fix(deps): update dependency next to v15.2.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	15.2.3 -> 15.2.4

GitHub Vulnerability Alerts

CVE-2025-30218

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

---

Next.js may leak x-middleware-subrequest-id to external hosts

CVE-2025-30218 / GHSA-223j-4rm8-mrmf

More information

Details

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf
• https://nvd.nist.gov/vuln/detail/CVE-2025-30218
• https://github.com/vercel/next.js
• https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/next.js (next)

v15.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Match subrequest handling for edge and node (#​77474)
• exclude images and static media from dev origin check (#​77417)
• ensure /__next middleware URLs are included in the origin check (#​77416)
• remove direct ip/port bypass in dev origin check (#​77414)
• switch development origin verification to be opt-in rather than opt-out (#​77395)

Credits

Huge thanks to @​ijjk and @​ztanner for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for celo-composer ready!

Name	Link
🔨 Latest commit	c30444a
🔍 Latest deploy log	https://app.netlify.com/projects/celo-composer/deploys/689e6d1149f83c0008e4eb16
😎 Deploy Preview	https://deploy-preview-352--celo-composer.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​next/​swc-darwin-arm64@​15.2.3 ⏵ 15.4.6
	@​next/​swc-darwin-x64@​15.2.3 ⏵ 15.4.6
	@​next/​swc-linux-arm64-gnu@​15.2.3 ⏵ 15.4.6
	@​next/​swc-linux-arm64-musl@​15.2.3 ⏵ 15.4.6
	@​next/​swc-linux-x64-gnu@​15.2.3 ⏵ 15.4.6
	@​next/​swc-linux-x64-musl@​15.2.3 ⏵ 15.4.6
	@​next/​swc-win32-arm64-msvc@​15.2.3 ⏵ 15.4.6
	@​next/​swc-win32-x64-msvc@​15.2.3 ⏵ 15.4.6
	@​img/​sharp-linux-ppc64@​0.34.3
	@​img/​sharp-darwin-arm64@​0.33.5 ⏵ 0.34.3
	@​img/​sharp-darwin-x64@​0.33.5 ⏵ 0.34.3
	@​img/​sharp-linux-arm64@​0.33.5 ⏵ 0.34.3
	@​img/​sharp-linux-arm@​0.33.5 ⏵ 0.34.3
	@​img/​sharp-linux-s390x@​0.33.5 ⏵ 0.34.3
	@​img/​sharp-linux-x64@​0.33.5 ⏵ 0.34.3
	@​img/​sharp-linuxmusl-arm64@​0.33.5 ⏵ 0.34.3
	@​img/​sharp-linuxmusl-x64@​0.33.5 ⏵ 0.34.3
	@​next/​env@​15.2.3 ⏵ 15.4.6
	eslint-config-next@​15.2.3 ⏵ 15.4.6	+1		+1
	@​next/​eslint-plugin-next@​15.2.3 ⏵ 15.4.6	+1		+1
	@​emnapi/​runtime@​1.3.1 ⏵ 1.4.5
	caniuse-lite@​1.0.30001706 ⏵ 1.0.30001735	+1		+1	+3
	@​img/​sharp-libvips-linux-ppc64@​1.2.0
	@​img/​sharp-libvips-linuxmusl-x64@​1.0.4 ⏵ 1.2.0
	@​img/​sharp-libvips-linux-x64@​1.0.4 ⏵ 1.2.0
	@​img/​sharp-libvips-darwin-arm64@​1.0.4 ⏵ 1.2.0
	@​img/​sharp-libvips-darwin-x64@​1.0.4 ⏵ 1.2.0
	@​img/​sharp-libvips-linux-arm64@​1.0.4 ⏵ 1.2.0
	@​img/​sharp-libvips-linux-arm@​1.0.5 ⏵ 1.2.0
	@​img/​sharp-libvips-linux-s390x@​1.0.4 ⏵ 1.2.0
	@​img/​sharp-libvips-linuxmusl-arm64@​1.0.4 ⏵ 1.2.0
	detect-libc@​2.0.3 ⏵ 2.0.4
	@​img/​sharp-win32-arm64@​0.34.3
See 5 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		sharp@0.34.3 has Install scripts. Install script: install Source: node install/check.js From: packages/react-app/yarn.lock → npm/sharp@0.34.3 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sharp@0.34.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		next@15.4.6 is a AI-detected potential code anomaly. Notes: The fragment represents a sophisticated Edge VM sandbox aimed at running untrusted code with controlled IO. While not overtly malicious, its capability to patch native constructors, generate and evaluate runtime code, and route network-like fetch events through sandboxed listeners creates meaningful security risks if misused or insufficiently isolated. This warrants thorough threat modeling, strict supply-chain controls, and explicit isolation guarantees in the hosting environment before deploying in production. Confidence: 1.00 Severity: 0.60 From: packages/react-app/package.json → npm/next@15.4.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.4.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report