
[Snyk] Upgrade next from 13.1.6 to 15.3.0 #832

Status: Open. Wants to merge 1 commit into base: master.

Conversation

nerdy-tech-com-gitub (Owner) commented May 6, 2025


Snyk has created this PR to upgrade next from 13.1.6 to 15.3.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 1319 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Severity  Issue                                                  Snyk ID                     Score  Exploit Maturity
critical  Improper Authorization                                 SNYK-JS-NEXT-9508709        705    Mature
high      Excessive Platform Resource Consumption within a Loop  SNYK-JS-BRACES-6838727      705    Proof of Concept
high      Regular Expression Denial of Service (ReDoS)           SNYK-JS-CROSSSPAWN-8303230  705    Proof of Concept
high      Regular Expression Denial of Service (ReDoS)           SNYK-JS-ES5EXT-6095076      705    Proof of Concept
high      Inefficient Regular Expression Complexity              SNYK-JS-MICROMATCH-6838728  705    No Known Exploit
high      Uncontrolled Recursion                                 SNYK-JS-NEXT-8186172        705    No Known Exploit
high      Missing Authorization                                  SNYK-JS-NEXT-8520073        705    No Known Exploit
medium    Improper Input Validation                              SNYK-JS-POSTCSS-5926692     705    No Known Exploit
medium    Improper Input Validation                              SNYK-JS-POSTCSS-5926692     705    No Known Exploit
medium    Improper Input Validation                              SNYK-JS-NANOID-8492085      705    No Known Exploit
medium    Resource Exhaustion                                    SNYK-JS-NEXT-6032387        705    Proof of Concept
medium    Allocation of Resources Without Limits or Throttling   SNYK-JS-NEXT-8602067        705    No Known Exploit
Release notes
Package name: next
  • 15.3.0 - 2025-04-09

    Core Changes

    • [dev-overlay] Customize <select> styling for consistency: #76973
    • Upgrade React from 029e8bd6-20250306 to 0ca3deeb-20250311: #76989
    • [metadata]: add pinterest meta tag: #76988
    • [dev-overlay] ensure stripping overlay bundle in prod build: #76976
    • Apply env inlining during generate build mode: #76990
    • Turbopack: Implement deploymentId: #76904
    • track persistent caching usage: #76996
    • [metadata] re-insert icons to head for streamed metadata: #76915
    • Upgrade React from 0ca3deeb-20250311 to 6aa8254b-20250312: #77033
    • Move static-env imports: #77035
    • [dev-overlay] Add size setting to preferences: #77027
    • Add config for only generating static env: #77038
    • chore(HMR clients): Clean up and share code between app and pages router: #76960
    • Add dev warning for cross-origin and stabilize allowedDevOrigins: #77044
    • unify allowed origin detection handling: #77053
    • Handle hash change in all files for static env: #77058
    • [dev-overlay] highlight errored code line for runtime errors: #77078
    • NFT: Ignore all of Webpack: #77081
    • Add experimental build mode flag for env: #77089
    • (feat) support client-side instrumentation: #76916
    • Fix JSDoc comment for 'seconds' cache life profile: #77084
    • refactor(HMR clients): Encapsulate some of the turbopack state tracking into a shared TurbopackHmr class: #76994
    • Slightly improve error handling for unknown server actions: #77135
    • Fix output standalone for alternative bundler: #76971
    • Add alternate bundler plugin information to next info: #77059
    • [metadata] remove the default segement check for metadata rendering: #77119
    • [dev-overlay] Fix stacking order of highlighted line: #77189
    • Upgrade React from 6aa8254b-20250312 to 5398b711-20250314: #77129
    • fix(styled-jsx): Pass useLightningcss option to styled-jsx correctly: #77008
    • log the instrumentation-client execution time: #77121
    • Turbopack: canary-gate production builds: #77146
    • [dev-overlay] remove special handling for missing tag error: #77147
    • chore(react-dev-overlay): Remove confusingly underscored variables in useErrorOverlayReducer: #77205
    • Update middleware request header: #77201
    • Update default allowed origins list: #77212
    • Ensure deploymentId is used for CSS preloads: #77210
    • chore(HMR clients): Fix a bunch of typescript errors by including the appropriate webpack type declarations: #77207
    • Update cache handler interface: #76687
    • Turbopack: don't include AMP optimizer in NFT: #77242
    • Server actions should not read stale data after calling revalidate*: #76885
    • [dev-overlay] Blur fader for scrollable container: #77196
    • Make revalidate* work when followed by a redirect in a route handler: #77090
    • feat: onNavigate for link: #77209
    • fix: pass telemetry plugin rspack tests: #77257
    • feat(eslint-plugin): add minimal built-in flat presets: #73873
    • [perf] skip loading client manifest for static metadata routes: #77260
    • Upgrade React from 5398b711-20250314 to c69a5fc5-20250318: #77249
    • [ppr] Handle failed resume data cache entries: #77258
    • Bypass "use cache" caches when Draft Mode is enabled: #77141
    • chore(HMR clients): Clean up tryApplyUpdates, reduce differences between app/pages versions: #77219
    • Upgrade React from c69a5fc5-20250318 to db7dfe05-20250319: #77295
    • Turbopack: layout segment optimization for Pages: #74815
    • [dev-overlay] Make footer sticky without side effects: #77327
    • Alternate bundler: show state in app info message: #77259
    • Revert "Turbopack: layout segment optimization for Pages": #77339
    • [metadata] add Yeti to html limited bots: #77335
    • [dev-overlay] Remove unused code from pages: #77325
    • [metadata] remove dead code of metadata routes handling: #77336
    • Alternate bundler: pass more tests and update to 1.3.0-beta: #77269
    • [metadata] fix the metadata route like pages and refactor utils: #77264
    • fix: absolute assetPrefix url with path: #77256
    • clean up useReducer code re dev indicator: #77354
    • test: ensure that router identity stays stable when navigating: #77356
    • [dev-overlay] Remove unused fields from hydration error state: #77332
    • Turbopack: implement optimized css production chunking: #77284
    • only log when instrumentation client takes too long: #77378
    • switch development origin verification to be opt-in rather than opt-out: #77395
    • remove direct ip/port bypass in dev origin check: #77414
    • ensure /__next middleware URLs are included in the origin check: #77416
    • exclude images and static media from dev origin check: #77417
    • Refactor metadata and viewport preloading: #77400
    • [dev-overlay] Remove unused fields from unhandled error action event: #77333
    • Turbopack: Add --turbopack for next start: #77442
    • Update README: #77464
    • Remove unnecessary indirections around dispatch-related methods: #77423
    • Lift public router instance to module level: #77426
    • directly import param resolver in metadata: #77401
    • [metadata] always serve streaming metadata in build: #77437
    • directly import search param resolver in metadata: #77402
    • Remove forwardRef from Link in App Router: #77471
    • Match subrequest handling for edge and node: #77474
    • Add deprecation warning for legacyBehavior prop: #77473
    • feat: useLinkStatus: #77300
    • [dynamicIO] Avoid memory leak warning for hanging promises: #77480
    • [dev-overlay] Remove "Unhandled Runtime Error" label: #77484
    • Upgrade React from db7dfe05-20250319 to 740a4f7a-20250325: #77507
    • Upgrade React from 740a4f7a-20250325 to 313332d1-20250326: #77527
    • Do not call expireTags/getExpiration unnecessarily: #77570
    • fix(jest): stricter regex for 'server-only' in default config: #77588
    • Fix: RESTORE_ACTION should not be thenable: #77582
    • Use NEXT_PRIVATE_DEBUG_CACHE env variable for cache handler debug logs: #77585
    • fix: make sure body can be read using nodejs runtime in middleware: #77553
    • Update alternate bundler and pass more tests: #77579
    • Refactor build scripts and rewrite pack-next in TypeScript: #77536
    • fix isCsrfOriginAllowed handling for localhost: #77594
    • Turbopack build: fix deterministic build test: #77618
    • Turbopack build: Fix urlencoding test: #77622
    • [og] fix vercel og build issue on windows: #77650
    • [Segment Cache] Add "client-only" option: #77655
    • Remove useSyncExternalStore from useIsDevRendering: #77651
    • Track navigation timestamp on CacheNode: #77251
    • Upgrade @ playwright/test and cleanup internal APIs: #77659
    • Refactor: move "use cache" revalidation logic out of incremental cache: #77577
    • Remove obsolete update of implicit tags expiration after server action: #77595
    • Revert "Remove useSyncExternalStore from useIsDevRendering (#77651)": #77672
    • Upgrade React from 313332d1-20250326 to 63779030-20250328: #77643
    • Turbopack build: Add marker for when a build used Turbopack: #77674
    • feat(images): use experimental isrFlushToDisk option to prevent writing optimized images to cache: #70645
    • doc: instrumentation-client: #77649
    • Alternate bundler: use equivalent native plugins for built-in plugins: #77355
    • Resolve Viewport separately from Metadata: #77427
    • fix(turbopack): Suppress logging for short no-op turbopack HMRs: #76924
    • Turbopack build: Fix node-file-trace test: #77641
    • Turbopack build: Implement error when using next start without --turbopack: #77678
    • legacyBehavior deprecation error should only trigger once: #77687
    • Pass only required props to NonIndex: #77685
    • Revert "fix: make sure body can be read using nodejs runtime in middleware": #77690
    • [dev-overlay] Harden types when handling hydration mismatches: #77334
    • [dev-overlay] Fix ref warning when Pages Router with React 18 is used: #77726
    • add support for cssmodules-pure-no-check to allow global CSS features like View Transitions: #77321
    • [dev-overlay] Only warn once per invalid sourcemap: #77444
    • [dynamicIO] only abort once per prerender: #77747
    • Turbopack build: Move Turbopack marker to SERVER_FILES_MANIFEST: #77711
    • Reapply "Turbopack: layout segment optimization for Pages" (#77339): #77696
    • feat(next/image): support new URL() for images.remotePatterns: #77692
    • [dev-overlay] remove text wrap for terminal: #76953
    • Upgrade React from 63779030-20250328 to 040f8286-20250402: #77742
    • Optimize server runtime bundles: #77723
    • Turbopack Build: Remove cases of process.env.TURBOPACK: #77757
    • [dev-overlay] Fix unactionable useLayoutEffect warning if React 18 is used: #77737
    • [dev-tools] Fix flashing of disabled state on indicator: #77727
    • Webpack build: Add compiled in x seconds in missing places: #77751
    • Ignore an existing HMR refresh hash cookie with next start: #77714
    • Turbopack build: Replace process.env.TURBOPACK usage: #77783
    • Client instrumentation: onRouterTransitionStart: #77791
    • Turbopack: log telemetry events when TurbopackInternalErrors occur: #77660
    • Rename alternate bundler package name: #77793
    • Turbopack: fix sideEffects matching for non-relative globs: #77693
    • Revert "Upgrade @ playwright/test and cleanup internal APIs": #77814
    • [next-ts-plugin] fix: language service crashes / metadata plugin not working: #77213
    • [dev-overlay] always display bundler name on version info: #77739
    • [dev-overlay] sync horizontal scrollbar style:


See this package in npm:
next

See this project in Snyk:
https://app.snyk.io/org/nerds-github/project/cd0ad9f1-9f38-4860-92f7-d76da4843eb0?utm_source=github&utm_medium=referral&page=upgrade-pr

sourcery-ai bot commented May 6, 2025

Reviewer's Guide

This pull request upgrades the next dependency from version 13.1.6 to 15.3.0 to address several security vulnerabilities.

File-Level Changes

Change: Update next dependency to version 15.3.0.
Details:
  • Modified the next version specified in the dependencies.
  • This is a major version upgrade, spanning multiple major releases (v13 -> v15), and includes numerous features, bug fixes, and potential breaking changes as detailed in the release notes.
  • Addresses multiple security vulnerabilities listed in the PR description (e.g., Improper Authorization, ReDoS, Resource Exhaustion).
Files: examples/todo-list/nextjs-todo-list/package.json
