
Upgrade dependencies to latest non-breaking + Next.js 16 + fix all CVEs #40

Open

alexphiev wants to merge 5 commits into master from claude/upgrade-dependencies-UexEr

Upgrade dependencies to latest non-breaking + Next.js 16 + fix all CVEs#40
alexphiev wants to merge 5 commits into
masterfrom
claude/upgrade-dependencies-UexEr

Conversation

Owner

@alexphiev alexphiev commented Apr 1, 2026

Summary

  • Switch from npm to pnpm (package-lock.json → pnpm-lock.yaml)
  • Non-breaking bumps across all packages (minor/patch within semver ranges)
  • Next.js 14 → 16.2.2 (latest) to resolve all 5 security CVEs
  • ESLint 8 → 9 with flat config migration (required by eslint-config-next 16)

Security vulnerabilities fixed

| Severity | Package | CVE | Description |
| --- | --- | --- | --- |
| High | next | GHSA-h25m-26qc-wcjf | HTTP request deserialization DoS via insecure RSC |
| High | glob (via eslint-config-next) | GHSA-5j98-mcp5-4vw2 | Command injection via -c/--cmd |
| Moderate | next | GHSA-9g9p-9gw9-jx7f | Image Optimizer remotePatterns DoS |
| Moderate | next | GHSA-ggv3-7p47-pfv8 | HTTP request smuggling in rewrites |
| Moderate | next | GHSA-3x4c-7xq6-9pq8 | Unbounded next/image disk cache growth |

pnpm audit reports 0 vulnerabilities.

Notable non-breaking upgrades

  • All @radix-ui/* packages to latest compatible versions
  • @slack/web-api 7.5 → 7.15
  • embla-carousel-* 8.3/8.1 → 8.6
  • i18next 23.12 → 23.16
  • react-i18next 15.0 → 15.7
  • react-icons 5.3 → 5.6
  • sonner 1.5 → 1.7
  • tailwind-merge 2.3 → 2.6
  • prettier → 3.8.1, typescript → 5.9.3, postcss → 8.5.8

⚠️ Breaking changes

Next.js 14 → 16

  • Async Request APIs: cookies(), headers(), params, and searchParams are now async — server components/route handlers using these need to await them
  • next lint command removed — lint script now calls eslint . directly
  • See the Next.js 15 upgrade guide and Next.js 16 changelog for the full list

ESLint 8 → 9 (flat config)

  • .eslintrc.json replaced by eslint.config.mjs (ESLint 9 flat config format)
  • Same rules applied: next/core-web-vitals + prettier

Packages held back (major version available)

| Package | Current | Latest | Reason |
| --- | --- | --- | --- |
| react / react-dom | 18.3.1 | 19.x | Major — React 19 breaking changes |
| lucide-react | 0.383.0 | 1.x | Major |
| next-themes | 0.3.0 | 0.4.x | Breaking for 0.x semver |
| sonner | 1.7.4 | 2.x | Major |
| tailwind-merge | 2.6.1 | 3.x | Major |
| i18next | 23.16.8 | 26.x | Major |
| eslint | 9.x | 10.x | Major |

https://claude.ai/code/session_01AHqazcB2hcRzu2yLJhGYQK

- Switch from npm to pnpm (replace package-lock.json with pnpm-lock.yaml)
- Bump all Radix UI packages to latest compatible minor/patch versions
- Upgrade @slack/web-api 7.5→7.15, embla-carousel 8.3→8.6, i18next 23.12→23.16,
  react-i18next 15.0→15.7, react-icons 5.3→5.6, sonner 1.5→1.7,
  tailwind-merge 2.3→2.6, and other minor/patch bumps
- Upgrade next 14.2→15.5.14 (breaking) to fix 5 CVEs:
  GHSA-h25m-26qc-wcjf (high), GHSA-5j98-mcp5-4vw2 (high),
  GHSA-9g9p-9gw9-jx7f (moderate), GHSA-ggv3-7p47-pfv8 (moderate),
  GHSA-3x4c-7xq6-9pq8 (moderate)
- eslint-config-next bumped to 15.5.14 to match Next.js version

https://claude.ai/code/session_01AHqazcB2hcRzu2yLJhGYQK

vercel Bot commented Apr 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| collective_website | Ready | Preview, Comment | Apr 1, 2026 3:48pm |
| collective-website-staging | Ready | Preview, Comment | Apr 1, 2026 3:48pm |

- Bump next 15.5.14 → 16.2.2 and eslint-config-next to match
- Upgrade eslint 8 → 9 (required by eslint-config-next 16)
- Migrate from .eslintrc.json to eslint.config.mjs (ESLint 9 flat config)
- Update lint script: next lint removed in Next 16, now calls eslint directly

https://claude.ai/code/session_01AHqazcB2hcRzu2yLJhGYQK
@alexphiev alexphiev changed the title from "Upgrade dependencies + fix 5 security vulnerabilities" to "Upgrade dependencies to latest non-breaking + Next.js 16 + fix all CVEs" Apr 1, 2026
- SiCss3 → SiCss (renamed in react-icons 5.6)
- SiAwslambda → TbFileLambda (removed in react-icons 5.6, no si replacement)
- /public/... → @/public/... in projects.tsx and project-details.tsx
  (Turbopack in Next 16 does not support server-relative imports)

https://claude.ai/code/session_01AHqazcB2hcRzu2yLJhGYQK
claude added 2 commits April 1, 2026 15:45
- Replace next/font/google with @fontsource-variable/inter to eliminate
  Google Fonts network dependency at build time (hard error in Next 16 Turbopack)
- Await params in layout.tsx and page.tsx (Next 15/16: params is now a Promise)
- Already committed: SiCss3→SiCss, SiAwslambda→TbFileLambda (react-icons 5.6),
  /public/...→@/public/... server-relative imports (Turbopack)

Build now passes locally with zero errors.

https://claude.ai/code/session_01AHqazcB2hcRzu2yLJhGYQK
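The async `params` change called out in the PR summary's breaking-changes list and in the commit message above, as an added example that is not code from this PR or the project. It mocks the shape of the `params` prop a Next.js 15/16 `page.tsx` or `layout.tsx` receives so it runs without Next installed; the `Params` type, the `SUPPORTED_LOCALES` allow-list, `makeProps` and the two resolver names are assumptions made for the illustration. The point worth seeing is the failure mode: code that keeps reading `params.locale` synchronously does not throw, it reads a property off a Promise and gets `undefined`, so any routing or allow-list decision built on the value silently changes behaviour instead of failing loudly.

```typescript
// Added example, not code from this PR or the project. It mocks the shape of
// the `params` prop a Next.js 15/16 page.tsx or layout.tsx receives so it runs
// without Next installed. `Params`, `SUPPORTED_LOCALES`, `makeProps` and the
// resolver names are assumptions made for this illustration.

type Params = { locale: string };

// Locales this constructed app accepts; an assumption, not from the PR.
const SUPPORTED_LOCALES: readonly string[] = ["en", "fr"];

// Stand-in for the props Next.js 15/16 passes: `params` is a Promise, while
// Next.js 14 passed a plain object with the same fields.
function makeProps(locale: string): { params: Promise<Params> } {
  return { params: Promise.resolve({ locale }) };
}

// Next.js 14 pattern left un-migrated. The cast mirrors what un-awaited code
// does at runtime: it reads `.locale` off a Promise, which is undefined, so the
// locale is silently lost rather than producing an error.
function resolveLocaleLegacy(props: { params: Promise<Params> }): string | undefined {
  const params = props.params as unknown as Params;
  return params.locale;
}

// Next.js 15/16 pattern from the commit above: await `params` before use,
// then validate against the allow-list (a real page would call notFound()).
async function resolveLocale(props: { params: Promise<Params> }): Promise<string> {
  const { locale } = await props.params;
  if (!SUPPORTED_LOCALES.includes(locale)) {
    throw new Error(`unsupported locale: ${locale}`);
  }
  return locale;
}

// Stand-alone run: the legacy read yields undefined, the awaited read "en".
resolveLocale(makeProps("en")).then((locale) => {
  console.log("legacy:", resolveLocaleLegacy(makeProps("en")), "awaited:", locale);
});
```

The same shape applies to `searchParams`, and `cookies()` / `headers()` from `next/headers` now return Promises as well; the difference is that calling `.get()` on an un-awaited `headers()` result throws immediately, whereas the un-awaited `params` read above fails quietly, which is why the migration needs a type-checked pass over every page, layout and route handler rather than relying on runtime errors to surface the missed sites.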
Auto-updated by Next.js 16 build: jsx set to react-jsx, target set to ES2017,
and .next/dev/types/**/*.ts added to include paths.

https://claude.ai/code/session_01AHqazcB2hcRzu2yLJhGYQK