@renovate renovate bot commented Dec 3, 2025

This PR contains the following updates:

| Package | Change |
| --- | --- |
| next (source) | 15.5.4 -> 15.5.7 |

GitHub Vulnerability Alerts

GHSA-9qr9-h5gf-34mp

A vulnerability affects certain React packages [1] for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

[1] The affected React packages are:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack

Release Notes

vercel/next.js (next)

v15.5.7


v15.5.6


[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Turbopack: don't define process.cwd() in node_modules #83452

Credits

Huge thanks to @mischnic for helping!

v15.5.5


[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Split code-frame into separate compiled package (#84238)
  • Add deprecation warning to Runtime config (#84650)
  • fix: unstable_cache should perform blocking revalidation during ISR revalidation (#84716)
  • feat: experimental.middlewareClientMaxBodySize body cloning limit (#84722)
  • fix: missing next/link types with typedRoutes (#84779)

Misc Changes

  • docs: early October improvements and fixes (#84334)

Credits

Huge thanks to @devjiwonchoi, @ztanner, and @icyJoseph for helping!


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) December 3, 2025 22:02

renovate bot commented Dec 3, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
 WARN  deprecated @types/[email protected]: This is a stub types definition. sass provides its own type definitions, so you do not need this installed.
Progress: resolved 1, reused 0, downloaded 0, added 0
 WARN  deprecated @types/[email protected]: This is a stub types definition. sharp provides its own type definitions, so you do not need this installed.
Progress: resolved 15, reused 0, downloaded 0, added 0
Progress: resolved 17, reused 0, downloaded 0, added 0
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for [email protected] published by Fri Nov 28 2025 02:28:29 GMT+0000 (Coordinated Universal Time) while fetching it from https://registry.npmjs.org/. Version 15.5.7 satisfies the specs but was released at Wed Dec 03 2025 15:26:07 GMT+0000 (Coordinated Universal Time)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/upleveled/next-js-portfolio-web

The latest release of next is "16.0.7". Published at 12/3/2025

Other releases are:
  * next-11: 11.1.4 published at 1/27/2022
  * next-12-2-6: 12.2.6 published at 9/29/2022
  * next-14-1: 14.1.1 published at 2/29/2024
  * rc: 15.0.0-rc.1 published at 10/15/2024
  * next-13: 13.5.11 published at 3/27/2025
  * next-12-3-2: 12.3.7 published at 3/28/2025
  * next-14: 14.2.33 published at 9/23/2025
  * beta: 16.0.0-beta.0 published at 10/10/2025
  * backport: 15.4.8 published at 12/3/2025
  * next-15-0: 15.1.9 published at 12/3/2025
  * next-15-0-0: 15.0.5 published at 12/3/2025
  * next-15-3: 15.3.6 published at 12/3/2025
  * next-15-2: 15.2.6 published at 12/3/2025
  * canary: 16.1.0-canary.14 published at 12/4/2025 11:36:10 PM

If you need the full list of all 3492 published versions run "$ pnpm view next versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude
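
The error above is pnpm's release-age gate refusing next 15.5.7 because it was published after the cutoff date. The following is an added example, not part of this PR or the repository's own configuration, of a pnpm-workspace.yaml that keeps the gate for other packages while exempting next, as the error message suggests; the 10080-minute value is an assumed setting that does not appear on the page.

```yaml
# pnpm-workspace.yaml (constructed example)

# Assumed value: refuse to resolve versions published less than
# 10080 minutes (7 days) ago.
minimumReleaseAge: 10080

# Packages listed here bypass the age gate, so a freshly published
# security release of next can be resolved immediately.
minimumReleaseAgeExclude:
  - next
```

Listing the package name exempts every future release of next from the delay, not only the patched one. Removing the entry once the patched version is older than the configured age restores the gate for that package.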

@renovate renovate bot changed the title from "Update dependency next to v15.5.7 [SECURITY]" to "Update dependency next to v15.5.7 [SECURITY] - autoclosed" Dec 4, 2025
@renovate renovate bot closed this Dec 4, 2025
auto-merge was automatically disabled December 4, 2025 21:27

Pull request was closed

@renovate renovate bot deleted the renovate/npm-next-vulnerability branch December 4, 2025 21:27
@renovate renovate bot changed the title from "Update dependency next to v15.5.7 [SECURITY] - autoclosed" to "Update dependency next to v15.5.7 [SECURITY]" Dec 5, 2025
@renovate renovate bot reopened this Dec 5, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from aa9c919 to dbc4343 Compare December 5, 2025 02:28
@renovate renovate bot enabled auto-merge (squash) December 5, 2025 06:06