
build(deps): bump next to 15.5.18 and patch vulnerable transitives#67

Merged
unnawut merged 1 commit into
ReamLabs:masterfrom
unnawut:deps/security-bump-next-15.5.18
May 19, 2026
Conversation

@unnawut
Collaborator

@unnawut unnawut commented May 19, 2026

Resolves all 31 open Dependabot alerts in one go:

  • next 15.5.10 -> 15.5.18 (closes 22 alerts: SSRF via WebSocket upgrades, middleware/proxy bypass in i18n/App Router/dynamic routes, DoS in Image Optimization & Server Components, XSS in beforeInteractive scripts, RSC + middleware cache poisoning, HTTP request smuggling, unbounded image disk cache)
  • postcss devDep ^8 -> ^8.5.10 (XSS via unescaped </style>)
  • overrides for transitive deps:
    • lodash ^4.18.0 (prototype pollution, code injection via _.template)
    • picomatch ^2.3.2 (ReDoS, method injection)
    • brace-expansion ^2.0.3 (process hang / memory exhaustion)
    • yaml ^2.8.3 (stack overflow on deeply nested collections)

Verified npm audit reports 0 vulnerabilities, production build and dev server boot cleanly on Next.js 15.5.18. Cross-checked the post-upgrade lockfile against known-compromised versions from the Sept 2025 chalk/debug account-takeover and Shai-Hulud worm waves — none of the tainted versions are present.
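A check in the spirit of the lockfile cross-check described above, as an added example that is not part of this PR or the project's code: it walks a package-lock.json `packages` map and flags any entry on a denylist of known-compromised versions (placeholder entry; the real list is not on this page) and any copy of the overridden packages, nested ones included, that is still below the floors stated in the PR.

```javascript
// Added example, not the PR's code: scan a package-lock.json (lockfileVersion 2/3
// "packages" map) for known-compromised versions and for copies of the overridden
// deps that still sit below the PR's floors. Denylist and lockfile are CONSTRUCTED.
const MIN_VERSIONS = { // floors from the PR's overrides
  lodash: '4.18.0', picomatch: '2.3.2', 'brace-expansion': '2.0.3', yaml: '2.8.3',
};
// PLACEHOLDER: fill in the real advisory's package@version list.
const DENYLIST = new Set(['example-tainted@9.9.9']);

// Numeric x.y.z compare; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "node_modules/next/node_modules/@scope/pkg" -> "@scope/pkg"
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns { tainted, belowFloor } lists of "name@version" for a parsed lockfile.
function auditLockfile(lock) {
  const tainted = [], belowFloor = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || !entry.version) continue; // root project entry
    const name = packageName(lockPath);
    const id = `${name}@${entry.version}`;
    if (DENYLIST.has(id)) tainted.push(id);
    const floor = MIN_VERSIONS[name];
    if (floor && compareVersions(entry.version, floor) < 0) belowFloor.push(id);
  }
  return { tainted, belowFloor };
}

// Constructed sample: one nested picomatch copy still below the floor.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/lodash': { version: '4.18.0' },
  'node_modules/picomatch': { version: '2.3.2' },
  'node_modules/next/node_modules/picomatch': { version: '2.3.1' },
  'node_modules/example-tainted': { version: '9.9.9' },
} };
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK)));
```

Against a real tree, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; a non-empty result is a finding to act on before merging.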

@unnawut unnawut merged commit 8b5bbb4 into ReamLabs:master May 19, 2026
2 checks passed
@unnawut unnawut deleted the deps/security-bump-next-15.5.18 branch May 19, 2026 08:18