Next.js version is pinned to 14.x – upgrade to 15/16 recommended due to recent CVEs #145

@MrTob

Hi 👋,

First of all, thank you for this awesome SaaS boilerplate – great work!

I noticed that the project is currently pinned to Next.js 14.x, while the latest stable release is already Next.js 16.x.
Given the recent security advisories / CVEs affecting older Next.js versions, this could become a potential security concern for users who deploy this boilerplate to production.

Why this matters:

  • Several CVEs have been disclosed in the last months affecting older Next.js releases
  • SaaS boilerplates are often used as production starters, sometimes without deep dependency audits
  • Users may assume security-critical dependencies are kept reasonably up to date

Suggested improvements:

  • Upgrade the project to the latest stable Next.js version (or at least the latest LTS)
  • Alternatively, document why the project is intentionally pinned to 14.x (e.g. compatibility reasons)
  • Consider adding Dependabot or a short security note in the README

I’d be happy to help test or contribute to a Next.js upgrade if that’s useful.

Thanks again for maintaining this project! 🙌
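
One way to catch the pin described in this issue in CI, as an added example that is not part of the original issue or the boilerplate's code: a small Node.js check that reads the declared `next` range from `package.json` and reports whether it can resolve to a required major version. The floor `MIN_NEXT_MAJOR`, the function names and the sample manifest are assumptions made for illustration.

```javascript
// Added example, not code from the boilerplate. It inspects only the declared
// range in package.json; the lockfile decides the version actually installed.
const MIN_NEXT_MAJOR = 15; // assumed policy floor, taken from the issue's "15/16"

// Highest major one comparator allows: Infinity if unbounded, null if unparsed.
function upperMajor(token) {
  const m = /^(\^|~|>=|<=|>|<|=)?v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?(?:-[\w.-]+)?$/
    .exec(token.toLowerCase());
  if (!m) return null;
  const [, op, major, minor, patch] = m;
  if (op === ">=" || op === ">") return Infinity;
  const zero = (p) => p === undefined || p === "0" || p === "x" || p === "*";
  // "<15.0.0" excludes every 15.x release, so the reachable major is 14.
  if (op === "<" && zero(minor) && zero(patch)) return Number(major) - 1;
  return Number(major); // ^, ~, =, <=, bare versions and x-ranges stay in this major
}

// Highest major a whole range can resolve to ("a b" = AND, "a || b" = OR).
function maxMajorAllowed(range) {
  const r = range.trim().replace(/([<>=~^]+)\s+/g, "$1");
  if (r === "" || r === "*" || r === "x" || r === "latest") return Infinity;
  let best = -1;
  for (const set of r.split("||")) {
    let bound = Infinity;
    for (const tok of set.trim().split(/\s+/)) {
      const u = upperMajor(tok);
      if (u === null) return null; // git URLs, "workspace:", hyphen ranges, tags
      bound = Math.min(bound, u);
    }
    best = Math.max(best, bound);
  }
  return best;
}

// Classify the manifest: absent, unknown (review by hand), below-floor, or ok.
function checkNext(pkg, minMajor = MIN_NEXT_MAJOR) {
  const range = pkg.dependencies?.next ?? pkg.devDependencies?.next;
  if (range === undefined) return { status: "absent" };
  const maxMajor = maxMajorAllowed(range);
  if (maxMajor === null) return { status: "unknown", range };
  return { status: maxMajor >= minMajor ? "ok" : "below-floor", range, maxMajor };
}

// Constructed sample manifest (not the project's real package.json).
const samplePkg = { name: "saas-starter", dependencies: { next: "14.x", react: "^18.2.0" } };
console.log(checkNext(samplePkg));
```

A `below-floor` or `unknown` result is the signal to fail the build or open a review; an `ok` result still needs the lockfile and an advisory scan to confirm the installed version.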
