build(deps): bump next from 16.1.7 to 16.2.6 #487

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/next-16.2.6

dependabot Bot commented on behalf of github May 12, 2026

Bumps next from 16.1.7 to 16.2.6.

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes

  • fix: preserve HTTP access fallbacks during prerender recovery (#92231)
  • Fix fallback route params case in app-page handler (#91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
  • Patch setHeader for direct route handlers (#93101)
  • Include deployment id in cacheHandlers keys (#93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

... (truncated)

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
  • 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
  • a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
  • 766148f v16.2.5
  • 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
  • d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
  • 9d50c0b Strip next-resume header from incoming requests (#92)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 12, 2026
dependabot Bot requested a review from andreip136 as a code owner May 12, 2026 17:18

vercel Bot commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| nodes-dashboard | Ready | Preview, Comment | May 25, 2026 10:03pm |

Bumps [next](https://github.com/vercel/next.js) from 16.1.7 to 16.2.6.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.1.7...v16.2.6)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/npm_and_yarn/next-16.2.6 branch from c9242ee to 6b858d6 May 25, 2026 21:59

greptile-apps Bot commented May 25, 2026

Greptile Summary

This PR is an automated dependabot bump of next from 16.1.7 to 16.2.6, a security-focused patch release that addresses 12 CVEs across high, moderate, and low severity bands.

  • Security fixes (high): Middleware/proxy bypass via segment-prefetch routes (GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, GHSA-492v-c6pp-mqqv, GHSA-36qx-fr4f-26g5), DoS in Server Components and Cache Components, and SSRF via WebSocket upgrades (GHSA-c4j6-fc7j-m34r).
  • Security fixes (moderate/low): XSS via CSP nonces and beforeInteractive scripts, Image Optimization DoS, and several cache-poisoning vectors.
  • Lock file: All @next/* sub-packages are updated consistently; sharp's peer requirement moves from ^0.34.4 to ^0.34.5 (resolved version stays at 0.34.5).

Confidence Score: 5/5

Safe to merge — this is a focused security patch release with no breaking changes and consistent lock file updates.

The change is a single dependency bump generated by dependabot. All sub-packages are updated consistently in the lock file, the resolved sharp version is unchanged, and the release notes confirm this is a backport-only patch release with no new canary features. No application code is touched.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| package.json | Bumps next from 16.1.7 to 16.2.6 to pull in critical security fixes; no other dependency changes. |
| yarn.lock | Lock file updated consistently: all @next/* packages and next itself move to 16.2.6; sharp minimum bumped from ^0.34.4 to ^0.34.5 (resolved version unchanged at 0.34.5). |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[dependabot PR] --> B[next 16.1.7 → 16.2.6]
    B --> C[package.json updated]
    B --> D[yarn.lock updated]
    D --> E[All @next/* sub-packages → 16.2.6]
    D --> F[sharp peer req: ^0.34.4 → ^0.34.5\nresolved version unchanged: 0.34.5]
    B --> G{Security fixes}
    G --> H[High: DoS, Middleware/Proxy bypass,\nSSRF via WebSocket]
    G --> I[Moderate: XSS via CSP nonces,\nImage Optimization DoS, Cache poisoning]
    G --> J[Low: Cache poisoning, Redirect poisoning]
```

Reviews (1): Last reviewed commit: "build(deps): bump next from 16.1.7 to 16..."
