
Update locked Next.js dependency for CVE-2026-44578#697

Open
Finesssee wants to merge 2 commits into athasdev:master from Finesssee:finesssee/effective-bassoon

Conversation

@Finesssee
Contributor

Summary

This updates the stale Next.js lockfile entry from next@15.4.4 to next@15.5.16.

next@15.4.4 is in the affected 15.x range for CVE-2026-44578, a reported WebSocket upgrade SSRF issue where crafted absolute-form upgrade requests can cause self-hosted Next.js servers to make internal HTTP requests.

Details

  • The project does not declare next directly in package.json.
  • bun.lock still contained a locked next@15.4.4 package entry and matching @next/* platform packages.
  • This PR updates those locked entries to 15.5.16, the patched 15.x mitigation target.
  • No direct Next.js dependency is added.

Validation

  • Confirmed no next@15.4.4, @next/*@15.4.4, or next@15.5.15 entries remain in bun.lock.
  • Ran bun install --frozen-lockfile --ignore-scripts successfully.
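The check described under Validation, as an added example that is not part of this PR or the project: a small Python audit (the function names and the sample lockfile lines are constructed) that scans lockfile text for next and @next/* pins and flags any 15.x pin below the 15.5.16 target named above.

```python
import re
import sys
from typing import Dict, List, Tuple

# Patched 15.x target named in the PR; a 15.x pin below it is flagged. Only
# the 15.x line is evaluated; the PR gives no floor for other major lines.
PATCHED_15X = (15, 5, 16)

# Finds "next@15.4.4" and "@next/<pkg>@15.4.4" tokens in lockfile text. The
# lookbehind keeps e.g. "eslint-config-next@..." from matching; the lockfile's
# own structure is deliberately not parsed.
PIN_RE = re.compile(r"(?<![\w/-])(@next/[\w.-]+|next)@(\d+)\.(\d+)\.(\d+)")

# Constructed sample; the line shape only approximates a text lockfile.
SAMPLE_LOCK = """\
"next": ["next@15.4.4", "", {}, "sha512-PLACEHOLDER"],
"@next/env": ["@next/env@15.4.4", "", {}, "sha512-PLACEHOLDER"],
"@next/swc-linux-x64-gnu": ["@next/swc-linux-x64-gnu@15.5.16", "", {}, "sha512-PLACEHOLDER"],
"eslint-config-next": ["eslint-config-next@15.4.4", "", {}, "sha512-PLACEHOLDER"],
"next": ["next@14.2.3", "", {}, "sha512-PLACEHOLDER"],
"""

def find_next_pins(lock_text: str) -> List[Tuple[str, Tuple[int, int, int]]]:
    """Return every (package, version) pin of next or @next/* in text order."""
    pins = []
    for m in PIN_RE.finditer(lock_text):
        name, major, minor, patch = m.groups()
        pins.append((name, (int(major), int(minor), int(patch))))
    return pins

def audit_lockfile(lock_text: str) -> Dict[str, List[str]]:
    """Classify each pin as vulnerable (15.x below the patched target),
    ok (15.x at or above it) or unevaluated (any other major line)."""
    result: Dict[str, List[str]] = {"vulnerable": [], "ok": [], "unevaluated": []}
    for name, ver in find_next_pins(lock_text):
        label = f"{name}@{ver[0]}.{ver[1]}.{ver[2]}"
        if ver[0] != 15:
            result["unevaluated"].append(label)
        elif ver < PATCHED_15X:
            result["vulnerable"].append(label)
        else:
            result["ok"].append(label)
    return result

if __name__ == "__main__":
    # Pass a lockfile path to audit it; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for status, pins in audit_lockfile(text).items():
        print(f"{status}: {pins}")
```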

Finesssee and others added 2 commits May 12, 2026 18:38
Update the stale Next.js lockfile entry from 15.4.4 to 15.5.16.
This is the patched 15.x release for CVE-2026-44578.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
