Skip to content

security(deps): upgrade Next 14 → 15.5.16 + React 19 (AVO-3258, PR 2 of 3)#1731

Merged
logason merged 1 commit into
mainfrom
claude/exciting-planck-lv2t8j-next15
Jul 6, 2026
Merged

security(deps): upgrade Next 14 → 15.5.16 + React 19 (AVO-3258, PR 2 of 3)#1731
logason merged 1 commit into
mainfrom
claude/exciting-planck-lv2t8j-next15

Conversation

@ada-avo

@ada-avo ada-avo commented Jul 6, 2026

Copy link
Copy Markdown

What & why

The final phase of the AVO-3258 docs remediation. PR 1 (#1729) cannot fully clear the Vanta test — 4 of the 6 next advisories are fixed only in 15.5.15 / 15.5.16, so full clearance requires the next 14 → 15 major upgrade (which requires React 19).

Clears: GHSA-h25m-26qc-wcjf (< 15.0.8), GHSA-q4gf-8mx6-v5v3 (< 15.5.15), CVE-2026-44573, CVE-2026-44578, GHSA-8h8q-6873-q5fj (< 15.5.16).

Pinned to 15.5.16 (the minimal version for clearance) rather than next@latest, which is now 16.x — a larger change beyond this remediation's scope and the approved decision (Next 15.5.16 + React 19).

Changes

Package From To Why
next ^14.2.32 15.5.16 clears the 4 remaining advisories
react ^18.3.1 19.2.7 required by Next 15
react-dom ^18.3.1 19.2.7 required by Next 15
@types/react ^18.3.12 ^19.2.17 React 19 types
@types/react-dom ^18.3.1 ^19.2.3 React 19 types
react-medium-image-zoom 5.2.5 5.4.8 official React 19 support; used on the landing page (<Zoom>); clears its runtime peer warning

Code change — just one line

+import type { JSX } from 'react';
 import Document, { ... } from 'next/document';

@types/react 19 removed the global JSX namespace; _document.tsx's render(): JSX.Element now imports the type from react.

This is a Pages-router Nextra 3 site. The headline Next 15 breaking change — async cookies() / headers() / params — is app-router only and does not apply here. _document.tsx's getInitialProps is a standard Pages-router pattern, unaffected. next.config.mjs uses no Next-15-removed options (no swcMinify, no images.domains, no i18n). next-env.d.ts was regenerated by Next 15 (typed-routes reference).

Verification — production build + next start + browser spot-check (per the brief)

  • yarn build ✅ · tsc --noEmit ✅ · yarn lint ✅ · yarn spellcheck ✅ (164 files, 0 issues)
  • Chromium spot-check under React 19 (next start, real browser):
    • Landing, content pages, search, navigation all render correctly (full Nextra theme, sidebar, TOC, theme toggle).
    • Search — flexsearch index loads and returns highlighted results ("inspector" → 105, "tracking plan" → 98).
    • Navigation — sidebar links work.
    • react-medium-image-zoom — the zoom modal opens on click ✓.
    • mermaid / SVG render.
    • Zero uncaught exceptions and zero hydration warnings on every page.
    • The only console errors are external analytics CDNs (FullStory, GTM, iubenda, Segment) blocked by this sandbox's network egress — environmental, not code regressions (they load on Vercel).

Every bumped package was verified against the registry (publish age > 7 days, no preinstall/install/postinstall scripts, not deprecated, dependency-delta clean).

Known non-blocking items

  • Remaining peer warning: nextra > @theguild/remark-mermaid@0.1.3 wants react@^18.2.0. It is a build-time remark plugin, not runtime React, and mermaid renders correctly — a Nextra transitive we don't control directly. Left as-is.
  • next lint deprecation: Next 15.5 prints a notice that next lint is deprecated in favor of the ESLint CLI. Lint still passes; the migration is intentionally left out of this security PR to keep the diff focused.

Merge

Per the ticket, Solvi makes the merge call on PR 2 given the regression surface. Independent of #1729 / #1730 (they touch resolutions; this touches core dependencies); expect a trivial package.json reconciliation if merged after them.


Generated by Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the app to newer platform and UI library versions for improved compatibility and support.
    • Added route type support from the latest build output to help keep TypeScript checks in sync with navigation changes.

@linear-code

linear-code Bot commented Jul 6, 2026

Copy link
Copy Markdown

AVO-3258

@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 6, 2026 2:21pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f85522e8-f7a9-4577-9a2b-d5ebc1b134a8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR upgrades core dependencies: next to 15.5.16, react and react-dom to 19.2.7, react-medium-image-zoom to 5.4.8, and @types/react to ^19.2.17. It also adds a routes.d.ts reference in next-env.d.ts and a type-only JSX import in pages/_document.tsx.

Changes

Dependency Upgrade

Layer / File(s) Summary
Dependency version bumps
package.json
Updates next, react, react-dom, react-medium-image-zoom in dependencies, and @types/react in devDependencies to new major versions.
TypeScript environment and import updates
next-env.d.ts, pages/_document.tsx
Adds a reference directive for .next/types/routes.d.ts, updates the documentation URL comment, and adds a type-only JSX import from react.

Estimated code review effort: 2 (Simple) | ~10 minutes

Poem

Hop, hop, upgrade time is near,
New React, new Next, no need to fear,
A JSX import, a routes.d.ts line,
Small little tweaks, all working fine,
This bunny thumps with joy so bright! 🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main change: upgrading Next.js 14 to 15.5.16 and React to 19.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/exciting-planck-lv2t8j-next15

Comment @coderabbitai help to get the list of available commands.

@ada-avo ada-avo requested a review from logason July 6, 2026 12:48
… of 3)

Completes the docs Dependabot remediation. PR 1 (#1729) could not clear 4 of the
6 `next` advisories (fixed only in 15.5.15/15.5.16), so full Vanta clearance
requires the 14 -> 15 major upgrade.

Clears: GHSA-h25m-26qc-wcjf, GHSA-q4gf-8mx6-v5v3, CVE-2026-44573, CVE-2026-44578,
GHSA-8h8q-6873-q5fj.

- next             ^14.2.32 -> 15.5.16  (minimal for clearance; not 16.x latest)
- react            ^18.3.1  -> 19.2.7   (required by Next 15)
- react-dom        ^18.3.1  -> 19.2.7
- @types/react     ^18.3.12 -> ^19.2.17
- @types/react-dom ^18.3.1  -> ^19.2.3
- react-medium-image-zoom 5.2.5 -> 5.4.8  (official React 19 support; it is used
                   on the landing page; clears its runtime peer warning)

Code change: pages/_document.tsx now imports the `JSX` type from 'react'
(@types/react 19 removed the global JSX namespace). This is a Pages-router
Nextra 3 site, so the app-router async request API changes
(cookies()/headers()/params) do not apply -- _document's getInitialProps is
unaffected. next.config.mjs uses no Next-15-removed options. next-env.d.ts was
regenerated by Next 15 (typed-routes reference).

Verification (production build + `next start` + browser spot-check, per the brief):
- yarn build / tsc --noEmit / yarn lint / yarn spellcheck all green
- Chromium spot-check of landing, content pages, search and navigation under
  React 19: pages render, flexsearch returns results, sidebar nav works, the
  image-zoom modal opens, mermaid/SVG render. ZERO uncaught errors and ZERO
  hydration warnings across all pages. (The only console errors are external
  analytics CDNs blocked by the sandbox network egress -- environmental, not code.)

Every bumped package verified against the registry (age > 7d, no install scripts,
not deprecated, dependency-delta clean). The one remaining peer warning is a
Nextra build-time transitive (@theguild/remark-mermaid wants react ^18.2.0) -- a
remark plugin, not runtime React; mermaid renders correctly.

Note: the mandated live alert re-pull (gh api dependabot/alerts) was not
available in this session (GitHub REST not enabled); relied on the brief's alert
list (verified 2026-07-06) plus per-package registry verification.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
@ada-avo ada-avo force-pushed the claude/exciting-planck-lv2t8j-next15 branch from fdff35d to a5569fc Compare July 6, 2026 14:20
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@logason logason merged commit 45c3457 into main Jul 6, 2026
4 checks passed
@logason logason deleted the claude/exciting-planck-lv2t8j-next15 branch July 6, 2026 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants