Commit c699d1e
fix(core): TRAC-668 bump Next.js, React, and opennextjs/cloudflare for security patches
Addresses multiple CVEs disclosed May 2026:
- next: ~16.1.6 → ~16.2.6 (middleware bypass, SSRF, XSS, cache poisoning)
- react/react-dom: 19.1.5 → 19.1.7 (GHSA-rv78-f8rc-xrxh DoS via OOM/CPU on server function endpoints)
- @opennextjs/cloudflare: 1.17.3 → 1.19.8 in native-hosting workflow
eslint-config-next intentionally left at 15.5.10 — @16.x requires ESLint 9+/flat config migration.
Fixes TRAC-668
Co-Authored-By: Claude <noreply@anthropic.com>1 parent 37e0a7c commit c699d1e
4 files changed
Lines changed: 566 additions & 508 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
5 | | - | |
| 5 | + | |
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
29 | | - | |
| 29 | + | |
30 | 30 | | |
31 | 31 | | |
32 | 32 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
51 | 51 | | |
52 | 52 | | |
53 | 53 | | |
54 | | - | |
55 | | - | |
56 | | - | |
57 | | - | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
58 | 61 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
60 | 60 | | |
61 | 61 | | |
62 | 62 | | |
63 | | - | |
| 63 | + | |
64 | 64 | | |
65 | 65 | | |
66 | 66 | | |
67 | 67 | | |
68 | | - | |
| 68 | + | |
69 | 69 | | |
70 | | - | |
| 70 | + | |
71 | 71 | | |
72 | 72 | | |
73 | 73 | | |
| |||
0 commit comments