deps: bump the next-react group across 1 directory with 3 updates by dependabot[bot] · Pull Request #89 · ByteVeda/byteveda.site

dependabot · 2026-05-11T07:22:35Z

Bumps the next-react group with 3 updates in the / directory: next, react and react-dom.

Updates next from 16.2.4 to 16.2.6

Release notes

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

fix: preserve HTTP access fallbacks during prerender recovery (#92231)

Fix fallback route params case in app-page handler (#91737)

Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)

Patch setHeader for direct route handlers (#93101)

Include deployment id in cacheHandlers keys (#93453)

Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

ee6e79b v16.2.6
afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
97a154e Turbopack: Fix middleware matcher suffix (#93590)
83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
7b222b9 [backport][test] Pin package manager to patch versions (#93595)
a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
766148f v16.2.5
0dd9483 fix: add explicit checks for RSC header (#83) (#98)
d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
9d50c0b Strip next-resume header from incoming requests (#92)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

Type hardening and performance improvements (#36425 by @eps1lon and @unstubbable)

Commits

eaf3e95 Version 19.2.6
See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

Type hardening and performance improvements (#36425 by @eps1lon and @unstubbable)

Commits

eaf3e95 Version 19.2.6
See full diff in compare view

dependabot · 2026-05-11T07:22:36Z

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

vercel · 2026-05-11T07:22:38Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
byteveda-site	Ready	Preview, Comment	May 12, 2026 11:42am

Bumps the next-react group with 3 updates in the / directory: [next](https://github.com/vercel/next.js), [react](https://github.com/facebook/react/tree/HEAD/packages/react) and [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom). Updates `next` from 16.2.4 to 16.2.6 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.2.4...v16.2.6) Updates `react` from 19.2.5 to 19.2.6 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react) Updates `react-dom` from 19.2.5 to 19.2.6 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom) --- updated-dependencies: - dependency-name: next dependency-version: 16.2.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: next-react - dependency-name: react dependency-version: 19.2.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: next-react - dependency-name: react-dom dependency-version: 19.2.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: next-react ... Signed-off-by: dependabot[bot] <support@github.com>

vercel Bot deployed to Preview May 11, 2026 07:23 View deployment

dependabot Bot changed the title ~~deps: bump the next-react group with 3 updates~~ deps: bump the next-react group across 1 directory with 3 updates May 12, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/next-react-d35b2cbc55 branch from ff219b9 to 46db196 Compare May 12, 2026 11:41

vercel Bot deployed to Preview May 12, 2026 11:42 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps: bump the next-react group across 1 directory with 3 updates#89

deps: bump the next-react group across 1 directory with 3 updates#89
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/next-react-d35b2cbc55

dependabot Bot commented on behalf of github May 11, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 11, 2026

Uh oh!

vercel Bot commented May 11, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v16.2.6

Security Fixes

Core Changes

v16.2.5

Security Fixes

19.2.6 (May 6th, 2026)

React Server Components

19.2.6 (May 6th, 2026)

React Server Components

Uh oh!

dependabot Bot commented on behalf of github May 11, 2026

Labels

Uh oh!

vercel Bot commented May 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 11, 2026 •

edited

Loading

vercel Bot commented May 11, 2026 •

edited

Loading