Bump next from 14.2.3 to 15.5.14

[dependabot]

Bumps next from 14.2.3 to 15.5.14.

Release notes

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#82340)
• Turbopack: support pattern into exports field (#82757)
• NFT tracing fixes (#84155 and #85323)
• Turbopack: validate CSS without computing all paths (#83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

Commits

• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• 6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
• 7a94645 Apply needs for publishRelease
• bbfd4e3 v15.5.11
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade next from 14.2.3 to 15.5.14 to pick up security fixes and improved image caching. No app code changes included.

• Bug Fixes

  • Patches request smuggling in rewrites (security).
  • Adds LRU disk cache for next/image with images.maximumDiskCacheSize.
  • Restores Content-Length and ETag headers for /_next/data/ JSON.

• Dependencies

  • Bumps next to 15.5.14.
  • Updates transitive deps: styled-jsx@5.1.6, SWC binaries @next/swc-* 15.5.14, @swc/helpers@0.5.15.
  • Adds optional sharp@^0.34 via Next for image optimization.

^{Written for commit b48b26b. Summary will update on new commits.}

[netlify]

✅ Deploy Preview for alloradocs ready!

Name	Link
🔨 Latest commit	b48b26b
🔍 Latest deploy log	https://app.netlify.com/projects/alloradocs/deploys/69bc4b50bf7a810008359b93
😎 Deploy Preview	https://deploy-preview-151--alloradocs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:4">
P0: Upgrading to Next.js 15 without also upgrading `nextra` and `nextra-theme-docs` from v2 to at least v3 (or v4) will almost certainly break the build. Nextra 2.x was designed for Next.js 13/14; the Nextra project itself couples Next.js 15 support with Nextra 3+. Either hold `next` at v14, or upgrade `nextra`/`nextra-theme-docs` alongside this change.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Client as Browser/Client
    participant Next as Next.js Server
    participant Cache as LRU Disk Cache
    participant Proxy as Rewrites (http-proxy)
    participant Upstream as Origin/Upstream

    Note over Client, Upstream: Next.js 15.5.14 Runtime Flow Changes

    rect rgb(240, 240, 240)
        Note right of Next: Image Optimization Flow
        Client->>Next: GET /_next/image?url=...
        Next->>Cache: NEW: Check LRU Disk Cache
        alt Cache Miss
            Next->>Next: Optimize Image
            Next->>Cache: NEW: Store image (respects images.maximumDiskCacheSize)
        else Cache Hit
            Cache-->>Next: Return cached file
        end
        Next-->>Client: 200 OK (Optimized Image)
    end

    rect rgb(230, 240, 255)
        Note right of Next: Secure Rewrite Flow (CVE-2026-29057)
        Client->>Next: Request matching a 'rewrite'
        Next->>Proxy: Forward request logic
        Proxy->>Proxy: CHANGED: Prevent request smuggling (patched http-proxy)
        Proxy->>Upstream: Forwarded Request
        Upstream-->>Proxy: Response
        Proxy-->>Next: Response
        Next-->>Client: Final Response
    end

    rect rgb(240, 255, 240)
        Note right of Next: Pages Router Data Flow
        Client->>Next: GET /_next/data/ (JSON for Client Navigation)
        Next->>Next: Execute getServerSideProps/getStaticProps
        Next->>Next: CHANGED: Calculate Content-Length & ETag
        Next-->>Client: 200 OK (JSON with restored headers)
    end

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P0: Upgrading to Next.js 15 without also upgrading nextra and nextra-theme-docs from v2 to at least v3 (or v4) will almost certainly break the build. Nextra 2.x was designed for Next.js 13/14; the Nextra project itself couples Next.js 15 support with Nextra 3+. Either hold next at v14, or upgrade nextra/nextra-theme-docs alongside this change.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 4:

<comment>Upgrading to Next.js 15 without also upgrading `nextra` and `nextra-theme-docs` from v2 to at least v3 (or v4) will almost certainly break the build. Nextra 2.x was designed for Next.js 13/14; the Nextra project itself couples Next.js 15 support with Nextra 3+. Either hold `next` at v14, or upgrade `nextra`/`nextra-theme-docs` alongside this change.</comment>

<file context>
@@ -1,7 +1,7 @@
   "dependencies": {
     "katex": "^0.16.11",
-    "next": "^14.2.3",
+    "next": "^15.5.14",
     "nextra": "^2.13.4",
     "nextra-theme-docs": "^2.13.4",
</file context>

Suggested change

	"next": "^15.5.14",
	"next": "^14.2.3",