[Snyk] Upgrade next from 13.1.6 to 15.4.5

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade next from 13.1.6 to 15.4.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 1534 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ES5EXT-6095076	140	Proof of Concept
	Uncontrolled Recursion SNYK-JS-NEXT-8186172	140	No Known Exploit
	Missing Authorization SNYK-JS-NEXT-8520073	140	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIMECOREJS3-9397696	140	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	140	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	140	No Known Exploit
	Race Condition SNYK-JS-NEXT-10176058	140	Proof of Concept
	Resource Exhaustion SNYK-JS-NEXT-6032387	140	Proof of Concept
	Allocation of Resources Without Limits or Throttling SNYK-JS-NEXT-8602067	140	No Known Exploit
	Improper Input Validation SNYK-JS-POSTCSS-5926692	140	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	140	Proof of Concept
	Missing Origin Validation in WebSockets SNYK-JS-NEXT-10259370	140	No Known Exploit
	Improper Authorization SNYK-JS-NEXT-9508709	140	Mature

Release notes

Package name: next

• 15.4.5 - 2025-07-29
• 15.4.4 - 2025-07-24
  

  Note

  This release is backporting bug fixes. It does not include all pending features/changes on canary.

  Core Changes

  • Fix dynamicParams false layout case in dev (#82026)
  • Turbopack: fix scope hoisting variable renaming bug (#81640)
  • Upgrade to swc v33 (#81750)
  • Revert "[metadata] use https protocol for schema urls" (#81934)

  Credits

  Huge thanks to @ bgw @ mischnic @ huozhi @ lukesandberg and @ ijjk for helping!

• 15.4.3 - 2025-07-22
  

  Note

  This release is backporting bug fixes. It does not include all pending features/changes on canary.

  Core Changes

  • Turbopack: fix dist dir on Windows (#81758)

  Credits

  Huge thanks to @ mischnic for helping!

• 15.4.2 - 2025-07-18
• 15.4.2-canary.56 - 2025-08-19
• 15.4.2-canary.55 - 2025-08-19
• 15.4.2-canary.54 - 2025-08-19
• 15.4.2-canary.53 - 2025-08-18
• 15.4.2-canary.52 - 2025-08-17
• 15.4.2-canary.51 - 2025-08-16
• 15.4.2-canary.50 - 2025-08-16
• 15.4.2-canary.49 - 2025-08-15
• 15.4.2-canary.48 - 2025-08-14
• 15.4.2-canary.47 - 2025-08-14
• 15.4.2-canary.46 - 2025-08-13
• 15.4.2-canary.45 - 2025-08-13
• 15.4.2-canary.44 - 2025-08-13
• 15.4.2-canary.43 - 2025-08-13
• 15.4.2-canary.42 - 2025-08-12
• 15.4.2-canary.41 - 2025-08-12
• 15.4.2-canary.40 - 2025-08-12
• 15.4.2-canary.39 - 2025-08-12
• 15.4.2-canary.38 - 2025-08-11
• 15.4.2-canary.37 - 2025-08-11
• 15.4.2-canary.36 - 2025-08-11
• 15.4.2-canary.35 - 2025-08-09
• 15.4.2-canary.34 - 2025-08-08
• 15.4.2-canary.33 - 2025-08-07
• 15.4.2-canary.32 - 2025-08-06
• 15.4.2-canary.31 - 2025-08-05
• 15.4.2-canary.30 - 2025-08-04
• 15.4.2-canary.29 - 2025-08-03
• 15.4.2-canary.28 - 2025-08-02
• 15.4.2-canary.27 - 2025-08-01
• 15.4.2-canary.26 - 2025-08-01
• 15.4.2-canary.25 - 2025-07-31
• 15.4.2-canary.24 - 2025-07-31
• 15.4.2-canary.23 - 2025-07-31
• 15.4.2-canary.22 - 2025-07-30
• 15.4.2-canary.21 - 2025-07-30
• 15.4.2-canary.20 - 2025-07-29
• 15.4.2-canary.19 - 2025-07-28
  

  Core Changes

  • Turbopack: write tasks doesn't need to be session dependent, as effects will restore: #78727
  • [sourcemaps] Fully sourcemap stacks on the Server: #81904
  • fix(Rspack): use loaderContext.utils.contextify to replace ModuleFilenameHelpers.createFilename: #82104
  • next/root-params: #80255
  • fix(next/image): fix image-optimizer.ts headers: #82114
  • Upgrade React from 19baee81-20250725 to eaee5308-20250728: #82120
  • Fix validateRSCRequestHeaders incorrect redirect: #82119
  • fix(next/image): improve and simplify detect-content-type: #82118
  • [CacheComponents] Use fallback params when validating dynamic routes in dev: #82069

  Misc Changes

  • Turbopack: only schedule tasks when task becomes active on active counter increase: #81414
  • docs: Update styling example links : #82111
  • [turbopack] Documentation fixes for rcstr! and a tiny improvement to hash: #82084
  • [turbopack] Improve our const compatible hash routine performance: #82088

  Credits

  Huge thanks to @ sokra, @ eps1lon, @ icyJoseph, @ SyMind, @ lubieowoce, @ styfle, @ gaojude, and @ lukesandberg for helping!

• 15.4.2-canary.18 - 2025-07-26
  

  Core Changes

  • Revert "Upgrade vercel og and remove yoga type patching (#81937)": #82066
  • Optimize segment data routes: #82033

  Credits

  Huge thanks to @ huozhi and @ ijjk for helping!

• 15.4.2-canary.17 - 2025-07-25
  

  Core Changes

  • Upgrade vercel og and remove yoga type patching: #81937
  • [perf] cache load config results: #80570
  • Turbopack: use prototype for turbopack context for better runtime performance: #81547
  • [reactcompiler] Test with latest RC: #82002
  • [devtools] Fix various exhaustive-deps violations: #82010
  • [devtools] Apply React Compiler to Next.js DevTools source: #82004
  • Upgrade React from edac0dde-20250723 to 3d14fcf0-20250724: #82020
  • Adjusted the warning message to be more descriptive: #82054
  • Track fallback params on workUnitStore: #82003
  • Fix API stripping JSON incorrectly: #82061
  • Upgrade React from 3d14fcf0-20250724 to 19baee81-20250725: #82063
  • use FetchStrategy to control prefetching behavior everywhere: #82032
  • [Segment Cache] set fetchStrategy on segments from a dynamic request: #82059

  Misc Changes

  • Update Rspack development test manifest: #82038
  • [test] Allow running lint-eslint on a specific directory: #82009
  • Adjusted the warning message to be more descriptive: #82052
  • Update Rspack production test manifest: #82039
  • [turbopack] mark rcstr! allocated Rcstr values as 'static' and stop refcounting them: #81994

  Credits

  Huge thanks to @ huozhi, @ vercel-release-bot, @ sokra, @ eps1lon, @ Cy-Tek, @ gnoff, @ lukesandberg, @ ijjk, and @ lubieowoce for helping!

• 15.4.2-canary.16 - 2025-07-24
  

  Core Changes

  • Initial MCP implementation: #81770
  • Fix: Unresolved param in x-nextjs-rewritten-query: #81991
  • Turbopack: Add an option to use system TLS certificates (fixes #79060, fixes #79059): #81818
  • Turbopack: Remove unused proxy option in turbo-tasks-fetch, lightly document HTTP_PROXY/HTTPS_PROXY environment variables: #81905
  • Upgrade React from 7513996f-20250722 to edac0dde-20250723: #81984
  • [devtools] Cleanup folder structure: #82012
  • [devtools] Fix "open in editor" for locations in stackframes: #82013
  • [Segment Cache] Fix: Key by rewritten search: #81986

  Misc Changes

  • Turbopack: improve named spans in tracing: #81458
  • Turbopack: update mimalloc: #81993
  • Turbopack: Update bundled webpki-roots: #81906
  • Allow specifying CLI version for e2e deploy: #81998
  • Turbopack: Move fs watcher anyhow::Context import inline to fix compilation warnings: #81997
  • Add link to manually trigger preview builds: #81977
  • Update Rspack production test manifest: #82007
  • Update Rspack development test manifest: #82008
  • Turbopack: Make turbo-tasks-fetch a bit more OOP-like: #81995

  Credits

  Huge thanks to @ sokra, @ acdlite, @ bgw, @ ijjk, @ eps1lon, and @ vercel-release-bot for helping!

• 15.4.2-canary.15 - 2025-07-23
  

  Core Changes

  • Upgrade React from e9638c33-20250721 to 7513996f-20250722: #81940
  • Upgrade to swc v33: #81750
  • Remove extra base-server code: #81944
  • Turbopack: flatten sourceInfo to avoid objects, reorder args, compress node.js entry: #81545
  • Fix dynamicParams false layout case in dev: #81990

  Misc Changes

  • [test] workaround test that needs stylus: #81965
  • Bump to swc_sourcemap 9.3.3: #81971
  • fix(Turbopack): Remove the duplicate SlowFilesystem warning: #81972
  • CI: add workflow_branch data to deploy test failure message: #81949
  • Update Rspack production test manifest: #81961
  • Update Rspack development test manifest: #81960
  • [turbopack] Rename ClientReferenceSet: #81942
  • Turbopack: fix scope hoisting variable renaming bug: #81640
  • Revert "[test] workaround test that needs stylus": #81981
  • [docs] fix rewrites example wording: #81985

  Credits

  Huge thanks to @ huozhi, @ mischnic, @ Cy-Tek, @ ztanner, @ vercel-release-bot, @ ijjk, @ lukesandberg, @ sokra, and @ allenzhou101 for helping!

• 15.4.2-canary.14 - 2025-07-22
  

  Misc Changes

  • Update Rspack development test manifest: #81913
  • Update Rspack production test manifest: #81914
  • Turbopack: Use workaround for rustc miscompilation bug on macos intel: #81950

  Credits

  Huge thanks to @ vercel-release-bot and @ bgw for helping!

• 15.4.2-canary.13 - 2025-07-22
  

  Core Changes

  • Stabilize node middleware support: #81907
  • Add run-turbopack-compiler trace span: #81917
  • fix: support calling onClose multiple times in edge-ssr-app: #81911
  • fix: logging the correct process for listened port: #81903
  • Build: Include rewrites in manifest generation: #81894
  • Routing: Clean up some code: #81932
  • [sourcemaps] Ensure codeframe when calling Client Functions from Server: #81918
  • [segment explorer] missing file suggestion: #81617
  • [turbopack] Always print trace labels in headers: #81728
  • Revert "[metadata] use https protocol for schema urls": #81934

  Misc Changes

  • Turbopack: Track variable usage inside of visit_assign_target_pat: #81654
  • Turbopack: Replace current_value set/restore mutation pattern with a safer with_pat_value helper: #81696
  • Docs: Document global-not-found: #81803
  • [router-act] Fixes related to segment inlining: #81896
  • [test] Add dedicated test for error when client functions are called from server components: #81930
  • Fix an issue in how css references are collected under next build --turbopack: #81704
  • Turbopack: Update notify-rs crate, remove workaround for fixed bug: #81909

  Credits

  Huge thanks to @ bgw, @ ijjk, @ mischnic, @ delbaoliveira, @ lubieowoce, @ huozhi, @ timneutkens, @ acdlite, @ eps1lon, and @ lukesandberg for helping!

• 15.4.2-canary.12 - 2025-07-21
  

  Core Changes

  • Upgrade React from dffacc7b-20250717 to e9638c33-20250721: #81899
  • chore(devtools): sync todos to linear: #81901
  • Introduce 'use cache: private':