fix: bump next from 14.0.0 to 16.2.5 for CVE-2026-44578#2
Conversation
- Upgrade next 14.0.0 -> 16.2.5 and eslint-config-next 14.0.0 -> 16.2.5 - Affected range for 16.x: >= 16.0.0 < 16.2.5; fixed in 16.2.5 - CVE-2026-44578 / GHSA-c4j6-fc7j-m34r: Next.js SSRF via crafted WebSocket upgrade - Regenerate pnpm-lock.yaml - Adapt page.tsx for Next.js 16 async headers() API - Adapt dashboard.tsx ref callback to satisfy stricter React 19 type checks
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (3)
📝 WalkthroughSummary by CodeRabbit
WalkthroughNext.js and ChangesNext.js 16 Upgrade
Estimated code review effort🎯 2 (Simple) | ⏱️ ~5 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
app/proxy/page.tsxOops! Something went wrong! :( ESLint: 9.39.4 Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Cannot read config file: /node_modules/.pnpm/eslint-config-next@16.0.0_@typescript-eslint+parser@8.61.1_eslint@9.39.4_jiti@1.21.7__t_9a07a727fa428addbb99e5b41859596e/node_modules/eslint-config-next/dist/core-web-vitals.js components/dashboard.tsxOops! Something went wrong! :( ESLint: 9.39.4 Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Cannot read config file: /node_modules/.pnpm/eslint-config-next@16.0.0_@typescript-eslint+parser@8.61.1_eslint@9.39.4_jiti@1.21.7__t_9a07a727fa428addbb99e5b41859596e/node_modules/eslint-config-next/dist/core-web-vitals.js Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
Bumps
nextfrom 14.0.0 to 16.2.5 andeslint-config-nextto the same version to fix CVE-2026-44578 / GHSA-c4j6-fc7j-m34r (Next.js SSRF via crafted WebSocket upgrade requests).Changes
package.json:next14.0.0 → 16.2.5,eslint-config-next14.0.0 → 16.2.5pnpm-lock.yaml: regeneratedapp/proxy/page.tsx: awaitheaders()(Next.js 16 async API)components/dashboard.tsx: ref callback adjusted for stricter React 19 type checksVerification
node ./node_modules/next/dist/bin/next buildpassesnode ./node_modules/next/dist/bin/next --versionreports Next.js v16.2.5References