🚨 [security] Update next 12.0.5 → 15.5.2 (major)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next (12.0.5 → 15.5.2) · Repo

Security Advisories 🚨

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.JS vulnerability can lead to DoS via cache poisoning

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

• Allam Rachid zhero;
• Allam Yasser (inzo)

🚨 Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js authorization bypass vulnerability

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

🚨 Denial of Service condition in Next.js image optimization

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

• The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
• The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

🚨 Next.js Denial of Service (DoS) condition

Impact

A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.

This vulnerability can affect all Next.js deployments on the affected versions.

Patches

This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credit

• Thai Vu of flyseccorp.com
• Aonan Guan (@0dd), Senior Cloud Security Engineer

🚨 Next.js Vulnerable to HTTP Request Smuggling

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

🚨 Next.js Server-Side Request Forgery in Server Actions

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

• Next.js (<14.1.1) is running in a self-hosted* manner.
• The Next.js application makes use of Server Actions.
• The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

🚨 Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

🚨 Unexpected server crash in Next.js

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

• Affected: All of the following must be true to be affected by this CVE

  • Node.js version above v15.0.0 being used with strict unhandledRejection exiting
  • Next.js version v12.2.3
  • Using next start or a custom server

• Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn't being shared across requests.

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4

🚨 Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

🚨 Denial of Service Vulnerability in next.js

Impact

Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.

• Affected: All of the following must be true to be affected by this CVE
  • Next.js versions above v12.0.0
  • Using next start or a custom server
  • Using the built-in i18n support
• Not affected:
  • Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

Patches

A patch has been released, next@12.0.9, that mitigates this issue. We recommend all affected users upgrade as soon as possible.

Workarounds

We recommend upgrading whether you can reproduce or not although you can ensure /${locale}/_next/ is blocked from reaching the Next.js instance until you upgrade.

For more information

If you have any questions or comments about this advisory:

• Open an issue in next
• Email us at security@vercel.com

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 3 commits:

• v15.5.2
• [backport] revert: add ?dpl to fonts in `/_next/static/media` (#83062) (#83066)
• [backport] fix: disable unknownatrules lint rule entirely (#83059) (#83060)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3c467bc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​next/​swc-darwin-arm64@​12.0.5 ⏵ 15.5.2	+1
	@​next/​swc-darwin-x64@​12.0.5 ⏵ 15.5.2	+1
	@​next/​swc-linux-arm64-gnu@​12.0.5 ⏵ 15.5.2	+1
	@​next/​swc-linux-arm64-musl@​12.0.5 ⏵ 15.5.2	+1
	@​next/​swc-linux-x64-gnu@​12.0.5 ⏵ 15.5.2	+1
	@​next/​swc-linux-x64-musl@​12.0.5 ⏵ 15.5.2	+1
	@​next/​swc-win32-arm64-msvc@​12.0.5 ⏵ 15.5.2	+1
	@​next/​swc-win32-x64-msvc@​12.0.5 ⏵ 15.5.2	+1
	client-only@​0.0.1
	@​img/​sharp-darwin-arm64@​0.34.3
	@​img/​sharp-darwin-x64@​0.34.3
	@​img/​sharp-linux-arm64@​0.34.3
	@​img/​sharp-linux-arm@​0.34.3
	@​img/​sharp-linux-ppc64@​0.34.3
	@​img/​sharp-linux-s390x@​0.34.3
	@​img/​sharp-linux-x64@​0.34.3
	@​img/​sharp-linuxmusl-arm64@​0.34.3
	@​img/​sharp-linuxmusl-x64@​0.34.3
	node-releases@​1.1.77 ⏵ 2.0.1			-29
	@​next/​env@​12.0.5 ⏵ 15.5.2	-1		+2
	tr46@​1.0.1 ⏵ 0.0.3	+1		-27	+1
	ansi-regex@​2.1.1
	escape-string-regexp@​4.0.0
	@​swc/​helpers@​0.5.15
	@​emnapi/​runtime@​1.5.0
	caniuse-lite@​1.0.30001278 ⏵ 1.0.30001737	+1		-24	-1
	@​img/​sharp-libvips-linuxmusl-x64@​1.2.0
	@​img/​sharp-libvips-linux-x64@​1.2.0
	@​img/​sharp-libvips-darwin-arm64@​1.2.0
See 28 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		caniuse-lite@1.0.30001737 has a License Policy Violation. License: CC-BY-4.0 (npm metadata) License: CC-BY-4.0 (package/LICENSE) License: CC-BY-4.0 (package/package.json) From: yarn.lock → npm/caniuse-lite@1.0.30001737 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001737. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report