Bump Next to >15.5.13

[AlanBreck]

npm audit produces a number of errors for Next. Could next be updated to a non-known vulnerable versions?

next  0.9.9 - 15.5.13
Severity: high
Next.js Affected by Cache Key Confusion for Image Optimization API Routes - https://github.com/advisories/GHSA-g5qg-72qw-gw5v
Next.js Improper Middleware Redirect Handling Leads to SSRF - https://github.com/advisories/GHSA-4342-x723-ch2f
Next.js Content Injection Vulnerability for Image Optimization - https://github.com/advisories/GHSA-xv57-4mr9-wg8v
Next Vulnerable to Denial of Service with Server Components - https://github.com/advisories/GHSA-mwv6-3258-q52c
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up - https://github.com/advisories/GHSA-5j59-xgg2-r9c4
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration - https://github.com/advisories/GHSA-9g9p-9gw9-jx7f
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components - https://github.com/advisories/GHSA-h25m-26qc-wcjf
Next.js: HTTP request smuggling in rewrites - https://github.com/advisories/GHSA-ggv3-7p47-pfv8
Next.js: Unbounded next/image disk cache growth can exhaust storage - https://github.com/advisories/GHSA-3x4c-7xq6-9pq8

[AlanBreck]

I'm seeing an update here to Next 15.x, but it doesn't seem to be included in the latest release for core, 6.5.2.

@emmatown, is it expected that 6.5.2 didn't include the NextJS bump to 15?

[trickreich]

@emmatown / @dcousens Are there any plans or is there an up2date roadmap somewhere? Could we provide pull requests?

[dcousens]

Pull requests are accepted, but we use "next": "^15.5.12" (see https://github.com/keystonejs/keystone/blob/main/packages/core/package.json#L280), so I don't know exactly what you want to do there when this is already in your control.

[dcousens]

Ah, sorry, you are talking about the v6 branch, yes, pull requests accepted

[dcousens]

@trickreich I will happily review and release any pull request that ports #9421 to the v6 branch

[trickreich]

@dcousens it's more like a general topic, what's the roadmap and is there still active development (prisma new version, etc.)

[dcousens]

@trickreich myself and @emmatown are in active development on the newest major version, with the next short-term target of moving isFilterable and isOrderable to .access control and graphql.omit (as I previously said in #9142 (reply in thread)); and adding .actions functionality.

With that completed, we should be ready to publish the next major. 🥳
I don't have a road-map beyond that for now.

[AlanBreck]

I'm seeing an update here to Next 15.x, but it doesn't seem to be included in the latest release for core, 6.5.2.

Ah, so this is expected then, since next@15.x doesn't apply to v6?

[dcousens]

@AlanBreck not that it doesn't apply, but that it hasn't been applied thus far.
Time has flown by, that pull request was February 2025... please make a pull request to port that to the v6 branch.

The recent cacophony of security vulnerabilities changes the equation on this somewhat compared to a few months ago.

[trickreich]

@dcousens So there will be a new version 7 (from the current main branch)?
And this new version will stick with prisma 6?

[AlanBreck]

Claude and I are working on a port. I've got the first pass in a draft PR, but need to sort out the broken tests.

[akashKumawat-cimet]

Any idea when will Keystone v7 be released to support Nextjs 15+ versions ?