chore(deps): bump next and next-intl to patch security vulnerabilities#71

Merged
yahyafakhroji merged 1 commit into
mainfrom
chore/bump-next-security
Apr 14, 2026

Conversation

@yahyafakhroji yahyafakhroji commented Apr 14, 2026

Summary

Patches 10 vulnerabilities reported by snyk test against apps/login. All are dependency-level issues resolved by minor version bumps; no application code changes are required.

- next 16.1.1 → 16.2.3
- next-intl ^4.7.0 → ^4.9.1

Snyk scan

Before

Tested 40 dependencies, 10 issues / 10 vulnerable paths.

| Severity | Package | CWE / Advisory |
|---|---|---|
| High | next@16.1.1 | Allocation of Resources Without Limits (SNYK-JS-NEXT-15954202) |
| High | next@16.1.1 | Allocation of Resources Without Limits (SNYK-JS-NEXT-15104645) |
| High | next@16.1.1 | Allocation of Resources Without Limits (SNYK-JS-NEXT-15105315) |
| High | next@16.1.1 | Allocation of Resources Without Limits (SNYK-JS-NEXT-15921797) |
| Medium | next@16.1.1 | Allocation of Resources Without Limits (SNYK-JS-NEXT-15674556) |
| Medium | next@16.1.1 | Cross-site Request Forgery (CSRF) (SNYK-JS-NEXT-15674557) |
| Medium | next@16.1.1 | HTTP Request Smuggling (SNYK-JS-NEXT-15674558) |
| Medium | next@16.1.1 | Allocation of Resources Without Limits (SNYK-JS-NEXT-15674559) |
| Low | next@16.1.1 | Missing Origin Validation in WebSockets (SNYK-JS-NEXT-15674560) |
| Medium | next-intl@4.7.0 | Open Redirect (SNYK-JS-NEXTINTL-15995498) |

After

✔ Tested 40 dependencies for known issues, no vulnerable paths found.

Verification

- `snyk test --severity-threshold=low` — 0 vulnerable paths
- `pnpm turbo run build --filter=@zitadel/login` — build succeeds
- `pnpm lint` — 0 errors (pre-existing react-hooks/exhaustive-deps warnings unchanged)
- `pnpm test:unit` — 10/10 pass
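A bump like this only stays fixed while the declared ranges keep resolving to the patched releases. The following is an added example, not code from the ZITADEL project or from this PR: a small Node.js check that reads a manifest and reports any watched package whose declared range can resolve below the patched minimum the PR names (next 16.2.3, next-intl 4.9.1). The two `package.json` objects embedded below are constructed to mirror the before and after state described in the PR; the real manifest lives in `apps/login`. Only exact, caret and tilde ranges are parsed; anything else (`*`, `latest`, `workspace:*`) is reported because it cannot be proven patched.

```javascript
// Added example (not ZITADEL code): guard against regressing below the
// patched versions named in the PR. Runs stand-alone with `node`.

// Minimum patched versions, taken from the PR description.
const PATCHED_MINIMUMS = {
  next: "16.2.3",
  "next-intl": "4.9.1",
};

// Constructed sample manifests mirroring the PR's before/after state.
const BEFORE = {
  dependencies: { next: "16.1.1", "next-intl": "^4.7.0", react: "^19.0.0" },
};
const AFTER = {
  dependencies: { next: "16.2.3", "next-intl": "^4.9.1", react: "^19.0.0" },
};

// Lowest version a declared range can resolve to, as [major, minor, patch].
// Handles "1.2.3", "^1.2.3" and "~1.2.3"; returns null for anything else so
// the caller treats it as unverifiable rather than silently passing it.
function lowerBound(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one finding per watched package that is declared below its patched
// minimum or with a range that cannot be checked. Empty list means clean.
function findUnpatched(manifest, minimums = PATCHED_MINIMUMS) {
  const declared = {
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {}),
  };
  const findings = [];
  for (const [pkg, minSpec] of Object.entries(minimums)) {
    const spec = declared[pkg];
    if (spec === undefined) continue; // package not used by this manifest
    const lower = lowerBound(spec);
    if (lower === null) {
      findings.push({ pkg, spec, reason: "range not parseable, cannot confirm patched version" });
      continue;
    }
    if (compareVersions(lower, lowerBound(minSpec)) < 0) {
      findings.push({ pkg, spec, reason: `below patched minimum ${minSpec}` });
    }
  }
  return findings;
}

// Human-readable summary for a CI log line.
function report(label, manifest) {
  const findings = findUnpatched(manifest);
  if (findings.length === 0) return `${label}: all watched packages at or above patched minimums`;
  return `${label}: ${findings.map((f) => `${f.pkg}@${f.spec} (${f.reason})`).join("; ")}`;
}

console.log(report("before bump", BEFORE));
console.log(report("after bump", AFTER));
```

In a CI job the constructed manifests would be replaced by `JSON.parse(fs.readFileSync("apps/login/package.json"))`, and a non-empty result from `findUnpatched` would fail the step. Checking the lower bound of the range, rather than whatever is installed locally, is deliberate: it is the range in the manifest that decides what a fresh install may resolve to.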

@yahyafakhroji yahyafakhroji requested review from a team, gaghan430 and kevwilliams April 14, 2026 02:19
Snyk: 10 issues → 0 vulnerable paths.

- next 16.1.1 → 16.2.3 (4 High, 4 Medium, 1 Low)
- next-intl ^4.7.0 → ^4.9.1 (1 Medium Open Redirect)
@yahyafakhroji yahyafakhroji merged commit 806252c into main Apr 14, 2026
4 checks passed
@yahyafakhroji yahyafakhroji deleted the chore/bump-next-security branch April 14, 2026 02:38
@yahyafakhroji yahyafakhroji self-assigned this Apr 15, 2026