Commit 7333605
chore(deps): bump next 15.5.15 → 15.5.18 — closes 13 GHSA advisories
Patches the Next.js block flagged by Dependabot, including the highest-
impact runtime issues:
- SSRF via WebSocket upgrades (CVSS 8.6, GHSA-c4j6-fc7j-m34r)
- Middleware/proxy bypass via dynamic route param injection (8.1)
- Middleware/proxy bypass via segment-prefetch routes + i18n
- DoS via Server Components, Cache Components, Image Optimization
- XSS in beforeInteractive scripts, CSP-nonce App Router
- Cache poisoning in RSC responses + Middleware redirects
Lockstep eslint-config-next bumped to 15.5.18.
6 transitive alerts remain (mcp-sdk hono/fast-uri/ip-address/express-
rate-limit + Next-vendored postcss). All gated on upstream releases —
no runtime-reachable code paths in this app. See CLAUDE.md §12.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent 34ddbd7 commit 7333605
2 files changed
Lines changed: 50 additions & 50 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
40 | 40 | | |
41 | 41 | | |
42 | 42 | | |
43 | | - | |
| 43 | + | |
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
| |||
60 | 60 | | |
61 | 61 | | |
62 | 62 | | |
63 | | - | |
| 63 | + | |
64 | 64 | | |
65 | 65 | | |
66 | 66 | | |
| |||
0 commit comments