fix: Bump Next.js to fix multiple CVEs
Pull request overview
This PR bumps the package version from 1.1.0 to 1.1.1 and updates the Next.js framework dependency from version 15.4.7 to 15.4.10, along with corresponding changes to platform-specific compiler packages in the lockfile.
Key changes:
- Package version incremented to 1.1.1
- Next.js updated to 15.4.10 (with semantic versioning prefix removed)
- Platform-specific Next.js SWC compiler packages updated to 15.4.8
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updated package version to 1.1.1 and Next.js dependency to 15.4.10 (without caret prefix) |
| package-lock.json | Updated lockfile with new versions for Next.js core (15.4.10), @next/env (15.4.10), and platform-specific SWC packages (15.4.8) |
| "fuse.js": "^7.1.0", | ||
| "gray-matter": "^4.0.3", | ||
| "next": "^15.4.7", | ||
| "next": "15.4.10", |
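Review bot: on the `"next": "15.4.10"` line, the PR title says this fixes multiple CVEs but nothing in the change names them; list the advisories in the PR description or commit message so that a later range change or downgrade can be checked against them. The overview also reports the platform-specific SWC packages at 15.4.8 while next and @next/env are at 15.4.10, so confirm those lockfile entries are the versions next 15.4.10 itself declares and not a leftover resolution.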
The caret (^) prefix was removed from the Next.js version. This changes the semantic versioning behavior - the caret allows automatic minor and patch updates, while the exact version pins to 15.4.10 specifically. This means npm install will only install exactly 15.4.10, not any newer patch versions like 15.4.11. If this strict pinning is intentional, consider documenting why. Otherwise, the caret should be restored to maintain consistency with other dependencies like react and postcss.
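An added example (not part of this PR or of the Copilot review) of the check the comment above implies: it compares the declared range and the lockfile's resolved version of `next` against 15.4.10, taken here as the minimum patched release only because that is the version this PR bumps to. The helper names and the manifest/lockfile fragments are constructed for illustration.

```javascript
// Added example; helper names are hypothetical and all inputs are constructed.
const MIN_PATCHED = "15.4.10"; // assumption: the version this PR bumps to

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison: compared as strings, "15.4.10" would sort before "15.4.7".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Reports how `name` is declared in package.json, what package-lock.json
// (lockfileVersion 2/3 "packages" map) resolves it to, and whether each is
// at or above the minimum patched release.
function auditDependency(pkg, lock, name, minPatched) {
  const spec = (pkg.dependencies || {})[name];
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!spec || !entry) throw new Error(`${name} missing from manifest or lockfile`);
  const style = spec.startsWith("^") ? "caret" : spec.startsWith("~") ? "tilde" : "exact";
  const floor = spec.replace(/^[\^~]/, ""); // lowest version the spec permits
  return {
    style,
    locked: entry.version,
    // true when the declared range still permits versions older than
    // minPatched, for example through a stale lockfile
    rangeAdmitsUnpatched: compareVersions(floor, minPatched) < 0,
    lockedIsPatched: compareVersions(entry.version, minPatched) >= 0,
  };
}

// Constructed fragments mirroring the two sides of the hunk above.
const BEFORE = {
  pkg: { dependencies: { next: "^15.4.7" } },
  lock: { packages: { "node_modules/next": { version: "15.4.7" } } },
};
const AFTER = {
  pkg: { dependencies: { next: "15.4.10" } },
  lock: { packages: { "node_modules/next": { version: "15.4.10" } } },
};
```

A spec of `^15.4.10` would report `style: "caret"` with `rangeAdmitsUnpatched: false`, so restoring the caret as the comment suggests does not lower the floor below the bumped version.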
Need to manually sync these changes in a different branch. There are merge conflicts because of the package version changes.
No description provided.