fix(deps): update dependency next to v15.4.9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	15.4.8 → 15.4.9

GitHub Vulnerability Alerts

GHSA-w37m-7fhw-fmv9

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

GHSA-mwv6-3258-q52c

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

---

Release Notes

vercel/next.js (next)

v15.4.9

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
liam-app	Ready	Preview, Comment	Jan 4, 2026 8:21pm
liam-assets	Ready	Preview, Comment	Jan 4, 2026 8:21pm
liam-docs	Ready	Preview, Comment	Jan 4, 2026 8:21pm
liam-erd-sample	Ready	Preview	Jan 4, 2026 8:21pm
liam-storybook	Ready	Preview, Comment	Jan 4, 2026 8:21pm

[giselles-ai]

Finished running flow.

Step 1
🟢	On Pull Request Opened Status: Success Updated: Dec 21, 2025 12:10am
Step 2
🟢	gpt-5 Status: Success Updated: Dec 21, 2025 12:11am
Step 3
🟢	Create Pull Request Comment Status: Success Updated: Dec 21, 2025 12:11am

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

The following issues were found:

• ❌ 3 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

frontend/apps/app/package.json

Name	Version	Vulnerability	Severity
next	15.4.9	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up	high

frontend/apps/docs/package.json

Name	Version	Vulnerability	Severity
next	15.4.9	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up	high
next	15.4.9	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up	high

pnpm-lock.yaml

Name	Version	Vulnerability	Severity
next	15.4.9	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up	high
next	15.4.9	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up	high
next	15.4.9	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up	high

OpenSSF Scorecard

Package	Version	Score	Details
npm/next	15.4.9	🟢 5.1	Details Check Score Reason Code-Review 🟢 6 Found 20/30 approved changesets -- score normalized to 6 Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging 🟢 10 packaging workflow detected Binary-Artifacts ⚠️ 0 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 237 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
npm/next	15.4.9	🟢 5.1	Details Check Score Reason Code-Review 🟢 6 Found 20/30 approved changesets -- score normalized to 6 Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging 🟢 10 packaging workflow detected Binary-Artifacts ⚠️ 0 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 237 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
npm/next	15.4.9	🟢 5.1	Details Check Score Reason Code-Review 🟢 6 Found 20/30 approved changesets -- score normalized to 6 Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging 🟢 10 packaging workflow detected Binary-Artifacts ⚠️ 0 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 237 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed
npm/@next/env	15.4.9	🟢 5.1	Details Check Score Reason Code-Review 🟢 6 Found 20/30 approved changesets -- score normalized to 6 Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging 🟢 10 packaging workflow detected Binary-Artifacts ⚠️ 0 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 237 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed

Scanned Files

• frontend/apps/app/package.json
• frontend/apps/docs/package.json
• pnpm-lock.yaml

[giselles-ai]

Check changeset necessity

Status: NOT REQUIRED

Reason:

• The PR only updates Next.js from 15.4.8 to 15.4.9 in application packages: frontend/apps/app and frontend/apps/docs.
• These correspond to ignored packages (@liam-hq/app, @liam-hq/docs) per the guide; ignored packages do not require changesets.
• No changes were made to target packages that require versioning: @liam-hq/cli, @liam-hq/erd-core, @liam-hq/schema, or @liam-hq/ui.
• Changes are dependency bumps and lockfile updates for apps, with no user-facing API changes for the published packages.

Changeset (copy & paste):

N/A – changeset not required for this PR.