chore(deps): bump next from 16.2.4 to 16.2.5 in /frontend by dependabot[bot] · Pull Request #13 · Teguh010/visiontrack

dependabot · 2026-05-07T06:31:31Z

Bumps next from 16.2.4 to 16.2.5.

Release notes

v16.2.5

This release contains security fixes for the following advisories:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Commits

766148f v16.2.5
0dd9483 fix: add explicit checks for RSC header (#83) (#98)
d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
9d50c0b Strip next-resume header from incoming requests (#92)
df7ab5a fix: skip internal param normalization in unsupported environments
ed41d1d Move htmlescape to shared/lib (#91)
b4c6705 Ignore malformed CSP nonce headers
5b194ee router-server: guard upgrade proxy against absolute-url SSRF (#77)
cb171d7 Fix i18n middleware matching for default-locale data routes (#82)
89e9954 [16.x] Type hardening and performance improvements (#80)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Bumps [next](https://github.com/vercel/next.js) from 16.2.4 to 16.2.5. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.2.4...v16.2.5) --- updated-dependencies: - dependency-name: next dependency-version: 16.2.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 7, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/frontend/next-16.2.5 branch from e247982 to b6561c7 Compare May 7, 2026 07:17

dependabot Bot force-pushed the dependabot/npm_and_yarn/frontend/next-16.2.5 branch from b6561c7 to 5a53002 Compare May 7, 2026 17:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump next from 16.2.4 to 16.2.5 in /frontend#13

chore(deps): bump next from 16.2.4 to 16.2.5 in /frontend#13
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/next-16.2.5

dependabot Bot commented on behalf of github May 7, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v16.2.5

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 7, 2026 •

edited

Loading