fix(deps): update dependency next (16.2.7 → 16.2.9) by its-miso[bot] · Pull Request #341 · misospace/dispatch

its-miso · 2026-06-09T22:21:41Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	`16.2.7` → `16.2.9`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

vercel/next.js (next)

`v16.2.9`

Compare Source

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

`v16.2.8`

Compare Source

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Superseded by a newer automated review for this pull request.

its-saffron

AI Automated Review

Full PR review.

Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) — escalated (fast_low_confidence)

PR Review: fix(deps): update dependency next (16.2.7 → 16.2.9)

Recommendation

Approve — this is a clean version bump with documented zero-functional changes. Both v16.2.8 and v16.2.9 were released exclusively to correct the next@latest NPM dist-tag that was incorrectly pointing at a prerelease version. No code changes exist in either release.

Change-by-Change Summary

File	Change
`package-lock.json`	Version pins for `next` and all `@next/*` packages updated from 16.2.7 → 16.2.9

All other changes in the diff are lockfile entry renumbering (integrity hashes, resolved URLs) consistent with the version bump.

Standards Compliance

Dependency upgrade conventions: Follows standard pattern — lockfile-only change, no source modifications.
Release cut process (AGENTS.md): N/A — this is a dependency update, not a Dispatch release.
No secrets committed: N/A — only lockfile modified.
CI validation: Repository requires npm run lint, npm run typecheck, and npm run test (per AGENTS.md key commands). Automerge is disabled on this PR per Renovate config, requiring manual validation.

Required Checks

✅ Check for breaking API changes in updated dependencies

Verified via release notes and GitHub compare metadata:

v16.2.8 release notes: "Release with no changes in an attempt to fix next@latest pointing at a prerelease version."
v16.2.9 release notes: "Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled."

The GitHub compare metadata confirms:

v16.2.7 → v16.2.8: 5 commits, only workflow file and action pin changes — no Next.js package code changes.
v16.2.8 → v16.2.9: 2 commits, only version number bumps in monorepo package.json files — no code changes.

Result: No breaking API changes. Both releases are explicitly documented as empty/unchanged.

⚠️ Run full test suite after upgrade

Not verifiable from this review context. This PR only modifies package-lock.json with no source code changes. The repository's CI pipeline runs npm run lint, npm run typecheck, and npm run test (per AGENTS.md key commands). Automerge is disabled, so manual validation before merging is required — the reviewer must run npm run test locally or trust CI to validate the branch once merged to main.

Repository Impact Scan

SECURITY-ACCEPTED-RISKS.md references next@16.2.7 bundling postcss@8.4.31 (< 8.5.10). The diff does not show a postcss version change, meaning this advisory likely remains accepted. This is unchanged by the current upgrade and not a blocker for this PR.

Linked Issue Fit

No linked issue found in PR body. N/A.

Evidence Provider Findings

No evidence provider findings to report.

Tool Harness Findings

No tool harness findings to report.

Unknowns / Needs Verification

Test suite execution: Cannot be verified from this context. Must be run manually before merge due to automerge being disabled.

Summary

This is a zero-risk version bump — both releases (16.2.8 and 16.2.9) contain no functional code changes and exist solely to correct NPM dist-tags. The upgrade is safe but requires manual test suite execution before merging given the automerge-disabled configuration.

its-miso Bot added the type/patch label Jun 9, 2026