security(deps): upgrade Next 14 → 15.5.16 + React 19 (AVO-3258, PR 2 of 3)#1731
Conversation
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughThis PR upgrades core dependencies: next to 15.5.16, react and react-dom to 19.2.7, react-medium-image-zoom to 5.4.8, and ChangesDependency Upgrade
Estimated code review effort: 2 (Simple) | ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
… of 3) Completes the docs Dependabot remediation. PR 1 (#1729) could not clear 4 of the 6 `next` advisories (fixed only in 15.5.15/15.5.16), so full Vanta clearance requires the 14 -> 15 major upgrade. Clears: GHSA-h25m-26qc-wcjf, GHSA-q4gf-8mx6-v5v3, CVE-2026-44573, CVE-2026-44578, GHSA-8h8q-6873-q5fj. - next ^14.2.32 -> 15.5.16 (minimal for clearance; not 16.x latest) - react ^18.3.1 -> 19.2.7 (required by Next 15) - react-dom ^18.3.1 -> 19.2.7 - @types/react ^18.3.12 -> ^19.2.17 - @types/react-dom ^18.3.1 -> ^19.2.3 - react-medium-image-zoom 5.2.5 -> 5.4.8 (official React 19 support; it is used on the landing page; clears its runtime peer warning) Code change: pages/_document.tsx now imports the `JSX` type from 'react' (@types/react 19 removed the global JSX namespace). This is a Pages-router Nextra 3 site, so the app-router async request API changes (cookies()/headers()/params) do not apply -- _document's getInitialProps is unaffected. next.config.mjs uses no Next-15-removed options. next-env.d.ts was regenerated by Next 15 (typed-routes reference). Verification (production build + `next start` + browser spot-check, per the brief): - yarn build / tsc --noEmit / yarn lint / yarn spellcheck all green - Chromium spot-check of landing, content pages, search and navigation under React 19: pages render, flexsearch returns results, sidebar nav works, the image-zoom modal opens, mermaid/SVG render. ZERO uncaught errors and ZERO hydration warnings across all pages. (The only console errors are external analytics CDNs blocked by the sandbox network egress -- environmental, not code.) Every bumped package verified against the registry (age > 7d, no install scripts, not deprecated, dependency-delta clean). The one remaining peer warning is a Nextra build-time transitive (@theguild/remark-mermaid wants react ^18.2.0) -- a remark plugin, not runtime React; mermaid renders correctly. Note: the mandated live alert re-pull (gh api dependabot/alerts) was not available in this session (GitHub REST not enabled); relied on the brief's alert list (verified 2026-07-06) plus per-package registry verification. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
fdff35d to
a5569fc
Compare
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
What & why
The final phase of the AVO-3258 docs remediation. PR 1 (#1729) cannot fully clear the Vanta test — 4 of the 6
nextadvisories are fixed only in 15.5.15 / 15.5.16, so full clearance requires thenext14 → 15 major upgrade (which requires React 19).Clears:
GHSA-h25m-26qc-wcjf(< 15.0.8),GHSA-q4gf-8mx6-v5v3(< 15.5.15),CVE-2026-44573,CVE-2026-44578,GHSA-8h8q-6873-q5fj(< 15.5.16).Changes
nextreactreact-dom@types/react@types/react-domreact-medium-image-zoom<Zoom>); clears its runtime peer warningCode change — just one line
+import type { JSX } from 'react'; import Document, { ... } from 'next/document';@types/react19 removed the globalJSXnamespace;_document.tsx'srender(): JSX.Elementnow imports the type fromreact.This is a Pages-router Nextra 3 site. The headline Next 15 breaking change — async
cookies()/headers()/params— is app-router only and does not apply here._document.tsx'sgetInitialPropsis a standard Pages-router pattern, unaffected.next.config.mjsuses no Next-15-removed options (noswcMinify, noimages.domains, noi18n).next-env.d.tswas regenerated by Next 15 (typed-routes reference).Verification — production build +
next start+ browser spot-check (per the brief)yarn build✅ ·tsc --noEmit✅ ·yarn lint✅ ·yarn spellcheck✅ (164 files, 0 issues)next start, real browser):react-medium-image-zoom— the zoom modal opens on click ✓.Every bumped package was verified against the registry (publish age > 7 days, no
preinstall/install/postinstallscripts, not deprecated, dependency-delta clean).Known non-blocking items
nextra > @theguild/remark-mermaid@0.1.3wantsreact@^18.2.0. It is a build-time remark plugin, not runtime React, and mermaid renders correctly — a Nextra transitive we don't control directly. Left as-is.next lintdeprecation: Next 15.5 prints a notice thatnext lintis deprecated in favor of the ESLint CLI. Lint still passes; the migration is intentionally left out of this security PR to keep the diff focused.Merge
Per the ticket, Solvi makes the merge call on PR 2 given the regression surface. Independent of #1729 / #1730 (they touch
resolutions; this touches coredependencies); expect a trivialpackage.jsonreconciliation if merged after them.Generated by Claude Code
Summary by CodeRabbit