Skip to content

Commit 7333605

Browse files
josers18claude
andcommitted
chore(deps): bump next 15.5.15 → 15.5.18 — closes 13 GHSA advisories
Patches the Next.js block flagged by Dependabot, including the highest- impact runtime issues: - SSRF via WebSocket upgrades (CVSS 8.6, GHSA-c4j6-fc7j-m34r) - Middleware/proxy bypass via dynamic route param injection (8.1) - Middleware/proxy bypass via segment-prefetch routes + i18n - DoS via Server Components, Cache Components, Image Optimization - XSS in beforeInteractive scripts, CSP-nonce App Router - Cache poisoning in RSC responses + Middleware redirects Lockstep eslint-config-next bumped to 15.5.18. 6 transitive alerts remain (mcp-sdk hono/fast-uri/ip-address/express- rate-limit + Next-vendored postcss). All gated on upstream releases — no runtime-reachable code paths in this app. See CLAUDE.md §12. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 34ddbd7 commit 7333605

2 files changed

Lines changed: 50 additions & 50 deletions

File tree

package-lock.json

Lines changed: 48 additions & 48 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@
4040
"clsx": "^2.1.1",
4141
"ioredis": "^5.4.1",
4242
"lucide-react": "^0.454.0",
43-
"next": "^15.5.15",
43+
"next": "^15.5.18",
4444
"openai": "^6.34.0",
4545
"pg": "^8.13.1",
4646
"react": "^18.3.1",
@@ -60,7 +60,7 @@
6060
"@types/react-dom": "^18.3.1",
6161
"autoprefixer": "^10.4.20",
6262
"eslint": "^8.57.1",
63-
"eslint-config-next": "^15.5.15",
63+
"eslint-config-next": "^15.5.18",
6464
"postcss": "^8.4.47",
6565
"tailwindcss": "^3.4.14",
6666
"typescript": "^5.6.3"

0 commit comments

Comments
 (0)