
fix: upgrade Next.js to 16.2.6 for security vulnerabilities #92

Merged: oioki merged 1 commit into main from fix/nextjs-security-upgrade on May 8, 2026
@sergical (Member) commented May 7, 2026

Summary

  • Upgrades next from ^16.2.4 to ^16.2.6 to address 13 critical/high-severity CVEs disclosed on 2026-05-06
  • Updates pnpm-lock.yaml accordingly

CVEs Addressed

| Advisory | Severity | Description |
| --- | --- | --- |
| GHSA-26hh-7cqf-hhc6 | High | Middleware bypass via segment-prefetch (requires 16.2.6) |
| GHSA-492v-c6pp-mqqv | High | Middleware bypass via dynamic route injection |
| GHSA-c4j6-fc7j-m34r | High | SSRF via WebSocket upgrades |
| GHSA-8h8q-6873-q5fj | High | DoS with Server Components |
| GHSA-mg66-mrh9-m8jx | High | DoS via Cache Components |
| CVE-2026-23870 | High | React Server Components DoS |

See full disclosure: https://developers.cloudflare.com/changelog/post/2026-05-06-react-nextjs-vulnerabilities/

Test plan

  • Verify the app builds successfully on Vercel preview deployment
  • Smoke test the changelog pages load correctly
  • Confirm middleware-protected routes still function as expected

🤖 Generated with Claude Code

Addresses 13 CVEs disclosed 2026-05-06 including:
- GHSA-26hh-7cqf-hhc6 (High): Middleware bypass via segment-prefetch
- GHSA-492v-c6pp-mqqv (High): Middleware bypass via dynamic route injection
- GHSA-c4j6-fc7j-m34r (High): SSRF via WebSocket upgrades
- GHSA-8h8q-6873-q5fj (High): DoS with Server Components
- GHSA-mg66-mrh9-m8jx (High): DoS via Cache Components
- CVE-2026-23870 (High): React Server Components DoS

See: https://developers.cloudflare.com/changelog/post/2026-05-06-react-nextjs-vulnerabilities/

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel Bot commented May 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| sentry-changelog | Ready | Preview, Comment | May 7, 2026 10:33pm |

@oioki oioki merged commit 21e14ac into main May 8, 2026
12 checks passed
@oioki oioki deleted the fix/nextjs-security-upgrade branch May 8, 2026 07:14
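
A follow-up check for this upgrade, added here as an example and not part of the pull request or the repository: it scans a pnpm lockfile for any resolved `next` version below 16.2.6, because the lockfile, not the `package.json` range, decides which version is installed. The lockfile excerpt is constructed, the pnpm v9 key layout is an assumption, and the function names are hypothetical.

```javascript
// Added example (not from the PR): flag resolved `next` versions below the patched floor.
const MIN_NEXT = "16.2.6"; // floor stated in this PR

// Constructed lockfile excerpt; the pnpm v9 key layout is an assumption.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      next:
        specifier: ^16.2.6
        version: 16.2.6(react@19.0.0)
packages:
  next@16.2.4:
    resolution: {integrity: sha512-CONSTRUCTED}
  next@16.2.6:
    resolution: {integrity: sha512-CONSTRUCTED}
  eslint-config-next@16.2.4:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  next@16.2.4(react@19.0.0): {}
  next@16.2.6(react@19.0.0): {}
`;

// Split "16.2.6" or "16.2.6-canary.3" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when a sorts before b; a prerelease sorts before its own release.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Return the sorted, de-duplicated `next` versions in the lockfile that are below minVersion.
function findVulnerableNext(lockText, minVersion = MIN_NEXT) {
  const min = parseVersion(minVersion);
  // Match only keys that start with `next@`, so `eslint-config-next@` and `@next/env@` are skipped.
  const keyRe = /^[ \t]+['"]?next@(\d+\.\d+\.\d+[^('":\s]*)/gm;
  const hits = new Set();
  for (const m of lockText.matchAll(keyRe)) {
    const parsed = parseVersion(m[1]);
    if (parsed && isBelow(parsed, min)) hits.add(m[1]);
  }
  return [...hits].sort();
}

console.log(findVulnerableNext(SAMPLE_LOCK));
```

In CI, the same function can be fed the real `pnpm-lock.yaml` contents, failing the job when the returned list is non-empty.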