
[Snyk] Upgrade next from 15.1.4 to 15.3.1 #4

Open
nn6n wants to merge 1 commit into main from snyk-upgrade-54ee031284c74cf97fb0732c3a912221

Conversation

nn6n (Owner) commented May 22, 2025


Snyk has created this PR to upgrade next from 15.1.4 to 15.3.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 162 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

  • high severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-CROSSSPAWN-8303230, score 417, exploit maturity: Proof of Concept
  • medium severity: Server-side Request Forgery (SSRF), SNYK-JS-AXIOS-9292519, score 417, exploit maturity: Proof of Concept
  • medium severity: Server-side Request Forgery (SSRF), SNYK-JS-AXIOS-9403194, score 417, exploit maturity: No Known Exploit
  • medium severity: Improper Input Validation, SNYK-JS-NANOID-8492085, score 417, exploit maturity: No Known Exploit
  • critical severity: Improper Authorization, SNYK-JS-NEXT-9508709, score 417, exploit maturity: Mature
Release notes
Package name: next
  • 15.3.1 - 2025-04-17
  • 15.3.1-canary.15 - 2025-04-19
  • 15.3.1-canary.14 - 2025-04-18
  • 15.3.1-canary.13 - 2025-04-17
  • 15.3.1-canary.12 - 2025-04-17

    Core Changes

    • fix: alternate bundler support for dropping client pages in AMP: #77601
    • [errors] refactor default global-error into a separate file: #78182
    • [metadata] render streaming metadata on the top level: #77620
    • [metadata] skip head cache in default slot: #78206

    Misc Changes

    • Docs IA 2.0: Move Production Checklist under Guides: #78240
    • Docs: Fix nav item lettercasing for multi-zones: #78250
    • [docs] fix function signature of og image: #78277
    • Turbopack: dedupe additional traced references: #78241
    • Update Turbopack development test manifest: #78274
    • [test] Improve coverage for fetch errors in Edge runtime: #78257
    • Update Turbopack production test manifest: #78273

    Credits

    Huge thanks to @ delbaoliveira, @ ScriptedAlchemy, @ huozhi, @ mischnic, and @ eps1lon for helping!

  • 15.3.1-canary.11 - 2025-04-16

    Core Changes

    • Preserve slashes when custom URL schemes are used in redirects: #78176
    • ignore-list published sources if they have a sourcemap: #78242
    • Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #78152
    • Turbopack: add test case for persistent caching: #77030
    • Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #78253

    Misc Changes

    • Turbopack: Support ECMAScript styleregex with negative lookahead in require.context calls: #78251

    Credits

    Huge thanks to @ eps1lon, @ sokra, and @ lukesandberg for helping!

  • 15.3.1-canary.10 - 2025-04-16

    Core Changes

    • [dev-overlay] Add dedicated label for recoverable errors: #78186
    • [chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #78230

    Misc Changes

    • [docs] Update 03-fonts.mdx: #77965
    • Turbopack Persistent Caching: Use SmallVec to avoid allocations for small values written to DB: #78136
    • Turbopack: wait for tracing to be written before exiting: #78210
    • refactor(turbopack): Prepare removal of fake AST in tree-shaking: #78172
    • Turbopack: more module ident collisions: #78207
    • fix(turbo-tasks-fs): Update notify-rs, handle recursive symlinks in realpath implementation, add an e2e test for symlinked files: #78220
    • Update Turbopack production test manifest: #78224
    • Update Turbopack development test manifest: #78225
    • Turbopack: normalize ref type for external tracing: #78226
    • Update Rspack production test manifest: #78222
    • Getting Started Docs: Add deploying page: #77720
    • Docs IA 2.0: Move multi-zones docs to Guides: #78238
    • Turbopack: Do multiple unit test runs: #78212
    • Turbopack: fix cell not found bug: #78246
    • Prevent typescript errors in IDE for newly generated tests: #78247

    Credits

    Huge thanks to @ praizjosh, @ sokra, @ kdy1, @ mischnic, @ eps1lon, @ bgw, @ huozhi, @ delbaoliveira, and @ unstubbable for helping!

  • 15.3.1-canary.9 - 2025-04-15

    Core Changes

    • [dev-overlay] Stop squashing hydration related errors in App Router: #78140
    • [test] Enable strictNullChecks in test utils: #78142
    • Document Turbopack trace viewer: #78184
    • [dev-overlay] Fix error dialog resizing logic: #78144
    • Include types in published eslint-plugin-next: #78109
    • [dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #77302

    Misc Changes

    • [test] Assert on all errors in app/ hydration-error suite: #78132
    • Skip failing test via manifest instead: #78161
    • Update Turbopack development test manifest: #78179
    • Correct require.context relative import keys to match Webpack: #78148
    • Getting Started Docs: Clean up docs/app and docs/pages pages: #78151
    • Update Rspack production test manifest: #78177
    • Update Turbopack production test manifest: #78180
    • Update Rspack development test manifest: #78178
    • Turbopack: fix duplicate facade module: #78191
    • Added @types/jest in installation commands: #78090
    • Update turbopack.mdx: #78082
    • docs: improve wording around NextRequest and query params: #77923
    • Docs IA 2.0: Move version upgrade docs under Guides: #78189
    • Docs IA 2.0: Move SPA docs under Guides: #78195
    • Docs IA 2.0: Move migration docs under Guides: #78193
    • Docs Papercuts: #78200
    • feat(turbo-tasks): Generate a trace of transient tasks when panicking: #77600
    • Turbopack: fix duplicate module from internal ref: #78194
    • Fix externals doc validation: #78208

    Credits

    Huge thanks to @ eps1lon, @ mischnic, @ Cy-Tek, @ delbaoliveira, @ timneutkens, @ raunofreiberg, @ devchaudhary24k, @ Neschadin, @ OreQr, @ drewlong314, @ bgw, and @ ijjk for helping!

  • 15.3.1-canary.8 - 2025-04-14

    Core Changes

    • [next-server] remove unnecessary query shallow copy: #78003
    • [dev-overlay] disable copy button when clipboard is not available: #78101
    • [dev-overlay] Stop stashing React error details on error instances: #77975
    • [dynamicIO] Model invalid dynamic on empty shells: #77270
    • fix: bump image-size@1.2.1: #78149
    • Handle graceful fallback for custom error boundaries: #78121

    Misc Changes

    • refactor(turbo-tasks): Check for transient tasks called from persistent tasks in more places: #77760
    • [font] prefix leading numeric google-font name with underscore: #78127
    • build: Update swc_core to v22.3.1: #78129
    • Update Turbopack production test manifest: #78124
    • [test] isolate parallel metadata test: #78134
    • Update Turbopack development test manifest: #78125
    • Update Rspack production test manifest: #78123
    • [test] Add dedicated tsconfig for test utils: #78141
    • Turbopack: load chunks only once: #75143
    • Reenable a few more Turbopack tests: #78153
    • test: remove "@testing-library/jest-dom" from default jest setup: #78157
    • Turbopack: Update toolchain to 2025-04-14 (Reapply #78062): #78167

    Credits

    Huge thanks to @ bgw, @ Fonger, @ huozhi, @ ospira, @ eps1lon, @ kdy1, @ gnoff, @ styfle, @ mischnic, @ lubieowoce, and @ wbinnssmith for helping!

  • 15.3.1-canary.7 - 2025-04-12

    Core Changes

    • Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #78067

    Misc Changes

    • chore(CI): Add lukesandberg to turbopack team: #78074
    • [test] Activity has types and supports react-server: #78066

    Credits

    Huge thanks to @ bgw and @ eps1lon for helping!

  • 15.3.1-canary.6 - 2025-04-11

    Core Changes

    • Add graceful error fallback for bots requests: #77916

    Misc Changes

    • chore(github): remove redundant markdown body: #76187
    • chore(CI): Mention Rspack explicitly, use arewerspackyet.com domain: #77995
    • Update Turbopack production test manifest: #78053
    • Turbopack: support for CSS Modules in Data URLs: #78040
    • test: adjust default timeouts for [waitFor]elementByCss: #78026
    • Revert Rust upgrade to nightly-2025-04-10: #78062
    • Update Rspack development test manifest: #78049
    • Update Rspack production test manifest: #78050

    Credits

    Huge thanks to @ Marukome0743, @ bgw, @ jantimon, @ lubieowoce, @ mischnic, and @ huozhi for helping!

  • 15.3.1-canary.5 - 2025-04-11

    Core Changes

    • Experimental bfcache: Restore state w/ : #77992

    Misc Changes

    • [test] separate rsc-basic tests: #78038

    Credits

    Huge thanks to @ huozhi and @ acdlite for helping!

  • 15.3.1-canary.4 - 2025-04-10

    Core Changes

    • fix: ensure app router not found works when deployed with pages i18n config: #77905
    • Uninstall existing uncaughtException listeners to prevent the process from crashing: #78042

    Misc Changes

    • Update Rust toolchain to nightly-2025-04-10: #78039

    Credits

    Huge thanks to @ wbinnssmith, @ ztanner, and @ acdlite for helping!

  • 15.3.1-canary.3 - 2025-04-10

    Core Changes

    • Move unhandled rejection handling to shared path: #77997

    Misc Changes

    • Turbopack: bundle only new Worker with new URL: #78010
    • Turbopack: use hashbrown HashMaps instead of now-removed std raw entry api: #78032
    • Turbopack: proper error message for swcPlugins: #77990

    Credits

    Huge thanks to @ mischnic, @ wbinnssmith, and @ acdlite for helping!

  • 15.3.1-canary.2 - 2025-04-10
  • 15.3.1-canary.1 - 2025-04-10
  • 15.3.1-canary.0 - 2025-04-09
  • 15.3.0 - 2025-04-09
  • 15.3.0-canary.46 - 2025-04-09
  • 15.3.0-canary.45 - 2025-04-08
  • 15.3.0-canary.44 - 2025-04-08
  • 15.3.0-canary.43 - 2025-04-08
  • 15.3.0-canary.42 - 2025-04-07
  • 15.3.0-canary.41 - 2025-04-07
  • 15.3.0-canary.40 - 2025-04-06
  • 15.3.0-canary.39 - 2025-04-05
  • 15.3.0-canary.38 - 2025-04-04
  • 15.3.0-canary.37 - 2025-04-04
  • 15.3.0-canary.36 - 2025-04-04
  • 15.3.0-canary.35 - 2025-04-04
  • 15.3.0-canary.34 - 2025-04-04
  • 15.3.0-canary.33 - 2025-04-03
  • 15.3.0-canary.32 - 2025-04-03
  • 15.3.0-canary.31 - 2025-04-02
  • 15.3.0-canary.30 - 2025-04-02
  • 15.3.0-canary.29 - 2025-04-01
  • 15.3.0-canary.28 - 2025-04-01
  • 15.3.0-canary.27 - 2025-04-01
  • 15.3.0-canary.26 - 2025-03-30
  • 15.3.0-canary.25 - 2025-03-29
  • 15.3.0-canary.24 - 2025-03-26
  • 15.3.0-canary.23 - 2025-03-26
  • 15.3.0-canary.22 - 2025-03-25
  • 15.3.0-canary.21 - 2025-03-24
  • 15.3.0-canary.20 - 2025-03-23
  • 15.3.0-canary.19 - 2025-03-22
  • 15.3.0-canary.18 - 2025-03-21
  • 15.3.0-canary.17 - 2025-03-21
  • 15.3.0-canary.16 - 2025-03-20
  • 15.3.0-canary.15 - 2025-03-20
  • 15.3.0-canary.14 - 2025-03-19
  • 15.3.0-canary.13 - 2025-03-18
  • 15.3.0-canary.12 - 2025-03-17
  • 15.3.0-canary.11 - 2025-03-17
  • 15.3.0-canary.10 - 2025-03-15
  • 15.3.0-canary.9 - 2025-03-14
  • 15.3.0-canary.8 - 2025-03-14
  • 15.3.0-canary.6 - 2025-03-13
  • 15.3.0-canary.5 - 2025-03-13
  • 15.3.0-canary.4 - 2025-03-12
  • 15.3.0-canary.3 - 2025-03-12
  • 15.3.0-canary.2 - 2025-03-12
  • 15.3.0-canary.1 - 2025-03-11
  • 15.3.0-canary.0 - 2025-03-11
  • 15.2.5 - 2025-04-08
  • 15.2.4 - 2025-03-24
  • 15.2.3 - 2025-03-18
  • 15.2.2 - 2025-03-11
  • 15.2.2-canary.7 - 2025-03-11
  • 15.2.2-canary.6 - 2025-03-09
  • 15.2.2-canary.5 - 2025-03-08
  • 15.2.2-canary.4 - 2025-03-07
  • 15.2.2-canary.3 - 2025-03-06
  • 15.2.2-canary.2 - 2025-03-05
  • 15.2.2-canary.1 - 2025-03-04
  • 15.2.2-canary.0 - 2025-03-03
  • 15.2.1 - 2025-03-03
  • 15.2.1-canary.6 - 2025-03-03
  • 15.2.1-canary.5 - 2025-03-01
  • 15.2.1-canary.4 - 2025-02-28
  • 15.2.1-canary.3 - 2025-02-28
  • 15.2.1-canary.2 - 2025-02-27
  • 15.2.1-canary.1 - 2025-02-27
  • 15.2.1-cana...

See this package in npm: next

See this project in Snyk: https://app.snyk.io/org/noflbeta/project/aebe50eb-434b-4f75-8baf-8de4138b5cab?utm_source=github&utm_medium=referral&page=upgrade-pr
restack-app bot commented May 22, 2025

No applications have been configured for previews targeting branch: main. To do so go to restack console and configure your applications for previews.

gemini-code-assist bot left a comment

Hello @nn6n, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello team! Gemini here, providing a quick summary of this pull request to help everyone get up to speed.

This PR, automatically generated by Snyk, aims to upgrade the next dependency from version 15.1.4 to 15.3.1. The primary motivation for this upgrade, as indicated by the Snyk description, is to address several security vulnerabilities found in the current version, including a critical Improper Authorization vulnerability (SNYK-JS-NEXT-9508709) and other high and medium severity issues like ReDoS and SSRF.

The upgrade spans 162 versions and includes changes released over the past month, incorporating various core fixes, miscellaneous changes, and dependency updates within Next.js itself, as detailed in the release notes provided by Snyk.

Highlights

  • Dependency Upgrade: Upgrades the next framework dependency from version 15.1.4 to 15.3.1.
  • Security Fixes: Addresses multiple security vulnerabilities, including a critical Improper Authorization issue (SNYK-JS-NEXT-9508709), high severity ReDoS, and medium severity SSRF and Improper Input Validation issues.
  • Latest Features and Fixes: Incorporates numerous bug fixes, performance improvements, and potentially new features introduced in the versions between 15.1.4 and 15.3.1, as outlined in the detailed release notes.

Changelog

  • package.json
    • Updated the next dependency version from 15.1.4 to 15.3.1.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

  • Code Review: /gemini review. Performs a code review for the current pull request in its current state.
  • Pull Request Summary: /gemini summary. Provides a summary of the current pull request in its current state.
  • Comment: @gemini-code-assist. Responds in comments when explicitly tagged, both in issue comments and review comments.
  • Help: /gemini help. Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.


New version arrives,
Fixing bugs and closing holes,
Codebase is safer.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist bot left a comment

Code Review

This pull request, generated by Snyk, proposes an upgrade of the next package from version 15.1.4 to 15.3.1. This is a valuable update as it addresses several security vulnerabilities, including one critical issue (SNYK-JS-NEXT-9508709: Improper Authorization) and multiple medium-severity issues.

The change itself is a straightforward version bump in package.json. While this is a minor version increment (15.1.x to 15.3.x), upgrading a core framework like Next.js requires careful validation to ensure no regressions or breaking changes are introduced into the application. The provided release notes indicate a number of changes, including bug fixes and refactors, across various canary releases leading up to 15.3.1.

Summary of Findings

  • Security Vulnerabilities Addressed: The upgrade to Next.js 15.3.1 resolves multiple security vulnerabilities, including one critical (SNYK-JS-NEXT-9508709: Improper Authorization) and several medium severity issues (SNYK-JS-AXIOS-9292519, SNYK-JS-AXIOS-9403194, SNYK-JS-NANOID-8492085). This is a significant improvement to the application's security posture.
  • Necessity of Thorough Testing: Upgrading a core framework like Next.js, even across minor versions, carries a risk of introducing regressions or unexpected behavior. It is crucial to conduct comprehensive testing (unit, integration, E2E, and manual QA) to ensure application stability and functionality post-upgrade.

Merge Readiness

This pull request is crucial for improving the application's security by upgrading Next.js and addressing known vulnerabilities. The code change itself is minimal. However, due to the foundational role of the Next.js framework, I strongly recommend that this PR only be merged after comprehensive testing has been completed and has confirmed that no regressions or breaking changes have been introduced. As an AI, I am not authorized to approve pull requests; please ensure appropriate human review and sign-off after successful validation.

"framer-motion": "^11.18.0",
"lucide-react": "^0.468.0",
"next": "15.1.4",
"next": "15.3.1",

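Review bot: only the package.json pin changes in this hunk (`"next": "15.1.4",` to `"next": "15.3.1",`), and no lockfile change is visible, yet four of the five advisories the PR description lists (SNYK-JS-CROSSSPAWN-8303230, SNYK-JS-AXIOS-9292519, SNYK-JS-AXIOS-9403194, SNYK-JS-NANOID-8492085) are in packages other than next, so they appear to be transitive dependencies whose resolved versions are controlled by the lockfile rather than by this line. Confirm that the single commit in this PR also regenerates package-lock.json (or yarn.lock / pnpm-lock.yaml), and verify after install that the resolved cross-spawn, axios and nanoid versions have actually moved; if the lockfile is untouched, the critical next advisory is addressed but the transitive ones may not be. The exact pin without a caret also means future next patch releases will again need a manual bump, which is consistent with the existing convention but worth noting for whoever maintains the Snyk schedule.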

high

This upgrade from Next.js 15.1.4 to 15.3.1 is important for addressing several security vulnerabilities, including a critical one (SNYK-JS-NEXT-9508709).

While this is a minor version bump (15.1.x to 15.3.x), Next.js is a critical framework for the application. Could you please confirm that this upgrade will be or has been thoroughly tested across the application before merging? This should ideally include:

  • Unit tests
  • Integration tests
  • End-to-end tests
  • Manual QA for critical user flows

Particular attention should be paid to potential regressions in areas such as:

  • Routing (App Router and Pages Router, if applicable)
  • Server Components and Client Components
  • API routes and Middleware
  • Build processes and deployment
  • Any custom webpack configurations (like those for the edge runtime in next.config.ts)

Reviewing the Next.js release notes between these versions for any specific changes or deprecations that might affect your project's usage of Next.js would also be highly beneficial.
