[Snyk] Security upgrade next from 14.2.35 to 15.5.10 #1046
akilarootcode wants to merge 1 commit into main
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NEXT-15104645
Pull request overview
This PR upgrades Next.js from version 14.2.35 to 15.5.10 to fix a high-severity security vulnerability (SNYK-JS-NEXT-15104645) with a score of 696 related to "Allocation of Resources Without Limits or Throttling".
Changes:
- Upgrades Next.js dependency from ^14.2.35 to ^15.5.10 in package.json
| "luxon": "^3.6.1", | ||
| "luxon-business-days": "^3.0.1", | ||
| "next": "^14.2.35", | ||
| "next": "^15.5.10", |
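Review bot: On the `"next"` line, the move from `^14.2.35` to `^15.5.10` crosses a major version, and the PR description lists frontend/package.json as the only changed file. Before merging, check whether the advisory for SNYK-JS-NEXT-15104645 lists a fixed release within the 14.x line that would close the issue without the major bump. If the project commits a lockfile, regenerate it in this PR so the resolved `next` version is the one that was reviewed and built.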
The eslint-config-next package version (13.4.7) is not compatible with Next.js 15.5.10. The eslint-config-next version should match the Next.js version to ensure proper linting rules and compatibility. This package should be updated to version 15.5.10 or the closest available version to match the Next.js upgrade.
| "next": "^15.5.10", | |
| "next": "13.4.7", |
| "luxon": "^3.6.1", | ||
| "luxon-business-days": "^3.0.1", | ||
| "next": "^14.2.35", | ||
| "next": "^15.5.10", |
The next-auth package (version 4.24.7) may have compatibility issues with Next.js 15. NextAuth.js v4 was primarily designed for Next.js 12-14. For Next.js 15, it's recommended to migrate to Auth.js v5 (the successor to NextAuth.js v4) or ensure that the current version is tested and compatible with Next.js 15. This should be verified and potentially upgraded to prevent authentication issues after the Next.js upgrade.
| "luxon": "^3.6.1", | ||
| "luxon-business-days": "^3.0.1", | ||
| "next": "^14.2.35", | ||
| "next": "^15.5.10", |
This is an incomplete upgrade that only updates the Next.js version without addressing the necessary breaking changes and related package updates. For a successful Next.js 15 upgrade, the following should be addressed:
- Replace all router.events usage with Next.js 15-compatible alternatives
- Update eslint-config-next to version 15.5.10
- Consider upgrading next-auth to Auth.js v5 or verify v4 compatibility with Next.js 15
- Test all authentication flows, route change handlers, and navigation patterns
- Review and update any deprecated APIs or patterns
Simply updating the package version will result in build failures or runtime errors due to the removed router.events API.
| "luxon": "^3.6.1", | ||
| "luxon-business-days": "^3.0.1", | ||
| "next": "^14.2.35", | ||
| "next": "^15.5.10", |
This Next.js upgrade from 14.2.35 to 15.5.10 is a major version upgrade that introduces breaking changes which are not addressed in this PR. The router.events API has been removed in Next.js 15, but the codebase still uses it extensively in multiple files including:
- frontend/pages/_app.tsx (lines 97-106)
- frontend/pages/community/leave/types/[slug].tsx (lines 51, 63, 67)
- frontend/pages/community/people/directory/edit-all-information/[id].tsx (lines 362, 368, 371)
- frontend/pages/community/user-account.tsx (lines 220, 226, 229)
- frontend/src/community/configurations/components/organisms/TimeConfigurations/TimeConfigurations.tsx (lines 232, 253-254)
- frontend/src/community/people/components/molecules/RouteChangeAreYouSureModal/RouteChangeAreYouSureModal.tsx (lines 36, 42, 45)
- frontend/src/community/people/components/organisms/AddNewResourceFlow/AddNewResourceFlow.tsx (lines 188, 194, 197)
In Next.js 15, router.events has been removed and should be replaced with the useEffect hook that monitors router.pathname, router.query, or router.asPath changes. Alternatively, consider using the new Next.js navigation events from next/navigation or implementing a custom solution. This upgrade will break the application's route change handling functionality.
| "next": "^15.5.10", | |
| "next": "14.2.35", |



Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
frontend/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-NEXT-15104645
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.