chore(deps): update dependency next to v15.4.7 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	15.2.2 -> 15.4.7
next (source)	15.2.4 -> 15.4.7

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

---

Release Notes

vercel/next.js (next)

v15.4.7

Compare Source

v15.4.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#​82347)
• fix: add ?dpl to fonts in /_next/static/media (#​82384)

Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

Compare Source

v15.4.4

Compare Source

v15.4.3

Compare Source

v15.4.2

Compare Source

v15.4.1

Compare Source

v15.4.0

Compare Source

v15.3.5

Compare Source

v15.3.4

Compare Source

v15.3.3

Compare Source

v15.3.2

Compare Source

v15.3.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Backport SWC-based RC optimization (#​78260)
• fix: bump [email protected] (#​78164)

Credits

Huge thanks to @​kdy1 and @​styfle for helping!

v15.3.0

Compare Source

Core Changes

• [dev-overlay] Customize <select> styling for consistency: #​76973
• Upgrade React from 029e8bd6-20250306 to 0ca3deeb-20250311: #​76989
• [metadata]: add pinterest meta tag: #​76988
• [dev-overlay] ensure stripping overlay bundle in prod build: #​76976
• Apply env inlining during generate build mode: #​76990
• Turbopack: Implement deploymentId: #​76904
• track persistent caching usage: #​76996
• [metadata] re-insert icons to head for streamed metadata: #​76915
• Upgrade React from 0ca3deeb-20250311 to 6aa8254b-20250312: #​77033
• Move static-env imports: #​77035
• [dev-overlay] Add size setting to preferences: #​77027
• Add config for only generating static env: #​77038
• chore(HMR clients): Clean up and share code between app and pages router: #​76960
• Add dev warning for cross-origin and stabilize allowedDevOrigins: #​77044
• unify allowed origin detection handling: #​77053
• Handle hash change in all files for static env: #​77058
• [dev-overlay] highlight errored code line for runtime errors: #​77078
• NFT: Ignore all of Webpack: #​77081
• Add experimental build mode flag for env: #​77089
• (feat) support client-side instrumentation: #​76916
• Fix JSDoc comment for 'seconds' cache life profile: #​77084
• refactor(HMR clients): Encapsulate some of the turbopack state tracking into a shared TurbopackHmr class: #​76994
• Slightly improve error handling for unknown server actions: #​77135
• Fix output standalone for alternative bundler: #​76971
• Add alternate bundler plugin information to next info: #​77059
• [metadata] remove the default segement check for metadata rendering: #​77119
• [dev-overlay] Fix stacking order of highlighted line: #​77189
• Upgrade React from 6aa8254b-20250312 to 5398b711-20250314: #​77129
• fix(styled-jsx): Pass useLightningcss option to styled-jsx correctly: #​77008
• log the instrumentation-client execution time: #​77121
• Turbopack: canary-gate production builds: #​77146
• [dev-overlay] remove special handling for missing tag error : #​77147
• chore(react-dev-overlay): Remove confusingly underscored variables in useErrorOverlayReducer: #​77205
• Update middleware request header: #​77201
• Update default allowed origins list: #​77212
• Ensure deploymentId is used for CSS preloads: #​77210
• chore(HMR clients): Fix a bunch of typescript errors by including the appropriate webpack type declarations: #​77207
• Update cache handler interface: #​76687
• Turbopack: don't include AMP optimizer in NFT: #​77242
• Server actions should not read stale data after calling revalidate*: #​76885
• [dev-overlay] Blur fader for scrollable container: #​77196
• Make revalidate* work when followed by a redirect in a route handler: #​77090
• feat: onNavigate for link: #​77209
• fix: pass telemetry plugin rspack tests: #​77257
• feat(eslint-plugin): add minimal built-in flat presets: #​73873
• [perf] skip loading client manifest for static metadata routes: #​77260
• Upgrade React from 5398b711-20250314 to c69a5fc5-20250318: #​77249
• [ppr] Handle failed resume data cache entries: #​77258
• Bypass "use cache" caches when Draft Mode is enabled: #​77141
• chore(HMR clients): Clean up tryApplyUpdates, reduce differences between app/pages versions: #​77219
• Upgrade React from c69a5fc5-20250318 to db7dfe05-20250319: #​77295
• Turbopack: layout segment optimization for Pages: #​74815
• [dev-overlay] Make footer sticky without side effects: #​77327
• Alternate bundler: show state in app info message: #​77259
• Revert "Turbopack: layout segment optimization for Pages": #​77339
• [metadata] add Yeti to html limited bots: #​77335
• [dev-overlay] Remove unused code from pages: #​77325
• [metadata] remove dead code of metadata routes handling: #​77336
• Alternate bundler: pass more tests and update to 1.3.0-beta: #​77269
• [metadata] fix the metadata route like pages and refactor utils: #​77264
• fix: absolute assetPrefix url with path: #​77256
• clean up useReducer code re dev indicator: #​77354
• test: ensure that router identity stays stable when navigating: #​77356
• [dev-overlay] Remove unused fields from hydration error state: #​77332
• Turbopack: implement optimized css production chunking: #​77284
• only log when instrumentation client takes too long: #​77378
• switch development origin verification to be opt-in rather than opt-out: #​77395
• remove direct ip/port bypass in dev origin check: #​77414
• ensure /__next middleware URLs are included in the origin check: #​77416
• exclude images and static media from dev origin check: #​77417
• Refactor metadata and viewport preloading: #​77400
• [dev-overlay] Remove unused fields from unhandled error action event: #​77333
• Turbopack: Add --turbopack for next start: #​77442
• Update README: #​77464
• Remove unnecessary indirections around dispatch-related methods: #​77423
• Lift public router instance to module level : #​77426
• directly import param resolver in metadata: #​77401
• [metadata] always serve streaming metadata in build: #​77437
• directly import search param resolver in metadata: #​77402
• Remove forwardRef from Link in App Router: #​77471
• Match subrequest handling for edge and node: #​77474
• Add deprecation warning for legacyBehavior prop: #​77473
• feat: useLinkStatus: #​77300
• [dynamicIO] Avoid memory leak warning for hanging promises: #​77480
• [dev-overlay] Remove "Unhandled Runtime Error" label: #​77484
• Upgrade React from db7dfe05-20250319 to 740a4f7a-20250325: #​77507
• Upgrade React from 740a4f7a-20250325 to 313332d1-20250326: #​77527
• Do not call expireTags/getExpiration unnecessarily: #​77570
• fix(jest): stricter regex for 'server-only' in default config: #​77588
• Fix: RESTORE_ACTION should not be thenable: #​77582
• Use NEXT_PRIVATE_DEBUG_CACHE env variable for cache handler debug logs: #​77585
• fix: make sure body can be read using nodejs runtime in middleware: #​77553
• Update alternate bundler and pass more tests : #​77579
• Refactor build scripts and rewrite pack-next in TypeScript: #​77536
• fix isCsrfOriginAllowed handling for localhost: #​77594
• Turbopack build: fix deterministic build test: #​77618
• Turbopack build: Fix urlencoding test: #​77622
• [og] fix vercel og build issue on windows: #​77650
• [Segment Cache] Add "client-only" option: #​77655
• Remove useSyncExternalStore from useIsDevRendering: #​77651
• Track navigation timestamp on CacheNode: #​77251
• Upgrade @​playwright/test and cleanup internal APIs: #​77659
• Refactor: move "use cache" revalidation logic out of incremental cache: #​77577
• Remove obsolete update of implicit tags expiration after server action: #​77595
• Revert "Remove useSyncExternalStore from useIsDevRendering (#​77651)": #​77672
• Upgrade React from 313332d1-20250326 to 63779030-20250328: #​77643
• Turbopack build: Add marker for when a build used Turbopack: #​77674
• feat(images): use experimental isrFlushToDisk option to prevent writing optimized images to cache: #​70645
• doc: instrumentation-client: #​77649
• Alternate bundler: use equivalent native plugins for built-in plugins: #​77355
• Resolve Viewport separately from Metadata: #​77427
• fix(turbopack): Suppress logging for short no-op turbopack HMRs: #​76924
• Turbopack build: Fix node-file-trace test: #​77641
• Turbopack build: Implement error when using next start without --turbopack: #​77678
• legacyBehavior deprecation error should only trigger once: #​77687
• Pass only required props to NonIndex: #​77685
• Revert "fix: make sure body can be read using nodejs runtime in middleware": #​77690
• [dev-overlay] Harden types when handling hydration mismatches: #​77334
• [dev-overlay] Fix ref warning when Pages Router with React 18 is used: #​77726
• add support for cssmodules-pure-no-check to allow global CSS features like View Transitions: #​77321
• [dev-overlay] Only warn once per invalid sourcemap: #​77444
• [dynamicIO] only abort once per prerender: #​77747
• Turbopack build: Move Turbopack marker to SERVER_FILES_MANIFEST: #​77711
• Reapply "Turbopack: layout segment optimization for Pages" (#​77339): #​77696
• feat(next/image): support new URL() for images.remotePatterns: #​77692
• [dev-overlay] remove text wrap for terminal: #​76953
• Upgrade React from 63779030-20250328 to 040f8286-20250402: #​77742
• Optimize server runtime bundles: #​77723
• Turbopack Build: Remove cases of process.env.TURBOPACK: #​77757
• [dev-overlay] Fix unactionable useLayoutEffect warning if React 18 is used: #​77737
• [dev-tools] Fix flashing of disabled state on indicator: #​77727
• Webpack build: Add compiled in x seconds in missing places: #​77751
• Ignore an existing HMR refresh hash cookie with next start: #​77714
• Turbopack build: Replace process.env.TURBOPACK usage: #​77783
• Client instrumentation: onRouterTransitionStart: #​77791
• Turbopack: log telemetry events when TurbopackInternalErrors occur: #​77660
• Rename alternate bundler package name: #​77793
• Turbopack: fix sideEffects matching for non-relative globs: #​77693
• Revert "Upgrade @​playwright/test and cleanup internal APIs": #​77814
• [next-ts-plugin] fix: language service crashes / metadata plugin not working: #​77213
• [dev-overlay] always display bundler name on version info: #​77739
• [dev-overlay] sync horizontal scrollbar style: #​77769
• [dev-overlay] Read issueCount from non-async errors array: #​77821
• [dev-overlay] Fix error dialog resizing logic: #​77830
• Turbopack Build: Optimize instrumentation hook generation: #​77832
• [next-server] skip setting vary header for basic routes: #​77797
• Lazily call refreshTags and getExpiration: #​77779
• Add debug logging to default cache handler and "use cache" wrapper: #​77827
• [ts-next-plugin] fix: properly exit when failed to initialize: #​77842
• Alternate bundler: correctly inject react refresh loader: #​77713
• [dynamicIO] Fix dev warmup: #​77829
• fix: don't reset the prefetch segment data routes on loop: #​77845
• Ensure searchParams access in "use cache" triggers error when caught: #​77838
• Revert "[dev-overlay] Fix error dialog resizing logic": #​77849
• fix: add cache tags to segment prefetch responses: #​77846
• Avoid microtaskiness when lazily fetching from cache handlers: #​77843
• [Experiment] : #​77866
• [dev-overlay] disable font ligatures: #​77865
• Enable process.env.TURBOPACK when process.env.IS_TURBOPACK_TEST is set: #​77894
• [ts-next-plugin] fix: use getSourceFile instead of fileExists to check file existence: #​77863
• fix: only set request phase to "action" when actually running an action: #​76993
• Alternate bundler: fix react refresh and adjust sourcemap: #​77875
• Upgrade React from 040f8286-20250402 to 33661467-20250407: #​77899
• refactor: rename isAction to isPossibleServerAction: #​77011
• [logging] improve logging of port retry: #​77868
• Remove canary-gate and add experimental warning for alternate bundler: #​77806
• fix(next/image): bump [email protected]: #​77839
• Turbopack builds: Remove canary-gate and add experimental warning: #​77808
• feat: Disable char frequency analysis for mangler: #​77887
• Set Turbopack env var for internal modules: #​77902
• Don't externalize various new next/* entrypoints: #​77844
• Revert "Fix: RESTORE_ACTION should not be thenable": #​77909
• Fix resolve alternate bundler in monorepo: #​77913
• Output server.mjs for standalone with type: module: #​77944

Example Changes

• with-polyfills example: only link to specific browsers: #​77211
• Add example for alternate bundler: #​77057
• chore(examples): remove examples that can be v0'd: #​77349
• Alternate bundler example: use canary version: #​77754
• Fix Wasm example: #​77924

Misc Changes

• [test] consolidate hmr test for react 18.3: #​76975
• docs: update API example: #​76987
• docs: add Pinterest Rich Pins metadata example: #​77025
• fix(CI): Correctly call test/update-bundler-manifest.js script: #​77000
• Update bundler development test manifest: #​77040
• Update bundler production test manifest: #​77043
• Update Turbopack development test manifest: #​77041
• chore(github): remove /examples from contribution guidelines, remove examples issue template: #​77050
• Turbopack: when reading a non yet existing cell from a in progress tasks, wait for the computation to finish: #​77029
• Turbopack: wait before reading cells when the task is scheduled: #​77031
• Turbopack: don't call individual() again: #​77048
• Turbopack: create module graph strongly consistent: #​77051
• Turbopack: Vc stability of ModuleGraph: #​77052
• Turbopack: fix corrected time calcuation for trace server: #​77080
• Turbopack: fewer manifests for static metadata: #​77087
• Update Turbopack development test manifest: #​77071
• Update bundler production test manifest: #​77069
• Update bundler development test manifest: #​77068
• Revert "Update rust toolchain to 2025-03-12": #​77103
• perf(turbopack): Merge nodes with same starting point: #​76938
• refactor(actions): Remove turbopack magic comments: #​77063
• Update Turbopack development test manifest: #​77108
• Turbopack: move must_use to actually have an effect: #​77111
• Turbopack: align chunking with graph entries: #​76441
• Turbopack: ChunkGroup in evaluated_chunk_group: #​76593
• Turbopack: charset=utf-8 in data-url source maps: #​77112
• Update bundler production test manifest: #​77107
• Update bundler development test manifest: #​77106
• Update Turbopack production test manifest: #​77109
• docs(scripts): update Script -> beforeInteractive docs: #​77136
• Add doc for instrumentation client hook: #​77134
• docs(scripts): missing 'soon': #​77137
• doc: diff between instrumentation vs instrumentation-client: #​77143
• Alternate bundler: add index.d.ts types to plugin: #​77144
• Alternate bundler: Add react-refresh as a dependency of plugin: #​77142
• build: Update swc_core to v16.6.0: #​77155
• Allow building node-pty in tests: #​77187
• Don't mark ppr-errors Turbopack dev tests as failed: #​76951
• Bump lightningcss: #​77132
• Update Turbopack production test manifest: #​77183
• Turbopack: fix graph layout segment optimization: #​77094
• Turbopack: split up server actions modules for better treeshaking: #​76877
• Turbopack: conditional parse in apply_module_type: #​77191
• build: Update swc_core to v16.6.2: #​77194
• Turbopack: more tracing: #​75351
• Update bundler development test manifest: #​77180
• Better failure tracking for middleware-custom-matchers-i18n: #​76974
• Update bundler production test manifest: #​77179
• fix(test/e2e/prerender): Remove race condition in test: #​77222
• Update Turbopack production test manifest: #​77228
• Update Turbopack development test manifest: #​77227
• [Turbopack] basic production chunking for CSS: #​75049
• docs: optimizing local dev: #​77140
• Update bundler production test manifest: #​77225
• devlow-bench: wait for complete ready for server startup event: #​77217
• fix(CI): Re-enable retries for bundler integration tests: #​77265
• Turbopack: handle non chunkable modules in module batches: #​77282
• Update Turbopack development test manifest: #​77276
• Update Turbopack production test manifest: #​77275
• Turbopack: avoid single css chunks when there is only a single chunk item: #​77283
• Update bundler development test manifest: #​77272
• Update bundler production test manifest: #​77273
• Turbopack: compute ordered entries in module batches: #​77294
• Update Turbopack production test manifest: #​77316
• Update Turbopack development test manifest: #​77317
• Update bundler production test manifest: #​77314
• fix(turbopack): Call .minify() of lightningcss StyleSheet: #​77313
• fix(CI build_and_deploy): Use a larger fetch-depth for build-native job: #​77307
• chore(turbopack): Fix a few syntactic nits: #​77310
• Update bundler development test manifest: #​77315
• Turbopack: refactor CssEmbed to avoid creating a chunk item: #​77303
• fix: Update swc_core and use rayon instead of chili: #​77338
• Fix chakra link: #​77280
• Update Turbopack production test manifest: #​77366
• Update Turbopack development test manifest: #​77365
• Turbopack: ignore static asset imports for Edge: #​77382
• Update bundler development test manifest: #​77364
• docs: clarify middleware use cases: #​77438
• fix(turbopack-bench): Limit copy_dir concurrency to avoid running out of file descriptors: #​77468
• docs: fix typo: #​77483
• Update swc_core to v16.10.0: #​77489
• fix(turbopack): Use strongly consistent reads for sourcemaps in napi FFI boundary: #​77511
• Update mappings in launch.json to improve debugging in VSCode: #​76559
• chore(ci): Configure codspeed: #​76884
• Update bundler production test manifest: #​77602
• Update bundler development test manifest: #​77603
• Update Turbopack development test manifest: #​77605
• Update Turbopack production test manifest: #​77604
• Turbopack build: Fix symbolic-file-links test: #​77615
• Update pnpm swc-build-native's file path: #​77623
• fix: Use standard PostCSS configuration in create-next-app format for ecosystem compatibility: #​77376
• Turbopack build: Fix basepath test: #​77630
• Turbopack: disable pages dir css test cases: #​77380
• Update bundler development test manifest: #​77627
• Update Turbopack development test manifest: #​77628
• Update bundler production test manifest: #​77626
• refactor(turbo-tasks): Make TraceRawVcs a supertrait of TaskInput: #​77397
• refactor(turbo-tasks): Make TraceRawVcs a supertrait of MagicAny: #​77596
• fix(turbopack): Recognize urls starting with // as external: #​77526
• Update CI build caching docs to include bun and other package manager: #​77633
• fix(turbopack): Fix panic while tree shaking optimization: #​77492
• fix(turbopack): Prevent duplicate in tree shaking: #​77491
• Turbopack: Skip ssr processing when next/dynamic ssr: false: #​77636
• Turbopack Build: CSR bailout test skip check for file path: #​77639
• Turbopack: fix side effects optimization bug: #​77640
• Turbopack: add tracing for fetch calls: #​77673
• [test] Update stale snapshots: #​77680
• Turbopack: fix bug in handling of module batches: #​77638
• pack-next: use default --js-build as option instead of --no-js-build: #​77686
• Turbopack: Allow overriding tsconfig path via next-config: #​77563
• Scripts: migrate unpack-next to TypeScript: #​77538
• chore(turbopack): Make TaskInputs use ResolvedVc: #​77700
• Getting Started Docs: Add Metadata and OG images page: #​74077
• Getting Started Docs: Add Upgrade page: #​77717
• Docs IA 2.0: Rename Examples to Guides: #​77722
• build: Update swc_core to v19.0.0: #​77669
• Add Josh to Turbopack team for created-by label: #​77738
• Turbopack: use better ident for worker chunk group: #​77731
• chore(turbo-tasks): Remove redundant ast-grep lint rule: #​77701
• fix(docs): update error type in notFound function description: #​77503
• Update bundler development test manifest: #​77706
• Update Turbopack production test manifest: #​77709
• Turbopack: refactor resolve_url_reference to avoid chunk_path: #​77732
• Update Turbopack development test manifest: #​77708
• Port "app-document" test to e2e: #​77748
• [ci]: skip build-windows job for docs only change: #​77743
• Update bundler production test manifest: #​77707
• chore(turbo-tasks): Audit all remaining uses of Vc in a struct: #​77756
• docs: instrumentation-client follow up: #​77752
• [test] Get rid of unrelated "Invalid hook call" error from tests using styled-components: #​77736
• Turbopack: keep side-effect-full imports: #​76545
• Docs: Recommend inline use server and update examples: #​77770
• Revert "Docs: Recommend inline use server and update examples": #​77771
• doc: useLinkStatus: #​77648
• Update Turbopack production test manifest: #​77767
• Update bundler development test manifest: #​77765
• [docs] fix lint issue in use link status doc: #​77785
• doc: onNavigate: #​77647
• Update bundler production test manifest: #​77764
• doc: useLinkStatus doc follow-up: #​77790
• Update Turbopack development test manifest: #​77766
• [ci] remove needs build-native for lint job: #​77787
• test(examples): update turbopack manifest: #​75092
• [test] fix bad test fixuture for perf test: #​77804
• [test] fix react 19.1 related tests: #​77809
• doc: onNavigate follow-up: #​77805
• fix(turbopack): Apply hygiene if mangling is disabled: #​77815
• Turbopack: omit empty source map when code starts with a new line: #​77734
• [next-lint] test: remove eslint config snapshot testing: #​77818
• Turbopack: avoid deriving css source map path from generated code path: #​77735
• Turbopack: pass asset to chunk_path to allow to use content hash later: #​77772
• Docs IA 2.0: Add Deep Dive section placeholder: #​77724
• Turbopack: use document.currentScript instead of chunk path literal: #​77773
• Turbopack: don't include client-fs assets in NFT: #​77799
• Turbopack: enable content hashing in production: #​77775
• Turbopack: correctly track await import("path") in static analysis: #​77811
• fix(turbopack-cli): Make turbopack_cli::dev::source a persistent (non-transient) task: #​77798
• [test] temporarily disable flaky test for react 18: #​77848
• Update Turbopack production test manifest: #​77872
• Rename process.env.TURBOPACK to process.env.IS_TURBOPACK_TEST for tests: #​77892
• [test] consolidate missing tag dev test: #​77896
• fix(Turbopack): Intermittent CapacityExceeded Error in Persistent Caching: #​77691
• fix: flaky test detection needs to use new turbopack flag: #​77908
• fix: apply Geist fonts correctly on default cna template: #​77237
• Update bundler development test manifest: #​77884
• Update bundler production test manifest: #​77885
• Update Turbopack development test manifest: #​77886
• Update bundler production test manifest: #​77914
• Update bundler development test manifest: #​77915
• fix(turbopack): Apply import_map option of swc_emotion correctly: #​71776
• Turbopack: handle removed routes: #​77890
• build: Update swc_core to v21.0.1: #​77918
• IA 2.0: Review Getting Started Section: #​77921
• test: attempt to de-flake rsc-basic: #​77934
• docs: revert image 15.3 change until live: #​77941
• Turbopack: remove CSS comments when minifying: #​77940

Credits

Huge thanks to @​raunofreiberg, @​huozhi, @​ijjk, @​timneutkens, @​gaojude, @​leerob, @​mezotv, @​bgw, @​samcx, @​ztanner, @​sokra, @​mischnic, @​wbinnssmith, @​kdy1, @​unstubbable, @​ahabhgk, @​ScriptedAlchemy, @​SukkaW, @​wyattjoh, @​eps1lon, @​Amirroid, @​Netail, @​lubieowoce, @​gnoff, @​jackwilson323, @​acdlite, @​sbougerel, @​kevva, @​kasperpeulen, @​Cy-Tek, @​dvoytenko, @​husseinraoouf, @​isBatak, @​iamkd, @​delbaoliveira, @​jantimon, @​padmaia, @​Bernardoow, @​styfle, @​devjiwonchoi, @​JamBalaya56562, and @​Marukome0743 for helping!

v15.2.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Update swc_core and use rayon instead of chili (#​77338)
• Update swc_core to v16.6.2 (#​77194)
• Update swc_core to v16.6.0 (#​77155)
• [og] fix vercel og build issue on windows (#​77650)
• clean up useReducer code re dev indicator (#​77354)
• [dev-overlay] ensure stripping overlay bundle in prod build (#​76976)

Credits

Huge thanks to @​huozhi, @​gaojude and @​kdy1 for helping!

v15.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pe

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: genkit/postcard-generator/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: [email protected]
npm error Found: @genkit-ai/[email protected]
npm error node_modules/@genkit-ai/google-cloud
npm error   @genkit-ai/google-cloud@"^1.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error @genkit-ai/google-cloud@"^1.0.0" from the root project
npm error
npm error Conflicting peer dependency: [email protected]
npm error node_modules/genkit
npm error   peer genkit@"^1.18.0" from @genkit-ai/[email protected]
npm error   node_modules/@genkit-ai/google-cloud
npm error     @genkit-ai/google-cloud@"^1.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-09-02T14_48_45_302Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-09-02T14_48_45_302Z-debug-0.log

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a crucial update of the Next.js framework to its latest stable version within the v15 series. The primary purpose of this update is to incorporate important security patches and ensure the application benefits from the most recent bug fixes and performance improvements provided by the Next.js team.

Highlights

• Dependency Update: Updated the next dependency from version 15.2.2 to 15.4.7.
• Security Fixes: This update includes critical security fixes for Next.js, addressing vulnerabilities related to Image Optimization (CVE-2025-55173, CVE-2025-57752) and Middleware (CVE-2025-57822).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the next dependency to v15.4.7. While the diff shows an update from v15.2.2, other information in the PR suggests this might be a major upgrade from v14. In either case, this is a valuable update as it addresses several security vulnerabilities. If this is a major version upgrade, thorough testing is highly recommended to catch any potential breaking changes. My review includes a suggestion to also update the eslint-config-next package to maintain version consistency with next, which is important for ensuring the linter works correctly.

[gemini-code-assist]

It's great to see next being updated. To ensure compatibility and prevent potential linting issues, it's best practice to keep the eslint-config-next package version in sync with the next package version. Please consider updating eslint-config-next to 15.4.7 in your devDependencies as part of this change.