fix(deps): vuln major upgrades — 4 packages (major: 1 · unstable: 1 · minor: 2) [src/frontend]

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 4 packages upgraded (MAJOR changes included)

Manifests changed:

• src/frontend (npm)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
next	12.3.4	16.2.4	major	Direct	2 CRITICAL, 2 HIGH, 14 MODERATE, 4 LOW
sharp	0.32.6	0.34.5	unstable	Direct	-
react	18.2.0	18.3.1	minor	Direct	-
react-dom	18.2.0	18.3.1	minor	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
next	CVE-2025-29927	CRITICAL	Authorization Bypass in Next.js Middleware	12.3.4	-
next	GHSA-f82v-jwr5-mffw	CRITICAL	Authorization Bypass in Next.js Middleware	12.3.4	13.5.9
next	GHSA-7gfc-8cq8-jh5f	HIGH	Next.js authorization bypass vulnerability	12.3.4	14.2.15
next	CVE-2024-51479	HIGH	Authorization bypass in Next.js	12.3.4	-

ℹ️ Other Vulnerabilities (18)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
next	GHSA-9g9p-9gw9-jx7f	MODERATE	Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration	12.3.4	15.5.10
next	CVE-2025-57752	MODERATE	Next.js Affected by Cache Key Confusion for Image Optimization API Routes	12.3.4	-
next	GHSA-4342-x723-ch2f	MODERATE	Next.js Improper Middleware Redirect Handling Leads to SSRF	12.3.4	14.2.32
next	CVE-2025-57822	MODERATE	Next.js Improper Middleware Redirect Handling Leads to SSRF	12.3.4	-
next	GHSA-3x4c-7xq6-9pq8	MODERATE	Next.js: Unbounded next/image disk cache growth can exhaust storage	12.3.4	16.1.7
next	CVE-2026-27980	MODERATE	Next.js: Unbounded next/image disk cache growth can exhaust storage	12.3.4	-
next	GHSA-ggv3-7p47-pfv8	MODERATE	Next.js: HTTP request smuggling in rewrites	12.3.4	16.1.7
next	CVE-2025-59471	MODERATE	-	12.3.4	-
next	GHSA-g5qg-72qw-gw5v	MODERATE	Next.js Affected by Cache Key Confusion for Image Optimization API Routes	12.3.4	14.2.31
next	CVE-2026-29057	MODERATE	Next.js: HTTP request smuggling in rewrites	12.3.4	-
next	CVE-2025-55173	MODERATE	Next.js Content Injection Vulnerability for Image Optimization	12.3.4	-
next	GHSA-xv57-4mr9-wg8v	MODERATE	Next.js Content Injection Vulnerability for Image Optimization	12.3.4	14.2.31
next	GHSA-g77x-44xx-532m	MODERATE	Denial of Service condition in Next.js image optimization	12.3.4	14.2.7
next	CVE-2024-47831	MODERATE	Next.js image optimization has Denial of Service condition	12.3.4	-
next	CVE-2023-46298	LOW	-	12.3.4	-
next	GHSA-c59h-r6p8-q9wc	LOW	Next.js missing cache-control header may lead to CDN caching empty reply	12.3.4	13.4.20-canary.13
next	CVE-2025-32421	LOW	Next.js Race Condition to Cache Poisoning	12.3.4	-
next	GHSA-qpjv-v59x-3qc4	LOW	Next.js Race Condition to Cache Poisoning	12.3.4	14.2.24

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

next (12.3.4 → 16.2.4) — GitHub Release

v16.2.1-canary.46

Core Changes

• Support type cast expressions in page static info extractor: Support type cast expressions in page static info extractor vercel/next.js#92837
• Fix dev mode hydration failure when page is served from HTTP cache: Fix dev mode hydration failure when page is served from HTTP cache vercel/next.js#92892
• [devtools] Preserve full code frames in browser overlay: [devtools] Preserve full code frames in browser overlay vercel/next.js#92621
• Enable prefetchInlining by default: Enable prefetchInlining by default vercel/next.js#92863
• Replace deprecated moduleResolution: "node": Replace deprecated moduleResolution: "node" vercel/next.js#92654

Misc Changes

• turbo-tasks: add info_span for blocking waits during task restore: turbo-tasks: add info_span for blocking waits during task restore vercel/next.js#92878
• Turbopack: Use an async lock in the filesystem watcher: Turbopack: Use an async lock in the filesystem watcher vercel/next.js#92906
• [ci] Skip Playwright system deps install on subsequent self-hosted runs: [ci] Skip Playwright system deps install on subsequent self-hosted runs vercel/next.js#92893
• turbo-tasks: Reduce allocations on cache hits: turbo-tasks: Reduce allocations on cache hits vercel/next.js#92756
• CI: Remove dead yarn support from next-stats-action: CI: Remove dead yarn support from next-stats-action vercel/next.js#92587

Credits

Huge thanks to @mischnic, @sokra, @unstubbable, @aurorascharff, @acdlite, @bgw, @mmastrac, @eps1lon, and @lukesandberg for helping!

v16.2.1-canary.45

Core Changes

• Allow overriding outputHashSalt in modifyConfig: Allow overriding outputHashSalt in modifyConfig vercel/next.js#92856

Misc Changes

• Turbopack: Use lld again on ARM64 glibc Linux: Turbopack: Use lld again on ARM64 glibc Linux vercel/next.js#92860
• [ci]: add workflow to bump canary after backport: [ci]: add workflow to bump canary after backport vercel/next.js#92801
• turbopack: cache TransformPlugin in narrow-scoped turbo-tasks functions: turbopack: cache TransformPlugin in narrow-scoped turbo-tasks functions vercel/next.js#92842

Credits

Huge thanks to @bgw, @ztanner, @sokra, and @mischnic for helping!

v16.2.4

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) vercel/next.js#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (Turbopack: fix filesystem watcher config not applying follow_symlinks(false) vercel/next.js#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) vercel/next.js#92580)
• Compiler: Support boolean and number primtives in next.config defines (Compiler: Support boolean and number primtives in next.config defines vercel/next.js#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation vercel/next.js#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (Turbopack: shorter error for ChunkGroupInfo::get_index_of vercel/next.js#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index vercel/next.js#92828)
• Adding more system info to the 'initialize project' trace (Adding more system info to the 'initialize project' trace vercel/next.js#92427)

Credits

Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!

v16.2.1-canary.44

Core Changes

• fix(trace-server): default MCP port to --port + 1 to avoid conflicts: fix(trace-server): default MCP port to --port + 1 to avoid conflicts vercel/next.js#92831
• Revert "Node.js streams: Add forkpoint for prerenderToStream": Revert "Node.js streams: Add forkpoint for prerenderToStream" vercel/next.js#92845
• Warn for non-deterministic "use cache" args during final prerender: Warn for non-deterministic "use cache" args during final prerender vercel/next.js#92820

Misc Changes

• Share native binaries via GitHub artifacts: Share native binaries via GitHub artifacts vercel/next.js#92758
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index: Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index vercel/next.js#92828
• Turbopack: refactor export analysis: Turbopack: refactor export analysis vercel/next.js#92781
• [ci] Skip sccache on Windows runners: [ci] Skip sccache on Windows runners vercel/next.js#92847
• Turbopack: remove StarImportAnalyzer: Turbopack: remove StarImportAnalyzer vercel/next.js#92830
• Turbopack: analyzer improvement followups: Turbopack: analyzer improvement followups vercel/next.js#92834
• Update Rspack production test manifest: Update Rspack production test manifest vercel/next.js#92674
• Update Rspack development test manifest: Update Rspack development test manifest vercel/next.js#92673
• Turbopack: move assignment_scopes computation into ImportMap: Turbopack: move assignment_scopes computation into ImportMap vercel/next.js#92835
• docs: restructure instant nav guide for clarity: docs: restructure instant nav guide for clarity vercel/next.js#92684
• docs: add documentation for no-typos ESLint rule: docs: add documentation for no-typos ESLint rule vercel/next.js#92809

Credits

Huge thanks to @mmastrac, @sokra, @mischnic, @timneutkens, @vercel-release-bot, @unstubbable, @icyJoseph, and @MukundaKatta for helping!

v16.2.1-canary.43

Core Changes

• webpack: fix swcPlugins with relative paths: webpack: fix swcPlugins with relative paths vercel/next.js#92770
• Node.js streams: Add forkpoint for logMessagesAndSendErrorsToBrowser: Node.js streams: Add forkpoint for logMessagesAndSendErrorsToBrowser vercel/next.js#92510
• Node.js streams: Add forkpoint for createCombinedPayloadStream: Node.js streams: Add forkpoint for createCombinedPayloadStream vercel/next.js#92511
• Node.js streams: Add forkpoint for renderWithRestartOnCacheMissInValidation: Node.js streams: Add forkpoint for renderWithRestartOnCacheMissInValidation vercel/next.js#92512
• Node.js streams: Add forkpoint for prerenderToStream: Node.js streams: Add forkpoint for prerenderToStream vercel/next.js#92513
• Perf: Fast path for trace() when opentelemetry is not enabled: Perf: Fast path for trace() when opentelemetry is not enabled vercel/next.js#92678

Misc Changes

• turbopack: gate ValueDebugFormat and ValueDebug behind debug_assertions: turbopack: gate ValueDebugFormat and ValueDebug behind debug_assertions vercel/next.js#92628
• Add TurboMalloc::thread_park() to flush and collect on thread park: Add TurboMalloc::thread_park() to flush and collect on thread park vercel/next.js#92804
• Stop using deprecated baseUrl: Stop using deprecated baseUrl vercel/next.js#92653
• Turbopack: Use FrozenMap for module export information: Turbopack: Use FrozenMap for module export information vercel/next.js#92802
• pr-status: Show all participants in review thread overview: pr-status: Show all participants in review thread overview vercel/next.js#92730
• docs: draftMode alignment: docs: draftMode alignment vercel/next.js#92794
• Turbopack: remove webpack chunk detection: Turbopack: remove webpack chunk detection vercel/next.js#92773
• Turbopack: refactor ESM codegen generation: Turbopack: refactor ESM codegen generation vercel/next.js#92777
• Fix monorepo @next/swc binary postinstall: Fix monorepo @next/swc binary postinstall vercel/next.js#92813
• Turbopack: shorter error for ChunkGroupInfo::get_index_of: Turbopack: shorter error for ChunkGroupInfo::get_index_of vercel/next.js#92814
• Turbopack: properly set NODE_ENV for SWC plugins: Turbopack: properly set NODE_ENV for SWC plugins vercel/next.js#92579

Credits

Huge thanks to @sokra, @eps1lon, @bgw, @icyJoseph, @mischnic, and @timneutkens for helping!

v16.2.1-canary.42

Core Changes

• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router): Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) vercel/next.js#92580
• Enable wasm plugins on windows arm: Enable wasm plugins on windows arm vercel/next.js#92544
• prefetchInlining: fix build crash on notFound() pages: prefetchInlining: fix build crash on notFound() pages vercel/next.js#92806

Credits

Huge thanks to @lukesandberg and @acdlite for helping!

v16.2.1-canary.41

Misc Changes

• Fix devlow-bench: tsconfig rootDir mismatch with package.json bin: Fix devlow-bench: tsconfig rootDir mismatch with package.json bin vercel/next.js#92800

Credits

Huge thanks to @mmastrac for helping!

v16.2.1-canary.40

Misc Changes

• Fix turbo cache flag: use --force: Fix turbo cache flag: use --force vercel/next.js#92796

Credits

Huge thanks to @mmastrac for helping!

v16.2.1-canary.38

Core Changes

• Ensure x-nextjs-data header is only set during resolve: Ensure x-nextjs-data header is only set during resolve vercel/next.js#92752

Credits

Huge thanks to @ijjk for helping!

v16.2.1-canary.37

Core Changes

• Exclude trace files from directory deletion in builds: Exclude trace files from directory deletion in builds vercel/next.js#92486
• Switch segment prefetch cache miss response from 204 to 404: Switch segment prefetch cache miss response from 204 to 404 vercel/next.js#92751

Misc Changes

• Re-enable sccache: Re-enable sccache vercel/next.js#92746

(truncated — see source for full notes)

sharp (0.32.6 → 0.34.5) — GitHub Release

v0.34.5

• Upgrade to libvips v8.17.3 for upstream bug fixes.

• Add experimental support for prebuilt Linux RISC-V 64-bit binaries.

• Support building from source with npm v12+, deprecate --build-from-source flag.
  Enhancement: support building from source with npm v12+ lovell/sharp#4458

• Add support for BigTIFF output.
  https://github.com/lovell/sharp/issues/4459
  @throwbi

• Improve error messaging when only warnings issued.
  Enhancement: improve warning/error messages from GeoTiff images (currently reports "Unknown error") lovell/sharp#4465

• Simplify ICC processing when retaining input profiles.
  Image colour is changed without applying any operations lovell/sharp#4468

v0.34.5-rc.1

• Upgrade to libvips v8.17.3 for upstream bug fixes.

• Add experimental support for prebuilt Linux RISC-V 64-bit binaries.

• Support building from source with npm v12+, deprecate --build-from-source flag.
  Enhancement: support building from source with npm v12+ lovell/sharp#4458

• Add support for BigTIFF output.
  https://github.com/lovell/sharp/issues/4459
  @throwbi

• Improve error messaging when only warnings issued.
  Enhancement: improve warning/error messages from GeoTiff images (currently reports "Unknown error") lovell/sharp#4465

• Simplify ICC processing when retaining input profiles.
  Image colour is changed without applying any operations lovell/sharp#4468

v0.34.5-rc.0

• Upgrade to libvips v8.17.3 for upstream bug fixes.

• Add experimental support for prebuilt Linux RISC-V 64-bit binaries.

• Support building from source with npm v12+, deprecate --build-from-source flag.
  Enhancement: support building from source with npm v12+ lovell/sharp#4458

• Add support for BigTIFF output.
  https://github.com/lovell/sharp/issues/4459
  @throwbi

• Improve error messaging when only warnings issued.
  Enhancement: improve warning/error messages from GeoTiff images (currently reports "Unknown error") lovell/sharp#4465

• Simplify ICC processing when retaining input profiles.
  Image colour is changed without applying any operations lovell/sharp#4468

v0.34.4

• Upgrade to libvips v8.17.2 for upstream bug fixes.

• Ensure TIFF subifd and OpenSlide level input options are respected (regression in 0.34.3).

• Ensure autoOrient occurs before non-90 angle rotation.
  autoOrient misbehavior when combined with additional rotation lovell/sharp#4425

• Ensure autoOrient removes existing metadata after shrink-on-load.
  autoOrient does not work well with avif if resized lovell/sharp#4431

• TypeScript: Ensure KernelEnum includes linear.
  https://github.com/lovell/sharp/issues/4441
  @BayanBennett

• Ensure unlimited flag is passed upstream when reading TIFF images.
  Large TIFF input can generate "Cumulated memory allocation" errors, unlimited flag is ignored lovell/sharp#4446

• Support Electron memory cage when reading XMP metadata (regression in 0.34.3).
  sharp 0.34.3 + Electron with memory cage + Windows : possible race condition/crash when reading image metadata containing XMP lovell/sharp#4451

• Add sharp-libvips rpath for yarn v5 support.
  https://github.com/lovell/sharp/issues/4452
  @arcanis

v0.34.4-rc.4

• Upgrade to libvips v8.17.2 for upstream bug fixes.

• Ensure TIFF subifd and OpenSlide level input options are respected (regression in 0.34.3).

• Ensure autoOrient occurs before non-90 angle rotation.
  autoOrient misbehavior when combined with additional rotation lovell/sharp#4425

• Ensure autoOrient removes existing metadata after shrink-on-load.
  autoOrient does not work well with avif if resized lovell/sharp#4431

• TypeScript: Ensure KernelEnum includes linear.
  https://github.com/lovell/sharp/issues/4441
  @BayanBennett

• Ensure unlimited flag is passed upstream when reading TIFF images.
  Large TIFF input can generate "Cumulated memory allocation" errors, unlimited flag is ignored lovell/sharp#4446

• Support Electron memory cage when reading XMP metadata (regression in 0.34.3).
  sharp 0.34.3 + Electron with memory cage + Windows : possible race condition/crash when reading image metadata containing XMP lovell/sharp#4451

• Add sharp-libvips rpath for yarn v5 support.
  https://github.com/lovell/sharp/issues/4452
  @arcanis

v0.34.4-rc.3

• Upgrade to libvips v8.17.2 for upstream bug fixes.

• Ensure autoOrient occurs before non-90 angle rotation.
  autoOrient misbehavior when combined with additional rotation lovell/sharp#4425

• Ensure autoOrient removes existing metadata after shrink-on-load.
  autoOrient does not work well with avif if resized lovell/sharp#4431

• TypeScript: Ensure KernelEnum includes linear.
  https://github.com/lovell/sharp/issues/4441
  @BayanBennett

• Ensure unlimited flag is passed upstream when reading TIFF images.
  Large TIFF input can generate "Cumulated memory allocation" errors, unlimited flag is ignored lovell/sharp#4446

• Support Electron memory cage when reading XMP metadata (regression in 0.34.3).
  sharp 0.34.3 + Electron with memory cage + Windows : possible race condition/crash when reading image metadata containing XMP lovell/sharp#4451

• Add sharp-libvips rpath for yarn v5 support.
  https://github.com/lovell/sharp/issues/4452
  @arcanis

v0.34.4-rc.2

• Upgrade to libvips v8.17.2 for upstream bug fixes.

• Ensure autoOrient occurs before non-90 angle rotation.
  autoOrient misbehavior when combined with additional rotation lovell/sharp#4425

• Ensure autoOrient removes existing metadata after shrink-on-load.
  autoOrient does not work well with avif if resized lovell/sharp#4431

• TypeScript: Ensure KernelEnum includes linear.
  https://github.com/lovell/sharp/issues/4441
  @BayanBennett

• Ensure unlimited flag is passed upstream when reading TIFF images.
  Large TIFF input can generate "Cumulated memory allocation" errors, unlimited flag is ignored lovell/sharp#4446

• Support Electron memory cage when reading XMP metadata (regression in 0.34.3).
  sharp 0.34.3 + Electron with memory cage + Windows : possible race condition/crash when reading image metadata containing XMP lovell/sharp#4451

• Add sharp-libvips rpath for yarn v5 support.
  https://github.com/lovell/sharp/issues/4452
  @arcanis

v0.34.4-rc.1

• Ensure autoOrient occurs before non-90 angle rotation.
  autoOrient misbehavior when combined with additional rotation lovell/sharp#4425

• Ensure autoOrient removes existing metadata after shrink-on-load.
  autoOrient does not work well with avif if resized lovell/sharp#4431

v0.34.4-rc.0

---

title: v0.34.4 - TBD
slug: changelog/v0.34.4

• Ensure autoOrient occurs before non-90 angle rotation.
  autoOrient misbehavior when combined with additional rotation lovell/sharp#4425

• Ensure autoOrient removes existing metadata after shrink-on-load.
  autoOrient does not work well with avif if resized lovell/sharp#4431

(and 35 more releases — view all)

react (18.2.0 → 18.3.1) — GitHub Release

v18.3.1

• Export act from react f1338f

v18.3.0

This release is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19.

Read the React 19 Upgrade Guide for more info.

React

• Allow writing to this.refs to support string ref codemod 909071
• Warn for deprecated findDOMNode outside StrictMode c3b283
• Warn for deprecated test-utils methods d4ea75
• Warn for deprecated Legacy Context outside StrictMode 415ee0
• Warn for deprecated string refs outside StrictMode https://github.com/facebook/react/issues/25383
• Warn for deprecated defaultProps for function components https://github.com/facebook/react/issues/25699
• Warn when spreading key https://github.com/facebook/react/issues/25697
• Warn when using act from test-utils d4ea75

React DOM

• Warn for deprecated unmountComponentAtNode 8a015b
• Warn for deprecated renderToStaticNodeStream https://github.com/facebook/react/issues/28874

react-dom (18.2.0 → 18.3.1) — GitHub Release

v18.3.1

• Export act from react f1338f

v18.3.0

This release is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19.

Read the React 19 Upgrade Guide for more info.

React

• Allow writing to this.refs to support string ref codemod 909071
• Warn for deprecated findDOMNode outside StrictMode c3b283
• Warn for deprecated test-utils methods d4ea75
• Warn for deprecated Legacy Context outside StrictMode 415ee0
• Warn for deprecated string refs outside StrictMode https://github.com/facebook/react/issues/25383
• Warn for deprecated defaultProps for function components https://github.com/facebook/react/issues/25699
• Warn when spreading key https://github.com/facebook/react/issues/25697
• Warn when using act from test-utils d4ea75

React DOM

• Warn for deprecated unmountComponentAtNode 8a015b
• Warn for deprecated renderToStaticNodeStream https://github.com/facebook/react/issues/28874

---

Generated by ADMS Sources: 4 GitHub Releases.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.