Conversation

Contributor

@c0ball c0ball commented Jan 9, 2026

I've updated the Next version from 15.5.7 to 15.5.9 to mitigate the following CVEs:

  • CVE-2025-55184 (high): DoS via malicious HTTP request causing server to hang and consume CPU
  • CVE-2025-55183 (medium): Compiled Server Action source code can be exposed via malicious request
  • CVE-2025-67779 (high): Incomplete fix for CVE-2025-55184 DoS via malicious RSC payload causing infinite loop

Greptile Overview

Greptile Summary

This PR updates Next.js from version 15.5.7 to 15.5.9 across three package.json files to mitigate three CVEs: CVE-2025-55184 (DoS via malicious HTTP request), CVE-2025-55183 (Server Action source code exposure), and CVE-2025-67779 (Incomplete fix for CVE-2025-55184). The changes are straightforward version bumps in the dependencies section of:

  • apps/web/package.json - Updated Next.js dependency
  • packages/database/package.json - Updated Next.js dependency
  • packages/web-backend/package.json - Updated Next.js dependency

However, there is a version consistency issue: the eslint-config-next devDependency in apps/web/package.json remains at 15.5.7 and should be updated to 15.5.9 to match the Next.js version. The eslint-config-next package is versioned alongside Next.js and should be kept in sync for ESLint rule compatibility and to benefit from the same security fixes.

Confidence Score: 3/5

  • The PR requires one critical fix before merging: the eslint-config-next version must be updated to match the Next.js version.
  • The PR correctly updates Next.js to 15.5.9 in all three relevant packages to address security vulnerabilities. However, a critical consistency issue was identified: eslint-config-next in apps/web/package.json remains at 15.5.7 instead of being updated to 15.5.9. This versioned package should always match the Next.js version for ESLint rule compatibility and to ensure all security fixes are applied. The incomplete update reduces confidence from high to moderate.
  • apps/web/package.json requires the eslint-config-next version to be updated from 15.5.7 to 15.5.9

Important Files Changed

File Analysis

| Filename | Score | Overview |
|---|---|---|
| apps/web/package.json | 2/5 | Updated Next.js from 15.5.7 to 15.5.9, but missed updating the corresponding eslint-config-next devDependency, which should also be 15.5.9 for compatibility and security fixes. |
| packages/database/package.json | 5/5 | Correctly updated Next.js from 15.5.7 to 15.5.9. No other Next.js-related dependencies require updating. |
| packages/web-backend/package.json | 5/5 | Correctly updated Next.js from 15.5.7 to 15.5.9. This file has no other Next.js-related dependencies that require updating. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant web as apps/web
    participant db as packages/database
    participant backend as packages/web-backend
    participant next as Next.js

    web->>next: Depends on next@15.5.9 ✓
    db->>next: Depends on next@15.5.9 ✓
    backend->>next: Depends on next@15.5.9 ✓

    web->>next: Depends on eslint-config-next@15.5.7 ✗ (should be 15.5.9)

    Note over next: CVE-2025-55184, CVE-2025-55183, CVE-2025-67779 fixed in 15.5.9
```

Contributor

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

@greptile-apps
Contributor

greptile-apps bot commented Jan 9, 2026

Additional Comments (1)

apps/web/package.json, line 164
The eslint-config-next version should be updated from 15.5.7 to 15.5.9 to match the Next.js version update in this PR. The eslint-config-next package is versioned with Next.js and should be kept in sync to ensure ESLint rules are compatible with the updated Next.js version and to include fixes for the security issues (CVE-2025-55184, CVE-2025-55183, CVE-2025-67779).

```suggestion
		"eslint-config-next": "15.5.9",
```

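The drift the review found (next bumped, eslint-config-next left behind) is easy to catch mechanically before a PR is opened. The following is an added example, not code from the PR or the Cap repository: it audits each package.json in a workspace, flags any `next` below the patched floor and flags `eslint-config-next` whenever its version differs from `next`. `PATCHED_NEXT`, `LOCKSTEP_PACKAGES` and the inline manifests are assumptions constructed to mirror this PR.

```javascript
// Added example (not part of the PR or the Cap repository): audit a monorepo's
// package.json files for (a) a "next" version below the patched floor and
// (b) Next.js-versioned companions (eslint-config-next) that drift from "next".
// PATCHED_NEXT and LOCKSTEP_PACKAGES are assumptions; manifests are constructed.
const PATCHED_NEXT = "15.5.9"; // release the PR says carries the fixes for the three CVEs
const LOCKSTEP_PACKAGES = ["eslint-config-next"]; // released in lockstep with "next"
const WORKSPACE = {
  "apps/web/package.json": JSON.stringify({
    dependencies: { next: "15.5.9" },
    devDependencies: { "eslint-config-next": "15.5.7" },
  }),
  "packages/database/package.json": JSON.stringify({ dependencies: { next: "15.5.9" } }),
  "packages/web-backend/package.json": JSON.stringify({ dependencies: { next: "15.5.9" } }),
};

// Strip a leading range operator ("^" or "~") and compare x.y.z numerically.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^[\^~]/, "").split(".").map((n) => Number(n) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] ?? 0, pb[i] ?? 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// One finding per problem: { file, pkg, have, want, reason }.
function auditWorkspace(files, patchedNext = PATCHED_NEXT) {
  const findings = [];
  for (const [file, raw] of Object.entries(files)) {
    const manifest = JSON.parse(raw);
    const deps = { ...(manifest.dependencies ?? {}), ...(manifest.devDependencies ?? {}) };
    const next = deps.next;
    if (!next) continue; // package does not consume Next.js
    if (compareVersions(next, patchedNext) < 0) {
      findings.push({ file, pkg: "next", have: next, want: patchedNext, reason: "below patched floor" });
    }
    for (const name of LOCKSTEP_PACKAGES) {
      if (name in deps && compareVersions(deps[name], next) !== 0) {
        findings.push({ file, pkg: name, have: deps[name], want: next, reason: "out of sync with next" });
      }
    }
  }
  return findings;
}

for (const f of auditWorkspace(WORKSPACE)) {
  console.log(`${f.file}: ${f.pkg}@${f.have} ${f.reason}, want ${f.want}`);
}
```

Run against the constructed workspace it reports exactly one finding, the eslint-config-next mismatch in apps/web/package.json; wiring it into CI with a non-zero exit on any finding turns the reviewer's catch into a gate.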

@richiemcilroy
Member

Thank you!

@richiemcilroy richiemcilroy merged commit e177241 into CapSoftware:main Jan 9, 2026
1 of 2 checks passed
@c0ball
Contributor Author

c0ball commented Jan 9, 2026

Thanks for merging this PR so quickly @richiemcilroy ! Would it be possible to cut a 0.4.1 release that includes this fix?
