
Update dependency next to v15.2.3 [SECURITY] #152

Status: Open. Wants to merge 1 commit into base branch main.
Conversation

renovate[bot]

@renovate renovate bot commented Jan 3, 2025

This PR contains the following updates:

Package | Change
next (source) | 15.1.1 -> 15.2.3

GitHub Vulnerability Alerts

CVE-2024-56332

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: the Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those, then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v15.2.3

Compare Source

v15.2.2

Compare Source

Core Changes
  • [dev-overlay] fix styling on overflow error messages, add button hover state: #​76771
  • Fix: respond 405 status code on OPTIONS request to SSG page: #​76767
  • [dev-overlay] Always show relative paths: #​76742
  • [metadata] remove the duplicate metadata in the error boundary: #​76791
  • Upgrade React from d55cc79b-20250228 to 443b7ff2-20250303: #​76804
  • [dev-overlay] Ignore animations on page load: #​76834
  • fix: remove useless set-cookie in action-handler: #​76839
  • Turbopack: handle task cancelation: #​76831
  • Upgrade React from 443b7ff2-20250303 to e03ac20f-20250305: #​76842
  • add types for __next_app__ module loading functions: #​74566
  • fix duplicated noindex when server action is triggered: #​76847
  • fix: don't drop queued actions when navigating: #​75362
  • [dev-overlay]: remove dependency on platform for focus trapping: #​76849
  • Turbopack: Add turbopack_load_by_url: #​76814
  • Add handling of origin in dev mode: #​76880
  • [dev-overlay] Stop grouping callstack frames into ignored vs. not ignored: #​76861
  • Upgrade React from e03ac20f-20250305 to 029e8bd6-20250306: #​76870
  • [dev-overlay] Increase padding if no x button present: #​76898
  • fix: prevent incorrect searchParams being applied on certain navs: #​76914
  • [dev-overlay] Dim ignore-listed callstack frames when shown: #​76862
Example Changes
  • chore(cna): update tailwind styles to be closer to non-tw cna: #​76647
Misc Changes
  • Fix canary only warning for devlow-bench: #​76772
  • [test] Add special placeholder if stackframes point into dist dir: #​76741
  • [test] Use new Redbox matchers in pages/ service-side-dev-errors: #​76779
  • [test] Use new Redbox matchers in app/ dynamic-error-trace: #​76783
  • [test] Use new Redbox matchers in app/ owner-stack-invalid-element-type: #​76786
  • [test] Use new Redbox matchers in app/ hook-functuon-names: #​76785
  • [test] Use new Redbox matchers in app/ undefined-default-export: #​76781
  • [test] Use new Redbox matchers in server-navigation-error: #​76787
  • [test] Fix flaky error-recovery test: #​76789
  • [test] Use new Redbox matchers in pages/ gssp-ssr-change-reloading: #​76788
  • [docs] update Tailwind CSS installation and configuration instructions: #​76259
  • docs: Tailwind v4: #​76801
  • chore(docs): update minimumCacheTTL example to 31 days: #​76796
  • Turbopack: improve sectioned source maps: #​76627
  • [test] Use new Redbox matchers in pages/ middleware-errors: #​76797
  • doc: use redirect in client components: #​76332
  • [docs] document experimental viewTransition flag: #​76832
  • docs(errors): remove confusing good-to-know since global-errors.tsx also show in dev as of 15.2: #​76825
  • Turbopack: don't use HashMap in manifests: #​76833
  • Update labeler.json: #​76828
  • Fix missing turbo command for rust-check: #​76851
  • fix(turbopack): Use correct SyntaxContext for __turbopack_esm__: #​73544
  • Cleanup pure span handling: #​76846
  • Turbopack: remove unused IncludeModulesModule: #​76868
  • Update test snapshots for alternative bundler [5/n]: #​76617
  • Update test snapshots for alternative bundler [6/n]: #​76768
  • [test] Use next.browser instead of webdriver in pages/ client-navigation: #​76867
  • fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files: #​76773
  • Revert "fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files": #​76879
  • build: Update swc_core to v16.4.0: #​76596
  • docs: update Turbopack docs: #​76799
  • build: Update lightningcss to v1.0.0-alpha.64: #​76856
  • build: Fix warning: #​76890
  • Turbopack: fix __dirname: #​76902
  • Turbopack: deterministic server action order: #​76905
  • docs: reword the docs of veiw transition flag: #​76841
  • fix(turbopack): Use vergen-gitcl instead of shadow-rs (or vergen-git2) for napi and next-api crates to fix stale git lock files: #​76889
  • Turbopack: ensure default layout is provided in default not-found entrypoint: #​76912
  • chore(github): add moar labels: #​76922
  • [test] Use new Redbox matchers in pages/ client-navigation/rendering: #​76798
  • docs: fix create-next-app cli title: #​76908
Credits

Huge thanks to @​pranathip, @​gaojude, @​ijjk, @​eps1lon, @​Nayeem-XTREME, @​leerob, @​styfle, @​samcx, @​sokra, @​huozhi, @​raunofreiberg, @​mischnic, @​lubieowoce, @​unstubbable, @​ztanner, @​kdy1, @​timneutkens, @​wbinnssmith, @​bgw, and @​oscr for helping!

v15.2.1

Compare Source

Core Changes
  • Unify Link and Form prefetching: #​76184
  • Turbopack: Ensure server actions sourcemaps tests pass: #​76157
  • [dev-overlay] control dark theme in one place: #​76528
  • [dev-overlay] change css var for terminal: #​76590
  • [dev-overlay] Discriminate stack frame settled typed: #​76517
  • Remove obsolete sourcePackage references: #​76550
  • refactor: remove unused variable in externals handling: #​76599
  • fix: Add popular embedding libraries to serverExternalPackages: #​76574
  • [Segment Cache] Implement hash-only navigations: #​76179
  • Webpack: abstract away getting compilation spans: #​76579
  • report compiler duration for webpack and improve numbers: #​76665
  • [dev-overlay] fix dark theme missing close bracket: #​76672
  • Remove revalidate property from incremental cache ctx for FETCH kind: #​76500
  • [dev-overlay] fix: env name label style was out of sync with error type label: #​76668
  • Turbopack: avoid celling source maps before minify: #​76626
  • refactor(CI): Merge all four bundler test manifest scripts into one: #​76652
  • [metadata] fix duplicate metadata for parallel routes: #​76669
  • [Segment Cache] Omit from bundle if flag disabled: #​76622
  • [Segment Cache] Support output: "export" mode: #​75671
  • [Segment Cache] Refresh on same-page navigation: #​76223
  • [metadata] re-enable streaming metadata with PPR: #​76119
  • [Segment Cache] Search param fallback handling: #​75990
  • [Segment Cache] Fix: canonicalURL omits origin: #​76444
  • fix metadata basePath for manifest: #​76681
  • Propagate expire time to cache-control header and prerender manifest: #​76207
  • Show revalidate/expire columns in build output: #​76343
  • Gate alternate bundler behind canary only: #​76634
  • [dynamicIO] routes with dynamic segments should be able to be static in dev: #​76691
  • [repo] upgrade ts 5.8.2: #​76709
  • [metadata]: ensure metadata boundary is only rendered once on client nav: #​76692
  • [metadata] clean up redudant options: #​76712
  • Fix uniqueness detection for generateStaticParams: #​76713
  • Upgrade React from 22e39ea7-20250225 to d55cc79b-20250228: #​76680
  • [Turbopack] Compute module batches and use them for chunking: #​76133
  • [Dev Tools] Improve keyboard interactions for menu & overlays: #​76754
  • Keep server code out of browser chunks: #​76660
  • Turbopack: inline minify into code generation and make it a plain function instead of a turbo tasks function: #​76628
  • fix edge runtime asset fetch in pages api: #​76750
  • Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler: #​76682
Example Changes
  • docs: fix reading params code blocks: #​76705
Misc Changes
  • fix(rustdoc): Fix rustdoc warnings, block on rustdoc failures in CI: #​76448
  • Update more global turbo CLI usage: #​76576
  • docs: Node.js runtime support for Middleware: #​76556
  • build: Update swc_core to v16.0.0: #​76414
  • Turbopack: prevent panic in swc issue emitter: #​76595
  • Unflake parallel-routes-revalidation test: #​76600
  • Fix octokit.rest.issues.addLabels call: #​76601
  • [test] Use new Redbox matchers in app/ error-recovery: #​76552
  • [test] Use new Redbox matchers in pages/ ReactRefreshLogBox-app-doc: #​76551
  • Run nightly bundler integration tests also with React 18: #​76606
  • 15.2: Add version history for devIndicators and note on deprecated options: #​76611
  • 15.2 docs: document missing htmlLimitedBots option: #​76616
  • Update bundler production test manifest: #​76584
  • Update bundler development test manifest: #​76585
  • Fix test after CI switched to pnpm 10: #​76615
  • chore(cna): fix theme extend for tailwind v4: #​76583
  • [test] Use new Redbox matchers in app/ ReactRefreshLogBoxMisc: #​76563
  • Don’t use native built-ins for additional bundler: #​76577
  • Revert "Run nightly bundler integration tests also with React 18": #​76640
  • Update bundler production test manifest: #​76643
  • Update bundler development test manifest: #​76644
  • Turbopack: dedupe middleware-manifest entries: #​76621
  • Turbopack: Improve edge tests: #​76607
  • Turbopack: add test test for css order: #​76675
  • Turbopack: fix order of chunk items in cycles: #​76676
  • [ci] Fix test-turbopack-integration not having any shards : #​76355
  • Update Turbopack development test manifest: #​76658
  • Update Turbopack production test manifest: #​76659
  • fix(CI): Upload to areweturboyet immediately after a manifest is updated, not only on a fixed cron schedule: #​76688
  • Update test snapshots for alternative bundler [4/n]: #​76578
  • fix(turbopack): Fix analysis of private properties: #​76654
  • Turbopack: Simplify emitDecoratorMetadata test: #​76678
  • [test] Use new Redbox matchers in pages/ ReactRefreshRegression: #​76743
  • [test] Remove describeVariants helper: #​76631
  • [test] Fix flaky error-recovery test: #​76753
  • [test] Use new Redbox matchers in app/ dynamic-error: #​76744
  • [test] Use new Redbox matchers in app/ rsc-runtime-errors: #​76745
  • Turbopack: avoid panic in module batches: #​76757
  • Revert "test: temporarily disable after deploy test": #​74990
  • toDisplayRedbox(): replace all occurrences of testDir: #​76618
  • Fix: missing close brace in demo code: #​76549
  • Disable flaky Turbopack tests: #​76760
  • feat(CI): Revalidate vercel data cache on areweturboyet after uploading data to KV store: #​76693
  • chore(github): move top prs and feature requests to different Slack channel: #​76764
  • Fix flaky Bun test: #​76763
Credits

Huge thanks to @​acdlite, @​bgw, @​ijjk, @​molebox, @​kdy1, @​timneutkens, @​devjiwonchoi, @​mischnic, @​unstubbable, @​eps1lon, @​huozhi, @​philipithomas, @​delbaoliveira, @​samcx, @​wbinnssmith, @​sokra, @​gnoff, @​leerob, @​ztanner, @​raunofreiberg, @​lubieowoce, and @​LihaoWang for helping!

v15.2.0

Compare Source

v15.1.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: work around setTimeout memory leak, improve wrappers (#​75727)
  • add additional x-middleware-set-cookie filtering (#​75869)
  • fix: ensure lint worker errors aren't silenced (#​75766)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: don't memory-leak promises passed to waitUntil (#​75041)
  • backport: fix prerender issue with intercepting routes + generateStaticParams (#​75170)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing revalidate with notFound() (#​75009)
  • fix: when metadatabase is set we should not warn (#​74840)
  • Fix @​vercel/og license SPDX expression (#​74745)
  • fix: ts language server rule metadata should allow null (#​74704)
  • fix: eslint rule of using img in metadata routes (#​74864)
  • Fix presentation when onerror receives an event without error (#​74643)
  • fix fetch lock not being consistently released #​74623 (#​75028)
Credits

Huge thanks to @​ijjk, @​huozhi, @​matmannion and @​ztanner for helping!

v15.1.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • backport: force module format for virtual client-proxy (#​74608)
  • Fix prerender tags when notFound is called (#​74607)
  • Use provided waitUntil for pending revalidates (#​74604)
  • Feature: next/image: add support for images.qualities in next.config (#​74588)
  • Chore: docs: add missing search: '' on remotePatterns (#​74587)
  • Chore: docs: update version history of next/image (#​73923) (#​74570)
  • Chore: next/image: improve imgopt api bypass detection for unsupported images (#​74569)
Credits

Huge thanks to @​ and @​ for helping!

v15.1.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Retry manifest file loading only in dev mode: #​73900
  • Use shared worker for lint & typecheck steps: #​74154
Credits

Huge thanks to @​unstubbable and @​ztanner for helping!

v15.1.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​ztanner for helping!


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 2a8ef10 to 5f77581 Compare March 21, 2025 16:24
@renovate renovate bot changed the title Update dependency next to v15.1.2 [SECURITY] Update dependency next to v15.2.3 [SECURITY] Mar 21, 2025