Skip to content

Hotfix/web 380 CVE next#381

Merged
jbuiquan merged 3 commits into
mainfrom
hotfix/web-380-cve-next
Dec 8, 2025
Merged

Hotfix/web 380 CVE next#381
jbuiquan merged 3 commits into
mainfrom
hotfix/web-380-cve-next

Conversation

@jbuiquan

@jbuiquan jbuiquan commented Dec 6, 2025

Copy link
Copy Markdown
Collaborator

Description

Github issue : #380

Cette PR a pour objectif de corriger la vulnérabilité critique associé à l'issue.
En complément, la version mineure de Next a été upgradé pour corriger d'autre CVE critiques remontées par l'audit npm (voir issue).
Des patchs d'autres dépendances sont aussi intégrées.

Comment tester ?

npm run build et navigation sur l'appli OK

Pour faciliter la validation de ma PR

  • J'ai pris connaissance et respecté les règles de contribution
  • Les pre-commit passent
  • Les test unitaires passent
  • Le code modifié fonctionne en local
  • J'ai demandé une peer-review à un autre bénévole du projet
  • J'ai ajouté / mis à jour de la documentation sur outline

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses critical security vulnerabilities (CVE-380) by upgrading Next.js from version 15.1.8 to 15.5.7, along with updating related dependencies to resolve additional CVEs identified by npm audit. The update represents a minor version jump for Next.js and includes patches for React, SWR, ESLint tooling, and various optional dependencies like Sharp image processing libraries.

Key Changes

  • Next.js upgrade: From ~15.1.8 to ^15.5.7 (minor version upgrade with versioning strategy change from tilde to caret)
  • React ecosystem updates: React and React-DOM updated from ^19.0.0 to ^19.0.1 (patch update)
  • Development tooling: ESLint config, Prettier plugin, and related tooling updated to latest compatible versions
  • Transitive dependency updates: Numerous security patches for indirect dependencies including Sharp, ESLint core components, and various build tools

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
application/package.json Updates 8 direct dependencies: Next.js, @next/third-parties, React, React-DOM, SWR (runtime) and eslint-config-next, prettier-plugin-tailwindcss (dev). Changes Next.js version constraint from tilde (~) to caret (^).
application/package-lock.json Comprehensive lockfile update with hundreds of transitive dependency version updates, including security patches for @eslint/* packages, @img/sharp-* platform-specific binaries, and removal of deprecated dependencies like @swc/counter, busboy, color, and streamsearch.
Files not reviewed (1)
  • application/package-lock.json: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread application/package.json Outdated
@jbuiquan
jbuiquan force-pushed the hotfix/web-380-cve-next branch from 366e078 to 60da89f Compare December 6, 2025 18:04
@jbuiquan
jbuiquan requested review from Oce-ane and machbry December 6, 2025 18:04
@jbuiquan
jbuiquan merged commit a5bc331 into main Dec 8, 2025
1 check passed
@jbuiquan
jbuiquan deleted the hotfix/web-380-cve-next branch December 8, 2025 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants