Skip to content

fix(deps): vuln major upgrades — 8 packages (major: 1 · minor: 4 · patch: 3) [website]#102

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/major/npm/website/5-1781532235
Draft

fix(deps): vuln major upgrades — 8 packages (major: 1 · minor: 4 · patch: 3) [website]#102
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/major/npm/website/5-1781532235

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 11 packages upgraded (MAJOR changes included)

Manifests changed:

  • website (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
next 14.0.4 16.2.9 major Direct 2 CRITICAL, 13 HIGH, 19 MEDIUM, 6 LOW
postcss 8.4.31 8.5.15 minor Transitive 1 MEDIUM
@next/env 14.0.4 14.2.35 minor Transitive -
picocolors 1.0.0 1.1.1 minor Transitive -
react 18.2.0 18.3.1 minor Transitive -
react-dom 18.2.0 18.3.1 minor Transitive -
source-map-js 1.0.2 1.2.1 minor Transitive -
tslib 2.4.0 2.8.1 minor Transitive -
picocolors 1.0.0 1.0.1 patch Transitive -
source-map-js 1.0.2 1.0.3 patch Transitive -
tslib 2.4.0 2.4.1 patch Transitive -

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (15 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
next GHSA-f82v-jwr5-mffw CRITICAL Authorization Bypass in Next.js Middleware 14.0.4 13.5.9
next CVE-2025-29927 CRITICAL Authorization Bypass in Next.js Middleware 14.0.4 -
next GHSA-8h8q-6873-q5fj HIGH Next.js Vulnerable to Denial of Service with Server Components 14.0.4 15.5.16
next GHSA-36qx-fr4f-26g5 HIGH Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n 14.0.4 15.5.16
next GHSA-q4gf-8mx6-v5v3 HIGH Next.js has a Denial of Service with Server Components 14.0.4 15.5.15
next GHSA-h25m-26qc-wcjf HIGH Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components 14.0.4 15.0.8
next CVE-2024-34351 HIGH Next.js Server-Side Request Forgery in Server Actions 14.0.4 -
next CVE-2024-46982 HIGH Cache Poisoning in next.js 14.0.4 -
next GHSA-c4j6-fc7j-m34r HIGH Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades 14.0.4 15.5.16
next GHSA-gp8f-8m3g-qvj9 HIGH Next.js Cache Poisoning 14.0.4 13.5.7
next GHSA-mwv6-3258-q52c HIGH Next Vulnerable to Denial of Service with Server Components 14.0.4 14.2.34
next GHSA-5j59-xgg2-r9c4 HIGH Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up 14.0.4 14.2.35
next CVE-2024-51479 HIGH Authorization bypass in Next.js 14.0.4 -
next GHSA-7gfc-8cq8-jh5f HIGH Next.js authorization bypass vulnerability 14.0.4 14.2.15
next GHSA-fr5h-rqp8-mj6g HIGH Next.js Server-Side Request Forgery in Server Actions 14.0.4 14.1.1
ℹ️ Other Vulnerabilities (26)
Package CVE Severity Summary Unsafe Version Fixed In
next CVE-2026-27980 MODERATE Next.js: Unbounded next/image disk cache growth can exhaust storage 14.0.4 -
next CVE-2026-29057 MODERATE Next.js: HTTP request smuggling in rewrites 14.0.4 -
next GHSA-9g9p-9gw9-jx7f MODERATE Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration 14.0.4 15.5.10
next CVE-2025-59471 MODERATE - 14.0.4 -
next GHSA-h64f-5h5j-jqjh MODERATE Next.js has a Denial of Service in the Image Optimization API 14.0.4 15.5.16
next CVE-2024-47831 MODERATE Next.js image optimization has Denial of Service condition 14.0.4 -
next GHSA-g77x-44xx-532m MODERATE Denial of Service condition in Next.js image optimization 14.0.4 14.2.7
next GHSA-4342-x723-ch2f MODERATE Next.js Improper Middleware Redirect Handling Leads to SSRF 14.0.4 14.2.32
next CVE-2025-57822 MODERATE Next.js Improper Middleware Redirect Handling Leads to SSRF 14.0.4 -
next GHSA-3x4c-7xq6-9pq8 MODERATE Next.js: Unbounded next/image disk cache growth can exhaust storage 14.0.4 16.1.7
next GHSA-ffhc-5mcf-pf4q MODERATE Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces 14.0.4 15.5.16
next CVE-2024-56332 MODERATE Next.js Vulnerable to Denial of Service (DoS) with Server Actions 14.0.4 -
next GHSA-gx5p-jg67-6x7h MODERATE Next.js has cross-site scripting in beforeInteractive scripts with untrusted input 14.0.4 15.5.16
next GHSA-7m27-7ghc-44w9 MODERATE Next.js Allows a Denial of Service (DoS) with Server Actions 14.0.4 13.5.8
next GHSA-ggv3-7p47-pfv8 MODERATE Next.js: HTTP request smuggling in rewrites 14.0.4 16.1.7
next CVE-2025-57752 MODERATE Next.js Affected by Cache Key Confusion for Image Optimization API Routes 14.0.4 -
next GHSA-xv57-4mr9-wg8v MODERATE Next.js Content Injection Vulnerability for Image Optimization 14.0.4 14.2.31
next CVE-2025-55173 MODERATE Next.js Content Injection Vulnerability for Image Optimization 14.0.4 -
next GHSA-g5qg-72qw-gw5v MODERATE Next.js Affected by Cache Key Confusion for Image Optimization API Routes 14.0.4 14.2.31
postcss GHSA-qx2v-qp2m-jg93 MODERATE PostCSS has XSS via Unescaped </style> in its CSS Stringify Output 8.4.31 8.5.10
next CVE-2025-48068 LOW Information exposure in Next.js dev server due to lack of origin verification 14.0.4 -
next GHSA-3h52-269p-cp9r LOW Information exposure in Next.js dev server due to lack of origin verification 14.0.4 15.2.2
next GHSA-qpjv-v59x-3qc4 LOW Next.js Race Condition to Cache Poisoning 14.0.4 14.2.24
next CVE-2025-32421 LOW Next.js Race Condition to Cache Poisoning 14.0.4 -
next GHSA-3g8h-86w9-wvmq LOW Next.js's Middleware / Proxy redirects can be cache-poisoned 14.0.4 15.5.16
next GHSA-vfv6-92ff-j949 LOW Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting 14.0.4 15.5.16

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-datadog-prod-us1

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Run linters | Format   View in Datadog   GitHub Actions

Run linters | Protobuf generate delta   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 83852c0 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants