96 changes: 56 additions & 40 deletions docs/package-lock.json

2 changes: 1 addition & 1 deletion docs/package.json
Expand Up @@ -29,7 +29,7 @@
"eslint-config-next": "15.1.2",
"js-cookie": "^3.0.5",
"motion": "^12.9.2",
"next": "^15.2.4",
"next": "^15.5.7",
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, inspect the docs/package.json file to see the current state
cat -n docs/package.json | head -50

Repository: rad-ui/ui

Length of output: 1710


🌐 Web query:

CVE-2025-66478 Next.js security vulnerability

💡 Result:

Short summary — CVE-2025-66478 (Next.js)

  • What it is: a critical RCE-class vulnerability in the React Server Components (RSC) protocol that affects Next.js App Router builds. (Next.js advisory published Dec 3, 2025). [1]
  • Severity: rated critical (CVSS 10.0 in the Next.js advisory); can lead to remote code execution in unpatched deployments. [1]
  • Affected Next.js versions: Next.js 15.x and 16.x, and Next.js 14.3.0-canary.77+ canaries using the App Router. (Stable 13/14, Pages Router and Edge Runtime are not affected). [1][2]
  • Fixed in: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. React fixes are in React 19.0.1 / 19.1.2 / 19.2.1. [1][2]
  • Immediate action: upgrade Next.js to the appropriate patched release for your release line (or downgrade any 14.3 canary to the latest stable 14.x), and update React to patched 19.x where applicable. If hosted on Vercel, platform-level protections are in place but you should still upgrade. [1][2]

Sources:
[1] Next.js security advisory — CVE-2025-66478 (Next.js blog, Dec 3, 2025).
[2] Vercel changelog: Summary of CVE-2025-55182 (Dec 3, 2025).


🏁 Script executed:

# Check if lock file exists and inspect relevant package versions
if [ -f "docs/pnpm-lock.yaml" ]; then
  echo "=== Checking @next/mdx version constraints ==="
  rg '@next/mdx' docs/pnpm-lock.yaml -A 3 | head -30
  echo ""
  echo "=== Checking next version in lock ==="
  rg '"next":' docs/pnpm-lock.yaml -B 2 -A 3 | head -40
fi

Repository: rad-ui/ui

Length of output: 711


🌐 Web query:

Next.js 15.5.7 breaking changes from 15.2.4 @next/mdx compatibility

💡 Result:

Short answer — Next.js 15.5.x introduced changes (Turbopack/loader handling and stricter loader option serialization) that break some @next/mdx setups that worked on 15.2.4. Common symptoms: build/dev errors from the @next/mdx loader about "does not have serializable options" or MDX not building under Turbo/production. Recommended fixes/workarounds:

  • Cause: Turbopack and the updated loader in 15.5.x enforce that loader options be plain serializable JS values (no functions/require() calls).

🌐 Web query:

@next/mdx 15.5.x version changelog compatibility with next 15.5.7

💡 Result:

Short answer: Yes — @next/mdx 15.5.x is the official MDX integration for Next.js 15 and is intended to be compatible with Next.js 15.5.7. See the Next.js MDX docs for usage. [1]

Notes / gotchas:

  • Some users reported a Turbopack/loader options issue in the 15.5.x line (errors about "mdx-js-loader ... does not have serializable options"); a known workaround is to pass plugin names (strings) instead of require() calls in next.config when configuring remark/rehype plugins. Test dev/build with your exact setup. [2]
  • Confirm the exact @next/mdx subversion you install (match minor/patch where possible) — package listings show the 15.5.x releases available. [3]

If you want, tell me the exact @next/mdx version you plan to use and your next.config.js so I can check for any specific incompatibilities.

Sources: Next.js MDX docs. [1] Issue/workaround writeup. [2] Package/version listing. [3]


🏁 Script executed:

# Check what version of @next/mdx is available that matches next 15.5.x
rg '@next/mdx' docs/package.json
# Also verify React version requirement for CVE-2025-66478
rg '"react":' docs/package.json
# Check eslint-config-next version mismatch
rg 'eslint-config-next' docs/package.json

Repository: rad-ui/ui

Length of output: 139


Update @next/mdx to ^15.5.0 and react to ^19.0.1 to fully resolve CVE-2025-66478.

The next@15.5.7 upgrade addresses the critical RCE vulnerability CVE-2025-66478 (CVSS 10.0) in the React Server Components protocol. However, two related updates are required:

  1. @next/mdx must be updated from ^15.2.0 to ^15.5.0 — The 15.5.x line introduced stricter loader option serialization in Turbopack that breaks compatibility with 15.2.x. Known issue: if next.config.js passes plugin functions via require() in remark/rehype configuration, Turbopack will fail with "does not have serializable options" errors. Use plugin name strings instead.

  2. react must be bumped from 19.0.0 to ^19.0.1 — The CVE fix includes React-side patches in 19.0.1+; the current version needs this update for complete protection.

  3. Consider updating eslint-config-next from 15.1.2 to ^15.5.0 — Version alignment with Next.js is recommended for lint rule consistency.

Test the dev and build scripts after merging to verify Turbopack compatibility and MDX rendering.

🤖 Prompt for AI Agents
In docs/package.json around line 32, the Next.js upgrade to "next": "^15.5.7"
requires companion updates: bump "@next/mdx" from "^15.2.0" to "^15.5.0" to
match Turbopack loader option serialization changes, update "react" from
"19.0.0" to "^19.0.1" to include the CVE-2025-66478 React-side fix, and
optionally align "eslint-config-next" to "^15.5.0"; after changing these
versions run npm/yarn install and verify dev and build (Turbopack) along with
MDX rendering, and if you pass functions in next.config.js remark/rehype options
replace them with plugin name strings to avoid "does not have serializable
options" errors.
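
A lockfile check for the patched releases listed in the advisory summary quoted in the comment above, added here as an example (not code from the PR, the review comment, or the rad-ui project). It assumes an npm `package-lock.json` with a `packages` map (lockfile v2/v3); `SAMPLE_LOCK` is constructed, and `classify` and `auditLock` are hypothetical names.

```javascript
// Added example. Patched floors per release line, copied from the advisory
// summary quoted in the review comment (minor line -> first fixed patch).
const FIXED = {
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
  react: { "19.0": 1, "19.1": 2, "19.2": 1 },
};

// Compare one resolved version with the floor for its release line.
// Prereleases (canary, rc) and lines missing from the table are reported as
// "unlisted" so that a human checks them against the advisory.
function classify(pkg, version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version || "");
  if (!m || m[4]) return "unlisted";
  const floor = FIXED[pkg][`${m[1]}.${m[2]}`];
  if (floor === undefined) return "unlisted";
  return Number(m[3]) >= floor ? "at-or-above-fix" : "below-fix";
}

// Walk the lockfile's "packages" map and classify every installed copy of
// next and react, including copies nested under other packages.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = /(?:^|\/)node_modules\/(next|react)$/.exec(path);
    if (!m) continue;
    const version = entry.version;
    findings.push({ path, version, status: classify(m[1], version) });
  }
  return findings;
}

// Constructed sample, not the repository's real lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs" },
    "node_modules/next": { version: "15.5.7" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/@next/mdx": { version: "15.2.0" },
    "node_modules/eslint-config-next": { version: "15.1.2" },
    "node_modules/some-dep/node_modules/react": { version: "19.1.2" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(16)} ${f.path}@${f.version}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of the lockfile, since the caret range in `package.json` only bounds what may be installed and the lockfile records what is.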

"next-cookies": "^2.0.3",
"node-fetch": "^3.3.2",
"nookies": "^2.5.2",