[Snyk] Security upgrade next from 15.3.1 to 15.4.2

[KB01111]

Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• frontend/package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Server-side Request Forgery (SSRF) SNYK-JS-NEXT-12299318	701
	Use of Cache Containing Sensitive Information SNYK-JS-NEXT-12301496	601
	Missing Source Correlation of Multiple Independent Data SNYK-JS-NEXT-12265451	401

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

---

EntelligenceAI PR Summary

This PR updates the Next.js framework version from 15.3.1 to 15.4.2 in the frontend.

• Updates only the Next.js dependency while maintaining all other dependency versions
• Implements a minor version upgrade that includes bug fixes and performance improvements
• Maintains backward compatibility with existing code

[codemetrics-ai]

⚠️ Your Codemetrics free trial has expired. To continue using AI based pull request reviews, please subscribe to premium in team settings.

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch snyk-fix-a45b2f44eb9658fb78e03c841a823288

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[gemini-code-assist]

Summary of Changes

Hello @KB01111, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, aims to enhance the project's security posture by updating a core frontend dependency. The upgrade is specifically targeted at mitigating known vulnerabilities, ensuring the application remains robust against potential exploits.

Highlights

• Security Vulnerability Fixes: This pull request addresses three identified security vulnerabilities: a high-severity Server-side Request Forgery (SSRF), a medium-severity Use of Cache Containing Sensitive Information, and a low-severity Missing Source Correlation of Multiple Independent Data.
• Dependency Upgrade: The next dependency in frontend/package.json has been upgraded from version 15.3.1 to 15.4.2 to resolve the aforementioned vulnerabilities.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[entelligence-ai-pr-reviews]

🔒 Entelligence AI Vulnerability Scanner

✅ No security vulnerabilities found!

Your code passed our comprehensive security analysis.

---

[entelligence-ai-pr-reviews]

Walkthrough

This PR updates the Next.js framework in the frontend from version 15.3.1 to 15.4.2. This is a minor version upgrade that includes bug fixes, performance improvements, and potentially new features while maintaining backward compatibility. The update is isolated to only the Next.js package, with all other dependencies including React 19.1.0 remaining at their current versions.

Changes

File(s)	Summary
frontend/package.json	Updated Next.js framework version from 15.3.1 to 15.4.2 while maintaining all other dependency versions including React 19.1.0.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title Next.js 15.4.2 Application Flow

    actor User
    participant Browser
    participant NextServer as "Next.js Server"
    participant AppRouter as "App Router"
    participant PageComponent as "Page Component"
    participant ReactDOM as "React DOM"
    participant DataFetching as "Data Fetching Layer"
    
    User->>Browser: Navigate to URL
    Browser->>NextServer: HTTP Request
    
    NextServer->>AppRouter: Route request
    
    alt Server-Side Rendering
        AppRouter->>DataFetching: Fetch data (if needed)
        DataFetching-->>AppRouter: Return data
        AppRouter->>PageComponent: Render with data
        PageComponent-->>AppRouter: Return React elements
        AppRouter->>ReactDOM: Server-side render
        ReactDOM-->>NextServer: HTML content
        NextServer-->>Browser: Send HTML + JS
        Browser->>ReactDOM: Hydrate page
    else Static Generation
        NextServer-->>Browser: Send pre-rendered HTML + JS
        Browser->>ReactDOM: Hydrate page
    else Client-Side Rendering
        NextServer-->>Browser: Send minimal HTML + JS
        Browser->>DataFetching: Fetch data
        DataFetching-->>Browser: Return data
        Browser->>ReactDOM: Render page
    end
    
    Note over Browser, ReactDOM: Next.js 15.4.2 includes performance improvements and bug fixes over 15.3.1
    
    Browser-->>User: Display rendered page
    
    User->>Browser: Interact with page
    
    alt Client-side Navigation
        Browser->>AppRouter: Handle route change
        AppRouter->>DataFetching: Fetch new data (if needed)
        DataFetching-->>AppRouter: Return data
        AppRouter->>PageComponent: Render new page/component
        PageComponent-->>ReactDOM: Update DOM
        ReactDOM-->>Browser: Render updated UI
        Browser-->>User: Show updated content
    end

Loading

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[entelligence-ai-pr-reviews]

LGTM 👍

[gemini-code-assist]

Code Review

This PR from Snyk correctly upgrades next to fix security vulnerabilities. However, two important follow-up actions are needed:

1. The eslint-config-next package in devDependencies should be updated from 15.3.1 to 15.4.2 to match the new next version and prevent potential issues. I've added a specific comment on this.
2. The pnpm-lock.yaml file must be updated by running pnpm install. The current build process uses a frozen lockfile, so it will fail without this update.

After these two changes, the PR should be ready to merge.

[gemini-code-assist]

While updating next to 15.4.2 is correct, the eslint-config-next package in devDependencies (line 59) is still pinned to 15.3.1. It's crucial to keep next and eslint-config-next versions synchronized to avoid compatibility problems, linting errors, or build failures. Please update eslint-config-next to 15.4.2.