renovate[bot]

@renovate renovate bot commented Mar 21, 2025

This PR contains the following updates:

Package Change
next (source) 15.1.3 -> 15.2.3

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js versions 11.1.4 thru 13.5.6, consult the below workaround.

Workaround

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v15.2.3

Compare Source

v15.2.2

Compare Source

Core Changes
  • [dev-overlay] fix styling on overflow error messages, add button hover state: #​76771
  • Fix: respond 405 status code on OPTIONS request to SSG page: #​76767
  • [dev-overlay] Always show relative paths: #​76742
  • [metadata] remove the duplicate metadata in the error boundary: #​76791
  • Upgrade React from d55cc79b-20250228 to 443b7ff2-20250303: #​76804
  • [dev-overlay] Ignore animations on page load: #​76834
  • fix: remove useless set-cookie in action-handler: #​76839
  • Turbopack: handle task cancelation: #​76831
  • Upgrade React from 443b7ff2-20250303 to e03ac20f-20250305: #​76842
  • add types for __next_app__ module loading functions: #​74566
  • fix duplicated noindex when server action is triggered: #​76847
  • fix: don't drop queued actions when navigating: #​75362
  • [dev-overlay]: remove dependency on platform for focus trapping: #​76849
  • Turbopack: Add turbopack_load_by_url: #​76814
  • Add handling of origin in dev mode: #​76880
  • [dev-overlay] Stop grouping callstack frames into ignored vs. not ignored: #​76861
  • Upgrade React from e03ac20f-20250305 to 029e8bd6-20250306: #​76870
  • [dev-overlay] Increase padding if no x button present: #​76898
  • fix: prevent incorrect searchParams being applied on certain navs: #​76914
  • [dev-overlay] Dim ignore-listed callstack frames when shown: #​76862
Example Changes
  • chore(cna): update tailwind styles to be closer to non-tw cna: #​76647
Misc Changes
  • Fix canary only warning for devlow-bench: #​76772
  • [test] Add special placeholder if stackframes point into dist dir: #​76741
  • [test] Use new Redbox matchers in pages/ service-side-dev-errors: #​76779
  • [test] Use new Redbox matchers in app/ dynamic-error-trace: #​76783
  • [test] Use new Redbox matchers in app/ owner-stack-invalid-element-type: #​76786
  • [test] Use new Redbox matchers in app/ hook-functuon-names: #​76785
  • [test] Use new Redbox matchers in app/ undefined-default-export: #​76781
  • [test] Use new Redbox matchers in server-navigation-error: #​76787
  • [test] Fix flaky error-recovery test: #​76789
  • [test] Use new Redbox matchers in pages/ gssp-ssr-change-reloading: #​76788
  • [docs] update Tailwind CSS installation and configuration instructions: #​76259
  • docs: Tailwind v4: #​76801
  • chore(docs): update minimumCacheTTL example to 31 days: #​76796
  • Turbopack: improve sectioned source maps: #​76627
  • [test] Use new Redbox matchers in pages/ middleware-errors: #​76797
  • doc: use redirect in client components: #​76332
  • [docs] document experimental viewTransition flag: #​76832
  • docs(errors): remove confusing good-to-know since global-errors.tsx also show in dev as of 15.2: #​76825
  • Turbopack: don't use HashMap in manifests: #​76833
  • Update labeler.json: #​76828
  • Fix missing turbo command for rust-check: #​76851
  • fix(turbopack): Use correct SyntaxContext for __turbopack_esm__: #​73544
  • Cleanup pure span handling: #​76846
  • Turbopack: remove unused IncludeModulesModule: #​76868
  • Update test snapshots for alternative bundler [5/n]: #​76617
  • Update test snapshots for alternative bundler [6/n]: #​76768
  • [test] Use next.browser instead of webdriver in pages/ client-navigation: #​76867
  • fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files: #​76773
  • Revert "fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files": #​76879
  • build: Update swc_core to v16.4.0: #​76596
  • docs: update Turbopack docs: #​76799
  • build: Update lightningcss to v1.0.0-alpha.64: #​76856
  • build: Fix warning: #​76890
  • Turbopack: fix __dirname: #​76902
  • Turbopack: deterministic server action order: #​76905
  • docs: reword the docs of veiw transition flag: #​76841
  • fix(turbopack): Use vergen-gitcl instead of shadow-rs (or vergen-git2) for napi and next-api crates to fix stale git lock files: #​76889
  • Turbopack: ensure default layout is provided in default not-found entrypoint: #​76912
  • chore(github): add moar labels: #​76922
  • [test] Use new Redbox matchers in pages/ client-navigation/rendering: #​76798
  • docs: fix create-next-app cli title: #​76908
Credits

Huge thanks to @​pranathip, @​gaojude, @​ijjk, @​eps1lon, @​Nayeem-XTREME, @​leerob, @​styfle, @​samcx, @​sokra, @​huozhi, @​raunofreiberg, @​mischnic, @​lubieowoce, @​unstubbable, @​ztanner, @​kdy1, @​timneutkens, @​wbinnssmith, @​bgw, and @​oscr for helping!

v15.2.1

Compare Source

Core Changes
  • Unify Link and Form prefetching: #​76184
  • Turbopack: Ensure server actions sourcemaps tests pass: #​76157
  • [dev-overlay] control dark theme in one place: #​76528
  • [dev-overlay] change css var for terminal: #​76590
  • [dev-overlay] Discriminate stack frame settled typed: #​76517
  • Remove obsolete sourcePackage references: #​76550
  • refactor: remove unused variable in externals handling: #​76599
  • fix: Add popular embedding libraries to serverExternalPackages: #​76574
  • [Segment Cache] Implement hash-only navigations: #​76179
  • Webpack: abstract away getting compilation spans: #​76579
  • report compiler duration for webpack and improve numbers: #​76665
  • [dev-overlay] fix dark theme missing close bracket: #​76672
  • Remove revalidate property from incremental cache ctx for FETCH kind: #​76500
  • [dev-overlay] fix: env name label style was out of sync with error type label: #​76668
  • Turbopack: avoid celling source maps before minify: #​76626
  • refactor(CI): Merge all four bundler test manifest scripts into one: #​76652
  • [metadata] fix duplicate metadata for parallel routes: #​76669
  • [Segment Cache] Omit from bundle if flag disabled: #​76622
  • [Segment Cache] Support output: "export" mode: #​75671
  • [Segment Cache] Refresh on same-page navigation: #​76223
  • [metadata] re-enable streaming metadata with PPR: #​76119
  • [Segment Cache] Search param fallback handling: #​75990
  • [Segment Cache] Fix: canonicalURL omits origin: #​76444
  • fix metadata basePath for manifest: #​76681
  • Propagate expire time to cache-control header and prerender manifest: #​76207
  • Show revalidate/expire columns in build output: #​76343
  • Gate alternate bundler behind canary only: #​76634
  • [dynamicIO] routes with dynamic segments should be able to be static in dev: #​76691
  • [repo] upgrade ts 5.8.2: #​76709
  • [metadata]: ensure metadata boundary is only rendered once on client nav: #​76692
  • [metadata] clean up redudant options: #​76712
  • Fix uniqueness detection for generateStaticParams: #​76713
  • Upgrade React from 22e39ea7-20250225 to d55cc79b-20250228: #​76680
  • [Turbopack] Compute module batches and use them for chunking: #​76133
  • [Dev Tools] Improve keyboard interactions for menu & overlays: #​76754
  • Keep server code out of browser chunks: #​76660
  • Turbopack: inline minify into code generation and make it a plain function instead of a turbo tasks function: #​76628
  • fix edge runtime asset fetch in pages api: #​76750
  • Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler: #​76682
Example Changes
  • docs: fix reading params code blocks: #​76705
Misc Changes
  • fix(rustdoc): Fix rustdoc warnings, block on rustdoc failures in CI: #​76448
  • Update more global turbo CLI usage: #​76576
  • docs: Node.js runtime support for Middleware: #​76556
  • build: Update swc_core to v16.0.0: #​76414
  • Turbopack: prevent panic in swc issue emitter: #​76595
  • Unflake parallel-routes-revalidation test: #​76600
  • Fix octokit.rest.issues.addLabels call: #​76601
  • [test] Use new Redbox matchers in app/ error-recovery: #​76552
  • [test] Use new Redbox matchers in pages/ ReactRefreshLogBox-app-doc: #​76551
  • Run nightly bundler integration tests also with React 18: #​76606
  • 15.2: Add version history for devIndicators and note on deprecated options: #​76611
  • 15.2 docs: document missing htmlLimitedBots option: #​76616
  • Update bundler production test manifest: #​76584
  • Update bundler development test manifest: #​76585
  • Fix test after CI switched to pnpm 10: #​76615
  • chore(cna): fix theme extend for tailwind v4: #​76583
  • [test] Use new Redbox matchers in app/ ReactRefreshLogBoxMisc: #​76563
  • Don’t use native built-ins for additional bundler: #​76577
  • Revert "Run nightly bundler integration tests also with React 18": #​76640
  • Update bundler production test manifest: #​76643
  • Update bundler development test manifest: #​76644
  • Turbopack: dedupe middleware-manifest entries: #​76621
  • Turbopack: Improve edge tests: #​76607
  • Turbopack: add test test for css order: #​76675
  • Turbopack: fix order of chunk items in cycles: #​76676
  • [ci] Fix test-turbopack-integration not having any shards : #​76355
  • Update Turbopack development test manifest: #​76658
  • Update Turbopack production test manifest: #​76659
  • fix(CI): Upload to areweturboyet immediately after a manifest is updated, not only on a fixed cron schedule: #​76688
  • Update test snapshots for alternative bundler [4/n]: #​76578
  • fix(turbopack): Fix analysis of private properties: #​76654
  • Turbopack: Simplify emitDecoratorMetadata test: #​76678
  • [test] Use new Redbox matchers in pages/ ReactRefreshRegression: #​76743
  • [test] Remove describeVariants helper: #​76631
  • [test] Fix flaky error-recovery test: #​76753
  • [test] Use new Redbox matchers in app/ dynamic-error: #​76744
  • [test] Use new Redbox matchers in app/ rsc-runtime-errors: #​76745
  • Turbopack: avoid panic in module batches: #​76757
  • Revert "test: temporarily disable after deploy test": #​74990
  • toDisplayRedbox(): replace all occurrences of testDir: #​76618
  • Fix: missing close brace in demo code: #​76549
  • Disable flaky Turbopack tests: #​76760
  • feat(CI): Revalidate vercel data cache on areweturboyet after uploading data to KV store: #​76693
  • chore(github): move top prs and feature requests to different Slack channel: #​76764
  • Fix flaky Bun test: #​76763
Credits

Huge thanks to @​acdlite, @​bgw, @​ijjk, @​molebox, @​kdy1, @​timneutkens, @​devjiwonchoi, @​mischnic, @​unstubbable, @​eps1lon, @​huozhi, @​philipithomas, @​delbaoliveira, @​samcx, @​wbinnssmith, @​sokra, @​gnoff, @​leerob, @​ztanner, @​raunofreiberg, @​lubieowoce, and @​LihaoWang for helping!

v15.2.0

Compare Source

v15.1.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: work around setTimeout memory leak, improve wrappers (#​75727)
  • add additional x-middleware-set-cookie filtering (#​75869)
  • fix: ensure lint worker errors aren't silenced (#​75766)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: don't memory-leak promises passed to waitUntil (#​75041)
  • backport: fix prerender issue with intercepting routes + generateStaticParams (#​75170)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing revalidate with notFound() (#​75009)
  • fix: when metadatabase is set we should not warn (#​74840)
  • Fix @​vercel/og license SPDX expression (#​74745)
  • fix: ts language server rule metadata should allow null (#​74704)
  • fix: eslint rule of using img in metadata routes (#​74864)
  • Fix presentation when onerror receives an event without error (#​74643)
  • fix fetch lock not being consistently released #​74623 (#​75028)
Credits

Huge thanks to @​ijjk, @​huozhi, @​matmannion and @​ztanner for helping!

v15.1.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • backport: force module format for virtual client-proxy (#​74608)
  • Fix prerender tags when notFound is called (#​74607)
  • Use provided waitUntil for pending revalidates (#​74604)
  • Feature: next/image: add support for images.qualities in next.config (#​74588)
  • Chore: docs: add missing search: '' on remotePatterns (#​74587)
  • Chore: docs: update version history of next/image (#​73923) (#​74570)
  • Chore: next/image: improve imgopt api bypass detection for unsupported images (#​74569)
Credits

Huge thanks to @​ and @​ for helping!


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
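
The workaround quoted in the advisory above (keeping external requests that carry the x-middleware-subrequest header away from the application), sketched as an added example that is not part of this PR, of Renovate's output or of Next.js. It assumes the guard wraps a Node `(req, res)` listener at the hop that receives external traffic; `guardSubrequestHeader`, `hasBlockedHeader` and `stripBlockedHeader` are hypothetical names.

```javascript
// Added example (not from the PR or Next.js). All function names are hypothetical.
const BLOCKED_HEADER = 'x-middleware-subrequest';

const isBlocked = (name) => String(name).toLowerCase() === BLOCKED_HEADER;

// True if the request carries the header in its parsed or raw header view.
function hasBlockedHeader(req) {
  const raw = req.rawHeaders || [];
  const rawNames = raw.filter((_, i) => i % 2 === 0); // rawHeaders alternates name, value
  return Object.keys(req.headers || {}).some(isBlocked) || rawNames.some(isBlocked);
}

// Remove the header from both views so nothing downstream can read it.
function stripBlockedHeader(req) {
  for (const name of Object.keys(req.headers || {})) {
    if (isBlocked(name)) delete req.headers[name];
  }
  const raw = req.rawHeaders || [];
  const kept = [];
  for (let i = 0; i < raw.length; i += 2) {
    if (!isBlocked(raw[i])) kept.push(raw[i], raw[i + 1]);
  }
  req.rawHeaders = kept;
  return req;
}

// Wrap a Node (req, res) listener. 'reject' answers 400 without calling the
// application; 'strip' forwards the request with the header removed.
function guardSubrequestHeader(handler, { mode = 'reject', onBlocked = () => {} } = {}) {
  return function guarded(req, res) {
    if (!hasBlockedHeader(req)) return handler(req, res);
    // Record the attempt for detection before deciding what to do with it.
    onBlocked({ url: req.url, remote: req.socket ? req.socket.remoteAddress : undefined });
    if (mode === 'strip') return handler(stripBlockedHeader(req), res);
    res.statusCode = 400;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Bad Request');
    return undefined;
  };
}
```

The `onBlocked` callback is the place to emit a log line or metric, since a request arriving from outside with this header is worth alerting on even after the upgrade to a fixed version.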

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 21, 2025

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package Version Info
@graphql-eslint/eslint-plugin 4.4.0-alpha-20250321181033-0ceb13a30db28c549013a6d331639d4d15ecd292 npm ↗︎ unpkg ↗︎


💻 Website Preview

The latest changes are available as preview in: https://pr-2899.graphql-eslint.pages.dev

@dotansimha dotansimha merged commit b154af9 into master Mar 22, 2025
6 checks passed
@renovate renovate bot deleted the renovate/npm-next-vulnerability branch March 22, 2025 08:45