fix(frontend): upgrade next 16.1.6 → 16.2.6 (advisory close-out)#53
Conversation
Reverted in v0.3.0 because the initial `npm install next@16.2.6` from
the frontend/ subdir caused npm to install TWO copies of next: 16.2.6
in frontend/node_modules/ and an old 16.1.6 left at root (carried over
from next-auth's peer-dep resolution). TypeScript saw both copies and
broke next.config.ts:75 with mismatched NextConfig types.
The real fix: add `next` to root devDependencies. Even though the
root workspace doesn't import next directly, declaring it there gives
npm a single resolution target so:
- next gets hoisted ONCE to root node_modules
- frontend/node_modules has no separate copy
- next-auth's peer dep ("^14 || ^15 || ^16") is satisfied by the
hoisted root copy
- eslint-config-next (also at root) finds next via standard module
resolution
Verified: `npx -w @uconsole/frontend tsc --noEmit` exit 0, lint clean,
212 vitest tests pass, build succeeds. Closes the 19 Next.js advisories
deferred from v0.3.0 (CVSS 8.6 SSRF, 8.1 Middleware bypass, 7.5 DoS x3,
plus moderates).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Greptile SummaryThis PR upgrades Next.js from
Confidence Score: 4/5Safe to merge — the dependency upgrade is straightforward and the hoisting strategy is sound. The only rough edge is eslint-config-next trailing behind. The upgrade itself is clean and the lock file is consistent. The one thing worth fixing is eslint-config-next still being at 16.1.6 while next is now 16.2.6 — the bundled @next/eslint-plugin-next rules are one minor version behind. This won't break a build today but is easy to align in the same commit. frontend/package.json — eslint-config-next should be bumped to match next 16.2.6. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[npm install - root workspace] --> B{Hoisting decision}
B -->|Before PR: conflict| C[next 16.1.6 in node_modules/next\nfrom next-auth peer-dep]
C --> D[next 16.1.6 also in frontend/node_modules/next]
D --> E[❌ Two copies → TSC error on next.config.ts:75]
B -->|After PR: root devDep wins| F[next 16.2.6 hoisted to node_modules/next]
F --> G[frontend/ workspace symlinks to root copy]
G --> H[next-auth peer-dep satisfied by same hoisted copy]
H --> I[✅ Single copy → TSC passes]
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| "next": "^16.2.6", | ||
| "next-auth": "^5.0.0-beta.30", |
There was a problem hiding this comment.
16.1.6 has been relaxed to ^16.2.6. While package-lock.json locks the current resolved version, a future npm update or fresh workspace install could pick up an unreviewed minor release (e.g. 16.3.x). Given that the motivation here is a security advisory close-out, re-pinning to the exact resolved version keeps the dependency graph fully deterministic and makes version-bump decisions explicit.
| "next": "^16.2.6", | |
| "next-auth": "^5.0.0-beta.30", | |
| "next": "16.2.6", | |
| "next-auth": "^5.0.0-beta.30", |
1 participant
Closes the 19 Next.js advisories deferred from v0.3.0 — CVSS 8.6 SSRF (GHSA-c4j6-fc7j-m34r), 8.1 Middleware bypass (GHSA-492v-c6pp-mqqv), 7.5 DoS × 3, plus moderates.
The v0.3.0 attempt failed CI because
npm install next@16.2.6from the frontend/ subdir created two copies of next (16.2.6 in frontend, stale 16.1.6 at root from next-auth's peer-dep resolution). TSC saw both and broke next.config.ts:75.Fix: declare
nextin root devDependencies so npm hoists a single copy to root that everything (frontend, next-auth peer, eslint-config-next, @next/bundle-analyzer) shares. No more split.Verified locally: tsc / lint / 212 tests / build all pass.
Frontend-only change — no .deb, no version bump. Vercel auto-deploys on merge to main.
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com