chore(nextjs): Update next to patched versions for CVE-2026-23869 [SECURITY]

jacekradko · jacekradko · commit adc653528338 · 2026-04-09T10:58:27.000-05:00
Bump next devDep to 15.5.15, narrow peerDep to ^15.5.15 || ^15.6.0-0 || ^16.2.3,
and update integration templates and playgrounds to patched version floors.
diff --git a/.changeset/nextjs-security-update.md b/.changeset/nextjs-security-update.md
@@ -2,4 +2,4 @@
 '@clerk/nextjs': patch
 ---
 
-Bump `next` devDependency floor to `15.5.13` to pick up an upstream security fix.
+Update `next` peer dependency to recommend patched versions (`^15.5.15 || ^15.6.0-0 || ^16.2.3`) to address CVE-2026-23869, a high-severity (CVSS 7.5) denial-of-service vulnerability in React Server Components. If you are on an older Next.js version, please upgrade to a patched release as soon as possible.
diff --git a/integration/templates/next-app-router-bundled-ui/package.json b/integration/templates/next-app-router-bundled-ui/package.json
@@ -12,7 +12,7 @@
     "@types/node": "^20.12.12",
     "@types/react": "19.2.14",
     "@types/react-dom": "19.2.3",
-    "next": "^15.0.1",
+    "next": "^15.5.15",
     "react": "19.2.4",
     "react-dom": "19.2.4",
     "typescript": "^5.7.3"
diff --git a/integration/templates/next-app-router-quickstart-v6/package.json b/integration/templates/next-app-router-quickstart-v6/package.json
@@ -12,7 +12,7 @@
     "@types/node": "^20.12.12",
     "@types/react": "18.3.12",
     "@types/react-dom": "18.3.1",
-    "next": "^15.0.1",
+    "next": "^15.5.15",
     "react": "18.3.1",
     "react-dom": "18.3.1",
     "typescript": "^5.7.3"
diff --git a/integration/templates/next-app-router-quickstart/package.json b/integration/templates/next-app-router-quickstart/package.json
@@ -12,7 +12,7 @@
     "@types/node": "^20.12.12",
     "@types/react": "18.3.12",
     "@types/react-dom": "18.3.1",
-    "next": "^15.0.1",
+    "next": "^15.5.15",
     "react": "18.3.1",
     "react-dom": "18.3.1",
     "typescript": "^5.7.3"
diff --git a/integration/templates/next-app-router/package.json b/integration/templates/next-app-router/package.json
@@ -13,7 +13,7 @@
     "@types/node": "^18.19.33",
     "@types/react": "18.3.12",
     "@types/react-dom": "18.3.1",
-    "next": "^15.0.1",
+    "next": "^15.5.15",
     "react": "18.3.1",
     "react-dom": "18.3.1",
     "typescript": "^5.7.3"
diff --git a/integration/templates/next-cache-components/package.json b/integration/templates/next-cache-components/package.json
@@ -13,7 +13,7 @@
     "@types/node": "^18.19.33",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
-    "next": "^16.2.1",
+    "next": "^16.2.3",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "typescript": "^5.7.3"
diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
@@ -92,10 +92,10 @@
   },
   "devDependencies": {
     "crypto-es": "^2.1.0",
-    "next": "15.5.13"
+    "next": "15.5.15"
   },
   "peerDependencies": {
-    "next": "^15.2.8 || ^15.3.8 || ^15.4.10 || ^15.5.9 || ^15.6.0-0 || ^16.0.10 || ^16.1.0-0",
+    "next": "^15.5.15 || ^15.6.0-0 || ^16.2.3",
     "react": "catalog:peer-react",
     "react-dom": "catalog:peer-react"
   },
diff --git a/playground/nextjs/package.json b/playground/nextjs/package.json
@@ -12,7 +12,7 @@
     "@clerk/nextjs": "canary",
     "@clerk/ui": "canary",
     "@clerk/types": "canary",
-    "next": "^15",
+    "next": "^15.5.15",
     "react": "^19.1.1",
     "react-dom": "^19.1.1"
   },
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -35,6 +35,9 @@ minimumReleaseAgeExclude:
   - '@clerk/*'
   - 'pkglab'
   - 'pkglab-*'
+  # CVE-2026-23869: React Server Components DoS
+  - 'next@15.5.15'
+  - '@next/*'
   # Renovate security update: @modelcontextprotocol/sdk@1.26.0
   - '@modelcontextprotocol/sdk@1.26.0'
   # Renovate security update: esbuild@0.25.0
