ci(deps): bump next from 16.2.3 to 16.2.5 by dependabot[bot] · Pull Request #223 · nickelsh1ts/streamarr

dependabot · 2026-04-27T22:48:47Z

Bumps next from 16.2.3 to 16.2.5.

Release notes

v16.2.5

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)

Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)

Compiler: Support boolean and number primtives in next.config defines (#92731)

turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)

Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)

Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)

Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!

Commits

766148f v16.2.5
0dd9483 fix: add explicit checks for RSC header (#83) (#98)
d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
9d50c0b Strip next-resume header from incoming requests (#92)
df7ab5a fix: skip internal param normalization in unsupported environments
ed41d1d Move htmlescape to shared/lib (#91)
b4c6705 Ignore malformed CSP nonce headers
5b194ee router-server: guard upgrade proxy against absolute-url SSRF (#77)
cb171d7 Fix i18n middleware matching for default-locale data routes (#82)
89e9954 [16.x] Type hardening and performance improvements (#80)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Bumps [next](https://github.com/vercel/next.js) from 16.2.3 to 16.2.5. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.2.3...v16.2.5) --- updated-dependencies: - dependency-name: next dependency-version: 16.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 27, 2026

dependabot Bot requested a review from nickelsh1ts as a code owner April 27, 2026 22:48

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 27, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/next-16.2.4 branch 2 times, most recently from 009cd32 to 0b28fa4 Compare April 28, 2026 04:45

nickelsh1ts self-assigned this May 7, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/next-16.2.4 branch 5 times, most recently from 7c1a8be to 1eadda1 Compare May 11, 2026 00:36

dependabot Bot changed the title ~~ci(deps): bump next from 16.2.3 to 16.2.4~~ ci(deps): bump next from 16.2.3 to 16.2.5 May 11, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/next-16.2.4 branch from 1eadda1 to a1d3a4b Compare May 11, 2026 18:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ci(deps): bump next from 16.2.3 to 16.2.5#223

ci(deps): bump next from 16.2.3 to 16.2.5#223
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/next-16.2.4

dependabot Bot commented on behalf of github Apr 27, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot Bot commented on behalf of github Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v16.2.5

v16.2.4

Core Changes

Credits

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Apr 27, 2026 •

edited

Loading