diff --git a/.changeset/nextjs-security-update.md b/.changeset/nextjs-security-update.md index 97f7ef93024..d05008a2b8e 100644 --- a/.changeset/nextjs-security-update.md +++ b/.changeset/nextjs-security-update.md @@ -2,4 +2,4 @@ '@clerk/nextjs': patch --- -Bump `next` devDependency floor to `15.5.13` to pick up an upstream security fix. +Bump `next` devDependency to `15.5.15` to pick up the fix for CVE-2026-23869, a high-severity (CVSS 7.5) denial-of-service vulnerability in React Server Components. If you use the Next.js App Router, we recommend upgrading to Next.js `15.5.15` or `16.2.3`. diff --git a/integration/templates/next-app-router-bundled-ui/package.json b/integration/templates/next-app-router-bundled-ui/package.json index 17a85e0571f..f86df61af5e 100644 --- a/integration/templates/next-app-router-bundled-ui/package.json +++ b/integration/templates/next-app-router-bundled-ui/package.json @@ -12,7 +12,7 @@ "@types/node": "^20.12.12", "@types/react": "19.2.14", "@types/react-dom": "19.2.3", - "next": "^15.0.1", + "next": "^15.5.15", "react": "19.2.4", "react-dom": "19.2.4", "typescript": "^5.7.3" diff --git a/integration/templates/next-app-router-quickstart-v6/package.json b/integration/templates/next-app-router-quickstart-v6/package.json index 355009e1e5c..bd4b162f96b 100644 --- a/integration/templates/next-app-router-quickstart-v6/package.json +++ b/integration/templates/next-app-router-quickstart-v6/package.json @@ -12,7 +12,7 @@ "@types/node": "^20.12.12", "@types/react": "18.3.12", "@types/react-dom": "18.3.1", - "next": "^15.0.1", + "next": "^15.5.15", "react": "18.3.1", "react-dom": "18.3.1", "typescript": "^5.7.3" diff --git a/integration/templates/next-app-router-quickstart/package.json b/integration/templates/next-app-router-quickstart/package.json index f03c8bd84da..20d18645d9e 100644 --- a/integration/templates/next-app-router-quickstart/package.json +++ b/integration/templates/next-app-router-quickstart/package.json @@ -12,7 +12,7 @@ "@types/node": "^20.12.12", "@types/react": "18.3.12", "@types/react-dom": "18.3.1", - "next": "^15.0.1", + "next": "^15.5.15", "react": "18.3.1", "react-dom": "18.3.1", "typescript": "^5.7.3" diff --git a/integration/templates/next-app-router/package.json b/integration/templates/next-app-router/package.json index c2243548937..7875992f88f 100644 --- a/integration/templates/next-app-router/package.json +++ b/integration/templates/next-app-router/package.json @@ -13,7 +13,7 @@ "@types/node": "^18.19.33", "@types/react": "18.3.12", "@types/react-dom": "18.3.1", - "next": "^15.0.1", + "next": "^15.5.15", "react": "18.3.1", "react-dom": "18.3.1", "typescript": "^5.7.3" diff --git a/integration/templates/next-cache-components/package.json b/integration/templates/next-cache-components/package.json index 3a6a0b2cfaa..e2986b87f02 100644 --- a/integration/templates/next-cache-components/package.json +++ b/integration/templates/next-cache-components/package.json @@ -13,7 +13,7 @@ "@types/node": "^18.19.33", "@types/react": "^19.0.0", "@types/react-dom": "^19.0.0", - "next": "^16.2.1", + "next": "^16.2.3", "react": "^19.0.0", "react-dom": "^19.0.0", "typescript": "^5.7.3" diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json index 45d8b9bc33c..00bab502b6d 100644 --- a/packages/nextjs/package.json +++ b/packages/nextjs/package.json @@ -92,7 +92,7 @@ }, "devDependencies": { "crypto-es": "^2.1.0", - "next": "15.5.13" + "next": "15.5.15" }, "peerDependencies": { "next": "^15.2.8 || ^15.3.8 || ^15.4.10 || ^15.5.9 || ^15.6.0-0 || ^16.0.10 || ^16.1.0-0", diff --git a/playground/nextjs/package.json b/playground/nextjs/package.json index 0183351be24..20c306f7efd 100644 --- a/playground/nextjs/package.json +++ b/playground/nextjs/package.json @@ -12,7 +12,7 @@ "@clerk/nextjs": "canary", "@clerk/ui": "canary", "@clerk/types": "canary", - "next": "^15", + "next": "^15.5.15", "react": "^19.1.1", "react-dom": "^19.1.1" }, diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 34a9ee1f50e..40d4a12a207 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -697,7 +697,7 @@ importers: version: 2.11.3(@types/node@25.5.2)(typescript@5.8.3) next: specifier: '>=15.0.0' - version: 15.5.13(@babel/core@7.28.5)(@opentelemetry/api@1.9.0)(@playwright/test@1.56.1)(babel-plugin-react-compiler@1.0.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1) + version: 15.5.15(@babel/core@7.28.5)(@opentelemetry/api@1.9.0)(@playwright/test@1.56.1)(babel-plugin-react-compiler@1.0.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1) react: specifier: 18.3.1 version: 18.3.1 @@ -730,8 +730,8 @@ importers: specifier: ^2.1.0 version: 2.1.0 next: - specifier: 15.5.13 - version: 15.5.13(@babel/core@7.28.5)(@opentelemetry/api@1.9.0)(@playwright/test@1.56.1)(babel-plugin-react-compiler@1.0.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1) + specifier: 15.5.15 + version: 15.5.15(@babel/core@7.28.5)(@opentelemetry/api@1.9.0)(@playwright/test@1.56.1)(babel-plugin-react-compiler@1.0.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1) packages/nuxt: dependencies: @@ -3346,57 +3346,57 @@ packages: '@napi-rs/wasm-runtime@1.0.7': resolution: {integrity: sha512-SeDnOO0Tk7Okiq6DbXmmBODgOAb9dp9gjlphokTUxmt8U3liIP1ZsozBahH69j/RJv+Rfs6IwUKHTgQYJ/HBAw==} - '@next/env@15.5.13': - resolution: {integrity: sha512-6h7Fm29+/u1WBPcPaQl0xBov7KXB6i0c8oFlSlehD+PuZJQjzXQBuYzfkM32G5iWOlKsXXyRtcMaaqwspRBujA==} + '@next/env@15.5.15': + resolution: {integrity: sha512-vcmyu5/MyFzN7CdqRHO3uHO44p/QPCZkuTUXroeUmhNP8bL5PHFEhik22JUazt+CDDoD6EpBYRCaS2pISL+/hg==} - '@next/swc-darwin-arm64@15.5.13': - resolution: {integrity: sha512-XrBbj2iY1mQSsJ8RoFClNpUB9uuZejP94v9pJuSAzdzwFVHeP+Vu2vzBCHwSObozgYNuTVwKhLukG1rGCgj8xA==} + '@next/swc-darwin-arm64@15.5.15': + resolution: {integrity: sha512-6PvFO2Tzt10GFK2Ro9tAVEtacMqRmTarYMFKAnV2vYMdwWc73xzmDQyAV7SwEdMhzmiRoo7+m88DuiXlJlGeaw==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@15.5.13': - resolution: {integrity: sha512-Ey3fuUeWDWtVdgiLHajk2aJ74Y8EWLeqvfwlkB5RvWsN7F1caQ6TjifsQzrAcOuNSnogGvFNYzjQlu7tu0kyWg==} + '@next/swc-darwin-x64@15.5.15': + resolution: {integrity: sha512-G+YNV+z6FDZTp/+IdGyIMFqalBTaQSnvAA+X/hrt+eaTRFSznRMz9K7rTmzvM6tDmKegNtyzgufZW0HwVzEqaQ==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@15.5.13': - resolution: {integrity: sha512-aLtu/WxDeL3188qx3zyB3+iw8nAB9F+2Mhyz9nNZpzsREc2t8jQTuiWY4+mtOgWp1d+/Q4eXuy9m3dwh3n1IyQ==} + '@next/swc-linux-arm64-gnu@15.5.15': + resolution: {integrity: sha512-eVkrMcVIBqGfXB+QUC7jjZ94Z6uX/dNStbQFabewAnk13Uy18Igd1YZ/GtPRzdhtm7QwC0e6o7zOQecul4iC1w==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] libc: [glibc] - '@next/swc-linux-arm64-musl@15.5.13': - resolution: {integrity: sha512-9VZ0OsVx9PEL72W50QD15iwSCF3GD/dwj42knfF5C4aiBPXr95etGIOGhb8rU7kpnzZuPNL81CY4vIyUKa2xvg==} + '@next/swc-linux-arm64-musl@15.5.15': + resolution: {integrity: sha512-RwSHKMQ7InLy5GfkY2/n5PcFycKA08qI1VST78n09nN36nUPqCvGSMiLXlfUmzmpQpF6XeBYP2KRWHi0UW3uNg==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] libc: [musl] - '@next/swc-linux-x64-gnu@15.5.13': - resolution: {integrity: sha512-3knsu9H33e99ZfiWh0Bb04ymEO7YIiopOpXKX89ZZ/ER0iyfV1YLoJFxJJQNUD7OR8O7D7eiLI/TXPryPGv3+A==} + '@next/swc-linux-x64-gnu@15.5.15': + resolution: {integrity: sha512-nplqvY86LakS+eeiuWsNWvfmK8pFcOEW7ZtVRt4QH70lL+0x6LG/m1OpJ/tvrbwjmR8HH9/fH2jzW1GlL03TIg==} engines: {node: '>= 10'} cpu: [x64] os: [linux] libc: [glibc] - '@next/swc-linux-x64-musl@15.5.13': - resolution: {integrity: sha512-AVPb6+QZ0pPanJFc1hpx81I5tTiBF4VITw5+PMaR1CrboAUUxtxn3IsV0h48xI7fzd6/zw9D9i6khRwME5NKUw==} + '@next/swc-linux-x64-musl@15.5.15': + resolution: {integrity: sha512-eAgl9NKQ84/sww0v81DQINl/vL2IBxD7sMybd0cWRw6wqgouVI53brVRBrggqBRP/NWeIAE1dm5cbKYoiMlqDQ==} engines: {node: '>= 10'} cpu: [x64] os: [linux] libc: [musl] - '@next/swc-win32-arm64-msvc@15.5.13': - resolution: {integrity: sha512-FZ/HXuTxn+e5Lp6oRZMvHaMJx22gAySveJdJE0//91Nb9rMuh2ftgKlEwBFJxhkw5kAF/yIXz3iBf0tvDXRmCA==} + '@next/swc-win32-arm64-msvc@15.5.15': + resolution: {integrity: sha512-GJVZC86lzSquh0MtvZT+L7G8+jMnJcldloOjA8Kf3wXvBrvb6OGe2MzPuALxFshSm/IpwUtD2mIoof39ymf52A==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] - '@next/swc-win32-x64-msvc@15.5.13': - resolution: {integrity: sha512-B5E82pX3VXu6Ib5mDuZEqGwT8asocZe3OMMnaM+Yfs0TRlmSQCBQUUXR9BkXQeGVboOWS1pTsRkS9wzFd8PABw==} + '@next/swc-win32-x64-msvc@15.5.15': + resolution: {integrity: sha512-nFucjVdwlFqxh/JG3hWSJ4p8+YJV7Ii8aPDuBQULB6DzUF4UNZETXLfEUk+oI2zEznWWULPt7MeuTE6xtK1HSA==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -10866,8 +10866,8 @@ packages: nested-error-stacks@2.1.1: resolution: {integrity: sha512-9iN1ka/9zmX1ZvLV9ewJYEk9h7RyRRtqdK0woXcqohu8EWIerfPUjYJPg0ULy0UqP7cslmdGc8xKDJcojlKiaw==} - next@15.5.13: - resolution: {integrity: sha512-n0AXf6vlTwGuM93Z++POtjMsRuQ9pT5v2URPciXKUQIl/EB2WjXF0YiIUxaa9AEMFaMpZlaG3KPK6i4UVnx9eQ==} + next@15.5.15: + resolution: {integrity: sha512-VSqCrJwtLVGwAVE0Sb/yikrQfkwkZW9p+lL/J4+xe+G3ZA+QnWPqgcfH1tDUEuk9y+pthzzVFp4L/U8JerMfMQ==} engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} hasBin: true peerDependencies: @@ -17813,30 +17813,30 @@ snapshots: '@tybys/wasm-util': 0.10.1 optional: true - '@next/env@15.5.13': {} + '@next/env@15.5.15': {} - '@next/swc-darwin-arm64@15.5.13': + '@next/swc-darwin-arm64@15.5.15': optional: true - '@next/swc-darwin-x64@15.5.13': + '@next/swc-darwin-x64@15.5.15': optional: true - '@next/swc-linux-arm64-gnu@15.5.13': + '@next/swc-linux-arm64-gnu@15.5.15': optional: true - '@next/swc-linux-arm64-musl@15.5.13': + '@next/swc-linux-arm64-musl@15.5.15': optional: true - '@next/swc-linux-x64-gnu@15.5.13': + '@next/swc-linux-x64-gnu@15.5.15': optional: true - '@next/swc-linux-x64-musl@15.5.13': + '@next/swc-linux-x64-musl@15.5.15': optional: true - '@next/swc-win32-arm64-msvc@15.5.13': + '@next/swc-win32-arm64-msvc@15.5.15': optional: true - '@next/swc-win32-x64-msvc@15.5.13': + '@next/swc-win32-x64-msvc@15.5.15': optional: true '@nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents.3': @@ -27272,9 +27272,9 @@ snapshots: nested-error-stacks@2.1.1: {} - next@15.5.13(@babel/core@7.28.5)(@opentelemetry/api@1.9.0)(@playwright/test@1.56.1)(babel-plugin-react-compiler@1.0.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1): + next@15.5.15(@babel/core@7.28.5)(@opentelemetry/api@1.9.0)(@playwright/test@1.56.1)(babel-plugin-react-compiler@1.0.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1): dependencies: - '@next/env': 15.5.13 + '@next/env': 15.5.15 '@swc/helpers': 0.5.15 caniuse-lite: 1.0.30001785 postcss: 8.4.31 @@ -27282,14 +27282,14 @@ snapshots: react-dom: 18.3.1(react@18.3.1) styled-jsx: 5.1.6(@babel/core@7.28.5)(react@18.3.1) optionalDependencies: - '@next/swc-darwin-arm64': 15.5.13 - '@next/swc-darwin-x64': 15.5.13 - '@next/swc-linux-arm64-gnu': 15.5.13 - '@next/swc-linux-arm64-musl': 15.5.13 - '@next/swc-linux-x64-gnu': 15.5.13 - '@next/swc-linux-x64-musl': 15.5.13 - '@next/swc-win32-arm64-msvc': 15.5.13 - '@next/swc-win32-x64-msvc': 15.5.13 + '@next/swc-darwin-arm64': 15.5.15 + '@next/swc-darwin-x64': 15.5.15 + '@next/swc-linux-arm64-gnu': 15.5.15 + '@next/swc-linux-arm64-musl': 15.5.15 + '@next/swc-linux-x64-gnu': 15.5.15 + '@next/swc-linux-x64-musl': 15.5.15 + '@next/swc-win32-arm64-msvc': 15.5.15 + '@next/swc-win32-x64-msvc': 15.5.15 '@opentelemetry/api': 1.9.0 '@playwright/test': 1.56.1 babel-plugin-react-compiler: 1.0.0 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 21d05966cae..51ff760a8c5 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -35,6 +35,9 @@ minimumReleaseAgeExclude: - '@clerk/*' - 'pkglab' - 'pkglab-*' + # CVE-2026-23869: React Server Components DoS + - 'next@15.5.15' + - '@next/*' # Renovate security update: @modelcontextprotocol/sdk@1.26.0 - '@modelcontextprotocol/sdk@1.26.0' # Renovate security update: esbuild@0.25.0