fix: bump Next.js to 15.5.20 for security remediation#192
Conversation
floreks
left a comment
There was a problem hiding this comment.
This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:
| Name | Details |
|---|---|
| 💬 Prompt | Implement the minimal safe dependency vulnerability remediation for pluralsh/marketing if and only if analysis confirms a safe repo-level fix exists.... |
| 🔗 Run history | View run history |
Greptile SummaryThis PR bumps
Confidence Score: 5/5Safe to merge — this is a focused patch-level security bump with no API surface changes. The only changes are version strings and integrity hashes for Next.js and its toolchain. All nine No files require special attention.
|
| Filename | Overview |
|---|---|
| package.json | Bumps next and eslint-config-next from 15.5.15 to 15.5.20; also adds a missing trailing newline. |
| package-lock.json | Lock file refreshed consistently: all @next/* packages (env, eslint-plugin-next, 8 SWC platform binaries, and next itself) updated to 15.5.20 with new integrity hashes. |
Reviews (1): Last reviewed commit: "fix(deps): bump next to 15.5.20" | Re-trigger Greptile
Summary
nextfrom15.5.15to15.5.20eslint-config-nextaligned at15.5.20package-lock.jsonfor the resolved Next.js toolchainWhy
This is the smallest safe repo-level remediation confirmed by analysis for the remaining Next.js advisory chain. The remaining
form-dataandqsfindings are transitive through@hubspot/api-client,@types/node-fetch, andstart-slicemachine; no clearly safe, limited-scope override or removal was confirmed in this repository, so those were left unchanged.Validation
docker run --rm -v "$PWD":/work -w /work node:22-bullseye bash -lc 'npm install --package-lock-only [email protected] [email protected]'docker run --rm -v "$PWD":/work -w /work node:22-bullseye bash -lc 'HUSKY=0 npm ci && npm run build'docker run --rm -v "$PWD":/work -w /work node:22-bullseye bash -lc 'HUSKY=0 npm ci && npm run lint'Remaining alerts
form-dataremains via@hubspot/[email protected] -> [email protected]form-dataremains via@types/node-fetch -> [email protected]qsremains via[email protected] -> [email protected]/[email protected] -> [email protected]These were not forced with overrides because a safe repo-local remediation was not confirmed.