge thanks to @kdy1, @eps1lon, @SyMind, @bgw, @swarnava, @devjiwonchoi, @ztanner, @ijjk, @huozhi, @icyJoseph, @acdlite, @unstubbable, @gnoff, @gusfune, @vercel-release-bot, @lukesandberg, @sokra, @hayes, @shuding, @wyattjoh, @marjan-ahmed, @timneutkens, @ajstrongdev, @zigang93, @mischnic, @Nayeem-XTREME, @hamirmahal, @eli0shin, @tessamero, @gaojude, @jamesdaniels, @georgesfarah, and @timeyoutakeit for helping!
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
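Added example, not code from this PR, from Renovate, or from the TanStack/query repository: a small Node.js check that maps a resolved version, or the floor of a caret range such as the ^16.0.0 written into the example manifests in this PR, onto the per-release-line fixed versions quoted in the CVE-2025-66478 advisory text above, so a reviewer can tell whether a bump actually lands on a patched release. It generalizes the advisory to any version on the affected lines, including the 14.3.0-canary cut-off. Assumptions: react-dom follows the react release numbers (the footnote listing the affected React packages is cut off on this page); a minor line newer than every listed fix on its major is treated as patched; and SAMPLE_MANIFEST is a constructed object that mirrors the shape of the example package.json files in this PR, not a file from the repository.

```javascript
// Added example, not code from this PR or from the TanStack/query repository.
// Checks resolved versions and range floors against the fixed versions quoted
// in the CVE-2025-66478 advisory text on this page.

// Fixed versions exactly as listed in the advisory.
const FIXED_VERSIONS = {
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
  react: ["19.0.1", "19.1.2", "19.2.1"],
  // Assumption: react-dom follows the react release numbers (the advisory
  // footnote naming the affected React packages is cut off on this page).
  "react-dom": ["19.0.1", "19.1.2", "19.2.1"],
};

// Stable major lines the advisory names as affected.
const AFFECTED_MAJORS = { next: [15, 16], react: [19], "react-dom": [19] };

// First affected Next.js canary build named in the advisory: 14.3.0-canary.77.
const FIRST_AFFECTED_CANARY = 77;

// Parse "16.0.7" or "14.3.0-canary.77" into comparable parts.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Semver-style ordering; a pre-release sorts below its own core version.
function compareVersions(a, b) {
  for (const key of ["major", "minor", "patch"]) {
    if (a[key] !== b[key]) return a[key] < b[key] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Classify one resolved version as "patched", "vulnerable" or "not-affected".
function assess(pkg, version) {
  const v = parseVersion(version);
  const isCanary143 = pkg === "next" && v.major === 14 && v.minor === 3 &&
    v.patch === 0 && v.pre !== null && v.pre.startsWith("canary.");
  if (isCanary143) {
    const build = Number(v.pre.slice("canary.".length));
    return build >= FIRST_AFFECTED_CANARY ? "vulnerable" : "not-affected";
  }
  const majors = AFFECTED_MAJORS[pkg] ?? [];
  if (!majors.includes(v.major)) return "not-affected"; // e.g. next 14.2.x, react 18.x
  const fixed = FIXED_VERSIONS[pkg].map(parseVersion);
  // Fixes shipped per minor line, so compare against the fix on this version's own line.
  const sameLine = fixed.find((f) => f.major === v.major && f.minor === v.minor);
  if (sameLine) return compareVersions(v, sameLine) >= 0 ? "patched" : "vulnerable";
  // Assumption: a minor line newer than every listed fix on this major post-dates the
  // fix; an older unlisted line has no patched release and is reported vulnerable.
  const onMajor = fixed.filter((f) => f.major === v.major).sort(compareVersions);
  const newest = onMajor[onMajor.length - 1];
  return compareVersions(v, newest) > 0 ? "patched" : "vulnerable";
}

// A ^, ~ or >= range only fixes a lower bound; report what that bound resolves to.
function assessRangeFloor(pkg, range) {
  const floor = range.trim().replace(/^(\^|~|>=\s*)/, "");
  return { floor, floorStatus: assess(pkg, floor) };
}

// Walk a package.json object and report every dependency the advisory names.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [pkg, range] of Object.entries(manifest[field] ?? {})) {
      if (!(pkg in FIXED_VERSIONS)) continue;
      if (range.startsWith("workspace:")) continue; // resolved by the monorepo, not npm
      findings.push({ field, pkg, range, ...assessRangeFloor(pkg, range) });
    }
  }
  return findings;
}

// Constructed sample mirroring the shape of the example package.json files in this PR.
const SAMPLE_MANIFEST = {
  dependencies: {
    "@tanstack/react-query": "^5.90.11",
    next: "^16.0.0",
    react: "^18.2.0",
    "react-dom": "^18.2.0",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditManifest(SAMPLE_MANIFEST)) {
    console.log(`${f.field}.${f.pkg} ${f.range} -> floor ${f.floor} is ${f.floorStatus}`);
  }
}
```

Run with node. For SAMPLE_MANIFEST the floor of "next": "^16.0.0" is reported vulnerable and the React 18 pins as not affected, which is the gap between the ranges in the hunks above and the 16.0.7 in the PR title: a caret range records a minimum, and only the lockfile records what was actually installed.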