
fix: bump next from 15.5.3 to 15.5.12 (critical RCE)#9

Open
johnwaldo wants to merge 1 commit into karthikscale3:main from johnwaldo:fix/nextjs-security-bump

Conversation

@johnwaldo

Closes #8

Summary

  • Bump next from 15.5.3 to 15.5.12
  • Bump eslint-config-next from 15.5.3 to 15.5.12

Why

next@15.5.3 is affected by a critical remote code execution vulnerability in the React flight protocol (GHSA-9qr9-h5gf-34mp, CVSS 9.1), plus 4 additional advisories (2 high, 2 moderate) — all fixed in 15.5.10+.

This is a patch-level bump within 15.5.x — no breaking changes. Dependabot PR #6 proposes a major version jump to 16.1.5, which carries migration risk. This PR takes the conservative approach: fix the CVEs with the smallest possible change.

Note on lockfile

This PR updates package.json only. The lockfile (pnpm-lock.yaml) will need to be regenerated by running pnpm install after merging, since I don't have the full dev environment to produce a valid lockfile update.

Fixes critical RCE vulnerability (GHSA-9qr9-h5gf-34mp, CVSS 9.1)
and 4 additional advisories (2 high, 2 moderate).

Patch-level bump only — no breaking changes.

Closes karthikscale3#8
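Because this PR bumps package.json without regenerating pnpm-lock.yaml, the lockfile keeps resolving `next` to 15.5.3 until `pnpm install` is run, and a deploy that installs from the lockfile stays on the vulnerable release. The following is an added example, not code from this PR or the repository: a small audit that reads a manifest and a pnpm lockfile, compares both against the minimum patched version the PR names (15.5.10), and reports when the lockfile is still behind the manifest. The package.json and pnpm-lock.yaml contents are constructed to mirror the state this PR leaves the repo in; the lockfile parser assumes the pnpm v9 importer layout shown in that sample.

```python
"""Audit package.json and pnpm-lock.yaml for a dependency that must be at or above a patched version."""
import json
import re

# Minimum patched version for `next`, taken from the PR text ("fixed in 15.5.10+").
MIN_FIXED = {"next": (15, 5, 10)}

# Constructed sample inputs: manifest already bumped, lockfile not yet regenerated.
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"next": "15.5.12", "react": "19.0.0"},
    "devDependencies": {"eslint-config-next": "15.5.12"},
})

PNPM_LOCK = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      next:
        specifier: 15.5.3
        version: 15.5.3(react@19.0.0)
    devDependencies:
      eslint-config-next:
        specifier: 15.5.3
        version: 15.5.3
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Matches one importer entry in a pnpm v9 lockfile (assumed 6/8-space indentation as in the sample).
_LOCK_ENTRY_RE = re.compile(
    r"^ {6}(\S+):\n {8}specifier: \S+\n {8}version: (\d+\.\d+\.\d+)", re.MULTILINE
)


def parse_version(spec):
    """Return the first x.y.z in a version spec as an int tuple (a range like ^15.5.12 yields its lower bound)."""
    m = _VERSION_RE.search(spec)
    if not m:
        raise ValueError(f"no x.y.z version in spec {spec!r}")
    return tuple(int(p) for p in m.groups())


def manifest_versions(package_json_text):
    """Map each dependency and devDependency in package.json to its declared lower-bound version."""
    data = json.loads(package_json_text)
    out = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            out[name] = parse_version(spec)
    return out


def lock_versions(lock_text):
    """Map each importer entry in the lockfile to the version pnpm actually resolved."""
    return {name: parse_version(ver) for name, ver in _LOCK_ENTRY_RE.findall(lock_text)}


def fmt(v):
    return ".".join(map(str, v))


def audit(package_json_text, lock_text, min_fixed=MIN_FIXED):
    """Return (package, code, detail) findings for every package below its patched version or stale in the lockfile."""
    findings = []
    manifest = manifest_versions(package_json_text)
    lock = lock_versions(lock_text)
    for name, fixed in min_fixed.items():
        declared = manifest.get(name)
        if declared is None:
            continue
        if declared < fixed:
            findings.append((name, "manifest-vulnerable", f"declares {fmt(declared)} < {fmt(fixed)}"))
        resolved = lock.get(name)
        if resolved is None:
            findings.append((name, "lock-missing", "not present in lockfile"))
            continue
        if resolved < fixed:
            findings.append((name, "lock-vulnerable", f"lockfile resolves {fmt(resolved)} < {fmt(fixed)}"))
        if resolved < declared:
            findings.append((name, "lock-stale", f"manifest {fmt(declared)} but lockfile {fmt(resolved)}; run pnpm install"))
    return findings


if __name__ == "__main__":
    for pkg, code, detail in audit(PACKAGE_JSON, PNPM_LOCK):
        print(f"{pkg}: {code}: {detail}")
```

Run against the sample state it reports both `lock-vulnerable` and `lock-stale` for `next`; once the lockfile is regenerated and resolves 15.5.12, the audit returns no findings. Adding this to CI before the install step would catch a merge of this PR that forgets the follow-up `pnpm install`.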


Development

Successfully merging this pull request may close these issues.

Security: upgrade Next.js to fix critical RCE (GHSA-9qr9-h5gf-34mp)