fix(deps): update dependency next [security]

[ham-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	15.5.10 → 15.5.13
next (source)	15.5.10 → 15.5.14

GitHub Vulnerability Alerts

CVE-2026-29057

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

• Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.
• Enforce authentication/authorization on backend routes per our security guidance.

CVE-2026-27980

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

• Periodically clean .next/cache/images.
• Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)

---

Release Notes

vercel/next.js (next)

v15.5.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#​85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#​89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#​82340)
• Turbopack: support pattern into exports field (#​82757)
• NFT tracing fixes (#​84155 and #​85323)
• Turbopack: validate CSS without computing all paths (#​83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#​89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 53c01e7e-8d44-4280-992b-dcea50490ce2

📥 Commits

Reviewing files that changed from the base of the PR and between 50a738d and 25ddd25.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• platforms/blabsy/client/package.json
• platforms/calendar/client/package.json
• platforms/emover/client/package.json
• platforms/evoting/api/package.json
• platforms/evoting/client/package.json
• platforms/group-charter-manager/client/package.json

✅ Files skipped from review due to trivial changes (6)

• platforms/calendar/client/package.json
• platforms/blabsy/client/package.json
• platforms/evoting/api/package.json
• platforms/evoting/client/package.json
• platforms/group-charter-manager/client/package.json
• platforms/emover/client/package.json

---

📝 Walkthrough

Walkthrough

Bumped the next dependency in six platform package.json files: platforms/blabsy/client and platforms/evoting/api to 15.5.14; platforms/calendar/client, platforms/emover/client, platforms/evoting/client, and platforms/group-charter-manager/client to 15.5.13. No other changes.

Changes

Cohort / File(s)	Summary
Next.js Version Bump platforms/blabsy/client/package.json, platforms/evoting/api/package.json	Updated next dependency from 15.5.10 to 15.5.14.
Next.js Version Bump platforms/calendar/client/package.json, platforms/emover/client/package.json, platforms/evoting/client/package.json, platforms/group-charter-manager/client/package.json	Updated next dependency from 15.5.10 to 15.5.13.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• Chore/fix lockfile dependency versions #475: Similar Next.js dependency version bumps across platform package.json files.

Suggested reviewers

• sosweetham
• xPathin

Poem

🐰 Hopped the package.json fence with cheer,

Pushed Next forward, versions now clear.
Clients and API got their lightfoot tune,
Spring in the codebase, under a bright dev moon.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description deviates significantly from the required template structure, lacking required sections such as 'Issue Number', 'Type of change', 'How the change has been tested', and the 'Change checklist'. Instead, it contains a Renovate-generated summary with vulnerability details.	Add the missing required sections from the template: Issue Number, Type of change selection, testing information, and complete the change checklist with checkmarks for applicable items.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: updating the Next.js dependency to address security vulnerabilities. It is concise, specific, and clearly indicates the nature and purpose of the change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/npm-next-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

platforms/evoting/client/package.json (1)

68-68: Consider updating eslint-config-next to match Next.js version.

The eslint-config-next is at version 15.5.9 while next is being updated to 15.5.13. Aligning these versions is recommended.

📦 Suggested version alignment

-    "eslint-config-next": "15.5.9",
+    "eslint-config-next": "15.5.13",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platforms/evoting/client/package.json` at line 68, The package.json
dependency "eslint-config-next" is pinned to 15.5.9 while "next" is 15.5.13;
update the "eslint-config-next" entry to match the Next.js version (e.g., set
"eslint-config-next": "15.5.13") so the ESLint config aligns with the Next
version and avoid potential linting mismatches; locate the "eslint-config-next"
key in package.json and bump its version accordingly, then run install and
verify linting passes.

platforms/emover/client/package.json (1)

34-34: Consider updating eslint-config-next to match Next.js version.

The eslint-config-next is at version 15.5.9 while next is being updated to 15.5.13. Version alignment ensures consistency.

📦 Suggested version alignment

-    "eslint-config-next": "15.5.9",
+    "eslint-config-next": "15.5.13",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platforms/emover/client/package.json` at line 34, Update the
eslint-config-next dependency to match the Next.js version: change the
"eslint-config-next" entry in package.json to "15.5.13" (same as "next"), then
run your package manager to install and update lockfiles (e.g., npm/yarn/pnpm
install) so versions stay aligned and linting rules match the Next.js release.

platforms/calendar/client/package.json (1)

72-72: Consider updating eslint-config-next to match Next.js version.

The eslint-config-next is at version 15.1.2 while next is being updated to 15.5.13. Aligning these versions ensures linting rules are compatible with the framework version.

📦 Suggested version alignment

-    "eslint-config-next": "15.1.2",
+    "eslint-config-next": "15.5.13",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platforms/calendar/client/package.json` at line 72, Update the
eslint-config-next dependency to match the Next.js version used in the project:
change the "eslint-config-next" entry in package.json to the same
major/minor/patch as the "next" dependency (e.g., set "eslint-config-next" to
15.5.13) so lint rules stay compatible with the framework version and then run
npm/yarn install and lint to verify no rule regressions.

platforms/blabsy/client/package.json (1)

47-47: Consider updating eslint-config-next to match Next.js version.

The eslint-config-next is at version 15.5.9 while next is being updated to 15.5.13. While not critical for security, keeping these versions aligned helps ensure linting rules match the framework version in use.

📦 Suggested version alignment

-    "eslint-config-next": "15.5.9",
+    "eslint-config-next": "15.5.13",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platforms/blabsy/client/package.json` at line 47, Update the package.json
dependency for eslint-config-next to match the Next.js version by changing
"eslint-config-next" from 15.5.9 to 15.5.13 (to align with the "next" dependency
at 15.5.13), then reinstall dependencies (npm/yarn/pnpm) to update the lockfile
and run the linter (or CI) to verify there are no rule regressions.

platforms/group-charter-manager/client/package.json (1)

67-67: Consider updating eslint-config-next to match Next.js version.

The eslint-config-next is at version 15.5.9 while next is being updated to 15.5.13. Version alignment is recommended for consistency.

📦 Suggested version alignment

-    "eslint-config-next": "15.5.9",
+    "eslint-config-next": "15.5.13",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@platforms/group-charter-manager/client/package.json` at line 67, The
package.json has "eslint-config-next": "15.5.9" that is out of sync with the
updated "next" (15.5.13); update the "eslint-config-next" dependency to
"15.5.13" to align versions, then reinstall dependencies (npm/yarn/pnpm install)
and run your lint/build/test commands to verify no breakages; look for and
update any lockfile changes as needed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@platforms/evoting/api/package.json`:
- Line 25: Update the Next.js dependency in package.json to the patched version
"15.5.13" (replace the existing "next" entry), then run your package manager to
update node_modules and the lockfile (npm install or yarn install), commit the
updated lockfile, run the test suite and any integration checks for rewrites,
and run a security audit (npm audit or yarn audit) to confirm CVE-2026-29057 is
resolved.

---

Nitpick comments:
In `@platforms/blabsy/client/package.json`:
- Line 47: Update the package.json dependency for eslint-config-next to match
the Next.js version by changing "eslint-config-next" from 15.5.9 to 15.5.13 (to
align with the "next" dependency at 15.5.13), then reinstall dependencies
(npm/yarn/pnpm) to update the lockfile and run the linter (or CI) to verify
there are no rule regressions.

In `@platforms/calendar/client/package.json`:
- Line 72: Update the eslint-config-next dependency to match the Next.js version
used in the project: change the "eslint-config-next" entry in package.json to
the same major/minor/patch as the "next" dependency (e.g., set
"eslint-config-next" to 15.5.13) so lint rules stay compatible with the
framework version and then run npm/yarn install and lint to verify no rule
regressions.

In `@platforms/emover/client/package.json`:
- Line 34: Update the eslint-config-next dependency to match the Next.js
version: change the "eslint-config-next" entry in package.json to "15.5.13"
(same as "next"), then run your package manager to install and update lockfiles
(e.g., npm/yarn/pnpm install) so versions stay aligned and linting rules match
the Next.js release.

In `@platforms/evoting/client/package.json`:
- Line 68: The package.json dependency "eslint-config-next" is pinned to 15.5.9
while "next" is 15.5.13; update the "eslint-config-next" entry to match the
Next.js version (e.g., set "eslint-config-next": "15.5.13") so the ESLint config
aligns with the Next version and avoid potential linting mismatches; locate the
"eslint-config-next" key in package.json and bump its version accordingly, then
run install and verify linting passes.

In `@platforms/group-charter-manager/client/package.json`:
- Line 67: The package.json has "eslint-config-next": "15.5.9" that is out of
sync with the updated "next" (15.5.13); update the "eslint-config-next"
dependency to "15.5.13" to align versions, then reinstall dependencies
(npm/yarn/pnpm install) and run your lint/build/test commands to verify no
breakages; look for and update any lockfile changes as needed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 00478f85-7f62-4cfe-8889-c142ac10115e

📥 Commits

Reviewing files that changed from the base of the PR and between d2efd8b and 50a738d.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• platforms/blabsy/client/package.json
• platforms/calendar/client/package.json
• platforms/emover/client/package.json
• platforms/evoting/api/package.json
• platforms/evoting/client/package.json
• platforms/group-charter-manager/client/package.json