[Snyk] Security upgrade next from 15.5.10 to 16.1.5 #37
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NEXT-15105315
📢 New Pull Request Ready for Review Title: [Snyk] Security upgrade next from 15.5.10 to 16.1.5 Please review when you have a chance! 🚀
Pull request overview
This PR upgrades Next.js from version 15.1.2 to 16.1.5 to address a high-severity security vulnerability (SNYK-JS-NEXT-15105315) related to "Allocation of Resources Without Limits or Throttling".
Changes:
- Upgrade Next.js dependency from ^15.1.2 to ^16.1.5 in frontend/package.json
| }, | ||
| "dependencies": { | ||
| "next": "^15.1.2", | ||
| "next": "^16.1.5", |
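Review bot: on the `"next"` line the range moves from `^15.1.2` to `^16.1.5`, which is a major-version change, while the PR lists frontend/package.json as the only file changed. Regenerate and commit the lockfile in this same PR so the resolved `next` version is the one that was reviewed, and run the frontend build and tests before merging, since the caret range will also accept later 16.x releases on a fresh install.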
The PR description mentions upgrading from Next.js 15.5.10, but the actual change shows an upgrade from ^15.1.2 to ^16.1.5. This is a discrepancy between the PR title and the actual code change. The change itself appears correct as ^16.1.5 will fix the security vulnerability, but the PR metadata may be inaccurate.
| "react": "^18.3.1", | ||
| "react-dom": "^18.3.1", |
Next.js 16 requires React 19 or later. The current React version (^18.3.1) is incompatible with Next.js 16. Both 'react' and 'react-dom' need to be upgraded to ^19.0.0 or later. The package-lock.json already shows React 19, indicating there's a mismatch between package.json and package-lock.json.
| "next": "^16.1.5", | ||
| "react": "^18.3.1", | ||
| "react-dom": "^18.3.1", | ||
| "next-auth": "^4.24.5", |
NextAuth.js v4 may not be fully compatible with Next.js 16. Next.js 16 is better supported by Auth.js v5 (the successor to NextAuth.js v4). Consider upgrading to '@auth/nextjs' (Auth.js v5) or verifying that next-auth v4.24.5 is compatible with Next.js 16 and React 19.
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- frontend/package.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-NEXT-15105315
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.