[Snyk] Fix for 2 vulnerabilities

[arthrod]

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Uncaught Exception SNYK-JS-FASTXMLPARSER-15155603	828
	Allocation of Resources Without Limits or Throttling SNYK-JS-NEXT-15104645	696

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncaught Exception
🦉 Allocation of Resources Without Limits or Throttling

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch snyk-fix-2611a0be9f8afb09d601d55722cc9c98

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @arthrod, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, focuses on enhancing the project's security by upgrading several key npm dependencies. The primary goal is to remediate two high-severity vulnerabilities identified in the project's dependency tree, thereby improving the overall robustness and security posture of the application through targeted package version bumps.

Highlights

• Dependency Upgrades: Upgraded @aws-sdk/client-s3 and @aws-sdk/s3-presigned-post from ^3.485.0 to ^3.894.0 to incorporate the latest features and security patches.
• Next.js Version Update: Updated the next framework from version 13.4.19 to 15.5.10, bringing significant updates and potential performance improvements.
• Vulnerability Remediation: Addressed two high-severity vulnerabilities: 'Uncaught Exception' (SNYK-JS-FASTXMLPARSER-15155603) and 'Allocation of Resources Without Limits or Throttling' (SNYK-JS-NEXT-15104645) by updating the affected packages.

Changelog

• package-lock.json
  • Updated to reflect the changes made in package.json and ensure dependency tree consistency.
• package.json
  • Updated @aws-sdk/client-s3 dependency from ^3.485.0 to ^3.894.0.
  • Updated @aws-sdk/s3-presigned-post dependency from ^3.485.0 to ^3.894.0.
  • Updated next dependency from 13.4.19 to 15.5.10.

Activity

• This pull request was automatically created by Snyk to propose fixes for identified security vulnerabilities.
• No human comments or reviews have been made yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, updates dependencies to resolve two security vulnerabilities. While addressing security issues is crucial, the proposed changes introduce significant risks. The next package is upgraded across two major versions to a canary release (15.5.10), which is not suitable for production environments due to potential instability and breaking changes. A safer alternative is to upgrade to a stable Next.js 14 release that includes the security patch. Additionally, the AWS SDK packages are updated inconsistently, which can lead to version conflicts and maintainability issues. It's recommended to align all @aws-sdk/* packages to the same version.

[gemini-code-assist]

This PR upgrades next from version 13.4.19 to 15.5.10, which is a canary (pre-release) version of Next.js 15. Using canary releases in production is highly risky as they are not stable and may contain bugs or undergo breaking changes before the final release.

The security vulnerability SNYK-JS-NEXT-15104645 is fixed in Next.js version 14.1.1 and later. It is strongly recommended to upgrade to a stable version of Next.js 14 instead of a canary release of v15. This will provide the security fix while minimizing the risk of introducing breaking changes and instability.

Additionally, your eslint-config-next dev dependency is at version 13.4.19. When upgrading next, this package should also be upgraded to a compatible version to ensure ESLint rules are aligned with the Next.js version in use.

Suggested change

	"next": "15.5.10",
	"next": "^14.1.1",

[gemini-code-assist]

While @aws-sdk/client-s3 and @aws-sdk/s3-presigned-post are being updated, other @aws-sdk/* packages like @aws-sdk/s3-request-presigner (at 3.731.1) and @aws-sdk/types (at ^3.485.0) are left on older versions.

This version mismatch can lead to multiple versions of the same transitive dependencies (like @aws-sdk/types) being installed, potentially causing type incompatibilities and subtle runtime bugs.

It is a best practice to keep all packages from the same scope (like @aws-sdk/*) aligned to the same version. Please consider updating all @aws-sdk/* dependencies in package.json to ^3.894.0 for better maintainability and stability.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 079b84a775

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Align runtime Node version with new Next 15 engine

Next 15.5.10 now declares node: ^18.18.0 || ^19.8.0 || >= 20.0.0, which is stricter than the repo’s current >=18.0.0 engine. If any CI/CD or production environment is still on Node 18.0–18.17 (allowed by the repo engine), installing or running next can fail under engine‑strict package managers or during platform validation. This upgrade should be paired with an explicit Node bump or engine update to avoid breaking deployments that were previously valid on 18.0.x.

Useful? React with 👍 / 👎.