Skip to content

fix: bump Next.js to 15.5.20 for security remediation#192

Closed
floreks wants to merge 1 commit into
mainfrom
agent/next-15-5-20-security-remediation-1751920600000
Closed

fix: bump Next.js to 15.5.20 for security remediation#192
floreks wants to merge 1 commit into
mainfrom
agent/next-15-5-20-security-remediation-1751920600000

Conversation

@floreks

@floreks floreks commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

  • bump next from 15.5.15 to 15.5.20
  • keep eslint-config-next aligned at 15.5.20
  • refresh package-lock.json for the resolved Next.js toolchain

Why

This is the smallest safe repo-level remediation confirmed by analysis for the remaining Next.js advisory chain. The remaining form-data and qs findings are transitive through @hubspot/api-client, @types/node-fetch, and start-slicemachine; no clearly safe, limited-scope override or removal was confirmed in this repository, so those were left unchanged.

Validation

  • docker run --rm -v "$PWD":/work -w /work node:22-bullseye bash -lc 'npm install --package-lock-only [email protected] [email protected]'
  • docker run --rm -v "$PWD":/work -w /work node:22-bullseye bash -lc 'HUSKY=0 npm ci && npm run build'
  • docker run --rm -v "$PWD":/work -w /work node:22-bullseye bash -lc 'HUSKY=0 npm ci && npm run lint'

Remaining alerts

These were not forced with overrides because a safe repo-local remediation was not confirmed.

@floreks floreks requested a review from a team as a code owner July 7, 2026 15:00

@floreks floreks left a comment

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:

Name Details
💬 Prompt Implement the minimal safe dependency vulnerability remediation for pluralsh/marketing if and only if analysis confirms a safe repo-level fix exists....
🔗 Run history View run history

@floreks floreks closed this Jul 7, 2026
@floreks floreks deleted the agent/next-15-5-20-security-remediation-1751920600000 branch July 7, 2026 15:01
@greptile-apps

greptile-apps Bot commented Jul 7, 2026

Copy link
Copy Markdown

Greptile Summary

This PR bumps next and eslint-config-next from 15.5.15 to 15.5.20 to remediate the Next.js advisory chain patched in the May 2026 security release (13 CVEs covering middleware bypass, DoS, SSRF, cache poisoning, and XSS). The package-lock.json is refreshed in lockstep with all corresponding @next/swc-* platform binaries and @next/env.

  • package.json: version pins updated for next and eslint-config-next; a missing trailing newline is also fixed.
  • package-lock.json: all nine @next/* packages updated to 15.5.20 with new integrity hashes; no other dependency versions are changed.
  • Remaining form-data and qs advisories via @hubspot/api-client and start-slicemachine are acknowledged but deliberately left unaddressed.

Confidence Score: 5/5

Safe to merge — this is a focused patch-level security bump with no API surface changes.

The only changes are version strings and integrity hashes for Next.js and its toolchain. All nine @next/* packages are updated consistently, the lock file matches package.json, and the author validated the build and lint passes in Docker. No application code is modified.

No files require special attention.

Important Files Changed

Filename Overview
package.json Bumps next and eslint-config-next from 15.5.15 to 15.5.20; also adds a missing trailing newline.
package-lock.json Lock file refreshed consistently: all @next/* packages (env, eslint-plugin-next, 8 SWC platform binaries, and next itself) updated to 15.5.20 with new integrity hashes.

Reviews (1): Last reviewed commit: "fix(deps): bump next to 15.5.20" | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant