Bump next from 14.2.3 to 16.1.7 #150

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/next-16.1.7

@dependabot dependabot bot commented on behalf of github Mar 17, 2026

Bumps next from 14.2.3 to 16.1.7.

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
  • Apply server actions transform to node_modules in route handlers (#89380)
  • ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
  • feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
  • Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
  • Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
  • fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Upgrade to swc 54 (#88207)
  • implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
  • tweak LRU sentinel key (#89123)

Credits

Huge thanks to @mischnic, @wyattjoh, and @ztanner for helping!

v16.1.5

Please refer to the following changelogs for more information about this security release:

  • https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
  • https://vercel.com/changelog/summary-of-cve-2026-23864

v16.0.11

Please see this changelog for more information about this security patch.

v15.6.0-canary.61

Please refer to the following changelogs for more information about this security release:

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

... (truncated)

Commits
  • bdf3e35 v16.1.7
  • dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
  • 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
  • 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
  • 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
  • c68d62d Backport documentation fixes for 16.1.x (#90655)
  • 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
  • c95e357 Backport/docs fixes 16.1.x (#90125)
  • cba6144 [backport] Apply server actions transform to node_modules in route handlers...
  • 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade next from 14.2.3 to 16.1.7 to pick up security fixes, SWC updates, and improved caching/image handling. No app code changes included in this PR.

  • Dependencies
    • Bumped next to 16.1.7.
    • Updates: styled-jsx@5.1.6, @swc/helpers@0.5.15, baseline-browser-mapping.
    • Adds optional sharp@^0.34.4 and platform binaries for Next Image.
    • Includes multiple security patches (server actions, dev websockets, http-proxy).
  • Migration
    • Requires Node.js 18.18+ (or 20+).
    • Clean build: delete .next/, reinstall, rebuild.
    • If using Next Image, consider images.maximumDiskCacheSize (new LRU disk cache).
    • Server Actions are stricter by default; verify any form submissions or cross-origin contexts.

Written for commit fd3c307. Summary will update on new commits.

Bumps [next](https://github.com/vercel/next.js) from 14.2.3 to 16.1.7.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v14.2.3...v16.1.7)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.1.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Dependency updates) and javascript (Pull requests that update javascript code) labels Mar 17, 2026

netlify bot commented Mar 17, 2026

Deploy Preview for alloradocs failed. Why did it fail? →

Name Link
🔨 Latest commit fd3c307
🔍 Latest deploy log https://app.netlify.com/projects/alloradocs/deploys/69b98a6f9b166b000841e292

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:4">
P0: Bumping `next` to 16.x will break the build because `nextra@2.13.4` uses a custom webpack plugin (`withNextra`) that is incompatible with Next.js 16's default Turbopack bundler. The Next.js 16 upgrade guide explicitly warns that custom webpack configurations will cause build failures. Nextra v2 was designed for Next.js 12–14; you need to upgrade `nextra` and `nextra-theme-docs` to v4+ (which supports Next.js 15+/16) before bumping Next.js, and adapt the project's configuration and content files accordingly.</violation>
</file>
Architecture diagram
sequenceDiagram
    participant Client as Browser / Client
    participant Proxy as HTTP Proxy (Rewrites)
    participant App as Next.js Server Runtime
    participant Img as Next Image Optimizer
    participant Cache as LRU Disk/Response Cache
    participant Action as Server Action / Route Handler

    Note over Client, Action: Next.js 16.1.7 Runtime Request Flow

    Client->>Proxy: Request (with Headers/Cookies)
    Proxy->>Proxy: CHANGED: Validated via patched http-proxy
    Note right of Proxy: Prevents Request Smuggling (CVE-2026-29057)

    alt Image Request
        Client->>Img: GET /_next/image?url=...
        Img->>Cache: NEW: Check LRU Disk Cache
        Note right of Cache: Respects images.maximumDiskCacheSize
        alt Cache Hit
            Cache-->>Img: Optimized Image
        else Cache Miss
            Img->>Img: Optimize Image
            Img->>Cache: NEW: Store in LRU Disk Cache
        end
        Img-->>Client: 200 OK (Optimized Image)
    end

    alt Server Action Submission
        Client->>Action: POST (Action ID)
        Action->>Action: NEW: Validate Origin Context
        Note right of Action: Blocks submissions from privacy-sensitive origins
        
        opt Node Modules Integration
            Action->>Action: NEW: Apply server actions transform
            Note right of Action: Now supports node_modules in route handlers
        end
        
        Action-->>Client: Action Response
    end

    alt Data Fetching / Rendering
        App->>App: CHANGED: Stream/Fetch Execution
        Note right of App: Prevents streaming fetch hangs in dev mode
        
        App->>Cache: NEW: Check Minimal Mode Response Cache
        Note right of Cache: Uses Invocation ID scoping & LRU sentinel
        
        App->>App: NEW: Enforce maxPostponedStateSize
        Note right of App: Limits state size for PPR/postponed renders
        
        App-->>Client: Rendered HTML / Stream
    end

    opt Dev Mode WebSockets
        Client->>App: WebSocket Upgrade (Dev Server)
        App->>App: NEW: Origin Validation
        Note right of App: Blocks cross-site dev-only connections
    end

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

"dependencies": {
"katex": "^0.16.11",
"next": "^14.2.3",
"next": "^16.1.7",

@cubic-dev-ai cubic-dev-ai bot Mar 17, 2026

P0: Bumping next to 16.x will break the build because nextra@2.13.4 uses a custom webpack plugin (withNextra) that is incompatible with Next.js 16's default Turbopack bundler. The Next.js 16 upgrade guide explicitly warns that custom webpack configurations will cause build failures. Nextra v2 was designed for Next.js 12–14; you need to upgrade nextra and nextra-theme-docs to v4+ (which supports Next.js 15+/16) before bumping Next.js, and adapt the project's configuration and content files accordingly.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 4:

<comment>Bumping `next` to 16.x will break the build because `nextra@2.13.4` uses a custom webpack plugin (`withNextra`) that is incompatible with Next.js 16's default Turbopack bundler. The Next.js 16 upgrade guide explicitly warns that custom webpack configurations will cause build failures. Nextra v2 was designed for Next.js 12–14; you need to upgrade `nextra` and `nextra-theme-docs` to v4+ (which supports Next.js 15+/16) before bumping Next.js, and adapt the project's configuration and content files accordingly.</comment>

<file context>
@@ -1,7 +1,7 @@
   "dependencies": {
     "katex": "^0.16.11",
-    "next": "^14.2.3",
+    "next": "^16.1.7",
     "nextra": "^2.13.4",
     "nextra-theme-docs": "^2.13.4",
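Review bot: the changed `next` line jumps two major versions (`^14.2.3` to `^16.1.7`) while the unchanged context lines keep `nextra` and `nextra-theme-docs` at `^2.13.4`, so the framework moves without the plugin and theme that build on it. Upgrade those two in the same change or hold this bump until that work is ready, and require a passing deploy preview before merge, since the preview for this commit failed. If the security fixes in the release notes are the reason for the bump, check first whether a patched release exists on a major line the current `nextra` supports, which would make the fix a smaller change.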
</file context>