Skip to content

Update npm package next to v16 [SECURITY] - autoclosed #8334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
hash-worker wants to merge 1 commit into from
+190 −158
Closed

Update npm package next to v16 [SECURITY] - autoclosed #8334

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/hash-frontend/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@
"marked": "4.3.0",
"material-ui-popup-state": "4.1.0",
"millify": "6.1.0",
"next": "15.5.10",
"next": "16.0.10",
Copy link

@augmentcode augmentcode bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With next bumped to 16, @next/bundle-analyzer is still pinned to 15.5.9; can we confirm this combination is supported (or that the analyzer isn’t used here) to avoid peer-dep/install or build-time issues?

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎

Copy link

@cursor cursor bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Webpack config ignored due to Turbopack default change

Medium Severity

Upgrading next to 16.0.10 changes the default bundler for next dev from webpack to Turbopack. The project's next.config.js contains custom webpack configuration including @svgr/webpack for SVG handling, async WASM support, and custom resolve aliases—none of which will be applied when Turbopack runs. The dev script still runs plain next dev without the --webpack flag, so development server functionality will break. Either the dev script needs --webpack flag or equivalent Turbopack configuration (turbopack.rules) needs to be added.

Fix in Cursor Fix in Web

"next-seo": "6.8.0",
"nextjs-progressbar": "0.0.16",
"notistack": "2.0.8",
Expand Down
2 changes: 1 addition & 1 deletion libs/@local/hash-isomorphic-utils/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@
"@vitest/coverage-istanbul": "3.2.4",
"eslint": "9.39.2",
"graphql": "16.11.0",
"next": "15.5.10",
"next": "16.0.10",
Copy link

@augmentcode augmentcode bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description for CVE-2025-59472 recommends upgrading to 16.1.5 to mitigate; can we confirm 16.0.10 fully addresses the vulnerability alert for our deployment mode (especially if PPR/minimal mode is enabled)?

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎

"react": "19.2.3",
"rimraf": "6.1.2",
"typescript": "5.9.3",
Expand Down
Loading
Loading