Bump the npm_and_yarn group across 5 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
vite	6.4.1	6.4.2
flatted	3.3.3	3.4.2
lodash	4.17.21	4.18.1
minimatch	3.1.2	10.2.5
picomatch	2.3.1	4.0.4
postcss	8.5.6	8.5.14
rollup	4.57.1	4.60.3
tar	7.5.9	7.5.15

Bumps the npm_and_yarn group with 1 update in the /templates/nextjs/advanced-permissions-starter directory: next.
Bumps the npm_and_yarn group with 1 update in the /templates/nextjs/delegation-starter directory: next.
Bumps the npm_and_yarn group with 1 update in the /templates/nextjs/farcaster-starter directory: next.
Bumps the npm_and_yarn group with 1 update in the /templates/nextjs/starter directory: next.

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 10.2.5

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• 693c823 10.2.5
• 7953af1 do not allow .. to consume drive letter on Windows
• 1caf918 lint and format
• 7783ed6 ignore docs
• 6d9b356 update deps etc
• c36addb 10.2.4
• 26b9002 docs: add warning about ReDoS
• 3a0d83b fix partial matching of globstar patterns
• ea94840 10.2.3
• 0873fba update deps
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates picomatch from 2.3.1 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

3.0.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@3.0.1...3.0.2

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• 3ec1394 Release 8.5.14 version
• f2bb827 Update dependencies
• d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
• 68bd213 fix: always call raw to retrieve raw values
• af58cf1 Release 8.5.13 version
• f227dbd Temporary ignore pnpm 11 config
• d3abd40 Update dependencies
• dd06c3e Revert stringifier changes because of the conflict with postcss-scss
• ae889c8 Try to fix CI
• e0093e4 Move to pnpm 11
• Additional commits viewable in compare view

Updates rollup from 4.57.1 to 4.60.3

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])
• #6332: chore(deps): update codecov/codecov-action action to v6 (@​renovate[bot])
• #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@​renovate[bot])
• #6334: fix(deps): update rust crate swc_compiler_base to v51 (@​renovate[bot])
• #6335: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6346: fix(deps): update minor/patch updates (@​renovate[bot])
• #6347: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6348: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6349: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6350: fix: reset variable render names between outputs in the same generate (@​barry3406, @​lukastaegert)
• #6351: chore(deps): update minor/patch updates (@​renovate[bot])
• #6352: chore(deps): update cross-platform-actions/action action to v1 (@​renovate[bot])
• #6353: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6354: chore(deps): lock file maintenance (@​renovate[bot])
• #6355: chore(deps): lock file maintenance (@​renovate[bot])
• #6356: chore(deps): lock file maintenance (@​renovate[bot])
• #6358: chore: remove cross-env from devDeps (@​K-tecchan)

v4.60.1

4.60.1

2026-03-30

Bug Fixes

• Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

• #6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@​littlegrayss, @​TrickyPi)
• #6317: chore(deps): pin dependencies (@​renovate[bot], @​lukastaegert)
• #6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@​renovate[bot], @​lukastaegert)
• #6319: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6320: chore(deps): pin dependency typescript to v5 (@​renovate[bot], @​lukastaegert)
• #6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@​renovate[bot], @​lukastaegert)
• #6322: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6323: chore(deps): lock file maintenance (@​renovate[bot])
• #6324: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.3

2026-05-04

Bug Fixes

• Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

• #6360: fix: do not rename nested "exports" bindings that do not conflict (@​tariqrafique, @​lukastaegert)
• #6364: chore(deps): update msys2/setup-msys2 digest to e989830 (@​renovate[bot])
• #6365: fix(deps): update minor/patch updates (@​renovate[bot])
• #6366: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6367: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6368: docs: add missing backticks in plugin-development (@​lumirlumir, @​lukastaegert)

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])
• #6332: chore(deps): update codecov/codecov-action action to v6 (@​renovate[bot])
• #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@​renovate[bot])
• #6334: fix(deps): update rust crate swc_compiler_base to v51 (@​renovate[bot])
• #6335: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6346: fix(deps): update minor/patch updates (@​renovate[bot])
• #6347: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6348: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6349: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6350: fix: reset variable render names between outputs in the same generate (@​barry3406, @​lukastaegert)
• #6351: chore(deps): update minor/patch updates (@​renovate[bot])
• #6352: chore(deps): update cross-platform-actions/action action to v1 (@​renovate[bot])
• #6353: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6354: chore(deps): lock file maintenance (@​renovate[bot])
• #6355: chore(deps): lock file maintenance (@​renovate[bot])
• #6356: chore(deps): lock file maintenance (@​renovate[bot])
• #6358: chore: remove cross-env from devDeps (@​K-tecchan)

4.60.1

2026-03-30

... (truncated)

Commits

• b47bdab 4.60.3
• 15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
• 12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
• b74aa39 Migrate instructions to AGENTS.md
• aa5a377 fix(deps): update minor/patch updates (#6365)
• 197e68b chore(deps): update msys2/setup-msys2 digest to e989830 (#6364)
• cded70a fix(deps): update swc monorepo (major) (#6366)
• bb2b8a5 docs: add missing backticks in plugin-development (#6368)
• 20af1c4 chore(deps): lock file maintenance (#6367)
• a6be82b 4.60.2
• Additional commits viewable in compare view

Updates tar from 7.5.9 to 7.5.15

Commits

• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• 3ec1394 Release 8.5.14 version
• f2bb827 Update dependencies
• d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
• 68bd213 fix: always call raw to retrieve raw values
• af58cf1 Release 8.5.13 version
• f227dbd Temporary ignore pnpm 11 config
• d3abd40 Update dependencies
• dd06c3e Revert stringifier changes because of the conflict with postcss-scss
• ae889c8 Try to fix CI
• e0093e4 Move to pnpm 11
• Additional commits viewable in compare view

Updates postcss from 8.5.6 to 8.5.14

Release notes

Sourced from postcss's releases.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• 3ec1394 Release 8.5.14 version
• f2bb827 Update dependencies
• d75953d Merge pull request #2084 from 43081j/raw-raws-rawing
• 68bd213 fix: always call raw to retrieve raw values
• af58cf1 Release 8.5.13 version
• f227dbd Temporary ignore pnpm 11 config
• d3abd40 Update dependencies
• dd06c3e Revert stringifier changes because of the conflict with postcss-scss
• ae889c8 Try to fix CI
• e0093e4 Move to pnpm 11
• Additional commits viewable in compare view

Updates next from 15.4.10 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.16

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE]

... (truncated)

Commits

• 9ff92ce v15.5.18
• 00ebe23 [backport] Disable build caches for production/staging/force-preview deploys ...
• 62c97ab v15.5.17
• 423623a Turbopack: Match proxy matchers with webpack implementation (#93594)
• fa78739 Turbopack: Fix middleware matcher suffix (#93590)
• 36e62c6 [backport] Turbopack: more strict vergen setup (#93588)
• 36589b5 [backport][test] Pin package manager to patch versions (#93596)
• ad6fd4e v15.5.16
• 79d7dff Ignore malformed CSP nonce headers (#103)
• c4f6908 router-server: guard upgrade proxy against absolute-url SSRF (#77) (#102)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates next from 15.4.10 to 15.5.18

Release notes

Sourced from next's releases.

v15.5.18

This release contains secu...

Description has been truncated

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	postcss@​8.5.6 ⏵ 8.5.14	+1	+2
	vite@​6.4.1 ⏵ 7.3.3	+6	+18
	vite@​6.4.1 ⏵ 6.4.2	+1	+18	+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm rollup is 100.0% likely to have a medium risk anomaly Notes: No direct evidence of hidden malware behavior (no explicit network exfiltration, credential theft, or system command execution is visible). The dominant security concern is that this build tooling intentionally enables arbitrary code execution via new Function() for inline plugin arguments and via dynamic require()/import() of plugins and configs based on runtime-provided strings/paths, plus a stdin-to-module loader and codegen+temp-file+import for transpiled configs. If an attacker can influence CLI/CI inputs (e.g., --plugin, config path, or plugin argument text), the risk is high for build-time arbitrary code execution. Confidence: 1.00 Severity: 0.60 From: ? → npm/vite@6.4.2 → npm/vite@7.3.3 → npm/vitest@3.2.4 → npm/rollup@4.60.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.60.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tar is 100.0% likely to have a medium risk anomaly Notes: This module acts as a standard tar extraction wrapper using synchronous and asynchronous code paths. There is no evident malicious activity within this fragment. Security risk hinges on the behavior of the Unpack/UnpackSync implementation and how tar entries are written to disk (e.g., path traversal). No hardcoded secrets or network calls are present here. Recommend ensuring tar extraction handles path traversal and destination path sanitization in Unpack, and consider validating opt.file presence and type before streaming. Confidence: 1.00 Severity: 0.60 From: ? → npm/@lavamoat/allow-scripts@3.4.3 → npm/vite@6.4.2 → npm/vite@7.3.3 → npm/vitest@3.2.4 → npm/tar@7.5.15 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.15. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm vite is 100.0% likely to have a medium risk anomaly Notes: This fragment performs a high-impact global namespace injection driven by a build-time DEFINES object. While not inherently malicious, it creates a significant risk surface: it can override or create global properties, potentially altering security-sensitive behavior. Strong validation, strict namespace scoping, or replacing with a controlled sandbox/namespace approach is recommended to mitigate supply-chain risk. Confidence: 1.00 Severity: 0.60 From: package.json → npm/vite@6.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@6.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report