fix: bump Next.js to 16.2.7 and resolve dependency vulnerabilities #48
Open
chapzin wants to merge 1 commit into
Conversation
Resolve 8 of 10 npm audit findings (3 high, 5 moderate -> 2 moderate):

- Bump next 16.2.1 -> 16.2.7 (HIGH): fixes Server Component DoS, middleware/proxy bypass, cache poisoning and CSP-nonce XSS advisories. These are the only remotely-reachable issues for a deployed app.
- Keep eslint-config-next in lockstep at 16.2.7.
- npm audit fix (non-breaking) for transitive deps: hono, @hono/node-server, fast-uri, ip-address, brace-expansion, qs.
- Move shadcn to devDependencies: it is a build-only dependency (globals.css imports "shadcn/tailwind.css"; the CLI is dev tooling), so it should not ship in production installs. Removes the express / hono / @modelcontextprotocol/sdk subtree from --omit=dev production installs.

Remaining 2 moderate findings are postcss bundled inside Next.js (node_modules/next/node_modules/postcss); not fixable without an upstream Next patch (audit fix --force would downgrade Next to 9.3.3) and not practically exploitable at build time on author-controlled CSS.

Validated with `npm run check` (lint + typecheck + build all pass).
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the Next.js toolchain versions and adjusts dependency classification for the shadcn CLI.
Changes:
- Bump `next` from 16.2.1 to 16.2.7
- Bump `eslint-config-next` from 16.2.1 to 16.2.7
- Move `shadcn` from `dependencies` to `devDependencies`
Summary
This PR resolves the dependency security vulnerabilities reported by `npm audit`, taking the template from 10 findings (3 high, 7 moderate) down to 2 moderate. The two remaining are inside Next.js's own bundled `postcss` and are not fixable without an upstream Next patch (details below).

The most important fix is the Next.js bump, since those are the only remotely-reachable vulnerabilities for anyone who deploys the template and serves traffic.
Changes
- `next` 16.2.1 → 16.2.7
- `eslint-config-next` 16.2.1 → 16.2.7, kept in lockstep with `next`, per Next.js convention.
- `npm audit fix` (non-breaking) for transitive deps: `hono`, `@hono/node-server`, `fast-uri`, `ip-address`, `brace-expansion`, `qs`.
- `shadcn` to `devDependencies`

Why move `shadcn` to `devDependencies`?

`shadcn` is a build-only dependency here:
- `src/app/globals.css` does `@import "shadcn/tailwind.css"` — resolved at build time and inlined into the compiled CSS.
- `shadcn` CLI itself is dev tooling (scaffolding components), not runtime code.

Keeping it in `dependencies` pulls a large server-side subtree (`@modelcontextprotocol/sdk` → `express`, `hono`, `@hono/node-server`, `express-rate-limit`; `@dotenvx/dotenvx` → `eciesjs` → `@noble/ciphers`) into production installs that use `npm ci --omit=dev`. None of that code is reachable at runtime in this template. Moving `shadcn` to `devDependencies` removes that subtree from production installs and correctly reflects that it is a build-time dependency. The production build is unaffected because the build step installs devDependencies.

Remaining findings (intentionally not "fixed")

Two moderate `postcss` findings remain in `node_modules/next/node_modules/postcss` — i.e. the `postcss` that Next.js bundles internally. They are left as-is because:
- `16.2.7` is the latest patch in the `16.2` line; the fix has to come from an upstream Next.js release.
- `npm audit fix --force` "resolves" this by downgrading Next to `9.3.3` — a massive breaking change and a net security regression. That is not acceptable.
- The finding (`</style>` in CSS stringify output) requires attacker-controlled CSS being stringified. In this template, CSS is author-controlled and processed at build time, so it is not practically exploitable.

Test plan

- `npm run check` (lint + typecheck + production build) passes
- `@import "shadcn/tailwind.css"` still resolves with `shadcn` in `devDependencies`
- `npm audit`: 10 → 2 (only the upstream Next-bundled `postcss` remains)

Notes
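As an added example (not code from the PR or the template), the reachability rule behind the "Why move shadcn to devDependencies?" reasoning above: which lockfile entries `npm ci --omit=dev` installs, computed from a package-lock.json v3 `packages` map. The tree below is constructed from the package names in the PR, every version other than next's is a placeholder, and the function and variable names are my own.

```javascript
// Lockfile v3 has one "packages" entry per installed path; "" is the root manifest.
// This tree is CONSTRUCTED from package names in the PR; only next's version is real.
const pkg = (deps = {}) => ({ version: "0.0.0-placeholder", dependencies: deps });
const TREE = {
  "node_modules/next": { version: "16.2.7", dependencies: { postcss: "*" } },
  "node_modules/next/node_modules/postcss": pkg(), // the copy bundled under next
  "node_modules/eslint-config-next": pkg({ next: "*" }),
  "node_modules/shadcn": pkg({ "@modelcontextprotocol/sdk": "*", "@dotenvx/dotenvx": "*" }),
  "node_modules/@modelcontextprotocol/sdk": pkg({ express: "*", hono: "*", "@hono/node-server": "*", "express-rate-limit": "*" }),
  "node_modules/express": pkg({ qs: "*" }), "node_modules/qs": pkg(), "node_modules/hono": pkg(),
  "node_modules/@hono/node-server": pkg(), "node_modules/express-rate-limit": pkg(),
  "node_modules/@dotenvx/dotenvx": pkg({ eciesjs: "*" }), "node_modules/eciesjs": pkg({ "@noble/ciphers": "*" }),
  "node_modules/@noble/ciphers": pkg(),
};
const root = (dependencies, devDependencies) => ({ packages: { "": { dependencies, devDependencies }, ...TREE } });
const BEFORE = root({ next: "16.2.1", shadcn: "*" }, { "eslint-config-next": "16.2.1" });
const AFTER = root({ next: "16.2.7" }, { "eslint-config-next": "16.2.7", shadcn: "*" });

// Resolve `dep` from `fromPath`: nearest node_modules first, then walk up (Node's rule),
// so next's nested postcss is attributed to next rather than to a top-level copy.
function resolveDep(lock, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const up = base.replace(/\/?node_modules\/(@[^/]+\/)?[^/]+$/, "");
    if (up === base) return null; // malformed path: give up instead of looping
    base = up;
  }
}

// Paths `npm ci --omit=dev` installs: everything reachable from the root "dependencies".
// devDependencies are not roots, so their subtrees vanish unless a runtime dep needs them.
function productionPaths(lock) {
  const seen = new Set();
  const stack = Object.keys(lock.packages[""].dependencies || {}).map((d) => resolveDep(lock, "", d));
  while (stack.length) {
    const p = stack.pop();
    if (!p || seen.has(p)) continue;
    seen.add(p);
    for (const d of Object.keys(lock.packages[p].dependencies || {})) stack.push(resolveDep(lock, p, d));
  }
  return seen;
}

// Paths in the production install before the change but not after it.
function droppedFromProduction(before, after) {
  const keep = productionPaths(after);
  return [...productionPaths(before)].filter((p) => !keep.has(p)).sort();
}
console.log(droppedFromProduction(BEFORE, AFTER)); // the whole shadcn subtree, 10 paths
```

The same functions run on a real lockfile via `JSON.parse(fs.readFileSync("package-lock.json"))`; note that `node_modules/next/node_modules/postcss` stays in the production set both before and after, which is why the two remaining findings are still in the shipped tree.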