
fix(deps): vuln major upgrades — 6 packages (major: 3 · minor: 2 · patch: 1) [services/frontend] #194

Status: Open

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/major/npm/frontend/7-1781535367



Summary: High-severity security update — 7 package upgrades across 6 packages (MAJOR changes included)

Manifests changed:

  • services/frontend (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- | --- |
| next | 12.3.7 | 16.2.9 | major | Direct | 3 HIGH, 15 MEDIUM, 5 LOW |
| react | 17.0.2 | 19.2.7 | major | Direct | - |
| react-dom | 17.0.2 | 19.2.7 | major | Direct | - |
| @opentelemetry/api | 1.8.0 | 1.9.1 | minor | Transitive | - |
| semver | 7.7.2 | 7.8.4 | minor | Transitive | - |
| styled-jsx | 5.0.7 | 5.1.7 | minor | Transitive | - |
| semver | 7.7.2 | 7.7.4 | patch | Transitive | - |

Warning: Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (3 fixed)
| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| next | GHSA-36qx-fr4f-26g5 | HIGH | Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n | 12.3.7 | 15.5.16 |
| next | CVE-2024-51479 | HIGH | Authorization bypass in Next.js | 12.3.7 | - |
| next | GHSA-7gfc-8cq8-jh5f | HIGH | Next.js authorization bypass vulnerability | 12.3.7 | 14.2.15 |
ℹ️ Other Vulnerabilities (20)

| Package | Advisory | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| next | GHSA-xv57-4mr9-wg8v | MODERATE | Next.js Content Injection Vulnerability for Image Optimization | 12.3.7 | 14.2.31 |
| next | CVE-2025-59471 | MODERATE | - | 12.3.7 | - |
| next | CVE-2024-47831 | MODERATE | Next.js image optimization has Denial of Service condition | 12.3.7 | - |
| next | GHSA-g77x-44xx-532m | MODERATE | Denial of Service condition in Next.js image optimization | 12.3.7 | 14.2.7 |
| next | GHSA-h64f-5h5j-jqjh | MODERATE | Next.js has a Denial of Service in the Image Optimization API | 12.3.7 | 15.5.16 |
| next | GHSA-g5qg-72qw-gw5v | MODERATE | Next.js Affected by Cache Key Confusion for Image Optimization API Routes | 12.3.7 | 14.2.31 |
| next | CVE-2025-57752 | MODERATE | Next.js Affected by Cache Key Confusion for Image Optimization API Routes | 12.3.7 | - |
| next | GHSA-3x4c-7xq6-9pq8 | MODERATE | Next.js: Unbounded next/image disk cache growth can exhaust storage | 12.3.7 | 16.1.7 |
| next | GHSA-9g9p-9gw9-jx7f | MODERATE | Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration | 12.3.7 | 15.5.10 |
| next | CVE-2026-27980 | MODERATE | Next.js: Unbounded next/image disk cache growth can exhaust storage | 12.3.7 | - |
| next | GHSA-4342-x723-ch2f | MODERATE | Next.js Improper Middleware Redirect Handling Leads to SSRF | 12.3.7 | 14.2.32 |
| next | CVE-2025-57822 | MODERATE | Next.js Improper Middleware Redirect Handling Leads to SSRF | 12.3.7 | - |
| next | CVE-2026-29057 | MODERATE | Next.js: HTTP request smuggling in rewrites | 12.3.7 | - |
| next | CVE-2025-55173 | MODERATE | Next.js Content Injection Vulnerability for Image Optimization | 12.3.7 | - |
| next | GHSA-ggv3-7p47-pfv8 | MODERATE | Next.js: HTTP request smuggling in rewrites | 12.3.7 | 16.1.7 |
| next | GHSA-3g8h-86w9-wvmq | LOW | Next.js's Middleware / Proxy redirects can be cache-poisoned | 12.3.7 | 15.5.16 |
| next | CVE-2025-32421 | LOW | Next.js Race Condition to Cache Poisoning | 12.3.7 | - |
| next | GHSA-qpjv-v59x-3qc4 | LOW | Next.js Race Condition to Cache Poisoning | 12.3.7 | 14.2.24 |
| next | GHSA-c59h-r6p8-q9wc | LOW | Next.js missing cache-control header may lead to CDN caching empty reply | 12.3.7 | 13.4.20-canary.13 |
| next | CVE-2023-46298 | LOW | - | 12.3.7 | - |

Rows that share a summary (for example GHSA-g5qg-72qw-gw5v and CVE-2025-57752, or GHSA-4342-x723-ch2f and CVE-2025-57822) appear to be the same advisory listed under both its GHSA and its CVE identifier, so 23 rows do not mean 23 distinct issues. Only the GHSA rows carry a "Fixed In" version; treat that value as the threshold to verify, and check the CVE-only rows (no summary or no fix version) against the advisory text by hand.

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
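A reviewer-side check for the checklist above, added here as an example and not part of the PR or of the DataDog bot's tooling: after the upgrade is installed, read package-lock.json and confirm that every installed copy of each package, nested copies included, is at or above the advisory's "Fixed In" version. It embeds a few of the advisory rows from this PR and two constructed lockfile fragments (before and after the upgrade); the nested path node_modules/some-dep/node_modules/semver is hypothetical and stands in for the second copy of semver that makes the Updates table list it twice with different targets. It uses no npm packages, and its small semver comparison handles the prerelease threshold 13.4.20-canary.13 correctly.

```javascript
// Added example (not from the PR or the DataDog bot): verify from
// package-lock.json (lockfileVersion 2/3, "packages" keyed by node_modules
// path) that every installed copy of a package, nested copies included, is
// at or above each advisory's "Fixed In" version. No npm dependencies.

// Thresholds copied from the PR's Security Details table; "-" means the
// table gives no fix version, so it cannot be used as a threshold.
const ADVISORIES = [
  { pkg: 'next', id: 'GHSA-36qx-fr4f-26g5', fixedIn: '15.5.16' },
  { pkg: 'next', id: 'GHSA-7gfc-8cq8-jh5f', fixedIn: '14.2.15' },
  { pkg: 'next', id: 'GHSA-3x4c-7xq6-9pq8', fixedIn: '16.1.7' },
  { pkg: 'next', id: 'GHSA-c59h-r6p8-q9wc', fixedIn: '13.4.20-canary.13' },
  { pkg: 'next', id: 'CVE-2024-51479', fixedIn: '-' },
];

// Constructed lockfile fragments, not the repository's lockfile. The nested
// path under "some-dep" is hypothetical: it models the second copy npm keeps
// when a dependency pins an older range, which is how an Updates table ends
// up listing semver twice with two different targets.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  'node_modules/next': { version: '12.3.7' },
  'node_modules/semver': { version: '7.7.2' },
  'node_modules/some-dep/node_modules/semver': { version: '7.7.2' },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  'node_modules/next': { version: '16.2.9' },
  'node_modules/semver': { version: '7.8.4' },
  'node_modules/some-dep/node_modules/semver': { version: '7.7.4' },
} };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease identifiers: numeric ones compare numerically and rank below
// alphanumeric ones (semver 2.0.0, item 11).
function comparePreId(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an !== bn) return an ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. A prerelease ranks below the bare version, so
// 13.4.20-canary.13 < 13.4.20, while 16.2.9 clears both.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  if (!a.pre.length || !b.pre.length) return Math.sign(b.pre.length - a.pre.length);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (i >= a.pre.length) return -1; // fewer identifiers ranks lower
    if (i >= b.pre.length) return 1;
    const c = comparePreId(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Every installed copy: the top-level one plus any nested under another
// package's node_modules. Scoped names (@scope/name) need no special case.
function installedCopies(lock, name) {
  const tail = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === tail || p.endsWith(`/${tail}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

function installedVersions(lock, name) {
  return installedCopies(lock, name).map((c) => c.version).sort(compareSemver);
}

// One finding per (advisory, installed copy): 'fixed', 'vulnerable',
// 'unknown' (no threshold in the table) or 'absent' (not installed at all).
function auditLockfile(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const copies = installedCopies(lock, adv.pkg);
    if (copies.length === 0) { findings.push({ id: adv.id, path: null, version: null, status: 'absent' }); continue; }
    for (const { path, version } of copies) {
      let status = 'fixed';
      if (adv.fixedIn === '-') status = 'unknown';
      else if (compareSemver(version, adv.fixedIn) < 0) status = 'vulnerable';
      findings.push({ id: adv.id, path, version, status });
    }
  }
  return findings;
}

// Anything not 'fixed' is a reason to hold the merge or to check by hand.
function unresolved(lock, advisories) {
  return auditLockfile(lock, advisories).filter((f) => f.status !== 'fixed');
}

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  console.log(label, unresolved(lock, ADVISORIES).map((f) => `${f.id}=${f.status}`).join(' ') || 'all fixed');
}
console.log('semver copies after upgrade:', installedVersions(LOCK_AFTER, 'semver').join(', '));
```

To use it on the real branch, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` from the PR head and with the full advisory table, and run it with node. Before the upgrade every thresholded row reports vulnerable; after it only the rows with no "Fixed In" value remain, and those still have to be confirmed against the advisory text by hand. The nested-copy lookup is the part worth keeping: a transitive package can be upgraded at the top level while an older copy survives under another package's node_modules, which a direct-dependency diff will not show.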
