chore(deps): update dependency next to v15.4.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	15.2.5 -> 15.4.7

GitHub Vulnerability Alerts

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

---

Release Notes

vercel/next.js (next)

v15.4.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix router handling when setting a location response header #​82588

Credits

Huge thanks to @​ztanner for helping!

v15.4.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#​82347)
• fix: add ?dpl to fonts in /_next/static/media (#​82384)

Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix API stripping JSON incorrectly (#​82062)
• Fix i18n fallback: false collision (#​82158)
• Revert "Fix tracing of server actions imported by client components (#​82167)
• Ensure setAssetPrefix updates config instance (#​82165)
• Turbopack: update mimalloc (#​82166)
• fix(next/image): fix image-optimizer.ts headers (#​82175)
• fix(next/image): improve and simplify detect-content-type (#​82174)

Credits

Huge thanks to @​ijjk, @​sokra, and @​styfle for helping!

v15.4.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix dynamicParams false layout case in dev (#​82026)
• Turbopack: fix scope hoisting variable renaming bug (#​81640)
• Upgrade to swc v33 (#​81750)
• Revert "[metadata] use https protocol for schema urls" (#​81934)

Credits

Huge thanks to @​bgw @​mischnic @​huozhi @​lukesandberg and @​ijjk for helping!

v15.4.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: fix dist dir on Windows (#​81758)

Credits

Huge thanks to @​mischnic for helping!

v15.4.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• pages router metadata bugs with React 19 (#​81733)
• [metadata] replace for initial body icon case (#​81688)
• Ensure custom NextServer config is honored (#​81681)

Credits

Huge thanks to @​huozhi, @​ijjk, and @​ztanner for helping!

v15.4.1

Compare Source

[!TIP]
Check out our Next v15.4 Blog Post to learn more about this release.

Core Changes

• [next-server] fix params duplicate in query after rewrite: #​77939
• [next-server] preserve rsc query for rsc redirects: #​77963
• Turbopack: fix a bug where marking a task a completed causes a panic when reading the output: #​77922
• Turbopack warning spelling fix: #​77999
• Allow URL schemes that include +, - or .: #​77932
• [dev-overlay] Remove unused hydration error related code: #​77929
• [dev-overlay] Unify error deduplication logic: #​78017
• fix: use the match result after matching using the matched path header: #​77994
• Upgrade React from 3fbfb9ba-20250409 to c44e4a25-20250409: #​78031
• Move unhandled rejection handling to shared path: #​77997
• fix: ensure app router not found works when deployed with pages i18n config: #​77905
• Uninstall existing uncaughtException listeners to prevent the process from crashing: #​78042
• Experimental bfcache: Restore state w/ : #​77992
• Add graceful error fallback for bots requests: #​77916
• Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #​78067
• [next-server] remove unnecessary query shallow copy: #​78003
• [dev-overlay] disable copy button when clipboard is not available: #​78101
• [dev-overlay] Stop stashing React error details on error instances: #​77975
• [dynamicIO] Model invalid dynamic on empty shells: #​77270
• fix: bump [email protected]: #​78149
• Handle graceful fallback for custom error boundaries: #​78121
• [dev-overlay] Stop squashing hydration related errors in App Router: #​78140
• [test] Enable strictNullChecks in test utils: #​78142
• Document Turbopack trace viewer: #​78184
• [dev-overlay] Fix error dialog resizing logic: #​78144
• Include types in published eslint-plugin-next: #​78109
• [dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #​77302
• [dev-overlay] Add dedicated label for recoverable errors: #​78186
• [chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #​78230
• Preserve slashes when custom URL schemes are used in redirects: #​78176
• ignore-list published sources if they have a sourcemap: #​78242
• Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #​78152
• Turbopack: add test case for persistent caching: #​77030
• Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #​78253
• fix: alternate bundler support for dropping client pages in AMP: #​77601
• [errors] refactor default global-error into a separate file: #​78182
• [metadata] render streaming metadata on the top level: #​77620
• [metadata] skip head cache in default slot: #​78206
• chore: Backport SWC-based RC optimization (#​78260)
• fix: bump image-size@​1.2.1 (#​78164)
• @next/mdx: Use stable turbopack config options: #​78261
• Upgrade React from b04254fd-20250415 to 4a36d3ea-20250416: #​78297
• Add graceful error boundary for bots requests: #​78298
• make sure eslint-plugin-next is built when running 'pnpm dev': #​78305
• Migrate pages API routes to handler interface: #​78166
• Update middleware public/static matching: #​78325
• Fix dynamic route param encoding: #​78326
• [Turbopack] refactor persistent caching from log based to cow approach: #​76234
• Add onInvalidate option to router.prefetch: #​77880
• Reserve bandwidth for most recently hovered link : #​78362
• fix: handle incremental PPR with client segment cache: #​78387
• fix: amphtml-validator WASM errors (for real): #​78379
• Turbopack: Remove next start --turbopack: #​78384
• Upgrade React from 4a36d3ea-20250416 to bc6184dd-20250417: #​78322
• [chore] remove dead code missing required error: #​78403
• [ts-next-plugin] remove typescript vfs and related metadata plugin: #​78237
• [ts-next-plugin] auto import metadata type: #​78258
• [ts-next-plugin] warn to add correct type for metadata exports: #​78254
• [ts-next-plugin] fix: validate metadata node before checking type: #​78414
• [errors] fix edge server initial error is not sent via hmr: #​78415
• misc: use correct capitals for React terms: #​78445
• Skip empty prefetch request for dynamic routes: #​78436
• Turbopack: don’t warn about webpack being configured when experimental.turbo is set: #​77998
• Upgrade React from bc6184dd-20250417 to 914319ae-20250423: #​78468
• Update turbopack to syn2: #​78385
• [next-server] ensure prepare is done before preloading entry: #​78454
• Upgrade React from 914319ae-20250423 to 197d6a04-20250424: #​78516
• [dev-overlay] Move error.name to label: #​78198
• [ts-next-plugin] update log for utils: #​78538
• [ppr] Route Cardinality Updates: #​78476
• Turbopack: support ignore comments for NFT fs access tracing: #​78460
• Externalize manifest loading in pages-api: #​78358
• Update font data: #​78525
• refactor: skip the prospective render when there's a more specific route to be rendered: #​78555
• fix: bodySizeLimit error responses + limit for non-multipart actions: #​77746
• [dynamicIO] Do not skip dynamic validation when metadata is dynamic: #​78574
• [dynamicIO] log dynamic validation errors consistently in dev: #​78575
• [ts-next-plugin] clean up unused proxy: #​78539
• [dynamicIO] Disallow only dynamic metadata: #​78576
• fix: make webpack handle "use cache" in node_modules : #​78606
• Use React's prerender function for "use cache" with Dynamic IO: #​78382
• Use node: prefixed in ESM emit of standalone server.js: #​78624
• feat: add ravendb library to server-external-packages.json: #​78319
• docs: fix typo in ppr.ts: #​78590
• Pre-compile busboy dependency: #​78634
• Pages API handler interface follow-ups: #​78638
• Repeat fix in #​78387 for routes without params: #​78568
• [dev-tools] Fix width transition logic: #​78635
• [ts-next-plugin] fix: warn only if no type: #​78628
• [ts-next-plugin] fix: warn only if no type for separate export: #​78629
• chore: Drop @swc/counter: #​78674
• Turbopack: use small thread local collector that flushes to global collector: #​78343
• Upgrade React from 197d6a04-20250424 to 5dc00d6b-20250428: #​78640
• Fix bad decoding for x-matched-path header: #​78677
• Fix pages API rewrite case: #​78644
• chore: update rspack to 1.3.8: #​78485
• Always apply render preparations after running an action: #​77898
• Exclude config package from bundling: #​78671
• Upgrade builtin babel packages: #​78673
• Upgrade loader-utils v2 to latest patch: #​78707
• [Link] Add prefetch="auto" option: #​78689
• [build-sourcemaps] Ensure errors during prerender can be sourcemapped: #​78709
• Upgrade React from 5dc00d6b-20250428 to 408d055a-20250430: #​78715
• build: Fix minifier options for webpack builds: #​78717
• refactor(next-swc): Do not amend minifier options from Rust code: #​78719
• Change stylistic ESLint TypeScript defaults: #​78679
• fix: replace original request body after middleware execution: #​77662
• remove draft.isEnabled setter from exotic draftMode wrappers: #​77972
• Turbopack: limit compaction merging by size instead of count: #​78669
• [build-sourcemaps] Include codeframes in prod when sourcemaps are enabled: #​78710
• feat: build lifecycle hooks - afterProductionCompile: #​77345
• fix: make sure that the patched fetch cache set promise is properly awaited: #​75971
• [dev-overlay] Make badge draggable: #​78716
• Turbopack: fix ESM project in standalone mode: #​78774
• Revert "[Link] Add prefetch="auto" option": #​78820
• Downgrade React from 408d055a-20250430 to 197d6a04-20250424: #​78834
• Reland "[Link] Add prefetch="auto" option": #​78821
• build: Update @swc/core npm package to v1.11.24: #​77668
• Turbopack: Implement regex support for matching webpack loaders: #​78733
• Turbopack: Add support for extension regex in @next/mdx: #​78734
• backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#​78488) (#​78883)
• @​next/mdx: Use stable turbopack config options (#​78880)
• Fix react-compiler: Fix detection of interest (#​78879)
• Fix turbopack: Backport sourcemap bugfix (#​78881)
• [next-server] preserve rsc query for rsc redirects (#​78876)
• Update middleware public/static matching (#​78875)
• [dev-overlay] Polish mobile view: #​78863
• [dev-overlay] Consider scrollbar width for drag positioning: #​78865
• Add handling for setting deployment id via cookie: #​78841
• Run export child process with runtime's default max-old-space-size: #​78712
• [dynamicIO] cache tracking for import(): #​74152
• [dev-overlay] solidate the line number parsing: #​78868
• Update send to v0.18.0: #​78816
• Scope runInCleanSnapshot to Work Store: #​78930
• Removes onNavigate from transition scope: #​78605
• Add nonce handling from CSP in pages router: #​78936
• Ensure manual nonce on Script works as expected: #​78939
• Treat _debugInfo as a wellknown property for sync request data access purposes: #​78942
• chore(CI): Run rspack tests in build_and_test.yml: #​78757
• bugfix: Fix a bug that caused conflicting assets when adding a child compiler: #​78011
• [Fix] Inverse prefetch segment for Pages routes: #​78932
• Fix tracing of server actions imported by client components: #​78968
• Revert "fix: alternate bundler support for dropping client page": #​78974
• Fix --no-mangling for "use cache" functions: #​78993
• chore: update rspack to 1.3.9: #​78984
• [not-found] Add global-not-found convention: #​78783
• [not-found] support metadata exports of global-not-found: #​78961
• Prevent "use cache" timeout errors from being caught in userland code: #​78998
• patch react via recast instead of string replacements: #​78916
• [link] Avoid inlining of LinkProps in emitted declarations: #​78773
• [next-config-ts] fix: read tsconfig file using TypeScript API: #​79055
• Replace node:url usage in server-utils: #​79094
• [build-sourcemaps] Remove unused static workers: #​79107
• fix: cli test failed when using rspack: #​79081
• [build-sourcemaps] Allow inspecting prerender worker: #​79098
• Add initial modifyConfig hook: #​79162
• Re-land updated bundler for pre-bundling: #​79164
• [dynamicIO] model pathname access in metadata as async : #​79136
• Update font data: #​79179
• bugfix (pages): assetPrefix should not cause hard nav in development: #​79176
• Reland "Ensure mangling is disabled for dev runtime builds (#​75297)": #​79201
• docs: add graceful error boundary example: #​77781
• turbo-tasks: Encode location information into panics: #​78945
• feat(turbopack): Add basic compilation event support: #​78785
• chore(dev-overlay): Minor cleanups to useDelayedRender hook: #​79119
• Update font data: #​79227
• Rename define-env-plugin.ts to define-env.ts: #​79224
• Always pass implicit/soft tags into the CacheHandler.get method: #​79213
• fix(dev-overlay): Ignore right clicks on the indicator draggable: #​79120
• Fix dangling promise in unstable-cache: #​79248
• Revert "Partial Fallback Prerendering Route Shells (#​69282)": #​79258
• [devtool] initial support for segment explorer: #​78858
• Client router should discard stale prefetch entries for static pages: #​79309
• [dynamicIO] fix: do not apply import tracking transform in edge: #​79284
• Turbopack build: Fix type: module with output: standalone: #​79292
• [TypeScript Plugin] Moved the diagnostics' positions to the prop's type instead of the value for client-boundary warnings: #​79193
• Use onPostpone to determine if segment prefetch is partial: #​79299
• Enable ppr when dynamicIO is enabled: #​79302
• fix: replaceIdentifiersInAst takes an expression, not a string: #​79196
• Remove DIO w/o PPR branch from app-render.tsx: #​79303
• Remove prospective fallback prerenders: #​79304
• Fixed rewrite param parsing for interception routes in Vercel deployments: #​79204
• [build-sourcemaps] Sourcemap errors during prerender if experimental.enablePrerenderSourceMaps is enabled: #​79109
• [release] use @changesets/changelog-github for changelog format: #​79040
• next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
• Always show warning if fetch cache limit hit: #​79384
• feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
• [release] use @changesets/changelog-github for changelog format: #​79040
• next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
• Always show warning if fetch cache limit hit: #​79384
• feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
• Only share incremental cache for edge in next start (#​79389)
• [TypeScript Plugin] Match method signature (someFunc(): void) type for client boundary warnings: #​79144
• Only share incremental cache for edge in next start: #​79386
• fix: rspack framework and lib cacheGroups: #​79172
• Make sure bundle analyzer does not trigger warning with turbopack: #​79399
• [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
• Implement initial handler interface for pages routes: #​79260
• [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
• [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
• Implement initial handler interface for pages routes: #​79260
• [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
• [Segment Cache] Fix: Skew during dynamic prefetch: #​79416
• [dynamicIO] reimplement dynamicIO validation on prerender: #​79414
• fix: remove redundant performance.measure usage: #​79475
• [devtools] Add a very minimal API for restarting the dev server: #​79265
• Model prerender store as separate server and client scopes: #​79429
• fix: Merge link header from middleware with the ones from React (#​73431)
• fix(edge): run after() if request is cancelled mid-streaming (#​76013)
• gate segmentCache branch in base-server (#​79505)
• Model prerender store as separate server and client scopes: #​79429
• Use metadata for cache entry status code: #​79512
• fix(dev-overlay): Better handle edge-case file paths in launchEditor: #​79526
• [build-sourcemaps] Increase stacktrace limit during prerender: #​79498
• fix: Rspack not skip .d.ts file: #​79285
• Revert "[next-server] skip setting vary header for basic routes": #​79426
• [ppr] Narrow condition for fallback shell generation at runtime: #​79565
• Turbopack: derive de/serialize for loader config: #​79581
• Update font data: #​79642
• Avoid bundling dev overlay in page template: #​79641
• Enable preview builds for forks: #​79648
• misc: remove leftover clientInstrumentationHook type: #​79701
• cleanup(turbopack): Embed Global vs Specific channel type in the Rust type system: #​79291
• [dev-overlay] Show error overlay on any thrown value in /app: #​79658
• [dev-overlay] Move error handlers into dispatcher in /app: #​79660
• Verify cache-busting param during segment prefetch: #​79563
• update(turbopack): Update the messaging UX for timing writing files to disk: #​79469
• [dev-overlay] Move Redbox open/close into dispatcher: #​79698
• chore: update rspack to 1.3.12: #​79428
• Enable repeated tsc runs in packages/next without having to build first: #​79782
• Run tsc in watch mode during pnpm dev: #​79785
• Reinstate vary (#​79939)
• fix(next-swc): Fix interestingness detection for React Compiler (#​79558)
• fix(next-swc): Fix react compiler usefulness detector (#​79480)
• fix(dev-overlay): Better handle edge-case file paths in launchEditor (#​79526)
• Client router should discard stale prefetch entries for static pages (#​79362)
• fix: preload fonts in template.js: #​79417
• feat: using eval source map plugin for Rspack: #​79199
• feat: using builtin CssChunkingPlugin for rspack: #​79762
• fix(napi): Update generated types, add alias for RcStr: #​79915
• [dev-overlay] Fix highlighted line cut off on scroll: #​79930
• fix(next/font): allow custom font-family in declarations: #​76274
• Remove subissues from Issue: #​79988
• [devtools] Add a query parameter to restart endpoint to invalidate the persistent cache: #​79425
• Implement handler interface for app-page: #​79568
• Migrate app route to handler interface: #​80008
• Turbopack Build: Fix underscore path tests: #​79778
• Fix watchmode for taskr tasks: #​80020
• Update font data: #​80036
• Fix defunct ESLint overrides: #​80053
• [devtools] Add an endpoint to poll for server status: #​80005
• [dynamicIO] Only report client sync IO errors if they are above a Suspense boundary: #​80026
• [dev-overlay] Parse stacks in reducer not during dispatch: #​79788
• Remove obsolete @ts-expect-error: #​80065
• [dev-tools] Navigation header replaces close button: #​80097
• [dev-overlay] Inject get*Stack implementation: #​79789
• [dev-overlay] Fix dark‐mode styling for <option> in Preferences dropdowns: #​80025
• Use relative sources in require() instead of next/dist/ if possible: #​80054
• [dev-overlay] Inject isRecoverableError implementation: #​80003
• [devtool] fix explorer flag consuming and style: #​80110
• [dev-tools] add restart dev server button to error overlay: #​80060
• [dev-tools] add restart dev server button on dev-tools indicator preferences: #​80072
• [chore] remove legacy useEarlyImport flag: #​80112
• [testmode] Fix types of wrapRequestHandler: #​80055
• Extend bot list with googleweblight, Storebot-Google, Google-Inspecti…: #​77728
• [dev-overlay] Inject getSquashedHydrationErrorDetails implementation: #​80046
• [dev-tools] better description for restart server button: #​80118
• [dev-tools] style: preferences section title: #​80120
• [metadata] refactor to remove async metadata: #​78495
• [dynamicIO] Document client component remediations for sync IO: #​79787
• [dynamicIO] prioritize preprocessing RSC rows when prerendering: #​80125
• [dev-overlay] Remove unused onError in /pages: #​79982
• Remove unused vendored server-inserted-metadata module: #​80143
• Webpack Build: Use name-contenthash instead of name-chunkhash for dynamic imports: #​80153
• [dev-overlay] Remove unnecessary code from /pages dev error boundary: #​79983
• Turbopack Build: Implement helpful error for missing sass package: #​80155
• [global-not-found] fix shared css imports not being picked: #​80151
• Add experimental flag for RSC request validation: #​80157
• [dev-overlay] Remove indirection in app dev error boundary : #​79984
• Docs: preload entries impact on memory consumption: #​80098
• [dev-overlay] Move building indicator into Dev Overlay state: #​79985
• [metadata] only render one metadata outlet: #​80146
• Add a regions property to the Functions Config Manifest file: #​80104
• [metadata] fix nonce prop for hoist script: #​80174
• docs: fix grammar in Code of Conduct section ('them' → 'it') : #​80181
• [error-overlay] remove footer message: #​80169
• Turbopack: Log persistent cache store time: #​80149
• fix(turbopack): Next.js package not found panics in Turbopack: #​79572
• [turbopack] Compute Import Traces for Issues: #​79351
• Typecheck require() calls: #​80056
• Revert "[turbopack] Compute Import Traces for Issues": #​80215
• remove unique metadata prop from initial RSC payload #​79388
• Replay redirect if RSC parameter is missing: #​80180
• [devtool] style the segment explorer as nested view: #​80212
• Prerender with streaming metadata during revalidation: #​80245
• fix: invalid middleware configs should fail the build: #​80221
• [dev-overlay] Render /app Dev Overlay with a separate React instance: #​79699
• [devtool] display segment explorer as tree view: #​80261
• [dev-overlay] Use same bundle for Pages and App Router: #​80019
• Revert "Revert "[turbopack] Compute Import Traces for Issues"": #​80220
• [dev-overlay] Publish as production bundle: #​80295
• [metadata] only serve block streaming metadata for html bots: #​80272
• Update font data: #​80301
• Update font data: #​80340
• [dev-overlay] fix duplicate re-render of errors: #​80322
• [build-sourcemaps] Only compute codeframe once: #​80326
• [test] Fix Dev Overlay Storybook: #​80288
• [test] Fix crashes in Dev Overlay Stories: #​80292
• [metadata] use https protocol for schema urls: #​80356
• [dev-overlay] Remove positive tab-index: #​80289
• [devtools] Implement default /.well-known/appspecific/com.chrome.devtools.json endpoint in dev: #​80260
• [dev-overlay] Fix outstanding a11y issues reported by Axe: #​80290
• provide declarations for server-only/client-only: #​80361
• [test] Stop opening browser by default in local Dev Overlay Storybook: #​80291
• [dev-overlay] Move hot reloader client code out of react-dev-overlay: #​80278
• [dev-overlay] Remove unused code: #​80279
• [dev-overlay] Move app/pages related features closers together: #​80280
• Discard Infinity expiration for implicit tags: #​80387
• fix(next-swc-wasm): Only enable turbo-rcstr's napi feature when building the next-swc-napi crate/package: #​80390
• Add response handling inside handlers: #​80189
• feat(turbopack): Add simple tree shaker: #​78286
• Fix a couple typos: #​80080
• [dev-overlay] Move code into new top-level folder in src/next-devtools: #​80281
• Ensure we normalize .rsc/.prefetch.rsc: #​80409
• Turbopack Build: Fix /index/index handling: #​80413
• [segment-explorer] optimize tree view: #​80392
• Upgrade @​playwright/test and cleanup internal APIs: #​80334
• Backport config.allowedDevOrigins (#​80410) (Learn More)
• [segment-explorer] Signal updates to React: #​80316
• [segment explorer] fix soft navigation case: #​80443
• Update the warning text for when multiple lockfiles are found: #​80214
• feat: in Rspack using native fn implemented by us using SWC to replace load module: #​80342
• chore: fix link to good first issue: #​80478
• Disable fetch cache size limit for implicit caching during build: #​80480
• [dynamicIO] Split up static generation into two phases: #​79629
• fix(turbopack): Fix config caching for turbopack + React Compiler: #​80498
• [dynamicIO] Use filled Resume Data Cache for final-phase prerenders: #​79743
• fix: Rspack dev gets stuck after removing a page: #​80555
• Ensure custom relative distDir resolves properly: #​80569
• fix: mark file system incremental cache as external so it's memory is shared: #​80586
• [fix] clone the config module to avoid mutation: #​80573
• Improve Incremental Cache Locking Algorithm: #​80497
• [devtools] add feature flag for new panel ui: #​80251
• [devtools] fork devtools-indicator: #​80456
• [devtools] fork next-logo: #​80457
• guarantee cache busting param correctness: #​80381
• Normalize filepaths when parsing patterns from js values: #​80511
• [metadata] render streaming metadata on the top level (#​80566)
• [fix] clone the config module to avoid mutation (#​80573)
• feat: rspack use swc to warn for edge runtime: #​80485
• Avoid timeout error when transformed params are passed to "use cache": #​80463
• Respond with 404 for unknown server actions: #​80613
• [segment explorer] single row layout segment: #​80576
• Fix: Rules of Hooks violation in AppRouter: #​80623
• fix: Add Chrome-ligthouse to htmlLimitedBots: #​80656
• Turn on clientSegmentCache during PPR CI runs: #​80581
• [devtools] port overlay backdrop out of overlay: #​80460
• Revert "(E2E) Log which config file is used for next start": #​80666
• fix(turbopack): Fix static immutability analysis: #​80646
• [devtools] add panel ui placeholder under feature flag: #​80354
• [devtools] add dialog behavior to panel ui: #​80355
• Add --debug-prerender option for next build: #​80667
• [devtools] port devtools-indicator position to dispatcher: #​80536
• fix: mark the shared cache controls as external so it's memory is shared: #​80588
• [devtools] apply draggable to panel ui: #​80517
• Apply normalizers for init URL used for handlers: #​80694
• overwrite redirect SSG meta.status to 200 for RSC requests: #​80391
• [devtools] panel ui header: #​80509
• [development-server] Display pid of already-running process that is using port: #​80069
• [devtools] panel ui footer: #​80515
• Fix Next DevTools Storybook in recent Node.js versions: #​80713
• [devtools] set up panel ui tab infra: #​80535
• [devtools] port devtools scale to dispatcher: #​80537
• [devtools] panel ui settings tab: #​80538
• Upgrade React from 197d6a04-20250424 to 79d9aed7-20250620: [#​79477

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[roomote]

Thank you for this important security update! I've reviewed the changes and this PR correctly updates Next.js from 15.2.5 to 15.4.7 to address three critical CVEs (CVE-2025-57822, CVE-2025-55173, and CVE-2025-57752).

The lockfile changes look good and the update also includes the related sharp dependency bump from 0.33.5 to 0.34.3.

[roomote]

Good to see the project isn't using or configuration, which means it wasn't directly vulnerable to CVE-2025-55173. However, since the project does use Next.js Image component in footer.tsx, testimonials.tsx, and nav-bar.tsx, it would be good to verify image optimization continues working correctly after this update.

[roomote]

The sharp update from 0.33.5 to 0.34.3 is a significant version bump that comes with the Next.js update. Could you run a quick smoke test on both web apps (web-roo-code and web-evals) after merging to ensure image processing works as expected?

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
roo-code-website	Building	Preview	Comment	Sep 26, 2025 2:14pm

[roomote]

I found some notes that should be addressed for accuracy and post-upgrade verification.

[roomote]

P2 - Security follow-up: After upgrading to [email protected], please audit middleware to ensure request headers are not passed directly to NextResponse.next() and verify images.domains/remotePatterns remain strictly scoped, per the fixed CVEs.

[roomote]

P3 - Accuracy: Lockfile pins sharp to 0.34.4 (not 0.34.3 as mentioned in an earlier review). No action required; noting the exact version aligned with next 15.4.7.

[roomote]

I found a couple of small, actionable follow-ups tied to this security upgrade.

[roomote]

[P3] Post-upgrade verification for the CVEs fixed in Next 15.4.7: please double-check that no custom middleware forwards request headers directly into NextResponse.next(), and that images.domains/remotePatterns are restricted. If API routes serve images varying by auth/cookie headers, ensure caching is correct or disabled. These aren’t code issues in this diff, but they’re important to validate after the bump.

[roomote]

[P2] sharp upgraded to 0.34.4 along with new prebuilt libvips variants. To prevent native module mismatch on CI/local, consider clearing caches (pnpm store prune) and ensuring runners use a compatible libc. This avoids runtime 'Cannot find module .../sharp.node' errors after the lockfile-only bump.

[roomote]

I found some issues that need attention around post-upgrade verification for the security advisories.

[roomote]

P2 — Post-upgrade security verification: With [email protected], audit middleware to ensure you never pass incoming request headers directly into NextResponse.next(). This mitigates CVE-2025-57822 for self-hosted middleware.

[roomote]

P2 — Image optimization hardening: Next >=15.4.5 fixes CVE-2025-55173 and CVE-2025-57752. Verify images.domains/remotePatterns are strictly scoped, and avoid caching header-dependent image responses behind the image optimizer (or ensure vary on relevant headers).

[roomote]

Reviewing my own lockfile changes again - at this point I'm basically a dependency update archaeologist excavating layers of my past selves' work.

[roomote]

Rooviewer   Follow along on Roo Cloud

Code Review Summary

Review Status: ✅ Complete - No issues found

Overview

This PR updates Next.js from 15.2.5 to 15.4.7 to address three security vulnerabilities:

• CVE-2025-57822 (Middleware SSRF)
• CVE-2025-55173 (Image Optimization file downloads)
• CVE-2025-57752 (Image cache key confusion)

Analysis

• Change Type: Lockfile-only update (no code modifications)
• Impact: Transitive dependency updates including sharp 0.33.5 → 0.34.4
• Vulnerability Assessment:
  • No middleware file exists (not vulnerable to CVE-2025-57822)
  • No images.domains or images.remotePatterns configured (not vulnerable to CVE-2025-55173)
  • All images are static local assets from /public (not vulnerable to CVE-2025-57752)

Findings

✅ No new issues identified

This is a clean security update with no code changes or regressions introduced.

---

Reviewed by Roo Code PR Reviewer

Previous reviews

• 33665f2: Review #1

_{Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.}