Skip to content

fix: bump next from 14.0.0 to 16.2.5 for CVE-2026-44578#2

Open
Leathal1 wants to merge 1 commit into
caffo:mainfrom
Leathal1:fix/CVE-2026-44578-next-16.2.5
Open

fix: bump next from 14.0.0 to 16.2.5 for CVE-2026-44578#2
Leathal1 wants to merge 1 commit into
caffo:mainfrom
Leathal1:fix/CVE-2026-44578-next-16.2.5

Conversation

@Leathal1

Copy link
Copy Markdown

Summary

Bumps next from 14.0.0 to 16.2.5 and eslint-config-next to the same version to fix CVE-2026-44578 / GHSA-c4j6-fc7j-m34r (Next.js SSRF via crafted WebSocket upgrade requests).

Changes

  • package.json: next 14.0.0 → 16.2.5, eslint-config-next 14.0.0 → 16.2.5
  • pnpm-lock.yaml: regenerated
  • app/proxy/page.tsx: await headers() (Next.js 16 async API)
  • components/dashboard.tsx: ref callback adjusted for stricter React 19 type checks

Verification

  • node ./node_modules/next/dist/bin/next build passes
  • node ./node_modules/next/dist/bin/next --version reports Next.js v16.2.5

References

- Upgrade next 14.0.0 -> 16.2.5 and eslint-config-next 14.0.0 -> 16.2.5
- Affected range for 16.x: >= 16.0.0 < 16.2.5; fixed in 16.2.5
- CVE-2026-44578 / GHSA-c4j6-fc7j-m34r: Next.js SSRF via crafted WebSocket upgrade
- Regenerate pnpm-lock.yaml
- Adapt page.tsx for Next.js 16 async headers() API
- Adapt dashboard.tsx ref callback to satisfy stricter React 19 type checks
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 25c510ee-0731-4411-8d32-44e258205805

📥 Commits

Reviewing files that changed from the base of the PR and between 9bae5db and 51f2f37.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • app/proxy/page.tsx
  • components/dashboard.tsx
  • package.json

📝 Walkthrough

Summary by CodeRabbit

  • Refactor

    • Updated internal code patterns and component implementations.
  • Chores

    • Updated framework and development tool dependencies to latest versions.

Walkthrough

Next.js and eslint-config-next are upgraded from 14.0.0 to 16.2.5 in package.json. Two call sites are updated for compatibility: headers() in the proxy page is now awaited, and the segment ref callback in Dashboard is converted from expression-body to block-body syntax.

Changes

Next.js 16 Upgrade

Layer / File(s) Summary
Next.js and ESLint config version bump
package.json
next bumped from 14.0.0 to 16.2.5; eslint-config-next bumped from 14.0.0 to 16.2.5.
Next.js 16 API compatibility fixes
app/proxy/page.tsx, components/dashboard.tsx
headers() is now awaited in the proxy page to match the async API introduced in Next.js 16; the segment ref callback in Dashboard is rewritten from expression-body (= el) to block-body ({ segmentRefs.current[index] = el }) form.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: upgrading Next.js to address a security vulnerability.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the security fix, version upgrades, code adjustments, and verification steps.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

app/proxy/page.tsx

Oops! Something went wrong! :(

ESLint: 9.39.4

Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Cannot read config file: /node_modules/.pnpm/eslint-config-next@16.0.0_@typescript-eslint+parser@8.61.1_eslint@9.39.4_jiti@1.21.7__t_9a07a727fa428addbb99e5b41859596e/node_modules/eslint-config-next/dist/core-web-vitals.js
Error: Package subpath './v4' is not defined by "exports" in /node_modules/.pnpm/eslint-plugin-react-hooks@7.1.1_eslint@9.39.4_jiti@1.21.7_/node_modules/zod-validation-error/package.json
Referenced from: /.eslintrc.json
at exportsNotFound (node:internal/modules/esm/resolve:310:10)
at packageExportsResolve (node:internal/modules/esm/resolve:658:9)
at resolveExports (node:internal/modules/cjs/loader:685:36)
at Module._findPath (node:internal/modules/cjs/loader:752:31)
at Module._resolveFilename (node:internal/modules/cjs/loader:1461:27)
at wrapResolveFilename (node:internal/modules/cjs/loader:1049:27)
at defaultResolveImplForCJSLoading (node:internal/modules/cjs/loader:1073:10)
at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1094:12)
at Module._load (node:internal/modules/cjs/loader:1262:25)
at wrapModuleLoad (node:internal/modules/cjs/loader:255:19)
(node:2) ESLintRCWarning: You are using an eslintrc configuration file, which is deprecated and support will be removed in v10.0.0. Please migrate to an eslint.config.js file. See https://eslint.org/docs/latest/use/configure/migration-guide for details. An eslintrc configuration file is used because you have the ESLINT_USE_FLAT_CONFIG environment variable set to false. If you want to use an eslint.config.js file, remove the environment variable. If you want to find the location of the eslintrc configuration file, use the --debug flag.
(Use node --trace-warnings ... to show where the warning was created)

components/dashboard.tsx

Oops! Something went wrong! :(

ESLint: 9.39.4

Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Cannot read config file: /node_modules/.pnpm/eslint-config-next@16.0.0_@typescript-eslint+parser@8.61.1_eslint@9.39.4_jiti@1.21.7__t_9a07a727fa428addbb99e5b41859596e/node_modules/eslint-config-next/dist/core-web-vitals.js
Error: Package subpath './v4' is not defined by "exports" in /node_modules/.pnpm/eslint-plugin-react-hooks@7.1.1_eslint@9.39.4_jiti@1.21.7_/node_modules/zod-validation-error/package.json
Referenced from: /.eslintrc.json
at exportsNotFound (node:internal/modules/esm/resolve:310:10)
at packageExportsResolve (node:internal/modules/esm/resolve:658:9)
at resolveExports (node:internal/modules/cjs/loader:685:36)
at Module._findPath (node:internal/modules/cjs/loader:752:31)
at Module._resolveFilename (node:internal/modules/cjs/loader:1461:27)
at wrapResolveFilename (node:internal/modules/cjs/loader:1049:27)
at defaultResolveImplForCJSLoading (node:internal/modules/cjs/loader:1073:10)
at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1094:12)
at Module._load (node:internal/modules/cjs/loader:1262:25)
at wrapModuleLoad (node:internal/modules/cjs/loader:255:19)
(node:2) ESLintRCWarning: You are using an eslintrc configuration file, which is deprecated and support will be removed in v10.0.0. Please migrate to an eslint.config.js file. See https://eslint.org/docs/latest/use/configure/migration-guide for details. An eslintrc configuration file is used because you have the ESLINT_USE_FLAT_CONFIG environment variable set to false. If you want to use an eslint.config.js file, remove the environment variable. If you want to find the location of the eslintrc configuration file, use the --debug flag.
(Use node --trace-warnings ... to show where the warning was created)


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant