[Snyk] Security upgrade next from 15.5.3 to 15.5.9#108
dennislee928 wants to merge 1 commit into main from
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NEXT-14400636
- https://snyk.io/vuln/SNYK-JS-NEXT-14400644
✅ Snyk checks have passed. No issues have been found so far.
Pull request overview
This PR implements a Snyk-automated security upgrade for Next.js from version 15.5.3 to 15.5.9, addressing two vulnerabilities: a high-severity deserialization issue (SNYK-JS-NEXT-14400636, score 852) and a medium-severity information exposure issue (SNYK-JS-NEXT-14400644, score 678). The upgrade includes updates to the Next.js core package and its platform-specific SWC compiler binaries, along with automatic adjustments to peer dependency markers in the lockfile.
Key Changes
- Next.js upgraded from 15.5.3 to 15.5.9 to fix critical security vulnerabilities
- SWC compiler binaries updated to version 15.5.7 across all platforms (darwin, linux, win32)
- Multiple peer dependency markers removed from package-lock.json for various packages
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates Next.js dependency from 15.5.3 to 15.5.9 |
| package-lock.json | Updates Next.js core, SWC compiler versions, and removes peer dependency flags for various packages |
| "bs58": "^6.0.0", | ||
| "lucide-react": "^0.544.0", | ||
| "next": "15.5.3", | ||
| "next": "15.5.9", |
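Review bot: the added `"next": "15.5.9"` line keeps an exact pin, as the removed `"15.5.3"` line did, so a later Next.js patch release will not be installed until another change edits this line; decide whether that is the intended policy for a dependency that has just needed a security upgrade. Only package.json is visible here, so before merging run `npm ci`, which fails when package.json and package-lock.json disagree, to confirm the lockfile was regenerated for the new version.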
Version specifier inconsistency detected: package.json specifies "next": "15.5.9" (exact version), but package-lock.json specifies "next": "^15.5.9" (with caret). These should match to ensure consistent dependency resolution. Consider using "^15.5.9" in package.json to allow patch updates, or ensure both files use exact versioning if that's the project's convention.
| "next": "15.5.9", | |
| "next": "^15.5.9", |
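The consistency check raised in the review comment above, written out as an added example; it is not part of this pull request or of Snyk's or Copilot's output. It assumes the npm lockfile layout of lockfileVersion 2 or 3 (a `packages` map whose `""` entry mirrors package.json) and plain `x.y.z` versions; `auditDependency` and `cmp` are hypothetical names and the two manifests are constructed samples.

```javascript
// Constructed sample manifests (not this repository's real files).
const pkg = { dependencies: { next: "15.5.9" } };
const lock = {
  packages: {
    "": { dependencies: { next: "^15.5.9" } },   // root entry mirrors package.json
    "node_modules/next": { version: "15.5.9" },  // version actually installed
  },
};

// Compare two plain x.y.z versions numerically; returns <0, 0 or >0.
function cmp(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns a list of findings for one dependency; an empty list means the
// declared specifier, the lockfile root entry and the resolved version agree
// and the resolved version is at or above the fixed release.
function auditDependency(pkg, lock, name, minFixed) {
  const findings = [];
  const packages = lock.packages || {};
  const declared = (pkg.dependencies || {})[name];
  const locked = ((packages[""] || {}).dependencies || {})[name];
  const entry = packages["node_modules/" + name];
  if (declared !== locked) {
    findings.push(`specifier mismatch: package.json "${declared}" vs lockfile "${locked}"`);
  }
  if (!entry) {
    findings.push(`${name} is not resolved in the lockfile`);
  } else if (cmp(entry.version, minFixed) < 0) {
    findings.push(`resolved ${entry.version} is below fixed version ${minFixed}`);
  }
  return findings;
}

console.log(auditDependency(pkg, lock, "next", "15.5.9"));
```

In CI the same function can be fed the parsed contents of the real package.json and package-lock.json, failing the job when the returned list is non-empty.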
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-NEXT-14400636
- SNYK-JS-NEXT-14400644
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.