chore(deps): update dependency next to v16.0.9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	16.0.2 -> 16.0.9
next (source)	16.0.7 -> 16.0.9
next (source)	^15.4.8 -> ^16.0.0
next (source)	^14.2.33 -> ^16.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-9qr9-h5gf-34mp

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

GHSA-mwv6-3258-q52c

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

GHSA-w37m-7fhw-fmv9

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

GHSA-5j59-xgg2-r9c4

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and did not fully prevent denial-of-service attacks in all payload types. This affects React package versions 19.0.2, 19.1.3, and 19.2.2 and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious HTTP request can be crafted and sent to any Server Function endpoint that, when deserialized, can enter an infinite loop within the React Server Components runtime. This can cause the server process to hang and consume CPU, resulting in denial of service in unpatched environments.

---

Release Notes

vercel/next.js (next)

v16.0.9

Compare Source

v16.0.8

Compare Source

v16.0.7

Compare Source

v16.0.6

Compare Source

v16.0.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(nodejs-middleware): await for body cloning to be properly finalized (#​85418)

Credits

Huge thanks to @​lucasadrianof for helping!

v16.0.4

Compare Source

v16.0.3

Compare Source

Core Changes

• fix: Rspack throw error when using ForceCompleteRuntimePlugin: #​85221
• fix: build CLI output not displaying Proxy (Middleware) when nodejs runtime: #​85403
• fix: staleTimes.static should consistently enforce a 30s minimum: #​85479
• [turbopack] fix build of empty entries of pages: #​84873
• Cache the head separately from the route tree: #​84724
• Allow inspecting dev server on default port with next dev --inspect: #​85037
• Avoid proxying React modules through workUnitStore: #​85486
• fix: redirect should always return updated router state: #​85533
• Upgrade React from b4455a6e-20251027 to 4f931700-20251029: #​85518
• [turbopack] Move generation of cacheLife types out of the webpack plugin and into the dev bundler directly: #​85539
• Ensure user-space stack frame for 'use cache' in page/layout component: #​85519
• Update parallel routes in build-complete: #​85546
• fully remove clientSegmentCache flag: #​85541
• [turbopack] Support relative paths in turbopack source maps.: #​85146
• Release unnecessary memory on hydration finish: #​84967
• Preserve interception markers in parameter types: #​85526
• move segment cache entries to top level segment-cache dir: #​85542
• Upgrade React from 4f931700-20251029 to 561ee24d-20251101: #​85670
• [devtools] Remove title from preferences: #​85698
• Update font data: #​85708
• Don't invalidate hot reloader excessively during dev server boot: #​85732
• [codemod] fix: next-lint-to-eslint-cli did not handle 'next' plugin: #​85749
• Upgrade React from 561ee24d-20251101 to 67f7d47a-20251103: #​85762
• Tracing: Fix memory leak in span map: #​85529
• Fix documentation typo in refresh function: #​85696
• fix: eslint-config-next types was exporting to dist/src: #​85768
• Upgrade React from 67f7d47a-20251103 to f646e8ff-20251104: #​85772
• remove unused RSC payload property: #​85746
• [runtime prefetching]: fix runtime prefetching when deployed: #​85595
• Turbopack: next build --analyze: #​85197
• Build: Log amount of workers during static generation: #​85706
• Upgrade React from f646e8ff-20251104 to dd048c3b-20251105: #​85819
• Sync devFallbackParams when generateStaticParams change: #​85741
• chore: upgrade rspack 1.6.0: #​84210
• [mcp] get_routes mcp tool: #​85773
• Split each path param into a separate cache key : #​85758
• [turbopack] change server source maps in production to use relative paths: #​85576
• fix: skip collecting metadata for app-error in webpack: #​85892
• fix: support root span attributes with a custom server: #​85521
• fix isDynamicRSC condition when deployed: #​85919
• [turbopack] Make it possible to synchronously access native bindings: #​85787
• Upgrade React from dd048c3b-20251105 to fa50caf5-20251107: #​85906
• Fix telemetry event loss on build failures and server shutdown: #​85867
• Remove one stack frame from 'use cache' call stacks: #​85966
• Upgrade React from fa50caf5-20251107 to 52684925-20251110: #​85980
• Deployment adapter: fix metadata for "/" route: #​85820
• Enable React's default Transition indicator behind a flag: #​86000
• update routes-manifest to include whether app has pages routes: #​86051

Misc Changes

• chore: Add opt-level = s for not frequently used crates: #​85426
• [test] Deflake cache-components-allow-otel-spans: #​85466
• [test] Move remaining experimental.cacheLife: #​85467
• Turbopack: chore: Remove mopa dependency in turbo-tasks (2nd attempt): #​85286
• Update Proxy docs: #​85439
• [CNA] Do not prompt for Turbopack: #​85404
• Clean up new release process: #​85458
• Update E2E tests workflow: #​85485
• Update E2E deploy tests manifest: #​85483
• docs: example are incorrect async function exports only: #​85453
• [test] Handle CLI assertions where no "Compiling..." log is present: #​85499
• [test] Speed up refresh test: #​85505
• [test] Add test cases for dynamic caches without suspense boundaries: #​85500
• docs: Routes are wrapped w/ Activity in Cache Components: #​85309
• docs: GET handler behavior under cache components: #​85389
• [test] Avoid needless start/stop from using createSandbox: #​85507
• [test] Use --debug-build-paths instead of NEXT_PRIVATE_APP_PATHS: #​85504
• docs: revalidateTag requires second argument: #​85284
• Refactor GTM implementation to support google tag gateway: #​81011
• Update Rspack production test manifest: #​85494
• Update Rspack development test manifest: #​85495
• [docs] Fix a typo: #​85492
• [test] Regenerate tsconfig.json files: #​85515
• [Turbopack] clean up completion.rs a bit: #​84863
• [test] Remove maxRetries and hardError parameters: #​85536
• Turbopack: remove the .into() alias to .cell(): #​85516
• [test] Consolidate identical snapshots across different bundlers: #​85532
• [turbopack] Change where cells are created in resolve_raw to make cell allocation order deterministic.: #​85525
• Turbopack: Make tasks deterministic: #​85524
• [test] Separate act and assertions: #​85508
• [test] assert* -> waitFor* when the util is not instant: #​85450
• Turbopack: move whole_app_module_graphs to top level: #​84897
• [test] Bail on sending requests to Next.js instance if it's no longer available: #​85557
• [test] Deflake tests comparing two random numbers: #​85571
• [test] Disallow custom RegExp-like implementations in check: #​85537
• [test] Deflake prerender suite: #​85563
• Turbopack: chore: Remove some dead MagicAny serialization code from turbo_tasks::value: #​85577
• [test]: fix broken scroll restoration test: #​85599
• [test] Deflake nested after() tests: #​85566
• [test] Stop installing unused dependencies: #​85569
• [test] Consider test/integration/ in flake detection tests: #​85590
• Turbopack: more checks on verify_serialization: #​84952
• Turbopack: add track_caller to improve panics: #​85565
• Turbopack: add verify_determinism feature to check if tasks are deterministic: #​85559
• docs: cache life rework: #​85224
• Turbopack: fix hanging dev server and builds with fs cache: #​85606
• Turbopack: Fix compound assignment expression evaluation (#​85478): #​85593
• Turbopack: fix Scope holding Arc too long: #​85611
• [ci] Improve change detection logic in run-for-change script: #​85619
• [test] Ignore in deploy tests if a child process isn't available: #​85636
• Turbopack: add size_hint and len for Chunk iterator: #​85622
• [test]: move resume-data-cache to e2e test: #​85647
• Update Rspack development test manifest: #​85662
• Update Rspack production test manifest: #​85661
• Update Rspack production test manifest: #​85688
• Update Rspack development test manifest: #​85689
• [test] Deflake root-optional-revalidate: #​85584
• docs: fix generateImageMetadata example to use normal params object: #​85658
• Turbopack: Upgrade image crate: #​85084
• docs: update multi sitemap argumenmt type: #​85701
• [test] Move all files to .ts (6/6): #​85641
• Turbopack: add a batch add method to the storage: #​84270
• docs: recommend reverse-proxy when self-hosting: #​85650
• [test] Deflake prefetching.stale-times: #​85733
• [test] Deflake custom cache handler test: #​85610
• [test] Allow CLI integration test to be retryable: #​85586
• docs: update docs to mention ESLint as default: #​85740
• docs(next.config): this docs should remove ".mts" is not supported.: #​85716
• Turbopack: cleanup StyleSheetLike: #​85718
• Turbopack: disable tree shaking for tracing: #​85722
• [test] Move all files to .ts (3/6): #​85638
• [test] Move all files to .ts (2/6): #​85637
• [test] Move all files to .ts (1/6): #​85634
• docs: generateSitemap passes id as promise: #​85767
• [test] Move all files to .ts (4/6): #​85639
• docs: disclosure on path-to-regexp: #​85629
• chore: update rspack binding to 1.6.0: #​85717
• Turbopack: trace worker_threads worker entry: #​85734
• Update Rspack development test manifest: #​85761
• Turbopack: chore: Remove extern crate and macro_use syntax: #​85778
• [turbopack] Drop duration and allocation tracking from CaptureFuture: #​85534
• Turbopack: chore: Remove dead RouteMatcher stuff: #​85784
• docs: fresh up getting started 00: #​85736
• Turbopack: chore: Remove the serde_regex dependency, which wasn't very heavily used: #​85578
• Turbopack: use batch add in connect children: #​85623
• [test] Move all files to .ts (5/6): #​85640
• [test] Deflake legacy-link-behavior: #​85805
• Resolve request ID confusion: #​85809
• Turbopack: use batch add to add initial followers: #​85624
• Turbopack: chore: Remove dead experimental.ppr struct field: #​85792
• Turbopack: chore: Avoid string clones in Glob::parse by using RcStr: #​85579
• Update Rspack production test manifest: #​85795
• docs: getting started updates 01: #​85750
• chore: Update patricia_tree dependency, remove manual serde impls: #​85785
• docs: keywords in system reqs and add browserslist: #​85838
• Honour NEXT_TEST_PREFER_OFFLINE in install-native.mjs: #​85850
• Turbopack: chore: Update anyhow, remove old backtrace feature: #​85844
• Turbopack: Remove some dead (or useless) code from next-core/src/next_client_reference/visit_client_reference.rs: #​85843
• sort dependencies for smaller diffs: #​82291
• Update Rspack development test manifest: #​85846
• Turbopack: Remove non_operation_vc_strongly_consistent feature usage from next-api: #​85874
• Turbopack: remove the streaming hack for improved stability: #​85858
• test: Port clean-distdir integration test to the modern e2e test framework: #​85828
• Update font data: #​85920
• Update deploy manifest: #​85924
• Turbopack: chore: Merge turbo-tasks-macros-shared crate into turbo-tasks-macros: #​85917
• Turbopack: Fix IO concurrency for MacOS: #​85861
• Add Appwrite Sites to supported adapters: #​85830
• [turbopack] Remove LocalTaskType::Native, it is dead: #​85480
• [test] Increase response timeout in next.browserWithResponse(): #​85911
• Hoist inner 'use cache' functions to reduce function allocations: #​85904
• docs: eslint config update: #​85969
• Fix Turbopack local font font-family declaration: #​85913
• switch to slice in createRuntimePrefetchTransformStream: #​85822
• Update authentication.mdx: Fix Auth0 Link: #​85953
• Turbopack: remove unused function: #​85974
• docs: cacheHandlers: #​85311
• docs: Feedback item on proxy default: #​86004
• [test] Add missing test fixtures for cacheLife & cacheTag in client: #​85872
• Fix false-positive build error for cacheLife & cacheTag: #​85875
• [cna] For pnpm ignore postinstall from sharp and unrs-resolver: #​83168
• Turbopack: refactor evaluate to take module_graph: #​85971
• Turbopack: remove duplicate traversal implementations: #​85853
• Omit unused encryptActionBoundArgs/decryptActionBoundArgs imports: #​86015
• Turbopack: cleanup db log and add verbose option: #​85965
• [ci]: fix retry_deploy_test workflow: #​85981
• Fix typo in documentation: #​86054

Credits

Huge thanks to @​kdy1, @​eps1lon, @​SyMind, @​bgw, @​swarnava, @​devjiwonchoi, @​ztanner, @​ijjk, @​huozhi, @​icyJoseph, @​acdlite, @​unstubbable, @​gnoff, @​gusfune, @​vercel-release-bot, @​lukesandberg, @​sokra, @​hayes, @​shuding, @​wyattjoh, @​marjan-ahmed, @​timneutkens, @​ajstrongdev, @​zigang93, @​mischnic, @​Nayeem-XTREME, @​hamirmahal, @​eli0shin, @​tessamero, @​gaojude, @​jamesdaniels, @​georgesfarah, and @​timeyoutakeit for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

• Chores
  • Updated framework dependencies to the latest versions across integration packages.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: bcd89cf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Two Next.js integration packages update their next dependency to ^16.0.0 (integrations/react-next-14 from ^14.2.33, integrations/react-next-15 from ^15.4.8). No code, exported signatures, or runtime control flow were changed.

Changes

Cohort / File(s)	Summary
Next.js 16 dependency upgrades integrations/react-next-14/package.json, integrations/react-next-15/package.json	Bumped dependencies.next to ^16.0.0 in both integration package manifests; no other dependency, script, or source changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat(react-query-next-experimental): support Next.js 16 #9868: Updates Next.js version requirements to add support for Next.js 16 across multiple integration packages.

Suggested reviewers

• TkDodo
• dagamo

Poem

🐰 With a twitch and a hop I cheer,

Next jumps forward, new release near.
From fourteen and fifteen we spring,
Sixteen arrives — let updates sing! 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description lacks key template sections. It is missing the required '🎯 Changes' section with motivation, the '✅ Checklist' with contributing guide confirmation and local testing, and the '🚀 Release Impact' section about changesets or release relevance.	Fill in the missing template sections: add a '🎯 Changes' summary explaining the motivation, complete the '✅ Checklist' confirming testing and contributing guide compliance, and clarify the '🚀 Release Impact' section regarding whether this is a published code change requiring a changeset.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: updating the Next.js dependency to v16.0.9 with a security focus indicator.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/npm-next-vulnerability

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit bcd89cf

Command	Status	Duration	Result
nx affected --targets=test:sherif,test:knip,tes...	❌ Failed	2m 29s	View ↗
nx run-many --target=build --exclude=examples/*...	❌ Failed	1m 23s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-12-27 16:47:29 UTC

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

integrations/react-next-14/package.json (1)

10-12: Consider upgrading React to 19 to use Next.js 16's new features.

React 18.2.0 remains compatible with Next.js 16, but Next.js 16 is designed for React 19 and includes first-class support for React 19 features like React Compiler and View Transitions. Update react and react-dom to ^19.0.0 to take full advantage of Next.js 16's capabilities.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0e75fda and bcd89cf.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• integrations/react-next-14/package.json
• integrations/react-next-15/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• integrations/react-next-15/package.json

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-02T17:57:33.184Z

Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

• integrations/react-next-14/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Preview
• GitHub Check: Test

🔇 Additional comments (1)

integrations/react-next-14/package.json (1)

10-10: No action needed. The integration code is compatible with Next.js 16.0.0 without modifications. The example uses only basic React Query patterns (client-side hooks and providers) that are unaffected by Next.js 15→16 breaking changes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Package naming inconsistency: "react-next-14" now uses Next.js 16.

The package is named react-next-14 but now depends on next: ^16.0.0. This creates confusion about which Next.js version this integration example demonstrates. Consider either:

1. Renaming the package/folder to react-next-16, or
2. Creating a separate react-next-16 integration example while keeping this one on Next.js 14

🤖 Prompt for AI Agents

integrations/react-next-14/package.json lines 10-10: the package folder/name
indicates Next.js 14 but package.json depends on "next": "^16.0.0"; either
rename the package/folder to react-next-16 or downgrade the dependency to a
Next.js 14 release. To fix, choose one approach and apply these steps: if
renaming to react-next-16, rename the directory, update the "name" field in
package.json, update any README/docs and CI/workflow references to the new
path/name; if keeping as react-next-14, change the next dependency to a 14.x
compatible version (and run install/test to confirm compatibility), update
lockfile, and verify any code uses Next 14 APIs.