Commit 4ab5740
fix(core): TRAC-668 bump Next.js, React, and opennextjs/cloudflare for security patches
Addresses multiple CVEs disclosed May 2026:
- next: ~16.1.6 → ~16.2.6 (middleware bypass, SSRF, XSS, cache poisoning)
- react/react-dom: 19.1.5 → 19.1.7 (GHSA-rv78-f8rc-xrxh DoS via OOM/CPU on server function endpoints)
- @opennextjs/cloudflare: 1.17.3 → 1.19.8 in native-hosting workflow
eslint-config-next intentionally left at 15.5.10 — @16.x requires ESLint 9+/flat config migration.
Fixes TRAC-668
Co-Authored-By: Claude <noreply@anthropic.com>1 parent 37e0a7c commit 4ab5740
3 files changed
Lines changed: 558 additions & 503 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
29 | | - | |
| 29 | + | |
30 | 30 | | |
31 | 31 | | |
32 | 32 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
60 | 60 | | |
61 | 61 | | |
62 | 62 | | |
63 | | - | |
| 63 | + | |
64 | 64 | | |
65 | 65 | | |
66 | 66 | | |
67 | 67 | | |
68 | | - | |
| 68 | + | |
69 | 69 | | |
70 | | - | |
| 70 | + | |
71 | 71 | | |
72 | 72 | | |
73 | 73 | | |
| |||
0 commit comments