🔒 [Security](deps): Bump next from 16.1.1 to 16.1.6#16
🔒 [Security](deps): Bump next from 16.1.1 to 16.1.6#16dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [next](https://github.com/vercel/next.js) from 16.1.1 to 16.1.6. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.1.1...v16.1.6) --- updated-dependencies: - dependency-name: next dependency-version: 16.1.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
blackboxprogramming
requested review from
Copilot
and removed request for
blackboxprogramming
There was a problem hiding this comment.
Pull request overview
This PR updates Next.js from version 16.1.1 to 16.1.6 to address multiple security vulnerabilities (CVE-2025-59471, CVE-2025-59472, and CVE-2026-23864) and includes important bug fixes for LRU cache implementation, response body size limits, and middleware redirects.
Changes:
- Bump Next.js from 16.1.1 to 16.1.6 to address security vulnerabilities
- Update transitive dependencies including SWC compiler binaries, @emnapi/runtime, baseline-browser-mapping, and caniuse-lite
- Add prettier 3.8.1 to devDependencies (unrelated to the security update)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates Next.js version specifier from 16.1.1 to 16.1.6 |
| pnpm-lock.yaml | Updates Next.js, its platform-specific SWC binaries, transitive dependencies, and adds prettier to devDependencies |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| specifier: 16.1.1 | ||
| version: 16.1.1(@typescript-eslint/parser@8.50.1(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) |
There was a problem hiding this comment.
The eslint-config-next package remains at version 16.1.1 while Next.js is being updated to 16.1.6. These packages should typically be kept in sync to ensure compatibility and avoid potential configuration issues. Consider updating eslint-config-next to match the Next.js version.
| specifier: 16.1.1 | |
| version: 16.1.1(@typescript-eslint/parser@8.50.1(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) | |
| specifier: 16.1.6 | |
| version: 16.1.6(@typescript-eslint/parser@8.50.1(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) |
| prettier: | ||
| specifier: ^3.7.4 | ||
| version: 3.8.1 |
There was a problem hiding this comment.
The prettier package (version 3.8.1) appears to have been added to devDependencies in the lockfile. However, this addition is not shown in the package.json diff and appears unrelated to the Next.js security update described in the PR title and description. This suggests the lockfile may include changes from uncommitted package.json modifications or from a different branch. Consider whether this addition is intentional and, if so, should be documented in the PR description, or if the lockfile needs to be regenerated to exclude unrelated changes.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@theguild/remark-mermaid": "^0.3.0", | ||
| "next": "16.1.1", | ||
| "next": "16.1.6", | ||
| "nextra": "^4.6.1", | ||
| "nextra-theme-docs": "^4.6.1", | ||
| "react": "19.2.3", |
There was a problem hiding this comment.
next is bumped to 16.1.6 but eslint-config-next remains pinned to 16.1.1. Next.js recommends keeping eslint-config-next aligned with the installed Next version; leaving it behind can lead to lint rule/plugin mismatches. Consider bumping eslint-config-next to 16.1.6 (and regenerating the lockfile).
Bumps next from 16.1.1 to 16.1.6.
Release notes
Sourced from next's releases.
... (truncated)
Commits
adf8c61v16.1.6098c0c0[backport][ci] Make gh auth status optional when triggering a release (#89100)a43df32Backport/docs fixes jan 25 16.1.x (#89124)d6d5734tweak LRU sentinel cache key (#89123)4324698backport: implement LRU cache with invocation ID scoping for minimal mode res...23c4649[backport] Upgrade to swc 54 (#88207) (#89103)acba4a6v16.1.5e1d1fc6Add maximum size limit for postponed body parsing (#88175)500ec83fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)1caaca3feat(next/image)!: addimages.maximumResponseBodyconfig (#88183)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)