fix(KNO-12386): upgrade Next.js 16.1.4 → 16.2.2 #1378
Merged
Risk HIGH: Upgrades Next.js from 16.1.4 to 16.2.2 by updating yarn.lock to resolve security vulnerabilities.
Reasons
- yarn.lock is modified, which triggers HIGH risk per classification rules regardless of diff size
- Dependency version changes can introduce subtle runtime behavior changes even within semver-compatible ranges
- The change upgrades a core framework dependency (Next.js) that affects the entire build and rendering pipeline
- The diff is small (81+/71-, 1 file) and stays within the declared ^16.1.4 semver range, which limits actual risk in practice
- The PR author provides clear justification that type-checking passes and no breaking changes are present in the 16.2.x release notes
Notes
- Verify the Vercel preview deployment builds and renders correctly — this is the most important signal for a lock-file-only Next.js bump
- Confirm no regressions in page rendering, especially dynamic routes and API routes
- The author notes this resolves 5 security vulnerabilities (1 high, 2 medium, 2 low) flagged by Aikido — worth confirming those CVEs are addressed in 16.2.2
- Since package.json is unchanged and Next.js was already declared as ^16.1.4, this is a low-friction upgrade despite the HIGH classification
Sent by Cursor Automation: Docs PR classifier
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
cjbell (Contributor) approved these changes on Apr 2, 2026 and left a comment:
should this be in the package.json as well?
Raises the minimum version to ensure fresh installs cannot resolve to a version below the security fix threshold (16.1.7). Addresses review comment from @cjbell.
bce3ddc to ad20fdb



Summary
Upgrades Next.js from 16.1.4 to 16.2.2 in the lock file to resolve 5 security vulnerabilities flagged by Aikido (1 high, 2 medium, 2 low).
What changed
- next was already declared as ^16.1.4 in package.json, so 16.2.2 is within the existing semver range
Why this is safe
This is a minor version bump (16.1.4 → 16.2.2). The 16.2.x release notes contain no user-facing breaking changes — primarily internal improvements (Turbopack, error page redesign, React upgrade, build optimizations). All new features are opt-in via experimental flags.
Type-checking (tsc) passes with identical results before and after the upgrade (pre-existing .next/types errors only).
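
The distinction raised in review, a version pinned in yarn.lock versus the range declared in package.json, can be checked mechanically. The following is an added example, not code from this PR or repository: it reads the declared range and the yarn.lock entry for a package and compares both against the 16.1.7 fix threshold named in the commit message. The function names and the sample lock text are constructed for illustration.

```javascript
// Added example. Sample inputs are constructed, not the repository's files.
const FIX_THRESHOLD = "16.1.7"; // fix threshold named in the PR's commit message

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release tags are rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Lowest version a simple range (^, ~, >= or exact pin) allows a resolver to pick.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Resolved version of `name` in yarn.lock text (Yarn v1 or Berry layout).
function lockedVersion(lockText, name) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^"?${esc}@[^\\n]*:\\n(?:[ \\t]+[^\\n]*\\n)*?[ \\t]+version:? "?([0-9.]+)"?`, "m");
  const m = re.exec(lockText);
  return m ? m[1] : null;
}

// floorOk: the declared range cannot resolve below the fix without the lock file.
// lockOk: the version pinned in yarn.lock is at or above the fix.
function auditDependency(pkgJsonText, lockText, name, threshold = FIX_THRESHOLD) {
  const pkg = JSON.parse(pkgJsonText);
  const declared = { ...pkg.devDependencies, ...pkg.dependencies }[name];
  if (!declared) throw new Error(`${name} is not declared in package.json`);
  const locked = lockedVersion(lockText, name);
  return {
    floor: rangeFloor(declared),
    locked,
    floorOk: compareVersions(rangeFloor(declared), threshold) >= 0,
    lockOk: locked !== null && compareVersions(locked, threshold) >= 0,
  };
}

// Constructed lock text: a similarly named package first, then the entry under test.
const SAMPLE_LOCK = 'next-themes@^0.4.0:\n  version "0.4.6"\n\nnext@^16.1.4:\n  version "16.2.2"\n';
const LOCK_ONLY_BUMP = auditDependency('{"dependencies":{"next":"^16.1.4"}}', SAMPLE_LOCK, "next");
console.log(LOCK_ONLY_BUMP); // lock is at 16.2.2, but the declared floor is still 16.1.4
```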