[Snyk] Upgrade next from 15.3.1 to 15.3.2 #6
Conversation
Snyk has created this PR to upgrade next from 15.3.1 to 15.3.2. See this package in npm: next See this project in Snyk: https://app.snyk.io/org/kevin-VHPfrm5LbiySgmBihWDW9y/project/e13b946d-ccfb-4502-82af-15dad7231cf0?utm_source=github&utm_medium=referral&page=upgrade-pr
|
|
|
Your trial period has expired. To continue using this feature, please upgrade to a paid plan here or book a time to chat here. |
Reviewer's GuideThis PR upgrades the Next.js dependency from 15.3.1 to 15.3.2 by bumping its version in package.json, pulling in backported bug fixes and addressing a directory traversal vulnerability. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hello @KB01111, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
Hello team, Gemini here with a summary of this pull request. This PR was automatically generated by Snyk to upgrade the next dependency from version 15.3.1 to 15.3.2. The primary motivation for this upgrade is to address a medium-severity Directory Traversal vulnerability (SNYK-JS-SUPABASEAUTHJS-10255365) and to incorporate several backported bug fixes related to Turbopack, React Compiler, RSC redirects, and middleware matching, as noted in the release notes for 15.3.2. This is a minor version bump aimed at improving security and stability.
Highlights
- Automated Dependency Upgrade: This pull request was automatically created by Snyk to manage dependency updates.
- Next.js Version Bump: The
nextdependency is being upgraded from version15.3.1to15.3.2. - Security Vulnerability Fix: The upgrade addresses a medium-severity Directory Traversal vulnerability (
SNYK-JS-SUPABASEAUTHJS-10255365). - Bug Fixes Included: Version
15.3.2includes backported fixes for issues in Turbopack, React Compiler, RSC redirects, and middleware.
Changelog
- frontend/package.json
- Updated the
nextdependency version from15.3.1to15.3.2(line 39).
- Updated the
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request, automatically generated by Snyk, upgrades the next package from version 15.3.1 to 15.3.2. This is a beneficial update, as patch versions typically include important bug fixes and potential security enhancements. The release notes for next 15.3.2 confirm it's a backport of several bug fixes.
The PR description links this next upgrade to fixing a Directory Traversal vulnerability, SNYK-JS-SUPABASEAUTHJS-10255365, which is associated with Supabase Auth. While the direct relationship might not be immediately obvious from the next release notes (as next doesn't typically depend on Supabase packages), such vulnerabilities can sometimes arise from interactions between frameworks and libraries, or Snyk may have broader context for this recommendation. Applying security-motivated upgrades is generally a good practice.
The change in package.json correctly reflects the version bump for the next package.
Important Next Steps:
- Update Lockfile: After this change,
pnpm install(or your package manager's equivalent command) must be run to update thepnpm-lock.yamlfile. The updated lockfile should then be committed to this branch. - Thorough Testing: As with any dependency upgrade, comprehensive testing (including automated tests and manual QA) is crucial to ensure no regressions or unexpected behaviors are introduced, even for a patch version.
Summary of Findings
- Dependency Upgrade: The
nextpackage is correctly upgraded from version15.3.1to15.3.2infrontend/package.json. This aligns with the PR's intent and incorporates the latest bug fixes from thenextteam. - Security Improvement: The PR is aimed at improving security, potentially addressing vulnerability
SNYK-JS-SUPABASEAUTHJS-10255365as mentioned in the description, by upgrading thenextpackage. Keeping dependencies up-to-date is a key security practice. - Lockfile Update Required: The
pnpm-lock.yamlfile has not been updated in this PR. It's essential to runpnpm installto regenerate the lockfile and commit it to ensure deterministic builds and that all transitive dependencies are correctly resolved. - Testing Recommendation: Even though this is a patch upgrade, thorough testing (automated tests, E2E, and manual QA) is highly recommended to catch any potential regressions or compatibility issues introduced by the new version of
next.
Merge Readiness
This PR represents a positive step by upgrading the next dependency, likely enhancing security and stability. The change to package.json is correct.
Before merging, it is critical to:
- Update and commit the
pnpm-lock.yamlfile: Runpnpm installand add the updated lockfile to this PR. - Conduct thorough testing: Ensure all existing functionalities work as expected and that no new issues are introduced by this upgrade.
While the link between the next upgrade and the specific Supabase CVE (SNYK-JS-SUPABASEAUTHJS-10255365) in the PR description could warrant clarification if internal understanding is lacking, the upgrade itself is a standard and beneficial maintenance task.
As a reviewer, I cannot approve the PR directly. After the lockfile is updated and comprehensive testing is successfully completed, this PR should be in a good state for merging by the appropriate maintainers.
Snyk has created this PR to upgrade next from 15.3.1 to 15.3.2.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 1 version ahead of your current version.
The recommended version was released a month ago.
Issues fixed by the recommended upgrade:
SNYK-JS-SUPABASEAUTHJS-10255365
Release notes
Package name: next
-
15.3.2 - 2025-05-06
- backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#78488) (#78883)
- @ next/mdx: Use stable turbopack config options (#78880)
- Fix react-compiler: Fix detection of interest (#78879)
- Fix turbopack: Backport sourcemap bugfix (#78881)
- [next-server] preserve rsc query for rsc redirects (#78876)
- Update middleware public/static matching (#78875)
-
15.3.1 - 2025-04-17
from next GitHub release notesNote
This release is backporting bug fixes. It does not include all pending features/changes on canary.
Core Changes
Credits
Huge thanks to @ ijjk, @ huozhi, @ kdy1, @ wbinnssmith, and @ bgw for helping!
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
Summary by Sourcery
Upgrade Next.js to v15.3.2 to backport bug fixes and address a medium‐severity directory traversal vulnerability
Bug Fixes:
Enhancements: