Skip to content

Update dependency next to v16.2.3 [SECURITY]#4221

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-next-vulnerability
Apr 23, 2026
Merged

Update dependency next to v16.2.3 [SECURITY]#4221
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-next-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
next (source) 16.2.216.2.3 age confidence

Next.js has a Denial of Service with Server Components

GHSA-q4gf-8mx6-v5v3

More information

Details

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

vercel/next.js (next)

v16.2.3

Compare Source


Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security label Apr 23, 2026
@renovate renovate Bot enabled auto-merge (squash) April 23, 2026 22:48
@renovate renovate Bot added the security label Apr 23, 2026
@codecov

codecov Bot commented Apr 23, 2026

Copy link
Copy Markdown

❌ 2 Tests Failed:

Tests completed Failed Passed Skipped
2240 2 2238 189
View the top 2 failed test(s) by shortest run time
github.com/PeerDB-io/peerdb/flow/e2e::TestApiMy
Stack Traces | 0.01s run time
=== RUN   TestApiMy
=== PAUSE TestApiMy
=== CONT  TestApiMy
--- FAIL: TestApiMy (0.01s)
github.com/PeerDB-io/peerdb/flow/e2e::TestApiMy/TestQRep
Stack Traces | 63.2s run time
=== RUN   TestApiMy/TestQRep
=== PAUSE TestApiMy/TestQRep
=== CONT  TestApiMy/TestQRep
2026/04/23 23:03:27 INFO Received AWS credentials from peer for connector: ci x-peerdb-additional-metadata={Operation:FLOW_OPERATION_UNKNOWN}
2026/04/23 23:03:27 INFO Received AWS credentials from peer for connector: clickhouse x-peerdb-additional-metadata={Operation:FLOW_OPERATION_UNKNOWN}
    api_test.go:2371: WaitFor qrep initial load 2026-04-23 23:03:27.198397361 +0000 UTC m=+630.803149471
2026/04/23 23:03:27 INFO fetched schema x-peerdb-additional-metadata={Operation:FLOW_OPERATION_UNKNOWN} table=e2e_test_api_ezbuh5bd.qrepapi_api_ezbuh5bd
    api_test.go:2371: code: 60, message: Unknown table expression identifier 'qrepapi_api_ezbuh5bd' in scope SELECT id, val FROM qrepapi_api_ezbuh5bd FINAL WHERE _peerdb_is_deleted = 0 ORDER BY 1 ASC SETTINGS use_query_cache = false
2026/04/23 23:03:27 INFO fetched schema x-peerdb-additional-metadata={Operation:FLOW_OPERATION_UNKNOWN} table=e2e_test_api_1twfv3w5.table1
    api_test.go:2376: WaitFor insert post qrep initial load 2026-04-23 23:03:28.211322909 +0000 UTC m=+631.816075019
2026/04/23 23:03:28 INFO fetched schema x-peerdb-additional-metadata={Operation:FLOW_OPERATION_UNKNOWN} table=e2e_test_api_ezbuh5bd.qrepapi_api_ezbuh5bd
    api_test.go:2376: q.NumRecords: 2
    api_test.go:2376: other.NumRecords: 1
    api_test.go:2376: q.NumRecords: 2
    api_test.go:2376: other.NumRecords: 1
    api_test.go:2395: WaitFor finish 2026-04-23 23:03:30.232652881 +0000 UTC m=+633.837404992
2026/04/23 23:03:30 INFO fetched schema x-peerdb-additional-metadata={Operation:FLOW_OPERATION_UNKNOWN} table=e2e_test_api_nu8cargq.valid
    api_test.go:2395: UNEXPECTED TIMEOUT finish 2026-04-23 23:04:30.367212047 +0000 UTC m=+693.971964157
    api_test.go:49: begin tearing down postgres schema api_ezbuh5bd
--- FAIL: TestApiMy/TestQRep (63.22s)

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 Flaky Test Detected

Analysis: TestApiMy/TestQRep timed out waiting for the QRep flow to finish because ClickHouse returned "Unknown table expression identifier" (table not yet visible) under high parallel-test load (32 concurrent tests), a classic async timing race condition rather than a code bug.
Confidence: 0.9

✅ Automatically retrying the workflow

View workflow run

@renovate renovate Bot merged commit a37cfed into main Apr 23, 2026
20 of 21 checks passed
@renovate renovate Bot deleted the renovate/npm-next-vulnerability branch April 23, 2026 23:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant