Next.js security update GHSA-c4j6-fc7j-m34r #195

@realproject7

Description

Context

Next.js published GHSA-c4j6-fc7j-m34r / CVE-2026-44578, a CVSS 8.6 SSRF issue in self-hosted apps using the built-in Node.js server and WebSocket upgrade handling. Official advisory: GHSA-c4j6-fc7j-m34r

Official affected ranges:

  • >=13.4.13 <15.5.16
  • >=16.0.0 <16.2.5

Official patched minimums are 15.5.16 and 16.2.5. Current npm patch targets checked during triage are 15.5.18 and 16.2.6.

Important: npm's green package/version icon is package provenance/verification. It is not proof that a version is safe for this CVE. Use the advisory ranges above as the source of truth.

This repo

  • Current next: 16.1.6 in devDependencies and lockfile
  • Current eslint-config-next: 16.1.6
  • Target: next@16.2.6, eslint-config-next@16.2.6 as dev dependencies
  • Deployment/package notes: this repo has both a Next app (next build / next start) and a separate OWS app build (app:build, Vite/Hono/Prisma). next is a dev dependency but is still used for the web build and should be patched before any Next deployment. vercel.json has a cron path /api/cron/backfill.
  • Additional audit note from triage: this repo also had separate Hono/Vite advisories unrelated to this Next CVE. Do not conflate them with this ticket, but include audit output in the PR.

Suggested patch

npm install --save-dev --save-exact next@16.2.6 eslint-config-next@16.2.6

Verification

Run from repo root:

npm audit --omit=dev
npm run lint
npm run typecheck
npm run test
npm run build
npm run app:build

Run npm run test:e2e if Playwright dependencies/env are available. Smoke the cron route /api/cron/backfill if deployed.

Acceptance criteria

  • package.json and package-lock.json resolve next to 16.2.6.
  • npm audit --omit=dev no longer reports GHSA-c4j6-fc7j-m34r for next.
  • Both Next build and OWS app build pass.
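One way to check the lockfile against the advisory ranges above and the acceptance criteria, as an added example that is not part of this issue or of Next.js; the lockfile object is constructed to mirror this repo's pre-patch state, and the helper names are assumptions:

```javascript
// Affected ranges from GHSA-c4j6-fc7j-m34r: [min inclusive, max exclusive].
const AFFECTED_RANGES = [
  ["13.4.13", "15.5.16"],
  ["16.0.0", "16.2.5"],
];

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two versions numerically field by field.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies any affected range (>= lo and < hi).
function isAffected(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0,
  );
}

// Read the resolved `next` version from a lockfileVersion 2/3 package-lock object.
function lockedNextVersion(lock) {
  const entry = lock.packages && lock.packages["node_modules/next"];
  if (!entry || !entry.version) throw new Error("next is not in the lockfile");
  return entry.version;
}

// Combine both checks; a CI step would fail the build when `affected` is true.
function auditLock(lock) {
  const version = lockedNextVersion(lock);
  return { version, affected: isAffected(version) };
}

// Constructed sample lockfile (not real file content) matching next@16.1.6.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/next": { version: "16.1.6", dev: true },
  },
};

console.log(auditLock(SAMPLE_LOCK)); // { version: '16.1.6', affected: true }
```

Pointing `auditLock` at the real package-lock.json (via `JSON.parse(fs.readFileSync(...))`) answers the first acceptance criterion independently of the npm provenance icon.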
