IRL-32: Bump Next 16.2.1 → 16.2.4 (high-severity DoS)#37
Conversation
Patches GHSA-q4gf-8mx6-v5v3 — Denial of Service in Server Components affecting Next.js 16.0.0-beta.0 through 16.2.2. Bumped both `next` and `eslint-config-next` to `^16.2.4`. `npm audit` now shows 0 vulnerabilities. Lint and build pass clean. Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
Pull request overview
Updates the project’s Next.js dependency to a patched release to address GHSA-q4gf-8mx6-v5v3 (high-severity DoS in Server Components) and keeps the Next ESLint config in sync.
Changes:
- Bump `next` from 16.2.1 to 16.2.4 (now specified as `^16.2.4`).
- Bump `eslint-config-next` from 16.2.1 to 16.2.4 (now specified as `^16.2.4`).
- Update `package-lock.json` to reflect the new resolved Next.js 16.2.4 dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Updates Next.js and eslint-config-next version specifiers to 16.2.4 to patch the advisory. |
| package-lock.json | Updates resolved Next.js/eslint-config-next packages (and Next SWC artifacts) to 16.2.4. |
| "dotenv": "^17.3.1", | ||
| "lucide-react": "^1.7.0", | ||
| "next": "16.2.1", | ||
| "next": "^16.2.4", |
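Review bot: the move from `"16.2.1"` to `"^16.2.4"` changes the allowed range, not what is installed: with the committed package-lock.json, `npm ci` installs exactly the locked 16.2.4, and only `npm update` or an install without the lockfile would float to a newer 16.x. What closes the advisory is the resolved `node_modules/next` version in the lockfile being outside the stated 16.0.0-beta.0 through 16.2.2 range, so confirm that with `npm ls next` (and check for nested duplicate copies) rather than reading it off the specifier.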
next was changed from a pinned version to a caret range (^16.2.4). In this repo the core runtime packages appear to be pinned exactly (e.g., react, react-dom, @prisma/client), and previously next was pinned as well; keeping next pinned (e.g., 16.2.4 or at most ~16.2.4) helps avoid unexpected behavior changes from automatic patch/minor upgrades outside of an explicit bump PR.
| "next": "^16.2.4", | |
| "next": "16.2.4", |
| "@types/react-dom": "^19", | ||
| "eslint": "^9", | ||
| "eslint-config-next": "16.2.1", | ||
| "eslint-config-next": "^16.2.4", |
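Review bot: `eslint-config-next` is released in lockstep with `next`, and this hunk correctly moves it to the same 16.2.4; whatever is decided about pinning versus caret for `next` above, apply the same choice here so the two cannot drift apart on a later bump, and keep `npm ls next eslint-config-next` showing one matching version for both.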
eslint-config-next was changed from a pinned version to a caret range (^16.2.4). If the intent is reproducible toolchain behavior (consistent with pinning other core packages), consider pinning this to an exact version to prevent silent lint rule changes landing via transitive updates.
| "eslint-config-next": "^16.2.4", | |
| "eslint-config-next": "16.2.4", |
| "dotenv": "^17.3.1", | ||
| "lucide-react": "^1.7.0", | ||
| "next": "16.2.1", | ||
| "next": "^16.2.4", |
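Review bot: Next's `engines.node` requirement of `>=20.9.0` lives only in the lockfile entry for `node_modules/next` here, and an `engines` field in package.json is advisory by default: npm prints a warning on mismatch and only refuses to install when `engine-strict=true` is set in `.npmrc` (or `--engine-strict` is passed). If an engines entry is added, pair it with that setting or with an explicit Node version check in CI, so an old runtime fails at install time instead of at request time.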
Next 16.2.4 declares a Node engine requirement of ">=20.9.0" (see package-lock.json for node_modules/next). Since package.json doesn't currently declare an engines.node, it's easy to deploy/build with an older Node and fail at runtime; consider adding an engines entry aligned with Next's requirement.
Summary
Resolves IRL-32. Patches GHSA-q4gf-8mx6-v5v3 — Denial of Service in Server Components affecting Next.js 16.0.0-beta.0 through 16.2.2.
Bumped both `next` and `eslint-config-next` to `^16.2.4`. `npm audit` now reports `found 0 vulnerabilities`.
Note on merge order
This PR is independent of #34 (bug bundle) and #35 (tests + CI), but #35 will need a rebase when this merges — both touch `package.json`/`package-lock.json`. Conflict is mechanical (different keys) and trivial to resolve.
Recommended merge order: this PR → #34 → #35 (rebase #35 onto main after each merge).
Test plan
- `npm install` clean
- `npm audit` reports 0 vulnerabilities
- `npm run lint` clean
- `npm run build` green
- `npm run dev`, click through tasks/notes/links/weather widgets
🤖 Generated with Claude Code
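The test plan above leans on `npm audit`, which only reports what the registry's advisory database currently knows. As an added example that is not part of this PR or the project, the Node script below checks a package-lock.json directly against the advisory's stated affected range (16.0.0-beta.0 through 16.2.2, inclusive), flags nested duplicate copies of `next` that a hoisted top-level bump can leave behind, confirms `eslint-config-next` moved in lockstep with `next`, and compares the lockfile's declared `engines.node` with a given Node version. The `BEFORE` and `AFTER` lockfile fragments are constructed for the demonstration, and the engines parser deliberately handles only the `>=X.Y.Z` form that matters here.

```javascript
// Added example, not code from the PR or the project: audit a package-lock.json
// against the advisory's stated range instead of trusting `npm audit` alone.
// Usage: node check-next-lock.js (lockfile fragments below are constructed).

// Affected range as stated in the PR description: 16.0.0-beta.0 through 16.2.2.
const AFFECTED = { from: '16.0.0-beta.0', to: '16.2.2' };

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease identifiers: numeric ones compare numerically and sort before alphanumeric ones.
function compareIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Semver precedence: returns -1, 0 or 1. A prerelease sorts before its final release,
// which is why 16.0.0-beta.0 can be the lower bound of a range that includes 16.0.0.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1; // shorter prerelease list sorts first
    if (y.pre[i] === undefined) return 1;
    const c = compareIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

function isAffected(version) {
  return compareSemver(version, AFFECTED.from) >= 0 && compareSemver(version, AFFECTED.to) <= 0;
}

// Every installed copy of `name` in a lockfile v2/v3 "packages" map, including copies
// nested under other packages' node_modules (a hoisted fix can leave a vulnerable nested one).
function findInstalled(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version, engines: meta.engines || {} });
    }
  }
  return hits;
}

// Simplification for this example: only the ">=X.Y.Z" engines form is handled.
function nodeSatisfies(range, nodeVersion) {
  const m = /^>=\s*(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported engines range in this example: ${range}`);
  return compareSemver(nodeVersion, m[1]) >= 0;
}

// Returns a list of problems; an empty list means the lockfile passes every check.
function checkLock(lock, nodeVersion) {
  const problems = [];
  const nexts = findInstalled(lock, 'next');
  if (nexts.length === 0) problems.push('next is not present in the lockfile');
  for (const { path, version, engines } of nexts) {
    if (isAffected(version)) problems.push(`${path}@${version} is inside the affected range`);
    if (engines.node && nodeVersion && !nodeSatisfies(engines.node, nodeVersion)) {
      problems.push(`${path}@${version} requires node ${engines.node}, running ${nodeVersion}`);
    }
  }
  // eslint-config-next is released in lockstep with next; a mismatch means a partial bump.
  const want = nexts.length ? nexts[0].version : null;
  for (const { path, version } of findInstalled(lock, 'eslint-config-next')) {
    if (version !== want) problems.push(`${path}@${version} does not match next@${want}`);
  }
  return problems;
}

// Constructed lockfile fragments (not the PR's real package-lock.json).
const BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '0.0.0' },
  'node_modules/next': { version: '16.2.1' },
  'node_modules/eslint-config-next': { version: '16.2.1' },
} };
const AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '0.0.0' },
  'node_modules/next': { version: '16.2.4', engines: { node: '>=20.9.0' } },
  'node_modules/eslint-config-next': { version: '16.2.4' },
} };

console.log('before bump:', checkLock(BEFORE, '22.1.0'));
console.log('after bump: ', checkLock(AFTER, '22.1.0'));
console.log('after bump, old node:', checkLock(AFTER, '18.20.0'));
```

To run it against the real repository, replace the constructed fragments with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass `process.versions.node` as the Node version; the engines check then reports the same mismatch at review time that a too-old deployment target would otherwise surface at runtime.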