
Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Dec 3, 2025

Bumps next from 15.5.2 to 15.5.7.

Release notes

Sourced from next's releases.

v15.5.7

Please see CVE-2025-66478 for additional details about this release.

v15.5.6

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Turbopack: don't define process.cwd() in node_modules #83452

Credits

Huge thanks to @mischnic for helping!

v15.5.5

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Split code-frame into separate compiled package (#84238)
  • Add deprecation warning to Runtime config (#84650)
  • fix: unstable_cache should perform blocking revalidation during ISR revalidation (#84716)
  • feat: experimental.middlewareClientMaxBodySize body cloning limit (#84722)
  • fix: missing next/link types with typedRoutes (#84779)

Misc Changes

  • docs: early October improvements and fixes (#84334)

Credits

Huge thanks to @devjiwonchoi, @ztanner, and @icyJoseph for helping!


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated framework dependencies for improved stability and compatibility.


Bumps [next](https://github.com/vercel/next.js) from 15.5.2 to 15.5.7.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.2...v15.5.7)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Dec 3, 2025
@changeset-bot

changeset-bot bot commented Dec 3, 2025

⚠️ No Changeset found

Latest commit: 85af02d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai
Contributor

coderabbitai bot commented Dec 3, 2025

Walkthrough

The pull request bumps the next dependency in docs/package.json from version ^15.2.4 to ^15.5.7. This is a pure dependency version update with no functional code changes or control-flow modifications.

Changes

Cohort / File(s): Dependency version bump (docs/package.json)
Summary: Updated next from ^15.2.4 to ^15.5.7

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

This is a straightforward dependency version bump with no code logic changes. Review consists of verifying the version constraint is appropriate and checking for any known breaking changes between the two versions.

Poem

🐰 A version bump, so small and sweet,
Next goes up, the upgrade complete!
From 15.2 to 15.5 we hop,
Dependencies dance—there's no stop!
⬆️✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title accurately describes the main change: bumping the 'next' dependency from version 15.5.2 to 15.5.7 in the /docs directory, which matches the raw summary and PR objectives.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5a465f7 and 85af02d.

⛔ Files ignored due to path filters (2)
  • docs/package-lock.json is excluded by !**/package-lock.json
  • docs/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • docs/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: coverage

"js-cookie": "^3.0.5",
"motion": "^12.9.2",
"next": "^15.2.4",
"next": "^15.5.7",
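Review bot: this hunk only moves the manifest range from ^15.2.4 to ^15.5.7, while the PR description says the bump is from 15.5.2 to 15.5.7, i.e. the version the lockfile previously resolved within the old range. Since docs/package-lock.json and docs/pnpm-lock.yaml are excluded from this review by path filters, confirm that the lockfile in this PR actually resolves next to 15.5.7 (a caret range is only a lower bound; what the lock pins is what gets installed), and check the resolved react version against the React fix releases named in the advisory summary as well.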

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, inspect the docs/package.json file to see the current state
cat -n docs/package.json | head -50

Repository: rad-ui/ui

Length of output: 1710


🌐 Web query:

CVE-2025-66478 Next.js security vulnerability

💡 Result:

Short summary — CVE-2025-66478 (Next.js)

  • What it is: a critical RCE-class vulnerability in the React Server Components (RSC) protocol that affects Next.js App Router builds. (Next.js advisory published Dec 3, 2025). [1]
  • Severity: rated critical (CVSS 10.0 in the Next.js advisory); can lead to remote code execution in unpatched deployments. [1]
  • Affected Next.js versions: Next.js 15.x and 16.x, and Next.js 14.3.0-canary.77+ canaries using the App Router. (Stable 13/14, Pages Router and Edge Runtime are not affected). [1][2]
  • Fixed in: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. React fixes are in React 19.0.1 / 19.1.2 / 19.2.1. [1][2]
  • Immediate action: upgrade Next.js to the appropriate patched release for your release line (or downgrade any 14.3 canary to the latest stable 14.x), and update React to patched 19.x where applicable. If hosted on Vercel, platform-level protections are in place but you should still upgrade. [1][2]

Sources:
[1] Next.js security advisory — CVE-2025-66478 (Next.js blog, Dec 3, 2025).
[2] Vercel changelog: Summary of CVE-2025-55182 (Dec 3, 2025).


🏁 Script executed:

# Check if lock file exists and inspect relevant package versions
if [ -f "docs/pnpm-lock.yaml" ]; then
  echo "=== Checking @next/mdx version constraints ==="
  rg '@next/mdx' docs/pnpm-lock.yaml -A 3 | head -30
  echo ""
  echo "=== Checking next version in lock ==="
  rg '"next":' docs/pnpm-lock.yaml -B 2 -A 3 | head -40
fi

Repository: rad-ui/ui

Length of output: 711


🌐 Web query:

Next.js 15.5.7 breaking changes from 15.2.4 @next/mdx compatibility

💡 Result:

Short answer — Next.js 15.5.x introduced changes (Turbopack/loader handling and stricter loader option serialization) that break some @next/mdx setups that worked on 15.2.4. Common symptoms: build/dev errors from the @next/mdx loader about "does not have serializable options" or MDX not building under Turbo/production. Recommended fixes/workarounds:

  • Cause: Turbopack and the updated loader in 15.5.x enforce that loader options be plain serializable JS values (no functions/require() calls).

🌐 Web query:

@next/mdx 15.5.x version changelog compatibility with next 15.5.7

💡 Result:

Short answer: Yes — @next/mdx 15.5.x is the official MDX integration for Next.js 15 and is intended to be compatible with Next.js 15.5.7. See the Next.js MDX docs for usage. [1]

Notes / gotchas:

  • Some users reported a Turbopack/loader options issue in the 15.5.x line (errors about "mdx-js-loader ... does not have serializable options"); a known workaround is to pass plugin names (strings) instead of require() calls in next.config when configuring remark/rehype plugins. Test dev/build with your exact setup. [2]
  • Confirm the exact @next/mdx subversion you install (match minor/patch where possible) — package listings show the 15.5.x releases available. [3]

If you want, tell me the exact @next/mdx version you plan to use and your next.config.js so I can check for any specific incompatibilities.

Sources: Next.js MDX docs. [1] Issue/workaround writeup. [2] Package/version listing. [3]


🏁 Script executed:

# Check what version of @next/mdx is available that matches next 15.5.x
rg '@next/mdx' docs/package.json
# Also verify React version requirement for CVE-2025-66478
rg '"react":' docs/package.json
# Check eslint-config-next version mismatch
rg 'eslint-config-next' docs/package.json

Repository: rad-ui/ui

Length of output: 139


Update @next/mdx to ^15.5.0 and react to ^19.0.1 to fully resolve CVE-2025-66478.

The next@15.5.7 upgrade addresses the critical RCE vulnerability CVE-2025-66478 (CVSS 10.0) in the React Server Components protocol. However, two related updates are required:

  1. @next/mdx must be updated from ^15.2.0 to ^15.5.0 — The 15.5.x line introduced stricter loader option serialization in Turbopack that breaks compatibility with 15.2.x. Known issue: if next.config.js passes plugin functions via require() in remark/rehype configuration, Turbopack will fail with "does not have serializable options" errors. Use plugin name strings instead.

  2. react must be bumped from 19.0.0 to ^19.0.1 — The CVE fix includes React-side patches in 19.0.1+; the current version needs this update for complete protection.

  3. Consider updating eslint-config-next from 15.1.2 to ^15.5.0 — Version alignment with Next.js is recommended for lint rule consistency.

Test the dev and build scripts after merging to verify Turbopack compatibility and MDX rendering.

🤖 Prompt for AI Agents
In docs/package.json around line 32, the Next.js upgrade to "next": "^15.5.7"
requires companion updates: bump "@next/mdx" from "^15.2.0" to "^15.5.0" to
match Turbopack loader option serialization changes, update "react" from
"19.0.0" to "^19.0.1" to include the CVE-2025-66478 React-side fix, and
optionally align "eslint-config-next" to "^15.5.0"; after changing these
versions run npm/yarn install and verify dev and build (Turbopack) along with
MDX rendering, and if you pass functions in next.config.js remark/rehype options
replace them with plugin name strings to avoid "does not have serializable
options" errors.
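As an added example (not code from this PR, from CodeRabbit, or from the Next.js project), the check a reviewer would run against the fixed-version list quoted in the advisory summary above: it compares the `next` version a package-lock.json actually resolves, rather than the manifest's caret range, with the fixed release for that minor line. The lockfile fragments are constructed, and the function names are chosen here.

```javascript
// Added example, not from this PR or from Next.js: is the `next` version a lockfile
// resolves at or past the fixed release for its minor line? Uses the CVE-2025-66478
// fixed-version list quoted in this thread. A manifest range such as "^15.2.4" is
// only a lower bound; the lockfile's resolved version is what is actually installed.
// Fixed releases per major.minor line, as listed in the advisory summary above.
const FIXED_NEXT = ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Strip the range operator ("^x.y.z", "~x.y.z", "x.y.z") to get the range's lower bound.
function rangeLowerBound(range) {
  return String(range).trim().replace(/^[\^~=]/, '');
}

// 'patched' | 'vulnerable' | 'prerelease' (canaries follow the advisory's own rules)
// | 'not-listed' (no fixed release on this page for that line; consult the advisory).
function assessNext(version) {
  const v = parseVersion(version);
  if (v.prerelease) return 'prerelease';
  const fix = FIXED_NEXT.map(parseVersion).find((f) => f.major === v.major && f.minor === v.minor);
  if (!fix) return 'not-listed';
  // Same major.minor line as the fix, so only the patch number decides.
  return v.patch >= fix.patch ? 'patched' : 'vulnerable';
}

// Resolved `next` version from a parsed package-lock.json (lockfileVersion 2/3 layout).
function resolvedNextFromLock(lock) {
  const entry = lock.packages && lock.packages['node_modules/next'];
  if (!entry || !entry.version) throw new Error('next not found in lockfile');
  return entry.version;
}

// Constructed lockfile fragments (not the repository's real lockfiles). Both satisfy
// the old manifest range "^15.2.4", but only the second resolves a patched release.
const lockBefore = { packages: { 'node_modules/next': { version: '15.5.2' } } };
const lockAfter = { packages: { 'node_modules/next': { version: '15.5.7' } } };

// What a reviewer of this PR would want to see side by side.
function summarize() {
  return {
    manifestLowerBound: assessNext(rangeLowerBound('^15.2.4')),
    lockBefore: assessNext(resolvedNextFromLock(lockBefore)),
    lockAfter: assessNext(resolvedNextFromLock(lockAfter)),
  };
}
console.log(summarize());
```

The same check applied to `"react"` needs the React fix list from the advisory (19.0.1 / 19.1.2 / 19.2.1) in place of FIXED_NEXT.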
