[Snyk] Security upgrade next from 15.4.10 to 16.1.5#48
[Snyk] Security upgrade next from 15.4.10 to 16.1.5#48Krosebrook wants to merge 2 commits intomainfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NEXT-15104645 - https://snyk.io/vuln/SNYK-JS-NEXT-15105315
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the
✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello @Krosebrook, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request automates a critical security update for the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://waps.l3s.uni-hannover.de/live/im_/https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request from Snyk upgrades the next dependency to version ^16.1.5 to fix security vulnerabilities. While the upgrade is important, the PR is incomplete as it stands. The pnpm-lock.yaml file has not been updated, which means the dependency version won't actually be upgraded upon installation. Additionally, a related devDependency in another package within the workspace has not been updated, which could lead to testing inconsistencies. I've left a comment with details on the necessary changes to complete this upgrade.
| "@genkit-ai/next": "workspace:*", | ||
| "genkit": "workspace:*", | ||
| "next": "^15.4.10", | ||
| "next": "^16.1.5", |
There was a problem hiding this comment.
This dependency upgrade is a breaking change and has wider implications in the monorepo that need to be addressed before merging:
- Missing Lockfile Update: As warned in the PR description,
pnpm-lock.yamlhas not been updated. You must runpnpm installand commit the updated lockfile to make this change effective. - Inconsistent Dependency: The
js/plugins/next/package.jsonfile has adevDependencyonnextwhich is still at^15.4.10. This should also be updated to^16.1.5to ensure tests for the plugin run against the same major version of Next.js that this test app is using.
Without these changes, this PR is incomplete and may cause issues.
![chatgpt-codex-connector[bot]](https://waps.l3s.uni-hannover.de/live/im_/https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 96fabdadd2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "@genkit-ai/next": "workspace:*", | ||
| "genkit": "workspace:*", | ||
| "next": "^15.4.10", | ||
| "next": "^16.1.5", |
There was a problem hiding this comment.
This change bumps next to ^16.1.5, but the lockfile in the same workspace still pins next@15.2.4 (see js/testapps/next/pnpm-lock.yaml around lines 317/679). Any install that honors the lockfile (e.g., frozen/reproducible installs for this testapp) will either fail or keep using 15.2.4, so the security upgrade won’t actually take effect unless the lockfile(s) are regenerated.
Useful? React with 👍 / 👎.
![cubic-dev-ai[bot]](https://waps.l3s.uni-hannover.de/live/im_/https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
2 issues found across 1 file
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="js/testapps/next/package.json">
<violation number="1" location="js/testapps/next/package.json:22">
P2: This major version upgrade creates an inconsistency with `js/plugins/next/package.json`, which has a devDependency on `next` at `^15.4.10`. Consider updating both to the same major version to ensure the plugin tests run against the same Next.js version used by this test app.</violation>
<violation number="2" location="js/testapps/next/package.json:22">
P2: The lockfile (`pnpm-lock.yaml`) must be updated to reflect this dependency change. Run `pnpm install` and commit the updated lockfile before merging, otherwise the dependency version change will not take effect properly.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| "@genkit-ai/next": "workspace:*", | ||
| "genkit": "workspace:*", | ||
| "next": "^15.4.10", | ||
| "next": "^16.1.5", |
There was a problem hiding this comment.
P2: This major version upgrade creates an inconsistency with js/plugins/next/package.json, which has a devDependency on next at ^15.4.10. Consider updating both to the same major version to ensure the plugin tests run against the same Next.js version used by this test app.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At js/testapps/next/package.json, line 22:
<comment>This major version upgrade creates an inconsistency with `js/plugins/next/package.json`, which has a devDependency on `next` at `^15.4.10`. Consider updating both to the same major version to ensure the plugin tests run against the same Next.js version used by this test app.</comment>
<file context>
@@ -19,7 +19,7 @@
"@genkit-ai/next": "workspace:*",
"genkit": "workspace:*",
- "next": "^15.4.10",
+ "next": "^16.1.5",
"zod": "^3.24.1"
},
</file context>
| "@genkit-ai/next": "workspace:*", | ||
| "genkit": "workspace:*", | ||
| "next": "^15.4.10", | ||
| "next": "^16.1.5", |
There was a problem hiding this comment.
P2: The lockfile (pnpm-lock.yaml) must be updated to reflect this dependency change. Run pnpm install and commit the updated lockfile before merging, otherwise the dependency version change will not take effect properly.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At js/testapps/next/package.json, line 22:
<comment>The lockfile (`pnpm-lock.yaml`) must be updated to reflect this dependency change. Run `pnpm install` and commit the updated lockfile before merging, otherwise the dependency version change will not take effect properly.</comment>
<file context>
@@ -19,7 +19,7 @@
"@genkit-ai/next": "workspace:*",
"genkit": "workspace:*",
- "next": "^15.4.10",
+ "next": "^16.1.5",
"zod": "^3.24.1"
},
</file context>
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NEXT-15104645 - https://snyk.io/vuln/SNYK-JS-NEXT-15105315
2 participants
Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
js/testapps/next/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-NEXT-15104645
SNYK-JS-NEXT-15105315
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling
Note
Medium Risk
Major Next.js version bump in the
js/testapps/nextsample app; while scoped to a test app, it can introduce breaking changes in build/runtime behavior and may require a lockfile update.Overview
Updates the
js/testapps/nextsample app dependency onnextfrom^15.4.10to^16.1.5(Snyk-driven security upgrade to address reported vulnerabilities).No other code changes are included; reviewers should ensure the pnpm lockfile is regenerated and the sample app still builds/runs under Next 16.
Written by Cursor Bugbot for commit 586d986. This will update automatically on new commits. Configure here.
Summary by cubic
Upgrade Next.js in js/testapps/next from 15.4.10 to 16.1.5 to fix two high-severity vulnerabilities and keep the test app on current security patches.
Dependencies
Migration
Written for commit 586d986. Summary will update on new commits.