
Commit fed6c6a

🚨 [security] Update all of nextjs 15.4.4 → 15.4.7 (patch) (#18838)

---

🚨 **Your current dependencies have known security vulnerabilities** 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

### What changed?

#### ✳️ eslint-config-next (15.4.4 → 15.4.7)

Sorry, we couldn't find anything useful about this release.

#### ✳️ next (15.4.4 → 15.4.7) · [Repo](https://github.com/vercel/next.js)

<details>
<summary>Security Advisories 🚨</summary>

#### [🚨 Next.js Content Injection Vulnerability for Image Optimization](https://bounce.depfu.com/github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v)

> A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
>
> All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated.
>
> More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)

#### [🚨 Next.js Affected by Cache Key Confusion for Image Optimization API Routes](https://bounce.depfu.com/github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v)

> A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.
>
> All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
>
> More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)

#### [🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF](https://bounce.depfu.com/github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f)

> A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
>
> All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.
>
> More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)

</details>

<details>
<summary>Release Notes</summary>

#### [15.4.7](https://github.com/vercel/next.js/releases/tag/v15.4.7)

> **Note:** This release is backporting bug fixes. It does **not** include all pending features/changes on canary.
>
> **Core Changes**
>
> - fix router handling when setting a location response header ([#82588](https://bounce.depfu.com/github.com/vercel/next.js/pull/82588))
>
> **Credits**
>
> Huge thanks to [@ztanner](https://bounce.depfu.com/github.com/ztanner) for helping!

#### [15.4.6](https://github.com/vercel/next.js/releases/tag/v15.4.6)

> **Note:** This release is backporting bug fixes. It does **not** include all pending features/changes on canary.
>
> **Core Changes**
>
> - fix: `_error` page's `req.url` can be overwritten to dynamic param on minimal mode ([#82347](https://bounce.depfu.com/github.com/vercel/next.js/pull/82347))
> - fix: add `?dpl` to fonts in `/_next/static/media` ([#82384](https://bounce.depfu.com/github.com/vercel/next.js/pull/82384))
>
> **Credits**
>
> Huge thanks to [@devjiwonchoi](https://bounce.depfu.com/github.com/devjiwonchoi), [@ijjk](https://bounce.depfu.com/github.com/ijjk), and [@styfle](https://bounce.depfu.com/github.com/styfle) for helping!

#### [15.4.5](https://github.com/vercel/next.js/releases/tag/v15.4.5)

> **Note:** This release is backporting bug fixes. It does **not** include all pending features/changes on canary.
>
> **Core Changes**
>
> - Fix API stripping JSON incorrectly ([#82062](https://bounce.depfu.com/github.com/vercel/next.js/pull/82062))
> - Fix i18n fallback: false collision ([#82158](https://bounce.depfu.com/github.com/vercel/next.js/pull/82158))
> - Revert "Fix tracing of server actions imported by client components" ([#82167](https://bounce.depfu.com/github.com/vercel/next.js/pull/82167))
> - Ensure setAssetPrefix updates config instance ([#82165](https://bounce.depfu.com/github.com/vercel/next.js/pull/82165))
> - Turbopack: update mimalloc ([#82166](https://bounce.depfu.com/github.com/vercel/next.js/pull/82166))
> - fix(next/image): fix image-optimizer.ts headers ([#82175](https://bounce.depfu.com/github.com/vercel/next.js/pull/82175))
> - fix(next/image): improve and simplify detect-content-type ([#82174](https://bounce.depfu.com/github.com/vercel/next.js/pull/82174))
>
> **Credits**
>
> Huge thanks to [@ijjk](https://bounce.depfu.com/github.com/ijjk), [@sokra](https://bounce.depfu.com/github.com/sokra), and [@styfle](https://bounce.depfu.com/github.com/styfle) for helping!

*Does any of this look wrong? [Please let us know.](https://depfu.com/packages/npm/next/feedback)*

</details>

<details>
<summary>Commits</summary>

[See the full diff on Github](https://github.com/vercel/next.js/compare/fe5db65859f0658d1c4701635ec4f4e5ec507e64...f30d815859e932e09222e93bb6e8a376b918d874). The new version differs by 14 commits:

- [`v15.4.7`](https://github.com/vercel/next.js/commit/f30d815859e932e09222e93bb6e8a376b918d874)
- [`fix router handling when setting a location response header (#82588)`](https://github.com/vercel/next.js/commit/1a026e338d2b8c977c8949a134168952338d6d01)
- [`v15.4.6`](https://github.com/vercel/next.js/commit/be4aafd4b744fbf6500b311b74c84243f70a3059)
- [`Backport "fix: add ?dpl to fonts in /_next/static/media (#82384)" (#82421)`](https://github.com/vercel/next.js/commit/91e5b6b84f56c096dc2bb647eb384388e06489fd)
- [`Backport "[Pages] fix: _error page's req.url can be overwritten t… (#82377)`](https://github.com/vercel/next.js/commit/f1629d939597cc46ccbe44fe66bda91eac31e219)
- [`v15.4.5`](https://github.com/vercel/next.js/commit/b9aab5dbe926c256d439bfecb226693dcd1a1be4)
- [`Disable test new tests jobs`](https://github.com/vercel/next.js/commit/a8c93c49dd2d42a2ced8a17bc53b3fea11d25c96)
- [`[backport]: fix(next/image): improve and simplify detect-content-type (#82118) (#82174)`](https://github.com/vercel/next.js/commit/ed2a6c754831406f8cd724eb52a562bb124c1504)
- [`[backport]: fix(next/image): fix image-optimizer.ts headers (#82114) (#82175)`](https://github.com/vercel/next.js/commit/f00fcc9011e7d0ef027021fc8424f51b8ac97880)
- [`Backport: Turbopack: update mimalloc (#81993) (#82166)`](https://github.com/vercel/next.js/commit/55a7568e9d12459f8c5f5ae120fe2e228af284bb)
- [`[backport] Ensure setAssetPrefix updates config instance (#82165)`](https://github.com/vercel/next.js/commit/5bc4b368e5bc4d301f94955307e37a0328612408)
- [`[Backport] Revert "Fix tracing of server actions imported by client components (#78968) (#82167)`](https://github.com/vercel/next.js/commit/717dfb6ec985ba58b20ce6533ceecab213f72c22)
- [`[backport] Fix i18n fallback: false collision (#82158)`](https://github.com/vercel/next.js/commit/6372ba03e85ca598b67fe21daa87dbad328f581b)
- [`Fix API stripping JSON incorrectly (#82062)`](https://github.com/vercel/next.js/commit/1e2c3792f88491ab8cfba580b8f17aad17015d17)

</details>

---

![Depfu Status](https://depfu.com/badges/edd6acd35d74c8d41cbb540c30442adf/stats.svg)

[Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

<details><summary>All Depfu comment commands</summary>

- `@depfu rebase`: Rebases against your default branch and redoes this update
- `@depfu recreate`: Recreates this PR, overwriting any edits that you've made to it
- `@depfu merge`: Merges this PR once your tests are passing and conflicts are resolved
- `@depfu cancel merge`: Cancels automatic merging of this PR
- `@depfu close`: Closes this PR and deletes the branch
- `@depfu reopen`: Restores the branch and reopens this PR (if it's closed)
- `@depfu pause`: Ignores all future updates for this dependency and closes this PR
- `@depfu pause [minor|major]`: Ignores all future minor/major updates for this dependency and closes this PR
- `@depfu resume`: Future versions of this dependency will create PRs again (leaves this PR as is)

</details>

Co-authored-by: depfu[bot] <23717796+depfu[bot]@users.noreply.github.com>
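The middleware SSRF advisory above asks self-hosted users to verify how request headers reach `NextResponse.next()`. The following is an added example (not code from Next.js, Depfu, or this PR) of the defensive pattern: building the forwarded header set from an allowlist instead of cloning the incoming headers wholesale, and reporting what was dropped so it can be logged. The helper name, the allowlist and the sample request are this example's own constructed choices; only the `NextResponse.next({ request: { headers } })` call shape in the comment is the Next.js middleware API.

```javascript
// Header names a middleware legitimately wants the downstream route to see.
// Constructed allowlist for this example; tune it per application.
const FORWARD_ALLOWLIST = new Set(["accept", "accept-language", "user-agent"]);

/**
 * Build the Headers object to hand to NextResponse.next({ request: { headers } }).
 * Rather than passing `req.headers` through directly (the pattern the advisory
 * warns about), start from an empty Headers and copy only allowlisted names.
 * Everything else the client sent, including any "x-*" routing or credential
 * headers, is dropped and returned separately so the middleware can log it.
 *
 * @param {Headers} incoming  headers of the incoming request
 * @param {Set<string>} allowlist  lowercase header names to forward
 * @returns {{ headers: Headers, dropped: string[] }}
 */
function buildForwardHeaders(incoming, allowlist = FORWARD_ALLOWLIST) {
  const headers = new Headers();
  const dropped = [];
  for (const [name, value] of incoming.entries()) {
    // Headers normalises names to lowercase; compare case-insensitively anyway.
    if (allowlist.has(name.toLowerCase())) {
      headers.set(name, value);
    } else {
      dropped.push(name);
    }
  }
  return { headers, dropped };
}

// Constructed sample request: a client sends internal-looking and credential
// headers alongside ordinary ones. None of the values are real.
const sampleRequestHeaders = new Headers({
  "accept": "image/avif,image/webp",
  "user-agent": "curl/8.0",
  "authorization": "Bearer example-token",   // not allowlisted: dropped
  "x-forwarded-host": "other.example",       // client-controlled: dropped
  "x-internal-hint": "1",                    // unknown x-* header: dropped
});

// In middleware.ts the result would be used as:
//   const { headers, dropped } = buildForwardHeaders(req.headers);
//   if (dropped.length) console.warn("middleware dropped headers:", dropped);
//   return NextResponse.next({ request: { headers } });
const forwarded = buildForwardHeaders(sampleRequestHeaders);
```

Logging `dropped` gives a cheap detection signal: a burst of requests carrying internal routing headers from the outside is worth an alert even after the upgrade.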
1 parent 5e2a160 commit fed6c6a

File tree

3 files changed

+60
-60
lines changed


playgrounds/nextjs/package.json

Lines changed: 2 additions & 2 deletions
@@ -11,7 +11,7 @@
1111
"dependencies": {
1212
"@tailwindcss/postcss": "workspace:^",
1313
"fast-glob": "^3.3.3",
14-
"next": "15.4.4",
14+
"next": "15.4.7",
1515
"react": "^19.1.1",
1616
"react-dom": "^19.1.1",
1717
"tailwindcss": "workspace:^"
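Review bot: `"next": "15.4.7"` is an exact pin while `eslint-config-next` in the next hunk of this file uses a caret range, so this playground will not pick up later 15.4.x patch releases without another explicit bump; given that this single patch range carried three security advisories, either pin both consistently or leave a comment explaining why `next` is held exactly.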
@@ -21,7 +21,7 @@
2121
"@types/react": "^19.1.9",
2222
"@types/react-dom": "^19.1.7",
2323
"eslint": "^9.33.0",
24-
"eslint-config-next": "^15.4.4",
24+
"eslint-config-next": "^15.4.7",
2525
"typescript": "^5.5.4"
2626
}
2727
}
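Review bot: `"eslint-config-next": "^15.4.7"` is a range, so the version actually installed is decided by `pnpm-lock.yaml`, whose 56-line change is not rendered on this page; before merging, confirm the lockfile resolves `next` to 15.4.7 for both playgrounds (for example with `pnpm install --frozen-lockfile` in CI), since the fixes named in the description ship in 15.4.5 and 15.4.7 and a stale lockfile would silently keep the old version.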

playgrounds/v3/package.json

Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@
99
"upgrade": "node scripts/upgrade.mjs"
1010
},
1111
"dependencies": {
12-
"next": "15.4.4",
12+
"next": "15.4.7",
1313
"react": "^19.1.1",
1414
"react-dom": "^19.1.1",
1515
"tailwindcss": "^3"
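Review bot: this `next` pin must stay in lockstep with the one in `playgrounds/nextjs/package.json`; both move to `15.4.7` here, but a future update that touches only one playground would leave the other on a version carrying the advisories above, so consider a shared version source (for example a pnpm catalog) or a CI check that the two pins match.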
@@ -20,7 +20,7 @@
2020
"@types/react-dom": "^19.1.7",
2121
"autoprefixer": "^10.4.21",
2222
"eslint": "^9.33.0",
23-
"eslint-config-next": "^15.4.4",
23+
"eslint-config-next": "^15.4.7",
2424
"typescript": "^5.5.4"
2525
}
2626
}

pnpm-lock.yaml

Lines changed: 56 additions & 56 deletions
Some generated files are not rendered by default.

0 commit comments
