chore(deps): bump next to 15.5.15 (GHSA-q4gf-8mx6-v5v3)

coderdan · coderdan · commit 32c08d4f039a · 2026-05-06T11:14:34.000+10:00
Patches GHSA-q4gf-8mx6-v5v3 (high): denial of service via Next.js Server Components, affecting next >= 13.0.0 and < 15.5.15. Next.js is a transitive runtime dep here (consumed by packages/nextjs via peer "^14 || ^15", and through @clerk/nextjs). The existing root override "next": ">=15.5.10" allowed the vulnerable 15.5.10; tightened to ">=15.5.15", and bumped the security catalog entry to match. Lockfile changes are a surgical hand-edit (next + @next/env + 8x @next/swc-*) rather than a full regen. Same reason as the lodash bump: a fresh resolve picks the patched version but also drags ~30 unrelated transitive bumps along. Surgical edit keeps the blast radius contained, and `pnpm install --frozen-lockfile` validates cleanly.
diff --git a/package.json b/package.json
@@ -96,7 +96,7 @@
     "minimatch": ">=10.2.3",
     "@isaacs/brace-expansion": ">=5.0.1",
     "fast-xml-parser": ">=5.3.4",
-    "next": ">=15.5.10",
+    "next": ">=15.5.15",
     "ajv": ">=8.18.0",
     "esbuild@<=0.24.2": ">=0.25.0",
     "picomatch@^4": ">=4.0.4",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -12,7 +12,7 @@ catalogs:
     vitest: 3.1.3
   security:
     '@clerk/nextjs': 6.39.3
-    next: 15.5.10
+    next: 15.5.15
     vite: 8.0.9
 
 # Supply-chain hardening — see skills/stash-supply-chain-security/
