Update dependency next to v15 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	^14.2.18 → ^15.0.0
next (source)	^14.2.18 → ^15.0.0

GitHub Vulnerability Alerts

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

GHSA-mwv6-3258-q52c

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

GHSA-5j59-xgg2-r9c4

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

GHSA-h25m-26qc-wcjf

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

---

Release Notes

vercel/next.js (next)

v15.0.8

Compare Source

Please see this changelog for more information about this security patch.

v15.0.7

Compare Source

v15.0.6

Compare Source

v15.0.5

Compare Source

Please see CVE-2025-66478 for additional details about this release.

v15.0.4

Compare Source

[!NOTE]
This release is backporting changes. It does not include all pending features/changes on canary.

Core Changes

• Use React 19 stable in Pages Router: #​73564

Credits

Huge thanks to @​eps1lon

v15.0.3

Compare Source

Core Changes

• Read page name from work store in server module map proxy: #​71669
• codemod: should not transform when param is not used: #​71664
• [dynamicIO] complete refactor to prerender: #​71687
• fix: metadata image route normalize path posix for windows: #​71673
• next-codemod(upgrade): optional catch when missing dev script: #​71598
• Avoid server action function indirection in Turbopack: #​71628
• fix: exclude basePath in findSourceMapURL: #​71719
• fix: stack frame text color in dark mode: #​71656
• Fix: revert the bad node binary handling: #​71723
• next-codemod: add empty pnpm-workspace.yaml to test fixtures to bypass PNPM workspace checks: #​71726
• warn on sync access if dynamicIO is not enabled: #​71696
• Update React from 69d4b800-20241021 to 45804af1-20241021: #​71718
• next-upgrade: do not add --turbopack flag when --turbo exists in next dev: #​71730
• feat: stitch errors with react owner stack: #​70393
• [dynamicIO] update data access error and documentation: #​71738
• Test cached form action with revalidate: #​71591
• Upgrade React from 45804af1-20241021 to 28668d39-20241023: #​71745
• Fix race condition when setting client reference manifests: #​71741
• Fix fetch with no-store inside of use cache: #​71754
• Remove the bottom collapse button in dev overlay: #​71658
• [dynamicIO] unify cache filling and lazy-module warming: #​71749
• Don't filter out source location frames through RSC: #​71752
• fix undefined default export error msg: #​71762
• Upgrade React from 28668d39-20241023 to 1631855f-20241023: #​71769
• Enable owner stack in experimental build: #​71716
• feat: add experiment for sharpjs cpu flags: #​71733
• fix: handle server component replay error in error overlay: #​71772
• Don't error asking for prebuilt bundles: #​71778
• Replace turbopack://[project]/... sourcemap uris with file://... in development: #​71489
• misc: update source map paths for bundled Next.js runtime: #​71779
• [dynamicIO] refine error message and docs: #​71781
• next-upgrade: change --turbo to --turbopack if applicable: #​71737
• Show all diff when uncollapse: #​71792
• Sourcemap errors in terminal by default : #​71444
• Fully enable custom error callbacks for app router: #​71794
• Simplify Server Action Webpack plugin: #​71721
• ensure DIO development segment errors are cleared after correcting: #​71811
• Include sourceframe in errors logged in the terminal during development: #​71803
• [dynamicIO] update prerender cache scoping and cache warming for validation: #​71822
• only force stack frame color in tty: #​71860
• Add test for fetch with auth in use cache: #​71768
• Fix race with hot-reloader-client clearing overlay errors: #​71771
• Fix dynamic tracking in dev: #​71867
• Revert "Sourcemap errors in terminal by default (#​71444)": #​71868
• Fix fetch caching inside of "use cache": #​71793
• Trace upload: only send traces for current session: #​71838
• Reland "Sourcemap errors in terminal by default": #​71877
• Implement information byte in Server Reference ID and other optimizations: #​71463
• fix: webpack build error on Windows: #​71943
• Run with --enable-source-maps by default in next dev: #​71820
• fix global-error styles: #​71914
• Use registerClientReference for ESM client component modules: #​71968
• Fix missing await of params when metadata is used with an image file: #​71871
• Upgrade React from 1631855f-20241023 to 02c0e824-20241028: #​71979
• Populate sourcemap ignoreList when Webpack is used: #​71821
• [dynamicIO] unify server and client prerender for non-ppr pathway: #​71764
• codemod: add separator to the parenthenese expr: #​71993
• Respect sourcemap's ignore list when printing errors in the terminal: #​71908
• fix console color to be compatible in chrome devtools: #​71939
• Delete obsolete codemod next-dynamic-access-named-export: #​72016
• fix: log the error instance modified extra location info: #​71930
• Compare error stack to dedupe error: #​71798

Example Changes

• experimental.instrumentationHook is not necessary anymore: #​71808
• Add Jude to nextjs team: #​71936

Misc Changes

• docs: fix broken link in Architecture/Turbopack documentation: #​71412
• test: migrate rest async api usage in tests: #​71663
• fix: docs for dynamic routing in next 15: #​71531
• Remove the 'new' keyword from the GET function sample code.: #​71671
• chore: fix wrong path of comments: #​71682
• docs(next-config): remove mention of appIsrStatus is on canary: #​71695
• react-sync: Ignore update notices from npm: #​71717
• Docs: Update default marker for fetch cache option: #​71728
• [docs] Fix page.tsx parameter types: #​71680
• [docs] Fix table.js containing TS code: #​71677
• docs(ppr): update note about ppr: #​71697
• docs lint: #​71748
• fixes error message asserts and lints: #​71747
• Fix docs for configuring Turbopack: #​71755
• docs(turbo): add experimental icon to turbo config section: #​71761
• feat(turbopack): Add __turbopack_original__ while tree shaking: #​71547
• test: re-enable test with note: #​71789
• Docs: Remove beta marker from Turbopack docs: #​71796
• Update docs 1: #​71812
• docs lint fixes: #​71813
• docs: remove "use cache" on before code snippet: #​71815
• Next docs broken links: #​71823
• [Turbopack] add optimization based on upper count: #​71606
• chore(turbo-tasks-backend): Use let instead of match for macro bindings: #​71756
• chore(turbo-tasks-backend): Remove collapsible-if lints: #​71758
• removing extra reference: #​71853
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 3): #​71665
• Update sync-dynamic-apis.mdx: #​71907
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 4): #​71804
• test: remove duplicated flaky test: #​71967
• docs: Fix typo in cacheLife configs in use-cache docs: #​71921
• Fix use cache example line highlights: #​71883
• Allow breakpoints to be set in packages/next/src/compiled: #​71986
• updated upgrade to v15 command in docs: #​71643
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 5): #​71861
• Clarify that streaming is blocked on generateMetadata for initial load: #​71985
• Docs: Add legacy tags: #​71964
• Docs: Fix broken link: #​72021
• (docs) use cache: Add text code formatting: #​71999
• docs: update file structure: #​71951
• Documentation Fix: Correct cacheTag Function Usage: #​71912
• correct expire calc & and Nested usage import in use-cache docs: #​71899
• Docs: Address internal use cache comments : #​71981
• Fix swc version mismatch when checking out an older version: #​71978

Credits

Huge thanks to @​ytori, @​unstubbable, @​huozhi, @​SebassNoob, @​tatsuteb, @​Marukome0743, @​gnoff, @​samcx, @​devjiwonchoi, @​imprakharshukla, @​migueldamota, @​eps1lon, @​ztanner, @​timneutkens, @​cantemizyurek, @​sebmarkbage, @​padmaia, @​ijjk, @​styfle, @​wbinnssmith, @​feedthejim, @​kdy1, @​shuding, @​molebox, @​ismaelrumzan, @​sokra, @​bgw, @​timeyoutakeit, @​AdonisAgelis, @​chicoxyzzy, @​gaojude, @​elitalpa, @​t3dotgg, @​gaearon, @​nisabmohd, @​gadcam, @​delbaoliveira, @​bennettdams, @​wiscaksono, and @​Developerayo for helping!

v15.0.2

Compare Source

Core Changes

• Read page name from work store in server module map proxy: #​71669
• codemod: should not transform when param is not used: #​71664
• [dynamicIO] complete refactor to prerender: #​71687
• fix: metadata image route normalize path posix for windows: #​71673
• next-codemod(upgrade): optional catch when missing dev script: #​71598
• Avoid server action function indirection in Turbopack: #​71628
• fix: exclude basePath in findSourceMapURL: #​71719
• fix: stack frame text color in dark mode: #​71656
• Fix: revert the bad node binary handling: #​71723
• next-codemod: add empty pnpm-workspace.yaml to test fixtures to bypass PNPM workspace checks: #​71726
• warn on sync access if dynamicIO is not enabled: #​71696
• Update React from 69d4b800-20241021 to 45804af1-20241021: #​71718
• next-upgrade: do not add --turbopack flag when --turbo exists in next dev: #​71730
• feat: stitch errors with react owner stack: #​70393
• [dynamicIO] update data access error and documentation: #​71738
• Test cached form action with revalidate: #​71591
• Upgrade React from 45804af1-20241021 to 28668d39-20241023: #​71745
• Fix race condition when setting client reference manifests: #​71741
• Fix fetch with no-store inside of use cache: #​71754
• Remove the bottom collapse button in dev overlay: #​71658
• [dynamicIO] unify cache filling and lazy-module warming: #​71749
• Don't filter out source location frames through RSC: #​71752
• fix undefined default export error msg: #​71762
• Upgrade React from 28668d39-20241023 to 1631855f-20241023: #​71769
• Enable owner stack in experimental build: #​71716
• feat: add experiment for sharpjs cpu flags: #​71733
• fix: handle server component replay error in error overlay: #​71772
• Don't error asking for prebuilt bundles: #​71778
• Replace turbopack://[project]/... sourcemap uris with file://... in development: #​71489
• misc: update source map paths for bundled Next.js runtime: #​71779
• [dynamicIO] refine error message and docs: #​71781
• next-upgrade: change --turbo to --turbopack if applicable: #​71737
• Show all diff when uncollapse: #​71792
• Sourcemap errors in terminal by default : #​71444
• Fully enable custom error callbacks for app router: #​71794
• Simplify Server Action Webpack plugin: #​71721
• ensure DIO development segment errors are cleared after correcting: #​71811
• Include sourceframe in errors logged in the terminal during development: #​71803
• [dynamicIO] update prerender cache scoping and cache warming for validation: #​71822
• only force stack frame color in tty: #​71860
• Add test for fetch with auth in use cache: #​71768
• Fix race with hot-reloader-client clearing overlay errors: #​71771
• Fix dynamic tracking in dev: #​71867
• Revert "Sourcemap errors in terminal by default (#​71444)": #​71868
• Fix fetch caching inside of "use cache": #​71793
• Trace upload: only send traces for current session: #​71838
• Reland "Sourcemap errors in terminal by default": #​71877
• Implement information byte in Server Reference ID and other optimizations: #​71463
• fix: webpack build error on Windows: #​71943
• Run with --enable-source-maps by default in next dev: #​71820
• fix global-error styles: #​71914
• Use registerClientReference for ESM client component modules: #​71968
• Fix missing await of params when metadata is used with an image file: #​71871
• Upgrade React from 1631855f-20241023 to 02c0e824-20241028: #​71979
• Populate sourcemap ignoreList when Webpack is used: #​71821
• [dynamicIO] unify server and client prerender for non-ppr pathway: #​71764
• codemod: add separator to the parenthenese expr: #​71993
• Respect sourcemap's ignore list when printing errors in the terminal: #​71908
• fix console color to be compatible in chrome devtools: #​71939
• Delete obsolete codemod next-dynamic-access-named-export: #​72016
• fix: log the error instance modified extra location info: #​71930
• Compare error stack to dedupe error: #​71798

Example Changes

• experimental.instrumentationHook is not necessary anymore: #​71808
• Add Jude to nextjs team: #​71936

Misc Changes

• docs: fix broken link in Architecture/Turbopack documentation: #​71412
• test: migrate rest async api usage in tests: #​71663
• fix: docs for dynamic routing in next 15: #​71531
• Remove the 'new' keyword from the GET function sample code.: #​71671
• chore: fix wrong path of comments: #​71682
• docs(next-config): remove mention of appIsrStatus is on canary: #​71695
• react-sync: Ignore update notices from npm: #​71717
• Docs: Update default marker for fetch cache option: #​71728
• [docs] Fix page.tsx parameter types: #​71680
• [docs] Fix table.js containing TS code: #​71677
• docs(ppr): update note about ppr: #​71697
• docs lint: #​71748
• fixes error message asserts and lints: #​71747
• Fix docs for configuring Turbopack: #​71755
• docs(turbo): add experimental icon to turbo config section: #​71761
• feat(turbopack): Add __turbopack_original__ while tree shaking: #​71547
• test: re-enable test with note: #​71789
• Docs: Remove beta marker from Turbopack docs: #​71796
• Update docs 1: #​71812
• docs lint fixes: #​71813
• docs: remove "use cache" on before code snippet: #​71815
• Next docs broken links: #​71823
• [Turbopack] add optimization based on upper count: #​71606
• chore(turbo-tasks-backend): Use let instead of match for macro bindings: #​71756
• chore(turbo-tasks-backend): Remove collapsible-if lints: #​71758
• removing extra reference: #​71853
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 3): #​71665
• Update sync-dynamic-apis.mdx: #​71907
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 4): #​71804
• test: remove duplicated flaky test: #​71967
• docs: Fix typo in cacheLife configs in use-cache docs: #​71921
• Fix use cache example line highlights: #​71883
• Allow breakpoints to be set in packages/next/src/compiled: #​71986
• updated upgrade to v15 command in docs: #​71643
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 5): #​71861
• Clarify that streaming is blocked on generateMetadata for initial load: #​71985
• Docs: Add legacy tags: #​71964
• Docs: Fix broken link: #​72021
• (docs) use cache: Add text code formatting: #​71999
• docs: update file structure: #​71951
• Documentation Fix: Correct cacheTag Function Usage: #​71912
• correct expire calc & and Nested usage import in use-cache docs: #​71899
• Docs: Address internal use cache comments : #​71981
• Fix swc version mismatch when checking out an older version: #​71978

Credits

Huge thanks to @​ytori, @​unstubbable, @​huozhi, @​SebassNoob, @​tatsuteb, @​Marukome0743, @​gnoff, @​samcx, @​devjiwonchoi, @​imprakharshukla, @​migueldamota, @​eps1lon, @​ztanner, @​timneutkens, @​cantemizyurek, @​sebmarkbage, @​padmaia, @​ijjk, @​styfle, @​wbinnssmith, @​feedthejim, @​kdy1, @​shuding, @​molebox, @​ismaelrumzan, @​sokra, @​bgw, @​timeyoutakeit, @​AdonisAgelis, @​chicoxyzzy, @​gaojude, @​elitalpa, @​t3dotgg, @​gaearon, @​nisabmohd, @​gadcam, @​delbaoliveira, @​bennettdams, @​wiscaksono, and @​Developerayo for helping!

v15.0.1

Compare Source

Core Changes

• Reland "[dynamicIO] warn for disallowed dynamic in dev": #​71567
• next-upgrade: prompt (un)install only when there's a change: #​71308
• chore(next-codemod): remove @next/font from optional Next.js packages to install: #​71563
• [dynamicIO] Avoid triggering memory leak false positive with makeHangingPromise: #​71576
• Avoid triggering memory leak false positive with makeHangingPromise: #​71579
• Upgrade React from 65a56d0e-20241020 to 69d4b800-20241021: #​71568
• avoid logging stacks for internal errors: #​71575
• Avoid server action endpoint function indirection: #​71572
• fix: handle terminal color in chrome console: #​71581
• [dynamicIO] Update prerender to use Fizz prerender: #​71580
• misc(next-upgrade): reuse process.cwd() value: #​71558
• [dynamicIO]: dev navigations should show disallowed dynamic errors: #​71595
• next-lint: Use ESLint v9 by default: #​71371
• fix: prevent router errors from being logged on the client: #​71583
• fix: next package resolving in dev overlay: #​71632
• Improve type coverage of setup-dev-bundler: #​71443
• fix(turbo-tasks): Implement ValueDebugFormat for ResolvedVc: #​71173
• Add --turbopack CLI flag: #​71657
• [dynamicIO] detect metadata boundaries in dev using server component stacks: #​71666

Example Changes

• chore: Update with-supabase to be compatible with Nextjs 15: #​71631
• Update Sanity example to next v15: #​71640

Misc Changes

• docs(ppr): remove v14 mention for ppr: #​71498
• docs: fix upgrade codemod command: #​71578
• Turbopack: Always use blob: URLs for assets in middleware: #​71471
• fix: metadata image route Windows path escaping: #​71615
• fix: third-parties package peer dependency: #​71620
• Fix module_resolution: "nodenext" with mjs or cjs: #​71635
• react-sync: Automatically update peer dependencies in libraries: #​71636
• chore(docs): fix typo in image.mdx docs: #​71647
• docs: remove the canary note on instrumentation: #​71649
• test: fix async api tests: #​71652
• Enable source maps for pnpm debug: #​71653
• codemod(turbopack): Rewrite more Vc fields in structs as ResolvedVc: #​71172

Credits

Huge thanks to @​gnoff, @​devjiwonchoi, @​samcx, @​ztanner, @​unstubbable, @​huozhi, @​mischnic, @​lubieowoce, @​eps1lon, @​ivasilov, @​styfle, @​bgw, @​stipsan, and @​timneutkens for helping!

v15.0.0

Compare Source

Core Changes

• refactor: next-flight-client-module-loader return conditions: #​64348
• Fix Server Action error logs for unhandled POST requests: #​64315
• Shared Revalidate Timings: #​64370
• Freeze loaded manifests: #​64313
• test: skip turbopack build test: #​64356
• Fix: css in next/dynamic component in edge runtime: #​64382
• Fix more Turbopack build tests: #​64384
• use pathToFileUrl to make esm import()s work with absolute windows paths: #​64386
• Improve rendering performance: #​64408
• Fix the method prop case in Server Actions transform: #​64398
• fix(next-lint): update option --report-unused-disable-directives to --report-unused-disable-directives-severity: #​64405
• Revert "Fix: css in next/dynamic component in edge runtime": #​64442
• default fetchCache to no-store when force-dynamic is set: #​64145
• router restore should take priority over pending actions: #​64449
• Fix client boundary inheritance for barrel optimization: #​64467
• improve turborepo caching: #​64493
• Update font data: #​64481
• BREAKING CHANGE: remove deprecated analyticsId from config, and the corresponding performance-relayer files and tests: #​64199
• feat: strip traceparent header from cachekey: #​64499
• Fix typo in dynamic-rendering.ts: #​64365
• fix(next): global not-found not working on multi-root layouts: #​63053
• chore(next): add keywords on package.json: #​64173
• Fix DynamicServerError not being thrown in fetch: #​64511
• fix: lib/helpers/install.ts to better support pnpm and properly respect root argument: #​64418
• fix(next): Metadata.openGraph values not resolving basic values when type is set: #​63620
• disable production chunking in dev: #​64488
• update turbopack: #​64501
• Turbopack: Allow client components to be imported in app routes: #​64520
• refactor: remove always truthy flag: #​64522
• Turbopack: don’t show long internal stack traces on build errors: #​64427
• next/script: Correctly apply async and defer props: #​52939
• chore(next/font): update @​capsizecss/metrics package: #​64528
• feat: add information that revalidate interval is in seconds: #​64229
• Typo "Minifer" in config.ts: #​64359
• Enhance types for Node and Edge envionments: #​64454
• feat: Add a validation for postcss with useLightningcss: #​64379
• fix HMR for cases where chunking changes: #​64367
• perf: improve Pages Router server rendering performance: #​64461
• Fix cjs client components tree-shaking: #​64558
• fix refresh behavior for discarded actions: #​64532
• fix: filter out middleware requests in logging: #​64549
• chore: remove unused rust dependencies: #​62176
• fix(next-swc): correctly set wasm fallback for known target triples: #​64567
• memoize layout router context: #​64575
• fix incorrect refresh request when basePath is set: #​64589
• fix TypeError edge-case for parallel slots rendered multiple times: #​64271
• Fix ASL bundling for dynamic css: #​64451
• Revert "fix(next): global not-found not working on multi-root layouts": #​64601
• chore(test): run related E2E deploy tests on PRs: #​63763
• Improve top level await coverage: #​64508
• Upgrade typescript to 5.3: #​64043
• add pathname normalizer for actions: #​64592
• Fix experimental/testmode by removing console.log: #​64670
• Don't output .test.ts files in next/font: #​63472
• Fix reporting when performance.measure doesn't exist (Edge): #​64669
• Reduce amount of data passed to collectBuildTraces: #​59665
• fix(next-server): 'quiet' setting delegate for custom server: #​64512
• Revert "chore(test): run related E2E deploy tests on PRs": #​64682
• update turbopack: #​64686
• Fix: resolve mixed re-exports module as cjs: #​64681
• Revert "fix TypeError edge-case for parallel slots rendered multiple times": #​64690
• Fix typo: 'serverComponentsExtenalPackages' should be 'serverComponentsExternalPackages': #​64705
• prevent erroneous route interception during lazy fetch: #​64692
• Add @appsignal/nodejs to the external packages list: #​64503
• fix root page revalidation when redirecting in a server action: #​64730
• Clean-up fetch metrics tracking: #​64746
• [actions] Enforce body limit using Transform stream: #​64694
• Turbopack: Don’t show stack traces for internal modules: #​64228
• Reapply "chore(test): run related E2E deploy tests on PRs" (#​64682): #​64712
• fix(fetch-cache): fix typo: #​64786
• fix: remove traceparent from cachekey should not remove traceparent from original object: #​64727
• fix interception route rewrite regex not supporting hyphenated segments: #​64805
• Disable ncc cache instead of cache cleaning: #​64804
• Move next-swc Turborepo config to packages/next-swc: #​64789
• build: Update swc_core to v0.90.33: #​64553
• Enable loading source maps for Next Server and React: #​64527
• fix: mixing namespace import and named import client components: #​64809
• fext(next): extend next.config for mdxRs support options: #​64801
• skip test_e2e_deploy_related when triggered from a fork: #​64893
• fix(fetch-cache): fix additional typo, add type & data validation: #​64799
• feat(next-core): support parsing matcher config object: #​64678
• Fix mixed exports in server component with barrel optimization: #​64894
• fix: improve tsconfig extends checks: #​61413
• Fix next/image usage in mdx: #​64875
• fix dynamic route interception not working when deployed with middleware: #​64923
• feat(turbopack): Handle fragments in requests: #​64232
• feat(turbopack): Check for duplicate parallel routes: [#​64181](https://redirect.github.com/vercel/next.js/

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 8 workspace projects
Progress: resolved 0, reused 1, downloaded 0, added 0
demo/admin                               |  WARN  deprecated @gitbeaker/node@35.8.1
demo/admin                               |  WARN  deprecated eslint@8.56.0
demo/admin                               |  WARN  deprecated rimraf@3.0.2
Progress: resolved 44, reused 43, downloaded 0, added 0
Progress: resolved 49, reused 48, downloaded 0, added 0
Progress: resolved 63, reused 62, downloaded 0, added 0
Progress: resolved 63, reused 63, downloaded 0, added 0
demo/api                                 |  WARN  deprecated apollo-server-core@3.13.0
demo/api                                 |  WARN  deprecated apollo-server-express@3.13.0
Progress: resolved 129, reused 128, downloaded 0, added 0
Progress: resolved 216, reused 214, downloaded 0, added 0
Progress: resolved 299, reused 288, downloaded 0, added 0
Progress: resolved 525, reused 495, downloaded 0, added 0
Progress: resolved 666, reused 602, downloaded 0, added 0
Progress: resolved 902, reused 835, downloaded 0, added 0
Progress: resolved 1107, reused 1042, downloaded 0, added 0
Progress: resolved 1325, reused 1262, downloaded 0, added 0
Progress: resolved 1325, reused 1262, downloaded 1, added 0
Progress: resolved 1571, reused 1513, downloaded 1, added 0
Progress: resolved 1967, reused 1913, downloaded 1, added 0
Progress: resolved 1967, reused 1913, downloaded 2, added 0
Progress: resolved 1967, reused 1913, downloaded 3, added 0
Progress: resolved 1968, reused 1914, downloaded 3, added 0
Progress: resolved 1968, reused 1914, downloaded 4, added 0
Progress: resolved 1968, reused 1914, downloaded 5, added 0
Progress: resolved 2077, reused 2024, downloaded 12, added 0
Progress: resolved 2310, reused 2257, downloaded 15, added 0
Progress: resolved 2522, reused 2469, downloaded 15, added 0
 WARN  33 deprecated subdependencies found: @babel/plugin-proposal-class-properties@7.18.6, @babel/plugin-proposal-nullish-coalescing-operator@7.18.6, @babel/plugin-proposal-numeric-separator@7.18.6, @babel/plugin-proposal-object-rest-spread@7.20.7, @babel/plugin-proposal-optional-chaining@7.21.0, @babel/plugin-proposal-private-methods@7.18.6, @babel/plugin-proposal-private-property-in-object@7.21.11, @humanwhocodes/config-array@0.11.14, @humanwhocodes/object-schema@2.0.3, @types/loud-rejection@2.0.0, abab@2.0.6, acorn-import-assertions@1.9.0, apollo-datasource@3.3.2, apollo-reporting-protobuf@3.4.0, apollo-server-env@4.2.1, apollo-server-errors@3.3.1, apollo-server-plugin-base@3.7.2, apollo-server-types@3.8.0, domexception@2.0.1, fstream@1.0.12, glob@7.2.3, glob@8.1.0, har-validator@5.1.5, inflight@1.0.6, intl-messageformat-parser@6.4.3, lodash.get@4.4.2, multer@1.4.4, node-domexception@1.0.0, request@2.88.2, rimraf@2.7.1, subscriptions-transport-ws@0.11.0, uuid@3.4.0, w3c-hr-time@1.0.2
Progress: resolved 2523, reused 2470, downloaded 15, added 0
Progress: resolved 2523, reused 2470, downloaded 15, added 0, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

demo/campaign
└─┬ @comet/cms-site 7.21.1
  └── ✕ unmet peer next@^14.2.0: found 15.5.11

demo/site
└─┬ @comet/cms-site 7.21.1
  └── ✕ unmet peer next@^14.2.0: found 15.5.11

packages/mail-rendering
└─┬ @comet/cms-site 7.21.1
  └── ✕ unmet peer next@^14.2.0: found 15.5.11

hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.