fix(deps): update dependency next to v15.2.3 [security] #332

Open
wants to merge 1 commit into
base: main

renovate[bot]

@renovate renovate bot commented Mar 21, 2025

RicardoGEsteves all-non-major update, dependency next to v15.2.3

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF | New value | Package file | References |
|---|---|---|---|---|---|---|---|
| next (source) | dependencies | minor | 15.2.0 -> 15.2.3 | OpenSSF Scorecard | 15.2.3 | package.json | homepage, source |

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v15.2.3

Compare Source

v15.2.2

Compare Source

Core Changes
  • [dev-overlay] fix styling on overflow error messages, add button hover state: #​76771
  • Fix: respond 405 status code on OPTIONS request to SSG page: #​76767
  • [dev-overlay] Always show relative paths: #​76742
  • [metadata] remove the duplicate metadata in the error boundary: #​76791
  • Upgrade React from d55cc79b-20250228 to 443b7ff2-20250303: #​76804
  • [dev-overlay] Ignore animations on page load: #​76834
  • fix: remove useless set-cookie in action-handler: #​76839
  • Turbopack: handle task cancelation: #​76831
  • Upgrade React from 443b7ff2-20250303 to e03ac20f-20250305: #​76842
  • add types for __next_app__ module loading functions: #​74566
  • fix duplicated noindex when server action is triggered: #​76847
  • fix: don't drop queued actions when navigating: #​75362
  • [dev-overlay]: remove dependency on platform for focus trapping: #​76849
  • Turbopack: Add turbopack_load_by_url: #​76814
  • Add handling of origin in dev mode: #​76880
  • [dev-overlay] Stop grouping callstack frames into ignored vs. not ignored: #​76861
  • Upgrade React from e03ac20f-20250305 to 029e8bd6-20250306: #​76870
  • [dev-overlay] Increase padding if no x button present: #​76898
  • fix: prevent incorrect searchParams being applied on certain navs: #​76914
  • [dev-overlay] Dim ignore-listed callstack frames when shown: #​76862
Example Changes
  • chore(cna): update tailwind styles to be closer to non-tw cna: #​76647
Misc Changes
  • Fix canary only warning for devlow-bench: #​76772
  • [test] Add special placeholder if stackframes point into dist dir: #​76741
  • [test] Use new Redbox matchers in pages/ service-side-dev-errors: #​76779
  • [test] Use new Redbox matchers in app/ dynamic-error-trace: #​76783
  • [test] Use new Redbox matchers in app/ owner-stack-invalid-element-type: #​76786
  • [test] Use new Redbox matchers in app/ hook-functuon-names: #​76785
  • [test] Use new Redbox matchers in app/ undefined-default-export: #​76781
  • [test] Use new Redbox matchers in server-navigation-error: #​76787
  • [test] Fix flaky error-recovery test: #​76789
  • [test] Use new Redbox matchers in pages/ gssp-ssr-change-reloading: #​76788
  • [docs] update Tailwind CSS installation and configuration instructions: #​76259
  • docs: Tailwind v4: #​76801
  • chore(docs): update minimumCacheTTL example to 31 days: #​76796
  • Turbopack: improve sectioned source maps: #​76627
  • [test] Use new Redbox matchers in pages/ middleware-errors: #​76797
  • doc: use redirect in client components: #​76332
  • [docs] document experimental viewTransition flag: #​76832
  • docs(errors): remove confusing good-to-know since global-errors.tsx also show in dev as of 15.2: #​76825
  • Turbopack: don't use HashMap in manifests: #​76833
  • Update labeler.json: #​76828
  • Fix missing turbo command for rust-check: #​76851
  • fix(turbopack): Use correct SyntaxContext for __turbopack_esm__: #​73544
  • Cleanup pure span handling: #​76846
  • Turbopack: remove unused IncludeModulesModule: #​76868
  • Update test snapshots for alternative bundler [5/n]: #​76617
  • Update test snapshots for alternative bundler [6/n]: #​76768
  • [test] Use next.browser instead of webdriver in pages/ client-navigation: #​76867
  • fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files: #​76773
  • Revert "fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files": #​76879
  • build: Update swc_core to v16.4.0: #​76596
  • docs: update Turbopack docs: #​76799
  • build: Update lightningcss to v1.0.0-alpha.64: #​76856
  • build: Fix warning: #​76890
  • Turbopack: fix __dirname: #​76902
  • Turbopack: deterministic server action order: #​76905
  • docs: reword the docs of veiw transition flag: #​76841
  • fix(turbopack): Use vergen-gitcl instead of shadow-rs (or vergen-git2) for napi and next-api crates to fix stale git lock files: #​76889
  • Turbopack: ensure default layout is provided in default not-found entrypoint: #​76912
  • chore(github): add moar labels: #​76922
  • [test] Use new Redbox matchers in pages/ client-navigation/rendering: #​76798
  • docs: fix create-next-app cli title: #​76908
Credits

Huge thanks to @​pranathip, @​gaojude, @​ijjk, @​eps1lon, @​Nayeem-XTREME, @​leerob, @​styfle, @​samcx, @​sokra, @​huozhi, @​raunofreiberg, @​mischnic, @​lubieowoce, @​unstubbable, @​ztanner, @​kdy1, @​timneutkens, @​wbinnssmith, @​bgw, and @​oscr for helping!

v15.2.1

Compare Source

Core Changes
  • Unify Link and Form prefetching: #​76184
  • Turbopack: Ensure server actions sourcemaps tests pass: #​76157
  • [dev-overlay] control dark theme in one place: #​76528
  • [dev-overlay] change css var for terminal: #​76590
  • [dev-overlay] Discriminate stack frame settled typed: #​76517
  • Remove obsolete sourcePackage references: #​76550
  • refactor: remove unused variable in externals handling: #​76599
  • fix: Add popular embedding libraries to serverExternalPackages: #​76574
  • [Segment Cache] Implement hash-only navigations: #​76179
  • Webpack: abstract away getting compilation spans: #​76579
  • report compiler duration for webpack and improve numbers: #​76665
  • [dev-overlay] fix dark theme missing close bracket: #​76672
  • Remove revalidate property from incremental cache ctx for FETCH kind: #​76500
  • [dev-overlay] fix: env name label style was out of sync with error type label: #​76668
  • Turbopack: avoid celling source maps before minify: #​76626
  • refactor(CI): Merge all four bundler test manifest scripts into one: #​76652
  • [metadata] fix duplicate metadata for parallel routes: #​76669
  • [Segment Cache] Omit from bundle if flag disabled: #​76622
  • [Segment Cache] Support output: "export" mode: #​75671
  • [Segment Cache] Refresh on same-page navigation: #​76223
  • [metadata] re-enable streaming metadata with PPR: #​76119
  • [Segment Cache] Search param fallback handling: #​75990
  • [Segment Cache] Fix: canonicalURL omits origin: #​76444
  • fix metadata basePath for manifest: #​76681
  • Propagate expire time to cache-control header and prerender manifest: #​76207
  • Show revalidate/expire columns in build output: #​76343
  • Gate alternate bundler behind canary only: #​76634
  • [dynamicIO] routes with dynamic segments should be able to be static in dev: #​76691
  • [repo] upgrade ts 5.8.2: #​76709
  • [metadata]: ensure metadata boundary is only rendered once on client nav: #​76692
  • [metadata] clean up redudant options: #​76712
  • Fix uniqueness detection for generateStaticParams: #​76713
  • Upgrade React from 22e39ea7-20250225 to d55cc79b-20250228: #​76680
  • [Turbopack] Compute module batches and use them for chunking: #​76133
  • [Dev Tools] Improve keyboard interactions for menu & overlays: #​76754
  • Keep server code out of browser chunks: #​76660
  • Turbopack: inline minify into code generation and make it a plain function instead of a turbo tasks function: #​76628
  • fix edge runtime asset fetch in pages api: #​76750
  • Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler: #​76682
Example Changes
  • docs: fix reading params code blocks: #​76705
Misc Changes
  • fix(rustdoc): Fix rustdoc warnings, block on rustdoc failures in CI: #​76448
  • Update more global turbo CLI usage: #​76576
  • docs: Node.js runtime support for Middleware: #​76556
  • build: Update swc_core to v16.0.0: #​76414
  • Turbopack: prevent panic in swc issue emitter: #​76595
  • Unflake parallel-routes-revalidation test: #​76600
  • Fix octokit.rest.issues.addLabels call: #​76601
  • [test] Use new Redbox matchers in app/ error-recovery: #​76552
  • [test] Use new Redbox matchers in pages/ ReactRefreshLogBox-app-doc: #​76551
  • Run nightly bundler integration tests also with React 18: #​76606
  • 15.2: Add version history for devIndicators and note on deprecated options: #​76611
  • 15.2 docs: document missing htmlLimitedBots option: #​76616
  • Update bundler production test manifest: #​76584
  • Update bundler development test manifest: #​76585
  • Fix test after CI switched to pnpm 10: #​76615
  • chore(cna): fix theme extend for tailwind v4: #​76583
  • [test] Use new Redbox matchers in app/ ReactRefreshLogBoxMisc: #​76563
  • Don’t use native built-ins for additional bundler: #​76577
  • Revert "Run nightly bundler integration tests also with React 18": #​76640
  • Update bundler production test manifest: #​76643
  • Update bundler development test manifest: #​76644
  • Turbopack: dedupe middleware-manifest entries: #​76621
  • Turbopack: Improve edge tests: #​76607
  • Turbopack: add test test for css order: #​76675
  • Turbopack: fix order of chunk items in cycles: #​76676
  • [ci] Fix test-turbopack-integration not having any shards : #​76355
  • Update Turbopack development test manifest: #​76658
  • Update Turbopack production test manifest: #​76659
  • fix(CI): Upload to areweturboyet immediately after a manifest is updated, not only on a fixed cron schedule: #​76688
  • Update test snapshots for alternative bundler [4/n]: #​76578
  • fix(turbopack): Fix analysis of private properties: #​76654
  • Turbopack: Simplify emitDecoratorMetadata test: #​76678
  • [test] Use new Redbox matchers in pages/ ReactRefreshRegression: #​76743
  • [test] Remove describeVariants helper: #​76631
  • [test] Fix flaky error-recovery test: #​76753
  • [test] Use new Redbox matchers in app/ dynamic-error: #​76744
  • [test] Use new Redbox matchers in app/ rsc-runtime-errors: #​76745
  • Turbopack: avoid panic in module batches: #​76757
  • Revert "test: temporarily disable after deploy test": #​74990
  • toDisplayRedbox(): replace all occurrences of testDir: #​76618
  • Fix: missing close brace in demo code: #​76549
  • Disable flaky Turbopack tests: #​76760
  • feat(CI): Revalidate vercel data cache on areweturboyet after uploading data to KV store: #​76693
  • chore(github): move top prs and feature requests to different Slack channel: #​76764
  • Fix flaky Bun test: #​76763
Credits

Huge thanks to @​acdlite, @​bgw, @​ijjk, @​molebox, @​kdy1, @​timneutkens, @​devjiwonchoi, @​mischnic, @​unstubbable, @​eps1lon, @​huozhi, @​philipithomas, @​delbaoliveira, @​samcx, @​wbinnssmith, @​sokra, @​gnoff, @​leerob, @​ztanner, @​raunofreiberg, @​lubieowoce, and @​LihaoWang for helping!

v15.2.0

Compare Source

v15.1.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: work around setTimeout memory leak, improve wrappers (#​75727)
  • add additional x-middleware-set-cookie filtering (#​75869)
  • fix: ensure lint worker errors aren't silenced (#​75766)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!

v15.1.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: don't memory-leak promises passed to waitUntil (#​75041)
  • backport: fix prerender issue with intercepting routes + generateStaticParams (#​75170)
Credits

Huge thanks to @​lubieowoce and @​ztanner for helping!


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
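
The advisory's Patches list and Workaround, sketched as an added example (not code from this PR, Renovate, or Next.js): a check of an installed version against the listed fixed releases, and a filter that rejects any request carrying the x-middleware-subrequest header before it is forwarded to Next.js. The function names, status strings and sample requests are assumptions made for illustration.

```javascript
// Added example (not part of the PR or of Next.js). Header name and fixed
// versions come from the advisory quoted above; function names are illustrative.
const BLOCKED_HEADER = 'x-middleware-subrequest';
const FIXED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };

// 'patched' | 'needs-update' | 'workaround-only' (11.x) | 'unknown' (not in the list).
function patchStatus(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) return 'unknown'; // prereleases, ranges, tags: check by hand
  const v = m.slice(1).map(Number);
  if (v[0] === 11) return 'workaround-only';
  const fixed = FIXED[v[0]];
  if (!fixed) return 'unknown';
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] > fixed[i] ? 'patched' : 'needs-update';
  }
  return 'patched';
}

// rawHeaders is Node's [name, value, name, value, ...] array, names as sent.
// Header names are case-insensitive and the value is irrelevant: presence is enough.
function hasBlockedHeader(rawHeaders) {
  for (let i = 0; i < rawHeaders.length; i += 2) {
    if (String(rawHeaders[i]).trim().toLowerCase() === BLOCKED_HEADER) return true;
  }
  return false;
}

// Call first in the request handler of a proxy or custom server that sits in
// front of Next.js. Returns true when the request was rejected and must not be forwarded.
function rejectIfBlocked(req, res, log = console.warn) {
  if (!hasBlockedHeader(req.rawHeaders || [])) return false;
  log(`blocked ${req.method} ${req.url}: external ${BLOCKED_HEADER} header`);
  res.writeHead(403, { 'content-type': 'text/plain' });
  res.end('Forbidden');
  return true;
}

// Constructed sample requests (not real traffic), shaped like http.IncomingMessage.
function demo() {
  const mockRes = () => ({ status: 0, writeHead(s) { this.status = s; }, end() {} });
  const clean = { method: 'GET', url: '/dashboard', rawHeaders: ['Host', 'app.example'] };
  const tagged = { method: 'GET', url: '/dashboard',
    rawHeaders: ['Host', 'app.example', 'X-Middleware-Subrequest', 'constructed-value'] };
  const r1 = mockRes(), r2 = mockRes();
  return [rejectIfBlocked(clean, r1, () => {}), r1.status,
          rejectIfBlocked(tagged, r2, () => {}), r2.status];
}
console.log(patchStatus('15.2.0'), demo());
```

Logging each rejection gives a detection signal as well as a block. Most reverse proxies and load balancers can express the same presence-based rule natively.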


renovate bot commented Mar 21, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: [email protected]
npm error Found: [email protected]
npm error node_modules/react
npm error   react@"^19" from the root project
npm error   peer react@"^18.0.0 || ^19.0.0 || ^19.0.0-0" from @clerk/[email protected]
npm error   node_modules/@clerk/clerk-react
npm error     @clerk/clerk-react@"^5.22.3" from @clerk/[email protected]
npm error     node_modules/@clerk/nextjs
npm error       @clerk/nextjs@"^6.9.15" from the root project
npm error   45 more (@clerk/nextjs, @clerk/shared, @floating-ui/react-dom, ...)
npm error
npm error Could not resolve dependency:
npm error peer react@"^17.x || ^18.x" from [email protected]
npm error node_modules/typewriter-effect
npm error   typewriter-effect@"^2.21.0" from the root project
npm error
npm error Conflicting peer dependency: [email protected]
npm error node_modules/react
npm error   peer react@"^17.x || ^18.x" from [email protected]
npm error   node_modules/typewriter-effect
npm error     typewriter-effect@"^2.21.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-03-21T18_08_17_277Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-03-21T18_08_17_277Z-debug-0.log
