
[Snyk] Security upgrade next from 14.2.13 to 15.5.16#101

Open: snyk-io[bot] wants to merge 1 commit into master from snyk-fix-058127b3d26f747250ac4f4ae338031d


@snyk-io snyk-io Bot commented May 12, 2026


Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • payment-components/next-js/package.json
  • payment-components/next-js/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:

| Issue | Score |
|---|---|
| High severity: Allocation of Resources Without Limits or Throttling, SNYK-JS-NEXT-16638674 | 710 |

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


…t-js/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NEXT-16638674
snyk-io Bot commented May 12, 2026

Merge Risk: High

The upgrade from Next.js v14 to v15 is a major version change with significant breaking changes that require code modifications and careful review of application behavior. The two most impactful changes are the move to asynchronous request APIs and a fundamental shift in caching strategy.

Key Breaking Changes:

  • Async Request APIs: Request-scoped APIs including cookies(), headers(), draftMode(), params, and searchParams are now asynchronous and must be awaited. This change is necessary for future performance optimizations. A codemod is available to help automate this migration.

    • Before: const cookieStore = cookies()
    • After: const cookieStore = await cookies()
  • Caching is Now Opt-In: In a major reversal, fetch requests, GET Route Handlers, and client-side navigations are no longer cached by default. Previously, these were cached unless explicitly opted out with cache: 'no-store'. Applications relying on the old default caching behavior may experience performance degradation or an increase in API requests. You must now explicitly opt-in to caching where needed.

  • React 19 and Node.js Version: Next.js 15 requires React 19 (or its RC) for the App Router and updates the minimum Node.js version to 18.18. The Pages Router maintains backward compatibility with React 18.

  • Image Optimization: The squoosh image optimization library has been removed in favor of sharp as an optional dependency.

Recommendation:
This is a high-risk upgrade. Use the provided @next/codemod to automatically update the newly async APIs. Thoroughly review your application's data fetching and caching strategy to explicitly opt into caching where necessary to avoid performance regressions. Test routing, API routes, and data-dependent pages carefully after the upgrade.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
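
A heuristic pre-merge scan for the two breaking changes described in the comment above, added here as an example (not part of the PR, Snyk's output, or @next/codemod). The function names and the sample source are constructed; the `params` and `searchParams` props are not covered, and regex hits are review pointers rather than proof.

```javascript
// Added example: flags un-awaited request APIs and fetch() calls that
// carry no explicit caching decision after a Next.js 14 -> 15 upgrade.
const REQUEST_APIS = ['cookies', 'headers', 'draftMode'];

function findSyncRequestApiCalls(source) {
  const findings = [];
  const callRe = new RegExp(`\\b(${REQUEST_APIS.join('|')})\\s*\\(\\s*\\)`, 'g');
  source.split('\n').forEach((line, i) => {
    const code = line.replace(/\/\/.*$/, ''); // drop line comments
    if (/^\s*(import|export)\b/.test(code)) return;
    for (const m of code.matchAll(callRe)) {
      const before = code.slice(0, m.index);
      if (/\.\s*$/.test(before)) continue;            // member call, e.g. res.headers()
      if (/\bawait\s*\(?\s*$/.test(before)) continue; // already awaited
      findings.push({ line: i + 1, api: m[1] });
    }
  });
  return findings;
}

function findFetchesWithoutCacheOption(source) {
  const findings = [];
  const fetchRe = /\bfetch\s*\(/g;
  let m;
  while ((m = fetchRe.exec(source)) !== null) {
    // Walk to the matching ')' so multi-line option objects are included.
    let depth = 1, j = fetchRe.lastIndex;
    while (j < source.length && depth > 0) {
      if (source[j] === '(') depth++;
      else if (source[j] === ')') depth--;
      j++;
    }
    const args = source.slice(fetchRe.lastIndex, j - 1);
    // `cache: ...` or `next: { revalidate: ... }` counts as an explicit choice.
    if (!/\b(cache|revalidate)\s*:/.test(args)) {
      findings.push({ line: source.slice(0, m.index).split('\n').length });
    }
  }
  return findings;
}

// Constructed sample of a server component written for Next.js 14.
const SAMPLE = [
  "import { cookies, headers } from 'next/headers';",
  "export default async function Page() {",
  "  const cookieStore = cookies();",
  "  const h = await headers();",
  "  const a = await fetch('https://api.example.test/a');",
  "  const b = await fetch('https://api.example.test/b', { cache: 'force-cache' });",
  "  return null;",
  "}",
].join('\n');
```

Run both functions over each file under the app directory before merging; every hit is a place where behavior can change silently under Next.js 15.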


snyk-io Bot commented May 12, 2026

Snyk checks have failed. 2 issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (2) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 2 | 0 | 0 | 2 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |


@hivel-marco hivel-marco Bot left a comment


PR Complexity Score: 1.8 - Trivial

  • Lines Changed: 444
  • Files Changed: 2
  • Complexity Added: 0
  • Raw Score: 14.88

Overview

This PR upgrades the payment-components/next-js app from Next.js 14.2.13 to 15.5.16 and refreshes its dependency lockfile.
The primary goal is to align with the latest Next.js major version, including its new engine, peer dependency, and optional dependency requirements.
Changes are confined to the Next.js dependency declaration and the pnpm lockfile resolution graph.

Key Changes
  • Bumps next from 14.2.13 to 15.5.16 in payment-components/next-js/package.json to adopt the newest major Next.js release.
  • Updates pnpm-lock.yaml to:
    • Resolve next@15.5.16 and the corresponding platform-specific @next/swc-* binaries.
    • Switch from @swc/helpers@0.5.5 to @swc/helpers@0.5.15 and remove @swc/counter.
    • Update styled-jsx from 5.1.1 to 5.1.6 with extended React peer support (incl. React 19).
    • Introduce new optional dependencies such as sharp@0.34.5 (plus its @img/* platform packages), detect-libc, and semver@7.8.0, and drop busboy/streamsearch that were previously pulled in by older Next.js.

Risks & Considerations
  • Next.js 15 is a major version bump and may introduce breaking changes in routing, app directory behavior, server actions, or build/runtime semantics; existing pages and API routes should be regression-tested.
  • The Next.js engine requirement tightens to ^18.18.0 || ^19.8.0 || >= 20.0.0, so CI/CD and runtime environments must run a compatible Node.js version.
  • New optional sharp and @img/* platform packages expand native dependency surface; image optimization behavior and build times on various platforms should be validated.
  • Next.js now declares peer compatibility with React 19/RC; while the project remains on React 18, future React upgrades could surface new compatibility issues that weren’t present with Next 14.

File-level change summary

| File | Change summary |
|---|---|
| payment-components/next-js/package.json | Updated the Next.js dependency from version 14.2.13 to 15.5.16. |
| payment-components/next-js/pnpm-lock.yaml | Regenerated lockfile to resolve Next.js 15.5.16 and its updated/transitive dependencies (including swc binaries, styled-jsx, sharp, and related packages). |
