
fix(deps): update dependency next to v15 [security] #508

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-next-vulnerability

renovate bot commented Jan 31, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Change | Age | Confidence
next (source) | 14.2.35 → 15.0.8 | age | confidence

GitHub Vulnerability Alerts

GHSA-h25m-26qc-wcjf

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.


Release Notes

vercel/next.js (next)

v15.0.8

Compare Source

Please see this changelog for more information about this security patch.

v15.0.7

Compare Source

v15.0.6

Compare Source

v15.0.5

Compare Source

Please see CVE-2025-66478 for additional details about this release.

v15.0.4

Compare Source

[!NOTE]
This release is backporting changes. It does not include all pending features/changes on canary.

Core Changes
  • Use React 19 stable in Pages Router: #​73564
Credits

Huge thanks to @​eps1lon

v15.0.3

Compare Source

Core Changes
  • Read page name from work store in server module map proxy: #​71669
  • codemod: should not transform when param is not used: #​71664
  • [dynamicIO] complete refactor to prerender: #​71687
  • fix: metadata image route normalize path posix for windows: #​71673
  • next-codemod(upgrade): optional catch when missing dev script: #​71598
  • Avoid server action function indirection in Turbopack: #​71628
  • fix: exclude basePath in findSourceMapURL: #​71719
  • fix: stack frame text color in dark mode: #​71656
  • Fix: revert the bad node binary handling: #​71723
  • next-codemod: add empty pnpm-workspace.yaml to test fixtures to bypass PNPM workspace checks: #​71726
  • warn on sync access if dynamicIO is not enabled: #​71696
  • Update React from 69d4b800-20241021 to 45804af1-20241021: #​71718
  • next-upgrade: do not add --turbopack flag when --turbo exists in next dev: #​71730
  • feat: stitch errors with react owner stack: #​70393
  • [dynamicIO] update data access error and documentation: #​71738
  • Test cached form action with revalidate: #​71591
  • Upgrade React from 45804af1-20241021 to 28668d39-20241023: #​71745
  • Fix race condition when setting client reference manifests: #​71741
  • Fix fetch with no-store inside of use cache: #​71754
  • Remove the bottom collapse button in dev overlay: #​71658
  • [dynamicIO] unify cache filling and lazy-module warming: #​71749
  • Don't filter out source location frames through RSC: #​71752
  • fix undefined default export error msg: #​71762
  • Upgrade React from 28668d39-20241023 to 1631855f-20241023: #​71769
  • Enable owner stack in experimental build: #​71716
  • feat: add experiment for sharpjs cpu flags: #​71733
  • fix: handle server component replay error in error overlay: #​71772
  • Don't error asking for prebuilt bundles: #​71778
  • Replace turbopack://[project]/... sourcemap uris with file://... in development: #​71489
  • misc: update source map paths for bundled Next.js runtime: #​71779
  • [dynamicIO] refine error message and docs: #​71781
  • next-upgrade: change --turbo to --turbopack if applicable: #​71737
  • Show all diff when uncollapse: #​71792
  • Sourcemap errors in terminal by default : #​71444
  • Fully enable custom error callbacks for app router: #​71794
  • Simplify Server Action Webpack plugin: #​71721
  • ensure DIO development segment errors are cleared after correcting: #​71811
  • Include sourceframe in errors logged in the terminal during development: #​71803
  • [dynamicIO] update prerender cache scoping and cache warming for validation: #​71822
  • only force stack frame color in tty: #​71860
  • Add test for fetch with auth in use cache: #​71768
  • Fix race with hot-reloader-client clearing overlay errors: #​71771
  • Fix dynamic tracking in dev: #​71867
  • Revert "Sourcemap errors in terminal by default (#​71444)": #​71868
  • Fix fetch caching inside of "use cache": #​71793
  • Trace upload: only send traces for current session: #​71838
  • Reland "Sourcemap errors in terminal by default": #​71877
  • Implement information byte in Server Reference ID and other optimizations: #​71463
  • fix: webpack build error on Windows: #​71943
  • Run with --enable-source-maps by default in next dev: #​71820
  • fix global-error styles: #​71914
  • Use registerClientReference for ESM client component modules: #​71968
  • Fix missing await of params when metadata is used with an image file: #​71871
  • Upgrade React from 1631855f-20241023 to 02c0e824-20241028: #​71979
  • Populate sourcemap ignoreList when Webpack is used: #​71821
  • [dynamicIO] unify server and client prerender for non-ppr pathway: #​71764
  • codemod: add separator to the parenthenese expr: #​71993
  • Respect sourcemap's ignore list when printing errors in the terminal: #​71908
  • fix console color to be compatible in chrome devtools: #​71939
  • Delete obsolete codemod next-dynamic-access-named-export: #​72016
  • fix: log the error instance modified extra location info: #​71930
  • Compare error stack to dedupe error: #​71798
Example Changes
  • experimental.instrumentationHook is not necessary anymore: #​71808
  • Add Jude to nextjs team: #​71936
Misc Changes
  • docs: fix broken link in Architecture/Turbopack documentation: #​71412
  • test: migrate rest async api usage in tests: #​71663
  • fix: docs for dynamic routing in next 15: #​71531
  • Remove the 'new' keyword from the GET function sample code.: #​71671
  • chore: fix wrong path of comments: #​71682
  • docs(next-config): remove mention of appIsrStatus is on canary: #​71695
  • react-sync: Ignore update notices from npm: #​71717
  • Docs: Update default marker for fetch cache option: #​71728
  • [docs] Fix page.tsx parameter types: #​71680
  • [docs] Fix table.js containing TS code: #​71677
  • docs(ppr): update note about ppr: #​71697
  • docs lint: #​71748
  • fixes error message asserts and lints: #​71747
  • Fix docs for configuring Turbopack: #​71755
  • docs(turbo): add experimental icon to turbo config section: #​71761
  • feat(turbopack): Add __turbopack_original__ while tree shaking: #​71547
  • test: re-enable test with note: #​71789
  • Docs: Remove beta marker from Turbopack docs: #​71796
  • Update docs 1: #​71812
  • docs lint fixes: #​71813
  • docs: remove "use cache" on before code snippet: #​71815
  • Next docs broken links: #​71823
  • [Turbopack] add optimization based on upper count: #​71606
  • chore(turbo-tasks-backend): Use let instead of match for macro bindings: #​71756
  • chore(turbo-tasks-backend): Remove collapsible-if lints: #​71758
  • removing extra reference: #​71853
  • codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 3): #​71665
  • Update sync-dynamic-apis.mdx: #​71907
  • codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 4): #​71804
  • test: remove duplicated flaky test: #​71967
  • docs: Fix typo in cacheLife configs in use-cache docs: #​71921
  • Fix use cache example line highlights: #​71883
  • Allow breakpoints to be set in packages/next/src/compiled: #​71986
  • updated upgrade to v15 command in docs: #​71643
  • codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 5): #​71861
  • Clarify that streaming is blocked on generateMetadata for initial load: #​71985
  • Docs: Add legacy tags: #​71964
  • Docs: Fix broken link: #​72021
  • (docs) use cache: Add text code formatting: #​71999
  • docs: update file structure: #​71951
  • Documentation Fix: Correct cacheTag Function Usage: #​71912
  • correct expire calc & and Nested usage import in use-cache docs: #​71899
  • Docs: Address internal use cache comments : #​71981
  • Fix swc version mismatch when checking out an older version: #​71978
Credits

Huge thanks to @​ytori, @​unstubbable, @​huozhi, @​SebassNoob, @​tatsuteb, @​Marukome0743, @​gnoff, @​samcx, @​devjiwonchoi, @​imprakharshukla, @​migueldamota, @​eps1lon, @​ztanner, @​timneutkens, @​cantemizyurek, @​sebmarkbage, @​padmaia, @​ijjk, @​styfle, @​wbinnssmith, @​feedthejim, @​kdy1, @​shuding, @​molebox, @​ismaelrumzan, @​sokra, @​bgw, @​timeyoutakeit, @​AdonisAgelis, @​chicoxyzzy, @​gaojude, @​elitalpa, @​t3dotgg, @​gaearon, @​nisabmohd, @​gadcam, @​delbaoliveira, @​bennettdams, @​wiscaksono, and @​Developerayo for helping!

v15.0.2

Compare Source

Core Changes
  • Read page name from work store in server module map proxy: #​71669
  • codemod: should not transform when param is not used: #​71664
  • [dynamicIO] complete refactor to prerender: #​71687
  • fix: metadata image route normalize path posix for windows: #​71673
  • next-codemod(upgrade): optional catch when missing dev script: #​71598
  • Avoid server action function indirection in Turbopack: #​71628
  • fix: exclude basePath in findSourceMapURL: #​71719
  • fix: stack frame text color in dark mode: #​71656
  • Fix: revert the bad node binary handling: #​71723
  • next-codemod: add empty pnpm-workspace.yaml to test fixtures to bypass PNPM workspace checks: #​71726
  • warn on sync access if dynamicIO is not enabled: #​71696
  • Update React from 69d4b800-20241021 to 45804af1-20241021: #​71718
  • next-upgrade: do not add --turbopack flag when --turbo exists in next dev: #​71730
  • feat: stitch errors with react owner stack: #​70393
  • [dynamicIO] update data access error and documentation: #​71738
  • Test cached form action with revalidate: #​71591
  • Upgrade React from 45804af1-20241021 to 28668d39-20241023: #​71745
  • Fix race condition when setting client reference manifests: #​71741
  • Fix fetch with no-store inside of use cache: #​71754
  • Remove the bottom collapse button in dev overlay: #​71658
  • [dynamicIO] unify cache filling and lazy-module warming: #​71749
  • Don't filter out source location frames through RSC: #​71752
  • fix undefined default export error msg: #​71762
  • Upgrade React from 28668d39-20241023 to 1631855f-20241023: #​71769
  • Enable owner stack in experimental build: #​71716
  • feat: add experiment for sharpjs cpu flags: #​71733
  • fix: handle server component replay error in error overlay: #​71772
  • Don't error asking for prebuilt bundles: #​71778
  • Replace turbopack://[project]/... sourcemap uris with file://... in development: #​71489
  • misc: update source map paths for bundled Next.js runtime: #​71779
  • [dynamicIO] refine error message and docs: #​71781
  • next-upgrade: change --turbo to --turbopack if applicable: #​71737
  • Show all diff when uncollapse: #​71792
  • Sourcemap errors in terminal by default : #​71444
  • Fully enable custom error callbacks for app router: #​71794
  • Simplify Server Action Webpack plugin: #​71721
  • ensure DIO development segment errors are cleared after correcting: #​71811
  • Include sourceframe in errors logged in the terminal during development: #​71803
  • [dynamicIO] update prerender cache scoping and cache warming for validation: #​71822
  • only force stack frame color in tty: #​71860
  • Add test for fetch with auth in use cache: #​71768
  • Fix race with hot-reloader-client clearing overlay errors: #​71771
  • Fix dynamic tracking in dev: #​71867
  • Revert "Sourcemap errors in terminal by default (#​71444)": #​71868
  • Fix fetch caching inside of "use cache": #​71793
  • Trace upload: only send traces for current session: #​71838
  • Reland "Sourcemap errors in terminal by default": #​71877
  • Implement information byte in Server Reference ID and other optimizations: #​71463
  • fix: webpack build error on Windows: #​71943
  • Run with --enable-source-maps by default in next dev: #​71820
  • fix global-error styles: #​71914
  • Use registerClientReference for ESM client component modules: #​71968
  • Fix missing await of params when metadata is used with an image file: #​71871
  • Upgrade React from 1631855f-20241023 to 02c0e824-20241028: #​71979
  • Populate sourcemap ignoreList when Webpack is used: #​71821
  • [dynamicIO] unify server and client prerender for non-ppr pathway: #​71764
  • codemod: add separator to the parenthenese expr: #​71993
  • Respect sourcemap's ignore list when printing errors in the terminal: #​71908
  • fix console color to be compatible in chrome devtools: #​71939
  • Delete obsolete codemod next-dynamic-access-named-export: #​72016
  • fix: log the error instance modified extra location info: #​71930
  • Compare error stack to dedupe error: #​71798
Example Changes
  • experimental.instrumentationHook is not necessary anymore: #​71808
  • Add Jude to nextjs team: #​71936
Misc Changes
  • docs: fix broken link in Architecture/Turbopack documentation: #​71412
  • test: migrate rest async api usage in tests: #​71663
  • fix: docs for dynamic routing in next 15: #​71531
  • Remove the 'new' keyword from the GET function sample code.: #​71671
  • chore: fix wrong path of comments: #​71682
  • docs(next-config): remove mention of appIsrStatus is on canary: #​71695
  • react-sync: Ignore update notices from npm: #​71717
  • Docs: Update default marker for fetch cache option: #​71728
  • [docs] Fix page.tsx parameter types: #​71680
  • [docs] Fix table.js containing TS code: #​71677
  • docs(ppr): update note about ppr: #​71697
  • docs lint: #​71748
  • fixes error message asserts and lints: #​71747
  • Fix docs for configuring Turbopack: #​71755
  • docs(turbo): add experimental icon to turbo config section: #​71761
  • feat(turbopack): Add __turbopack_original__ while tree shaking: #​71547
  • test: re-enable test with note: #​71789
  • Docs: Remove beta marker from Turbopack docs: #​71796
  • Update docs 1: #​71812
  • docs lint fixes: #​71813
  • docs: remove "use cache" on before code snippet: #​71815
  • Next docs broken links: #​71823
  • [Turbopack] add optimization based on upper count: #​71606
  • chore(turbo-tasks-backend): Use let instead of match for macro bindings: #​71756
  • chore(turbo-tasks-backend): Remove collapsible-if lints: #​71758
  • removing extra reference: #​71853
  • codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 3): #​71665
  • Update sync-dynamic-apis.mdx: #​71907
  • codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 4): #​71804
  • test: remove duplicated flaky test: #​71967
  • docs: Fix typo in cacheLife configs in use-cache docs: #​71921
  • Fix use cache example line highlights: #​71883
  • Allow breakpoints to be set in packages/next/src/compiled: #​71986
  • updated upgrade to v15 command in docs: #​71643
  • codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 5): #​71861
  • Clarify that streaming is blocked on generateMetadata for initial load: #​71985
  • Docs: Add legacy tags: #​71964
  • Docs: Fix broken link: #​72021
  • (docs) use cache: Add text code formatting: #​71999
  • docs: update file structure: #​71951
  • Documentation Fix: Correct cacheTag Function Usage: #​71912
  • correct expire calc & and Nested usage import in use-cache docs: #​71899
  • Docs: Address internal use cache comments : #​71981
  • Fix swc version mismatch when checking out an older version: #​71978
Credits

Huge thanks to @​ytori, @​unstubbable, @​huozhi, @​SebassNoob, @​tatsuteb, @​Marukome0743, @​gnoff, @​samcx, @​devjiwonchoi, @​imprakharshukla, @​migueldamota, @​eps1lon, @​ztanner, @​timneutkens, @​cantemizyurek, @​sebmarkbage, @​padmaia, @​ijjk, @​styfle, @​wbinnssmith, @​feedthejim, @​kdy1, @​shuding, @​molebox, @​ismaelrumzan, @​sokra, @​bgw, @​timeyoutakeit, @​AdonisAgelis, @​chicoxyzzy, @​gaojude, @​elitalpa, @​t3dotgg, @​gaearon, @​nisabmohd, @​gadcam, @​delbaoliveira, @​bennettdams, @​wiscaksono, and @​Developerayo for helping!

v15.0.1

Compare Source

Core Changes
  • Reland "[dynamicIO] warn for disallowed dynamic in dev": #​71567
  • next-upgrade: prompt (un)install only when there's a change: #​71308
  • chore(next-codemod): remove @next/font from optional Next.js packages to install: #​71563
  • [dynamicIO] Avoid triggering memory leak false positive with makeHangingPromise: #​71576
  • Avoid triggering memory leak false positive with makeHangingPromise: #​71579
  • Upgrade React from 65a56d0e-20241020 to 69d4b800-20241021: #​71568
  • avoid logging stacks for internal errors: #​71575
  • Avoid server action endpoint function indirection: #​71572
  • fix: handle terminal color in chrome console: #​71581
  • [dynamicIO] Update prerender to use Fizz prerender: #​71580
  • misc(next-upgrade): reuse process.cwd() value: #​71558
  • [dynamicIO]: dev navigations should show disallowed dynamic errors: #​71595
  • next-lint: Use ESLint v9 by default: #​71371
  • fix: prevent router errors from being logged on the client: #​71583
  • fix: next package resolving in dev overlay: #​71632
  • Improve type coverage of setup-dev-bundler: #​71443
  • fix(turbo-tasks): Implement ValueDebugFormat for ResolvedVc: #​71173
  • Add --turbopack CLI flag: #​71657
  • [dynamicIO] detect metadata boundaries in dev using server component stacks: #​71666
Example Changes
  • chore: Update with-supabase to be compatible with Nextjs 15: #​71631
  • Update Sanity example to next v15: #​71640
Misc Changes
  • docs(ppr): remove v14 mention for ppr: #​71498
  • docs: fix upgrade codemod command: #​71578
  • Turbopack: Always use blob: URLs for assets in middleware: #​71471
  • fix: metadata image route Windows path escaping: #​71615
  • fix: third-parties package peer dependency: #​71620
  • Fix module_resolution: "nodenext" with mjs or cjs: #​71635
  • react-sync: Automatically update peer dependencies in libraries: #​71636
  • chore(docs): fix typo in image.mdx docs: #​71647
  • docs: remove the canary note on instrumentation: #​71649
  • test: fix async api tests: #​71652
  • Enable source maps for pnpm debug: #​71653
  • codemod(turbopack): Rewrite more Vc fields in structs as ResolvedVc: #​71172
Credits

Huge thanks to @​gnoff, @​devjiwonchoi, @​samcx, @​ztanner, @​unstubbable, @​huozhi, @​mischnic, @​lubieowoce, @​eps1lon, @​ivasilov, @​styfle, @​bgw, @​stipsan, and @​timneutkens for helping!

v15.0.0

Compare Source

Core Changes
  • refactor: next-flight-client-module-loader return conditions: #​64348
  • Fix Server Action error logs for unhandled POST requests: #​64315
  • Shared Revalidate Timings: #​64370
  • Freeze loaded manifests: #​64313
  • test: skip turbopack build test: #​64356
  • Fix: css in next/dynamic component in edge runtime: #​64382
  • Fix more Turbopack build tests: #​64384
  • use pathToFileUrl to make esm import()s work with absolute windows paths: #​64386
  • Improve rendering performance: #​64408
  • Fix the method prop case in Server Actions transform: #​64398
  • fix(next-lint): update option --report-unused-disable-directives to --report-unused-disable-directives-severity: #​64405
  • Revert "Fix: css in next/dynamic component in edge runtime": #​64442
  • default fetchCache to no-store when force-dynamic is set: #​64145
  • router restore should take priority over pending actions: #​64449
  • Fix client boundary inheritance for barrel optimization: #​64467
  • improve turborepo caching: #​64493
  • Update font data: #​64481
  • BREAKING CHANGE: remove deprecated analyticsId from config, and the corresponding performance-relayer files and tests: #​64199
  • feat: strip traceparent header from cachekey: #​64499
  • Fix typo in dynamic-rendering.ts: #​64365
  • fix(next): global not-found not working on multi-root layouts: #​63053
  • chore(next): add keywords on package.json: #​64173
  • Fix DynamicServerError not being thrown in fetch: #​64511
  • fix: lib/helpers/install.ts to better support pnpm and properly respect root argument: #​64418
  • fix(next): Metadata.openGraph values not resolving basic values when type is set: #​63620
  • disable production chunking in dev: #​64488
  • update turbopack: #​64501
  • Turbopack: Allow client components to be imported in app routes: #​64520
  • refactor: remove always truthy flag: #​64522
  • Turbopack: don’t show long internal stack traces on build errors: #​64427
  • next/script: Correctly apply async and defer props: #​52939
  • chore(next/font): update @​capsizecss/metrics package: #​64528
  • feat: add information that revalidate interval is in seconds: #​64229
  • Typo "Minifer" in config.ts: #​64359
  • Enhance types for Node and Edge envionments: #​64454
  • feat: Add a validation for postcss with useLightningcss: #​64379
  • fix HMR for cases where chunking changes: #​64367
  • perf: improve Pages Router server rendering performance: #​64461
  • Fix cjs client components tree-shaking: #​64558
  • fix refresh behavior for discarded actions: #​64532
  • fix: filter out middleware requests in logging: #​64549
  • chore: remove unused rust dependencies: #​62176
  • fix(next-swc): correctly set wasm fallback for known target triples: #​64567
  • memoize layout router context: #​64575
  • fix incorrect refresh request when basePath is set: #​64589
  • fix TypeError edge-case for parallel slots rendered multiple times: #​64271
  • Fix ASL bundling for dynamic css: #​64451
  • Revert "fix(next): global not-found not working on multi-root layouts": #​64601
  • chore(test): run related E2E deploy tests on PRs: #​63763
  • Improve top level await coverage: #​64508
  • Upgrade typescript to 5.3: #​64043
  • add pathname normalizer for actions: #​64592
  • Fix experimental/testmode by removing console.log: #​64670
  • Don't output .test.ts files in next/font: #​63472
  • Fix reporting when performance.measure doesn't exist (Edge): #​64669
  • Reduce amount of data passed to collectBuildTraces: #​59665
  • fix(next-server): 'quiet' setting delegate for custom server: #​64512
  • Revert "chore(test): run related E2E deploy tests on PRs": #​64682
  • update turbopack: #​64686
  • Fix: resolve mixed re-exports module as cjs: #​64681
  • Revert "fix TypeError edge-case for parallel slots rendered multiple times": #​64690
  • Fix typo: 'serverComponentsExtenalPackages' should be 'serverComponentsExternalPackages': #​64705
  • prevent erroneous route interception during lazy fetch: #​64692
  • Add @appsignal/nodejs to the external packages list: #​64503
  • fix root page revalidation when redirecting in a server action: #​64730
  • Clean-up fetch metrics tracking: #​64746
  • [actions] Enforce body limit using Transform stream: #​64694
  • Turbopack: Don’t show stack traces for internal modules: #​64228
  • Reapply "chore(test): run related E2E deploy tests on PRs" (#​64682): #​64712
  • fix(fetch-cache): fix typo: #​64786
  • fix: remove traceparent from cachekey should not remove traceparent from original object: #​64727
  • fix interception route rewrite regex not supporting hyphenated segments: #​64805
  • Disable ncc cache instead of cache cleaning: #​64804
  • Move next-swc Turborepo config to packages/next-swc: #​64789
  • build: Update swc_core to v0.90.33: #​64553
  • Enable loading source maps for Next Server and React: #​64527
  • fix: mixing namespace import and named import client components: #​64809
  • fext(next): extend next.config for mdxRs support options: #​64801
  • skip test_e2e_deploy_related when triggered from a fork: #​64893
  • fix(fetch-cache): fix additional typo, add type & data validation: #​64799
  • feat(next-core): support parsing matcher config object: #​64678
  • Fix mixed exports in server component with barrel optimization: #​64894
  • fix: improve tsconfig extends checks: #​61413
  • Fix next/image usage in mdx: #​64875
  • fix dynamic route interception not working when deployed with middleware: #​64923
  • feat(turbopack): Handle fragments in requests: #​64232
  • feat(turbopack): Check for duplicate parallel routes: #​64181
  • Speed up createNext test suite isolation: #​64909
  • fix(rewrites): support external rewrite destination: #​64943
  • Ensure edge prerender-manifest is minimal: #​64946
  • remove special-cased prefetch kind in dev mode: #​64941
  • feat: support import attributes: #​59480
  • NextJS App router: add isolated-vm to server-external-packages.json: #​64749
  • Add next experimental-test command: #​64352
  • Revert "feat: support import attributes": #​65001
  • NODE_OPTIONS updates: #​65006
  • Update React from 14898b6 to c3048aa: #​64798
  • initialize ALS with cookies in middleware: #​65008
  • feat(next/image)!: remove squoosh in favor of sharp as optional dependency: #​63321
  • fix: Workaround acorn bug/version issue by using SWC: #​65021
  • build: Update @swc/core to v1.5.0: #​65022
  • Ensure escaped string are parsed in NODE_OPTIONS: #​65046
  • chore(fetch-cache): remove zod from fetch cache: #​65079
  • support breadcrumb style catch-all parallel routes: #​65063
  • Improve initial setup with new App Router TypeScript project: #​64826
  • Add experimental trace file field: #​65071
  • Fix playwright config merging for webServer property: #​65090
  • chore(logging): Disable info logging of critters in production: #​62776
  • [unstable_cache] Don't track dynamic fetches in an unstable_cache callback: #​65010
  • fix(page-static-info): refine warning message to emit once: #​65091
  • update redirect handling on forwarded action requests: #​65097
  • Tracing: allow opt-in flag to send build traces to url: #​65019
  • Turbopack: Allow client components from foreign code in app routes: #​64751
  • fix node.js module warning in middleware: #​65112
  • Fix: strip _rsc query for client navigation rsc request: #​65084
  • fix unhandled runtime error when notFound() triggered in generateMetadata w/ parallel routes: #​65102
  • Use vercel deployment url for metadataBase fallbacks: #​65089
  • Fix next/dynamic with babel and src dir: #​65177
  • update turbopack: #​65191
  • Fix crypto import in edge runtime with Turbopack: #​65171
  • Resolve global next Webpack alias last: #​65123
  • Add oslo, @​node-rs/argon2, and @​node-rs/bcrypt to external packages: #​65204
  • [trace] Reduce the size of .next/trace files: #​65101
  • Remove extra suspense boundary for default next/dynamic: #​64716
  • Only apply metadata manifest

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

changeset-bot bot commented Jan 31, 2026

⚠️ No Changeset found

Latest commit: 7a88bc6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

vercel bot commented Jan 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
wallet-api-wallet-api-tools | Ready | Preview, Comment | Feb 11, 2026 2:12pm

Request Review

socket-security bot commented Jan 31, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action | Severity | Alert
Block | Critical | Critical CVE: Authorization Bypass in Next.js Middleware

CVE: GHSA-f82v-jwr5-mffw Authorization Bypass in Next.js Middleware (CRITICAL)

Affected versions: >= 13.0.0 < 13.5.9; >= 14.0.0 < 14.2.25; >= 15.0.0 < 15.2.3; >= 11.1.4 < 12.3.5

Patched version: 15.2.3

From: apps/docs/package.json → npm/next@15.0.8

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | Telemetry collection: npm next

Note: Can be disabled by setting the environment variable NEXT_TELEMETRY_DISABLED=1. See https://nextjs.org/telemetry for more information

From: apps/docs/package.json → npm/next@15.0.8

ℹ Read more on: This package | This alert | What is telemetry?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
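
The Socket alert above gives the affected ranges for GHSA-f82v-jwr5-mffw as a single string. The following is an added example, not code from this PR, Renovate, or Socket, that evaluates a version against that string and shows the proposed target 15.0.8 still falls inside `>= 15.0.0 < 15.2.3`. Function names are hypothetical, and only plain `MAJOR.MINOR.PATCH` versions are handled.

```javascript
// Added example (not from the PR, Renovate, or Socket). The range string is
// copied from the "Affected versions" line of the Socket alert on this page.
const AFFECTED_GHSA_F82V =
  ">= 13.0.0 < 13.5.9; >= 14.0.0 < 14.2.25; >= 15.0.0 < 15.2.3; >= 11.1.4 < 12.3.5";

// Parse a plain MAJOR.MINOR.PATCH version. Prerelease/build suffixes are
// rejected rather than guessed at, so a canary tag never silently passes.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  if (!m) throw new Error(`unsupported version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1, comparing numerically field by field
// (a string comparison would mis-order e.g. 14.2.9 and 14.2.25).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Each operator maps the result of compareVersions(version, bound) to a boolean.
const OPERATORS = new Map([
  [">=", (c) => c >= 0],
  [">", (c) => c > 0],
  ["<=", (c) => c <= 0],
  ["<", (c) => c < 0],
  ["=", (c) => c === 0],
]);

// "A; B; C" is an OR of ranges; each range is an AND of "<op> <version>" pairs.
function parseAffected(spec) {
  return spec.split(";").map((part) => {
    const tokens = part.trim().split(/\s+/);
    if (tokens.length % 2 !== 0 || tokens[0] === "") {
      throw new Error(`malformed range: "${part.trim()}"`);
    }
    const comparators = [];
    for (let i = 0; i < tokens.length; i += 2) {
      const test = OPERATORS.get(tokens[i]);
      if (!test) throw new Error(`unknown operator: ${tokens[i]}`);
      comparators.push({ test, bound: parseVersion(tokens[i + 1]) });
    }
    return { text: part.trim(), comparators };
  });
}

// Returns the text of the first affected range containing `version`, or null.
function matchingRange(version, spec) {
  const v = parseVersion(version);
  for (const range of parseAffected(spec)) {
    const inside = range.comparators.every((c) => c.test(compareVersions(v, c.bound)));
    if (inside) return range.text;
  }
  return null;
}

// Versions taken from this PR: the current pin, the proposed target, and the
// patched release named in the alert.
for (const v of ["14.2.35", "15.0.8", "15.2.3"]) {
  const hit = matchingRange(v, AFFECTED_GHSA_F82V);
  console.log(`next@${v}: ${hit ? `AFFECTED (${hit})` : "not in affected range"}`);
}
```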
