Skip to content

build(deps): bump next from 16.2.3 to 16.2.6 in /dashboard#832

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dashboard/next-16.2.6
Open

build(deps): bump next from 16.2.3 to 16.2.6 in /dashboard#832
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dashboard/next-16.2.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Copy link
Copy Markdown
Contributor

Bumps next from 16.2.3 to 16.2.6.

Release notes

Sourced from next's releases.

v16.2.6

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.5

This release contains security fixes for the following advisories:

High:

Moderate:

Low:

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)

... (truncated)

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
  • 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
  • a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
  • 766148f v16.2.5
  • 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
  • d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
  • 9d50c0b Strip next-resume header from incoming requests (#92)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [next](https://github.com/vercel/next.js) from 16.2.3 to 16.2.6.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.3...v16.2.6)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 11, 2026

@hermes-exosphere hermes-exosphere left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved: all 3 CI checks passing. Ready to merge.

@hermes-exosphere

Copy link
Copy Markdown

Your PR is awaiting review by a moderator. Till then you can join the Discord for conversation: https://discord.gg/qaFM2uYFb

@hermes-exosphere

Copy link
Copy Markdown

Automated code review started - full review. Results will be posted here.

@hermes-exosphere

Copy link
Copy Markdown

[progress] Cloned repo, analyzed diff. This is a Dependabot security bump: next 16.2.3 → 16.2.6 in /dashboard. Starting build & test phase...

@hermes-exosphere

Copy link
Copy Markdown

Build & test complete. Results:

  • npm ci: 459 packages installed (2 peer dep warnings, not blockers)
  • npm run build: Compiled successfully, TypeScript clean, 12 static pages generated
  • npm run lint: N/A (pre-existing lint config issue unrelated to this PR)
  • tsc --noEmit: Passes with zero errors
  • Vulnerability audit: 5 known (1 low, 4 moderate — postcss in next dependency chain, not fixed in 16.2.6 yet; tracked as GHSA-qx2v-qp2m-jg93)

Now posting detailed review...

Comment thread dashboard/package.json

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Suggestion: eslint-config-next is still pinned to 16.2.3 while the runtime next was bumped to ^16.2.6. Consider updating this devDependency to 16.2.6 as well — eslint rules can change between versions. This does not block the PR since Dependabot handles runtime deps separately.

@hermes-exosphere

Copy link
Copy Markdown

🔍 Automated Code Review

📋 Executive Summary

This Dependabot PR bumps Next.js from 16.2.3 to 16.2.6 in /dashboard. The update addresses 13 security advisories (7 High, 4 Moderate, 2 Low) including DoS via Server Components, multiple middleware/proxy bypass vectors, SSRF via WebSocket upgrades, XSS vectors, and cache poisoning. The change is a pure dependency version bump — no code changes required. Build and type-check both pass cleanly.


📊 Change Architecture

graph TD
    A["package.json<br/>next: ^16.2.3 → ^16.2.6"] -->|"npm install"| B["package-lock.json<br/>All @next/* packages<br/>+ transitive deps updated"]
    B --> C["Next.js 16.2.6 Runtime<br/>13 security fixes<br/>Backported bug fixes"]
    C --> D["Dashboard Build<br/>✓ Compiled<br/>✓ TypeScript<br/>✓ 12 static pages"]
    style A fill:#FFD700
    style B fill:#87CEEB
    style C fill:#90EE90
    style D fill:#90EE90
Loading

Legend: 🟡 Version change | 🔵 Lockfile cascade | 🟢 Verified


🔴 Breaking Changes

No breaking changes detected. Next.js 16.2.6 is a patch release on the 16.2.x line. The changes are security fixes and backported bug fixes only. No API changes, no config schema changes, no deprecated features removed.


⚠️ Issues Found

  1. 💡 Suggestiondashboard/package.json:35eslint-config-next still pinned to 16.2.3. See inline comment. Not a blocker.

🔬 Logical / Bug Analysis

Change scope: 2 files, 41 insertions, 41 deletions — entirely within lockfile + one version string in package.json.

  • No code paths changed — this is a pure dependency version bump
  • No API surface changes — next@16.2.6 is fully backwards-compatible with 16.2.3
  • No config changes needed — next.config.ts doesn't need modification
  • No new transitive dependencies added — only version bumps within existing dependency tree
  • Lockfile integrity: All 8 @next/swc-* optional platform packages bumped in lockstep, @next/env bumped consistently, integrity hashes match npm registry

Security analysis of the fixes (why this matters for this project):

  • Middleware bypass fixes (4 advisories): The dashboard uses Next.js App Router with API routes (/api/*) — if middleware is used for auth, these fixes prevent bypass via prefetch routes and dynamic route parameter injection
  • DoS via Server Components: Dashboard pages use React Server Components — this fix prevents resource exhaustion attacks
  • XSS via CSP nonces: Relevant if CSP headers are used
  • Cache poisoning: Relevant for any cached server responses

🧪 Evidence — Build & Test Results

Build Output (npm run build)
Creating an optimized production build ...
✓ Compiled successfully in 8.2s
  Running TypeScript ...
  Finished TypeScript in 9.7s
  Collecting page data using 3 workers ...
  Generating static pages using 3 workers (0/12) ...
✓ Generating static pages using 3 workers (12/12) in 316ms
  Finalizing page optimization ...

Route (app)
┌ ○ /
├ ○ /_not-found
├ ƒ /api/config
├ ƒ /api/graph-structure
├ ƒ /api/graph-template
├ ƒ /api/manual-retry-state
├ ƒ /api/namespace-overview
├ ƒ /api/namespaces
├ ƒ /api/node-run-details
├ ƒ /api/runs
└ ƒ /graph/[namespace]/[runId]

○  (Static)   prerendered as static content
ƒ  (Dynamic)  server-rendered on demand
TypeScript Check (tsc --noEmit)
No errors — clean compilation.
npm audit
5 vulnerabilities (1 low, 4 moderate)
  - postcss XSS (GHSA-qx2v-qp2m-jg93) — in next dependency chain, 
    not fixed in 16.2.6 yet

Note: The postcss vulnerability is a transitive dep of next itself and cannot be fixed without a next release that updates its postcss pin. Not an issue introduced by this PR.


🔗 Issue Linkage

⚠️ No linked issue. This is a Dependabot security PR — the PR body documents all 13 addressed CVEs.


👥 Human Review Feedback

No human review comments on this PR. The only prior comments are from hermes-exosphere (this bot) — an auto-reply and a review-start notification.


💡 Suggestions

  1. Update eslint-config-next to 16.2.6 — see inline comment. This keeps lint rules aligned with the runtime. npm install --save-dev eslint-config-next@16.2.6 would do it.
  2. Consider enabling Dependabot for devDependencies as well or adding a grouped update config so eslint-config-next tracks alongside next.

🏆 Verdict

VERDICT: APPROVED

This is a clean, well-formed Dependabot security bump. The 13 patched advisories include critical middleware bypass and DoS fixes that directly benefit this project. Build, TypeScript, and dependency resolution all pass. No breaking changes. Ready to merge.


Automated code review · 2026-07-17 07:08:23 UTC

@hermes-exosphere hermes-exosphere left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: Approved. Security bump from next 16.2.3 to 16.2.6 — 13 CVE fixes, clean build, no breaking changes. ✅

@hermes-exosphere hermes-exosphere left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review: Approved. ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant