chore(deps): bump next from 15.5.14 to 16.2.6

[dependabot]

Bumps next from 15.5.14 to 16.2.6.

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
• 97a154e Turbopack: Fix middleware matcher suffix (#93590)
• 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
• 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
• a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
• 766148f v16.2.5
• 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
• d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
• 9d50c0b Strip next-resume header from incoming requests (#92)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Summary by CodeRabbit

• Chores
  • Updated Next.js framework to the latest stable version for improved performance and compatibility.

**Disclaimer This is AxiomID Review Agent.

Greptile Summary

This PR bumps next from 15.5.14 to 16.2.6, addressing multiple high-severity security advisories (middleware/proxy bypass, DoS via server components/cache/image optimization, SSRF via WebSocket upgrades, and XSS in CSP nonces). It also cleans up orphaned lock-file entries for react-hook-form, @hookform/resolvers, and minimatch that were already removed from package.json in a prior commit.

• Upgrades next across all platform-specific SWC binaries and the @next/env helper to 16.2.6.
• Next.js 16 introduces a tightened Node.js engine requirement (>=20.9.0, up from ^18.18.0 || ^19.8.0 || >=20.0.0), and adds baseline-browser-mapping as a runtime dependency.
• Orphaned dev-only packages (balanced-match, brace-expansion, minimatch) are correctly reclassified as devDependencies in the lock file.

Confidence Score: 3/5

Safe to merge only after confirming all CI runners and deployment environments are on Node 20.9.0 or later; otherwise the build will break silently.

This is a major-version Next.js upgrade driven by important security fixes. The upgrade itself is well-scoped and the lock file cleanup is a legitimate side-effect. The main risk is the tightened Node.js engine floor: any environment still running Node 18 or 19 will stop working after merge, and there is currently no engines field in package.json to make this constraint visible before deployment.

Verify CI configuration and any Dockerfile/deployment environment specifies Node ≥20.9.0; the lock file change around the node_modules/next engines declaration is where the new floor is set.

Important Files Changed

Filename	Overview
package.json	Single-line change bumping next from ^15.4.9 to ^16.2.6; no other direct dependencies changed here.
package-lock.json	Lock file regenerated to resolve Next.js 16.2.6 and all its SWC platform binaries; also removes orphaned react-hook-form, @hookform/resolvers, and @standard-schema/utils entries, and adjusts dev/prod flags for minimatch/brace-expansion/balanced-match.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot PR: next 15.5.14 → 16.2.6] --> B[package.json\nnext: ^15.4.9 → ^16.2.6]
    A --> C[package-lock.json regenerated]

    C --> D[next 16.2.6 + SWC binaries\nfor all 8 platforms]
    C --> E[Orphaned entries removed\nreact-hook-form\n@hookform/resolvers\n@standard-schema/utils\nminimatch direct dep]
    C --> F[baseline-browser-mapping\nnow a runtime dep of next 16]
    C --> G[balanced-match, brace-expansion,\nminimatch → devDependencies]

    D --> H{Node.js engine\nrequirement change}
    H -->|Before| I[^18.18.0 OR ^19.8.0 OR >=20.0.0]
    H -->|After| J[>=20.9.0]

    J --> K[⚠️ Node 18/19 environments\nwill fail at runtime]

Loading

_{Reviews (1): Last reviewed commit: "chore(deps): bump next from 15.5.14 to 1..." | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[blacksmith-sh]

Blacksmith Account Suspended

This Blacksmith account requires additional verification. Jobs targeting Blacksmith runners will not be picked up and will remain queued until they timeout.

Please contact Blacksmith Support for assistance.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the Next.js framework dependency from version 15.4.9 to version 16.2.6 in package.json. This is a straightforward dependency version bump with no other configuration, script, or package changes.

Changes

Next.js Dependency Update

Layer / File(s)	Summary
Next.js version bump package.json	The next dependency is updated to ^16.2.6, moving from the 15.x major version line to 16.x.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A version bump, so clean and small,
From fifteen to sixteen, a call,
Next.js grows, we hop along,
Dependencies strong and dependencies song! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating the Next.js dependency from version 15.5.14 to 16.2.6, which is the primary purpose of this dependency bump PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/npm_and_yarn/next-16.2.6

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Node.js minimum version tightened to >=20.9.0

Next.js 16 drops support for Node 18 and 19 — the engine requirement narrows from ^18.18.0 || ^19.8.0 || >=20.0.0 to >=20.9.0. If any CI runner, Docker base image, or deployment environment is still on Node 18.x or 19.x, the build will fail at runtime. The project's package.json has no "engines" field, so this constraint is only visible in the lock file. Consider adding "engines": { "node": ">=20.9.0" } to package.json to surface this requirement explicitly.

[Moeabdelaziz007]

إغلاق: هذا الـ PR قديم وسيتم فتحه من جديد مع rebase لاحقاً

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.