[Snyk] Upgrade next from 14.1.1 to 14.2.28

[nejidevelops]

Snyk has created this PR to upgrade next from 14.1.1 to 14.2.28.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 116 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Allocation of Resources Without Limits or Throttling SNYK-JS-NEXT-8602067	559	No Known Exploit
	Improper Authorization SNYK-JS-NEXT-9508709	559	Mature
	Acceptance of Extraneous Untrusted Data With Trusted Data SNYK-JS-NEXT-8025427	559	No Known Exploit
	Uncontrolled Recursion SNYK-JS-NEXT-8186172	559	No Known Exploit
	Missing Authorization SNYK-JS-NEXT-8520073	559	No Known Exploit

Release notes

Package name: next

• 14.2.28 - 2025-04-08
  

  Note

  This release is backporting bug fixes. It does not include all pending features/changes on canary.

  Core Changes

  • fix: node.js module import error when using middleware (#77945)

  Credits

  Huge thanks to @ ztanner for helping!

• 14.2.27 - 2025-04-07
  

  Note

  This release is backporting bug fixes. It does not include all pending features/changes on canary.

  Core Changes

  • fix dynamic route interception not working when deployed with middleware (#64923)

  Credits

  Huge thanks to @ ztanner for helping!

• 14.2.26 - 2025-03-24
• 14.2.25 - 2025-03-17
• 14.2.24 - 2025-02-11
• 14.2.23 - 2025-01-07
• 14.2.22 - 2024-12-26
• 14.2.21 - 2024-12-19
• 14.2.20 - 2024-12-04
• 14.2.19 - 2024-12-03
• 14.2.18 - 2024-11-13
• 14.2.17 - 2024-11-05
• 14.2.16 - 2024-10-23
• 14.2.15 - 2024-10-08
• 14.2.14 - 2024-10-01
• 14.2.13 - 2024-09-20
• 14.2.12 - 2024-09-17
• 14.2.11 - 2024-09-12
• 14.2.10 - 2024-09-11
• 14.2.9 - 2024-09-09
• 14.2.8 - 2024-09-04
• 14.2.7 - 2024-08-27
• 14.2.6 - 2024-08-21
• 14.2.5 - 2024-07-10
• 14.2.4 - 2024-06-11
• 14.2.3 - 2024-04-24
• 14.2.2 - 2024-04-18
• 14.2.1 - 2024-04-12
• 14.2.1-canary.7 - 2024-04-15
• 14.2.1-canary.6 - 2024-04-15
• 14.2.1-canary.5 - 2024-04-14
• 14.2.1-canary.4 - 2024-04-13
• 14.2.1-canary.3 - 2024-04-12
• 14.2.1-canary.2 - 2024-04-12
• 14.2.1-canary.1 - 2024-04-12
• 14.2.1-canary.0 - 2024-04-11
• 14.2.0 - 2024-04-11
• 14.2.0-canary.67 - 2024-04-11
• 14.2.0-canary.66 - 2024-04-11
• 14.2.0-canary.65 - 2024-04-10
• 14.2.0-canary.64 - 2024-04-09
• 14.2.0-canary.63 - 2024-04-08
• 14.2.0-canary.62 - 2024-04-07
• 14.2.0-canary.61 - 2024-04-06
• 14.2.0-canary.60 - 2024-04-05
• 14.2.0-canary.59 - 2024-04-05
• 14.2.0-canary.58 - 2024-04-05
• 14.2.0-canary.57 - 2024-04-04
• 14.2.0-canary.56 - 2024-04-04
• 14.2.0-canary.55 - 2024-04-03
• 14.2.0-canary.54 - 2024-04-02
• 14.2.0-canary.53 - 2024-04-02
• 14.2.0-canary.52 - 2024-04-01
• 14.2.0-canary.51 - 2024-04-01
• 14.2.0-canary.50 - 2024-03-30
• 14.2.0-canary.49 - 2024-03-29
• 14.2.0-canary.48 - 2024-03-28
• 14.2.0-canary.47 - 2024-03-28
• 14.2.0-canary.46 - 2024-03-27
• 14.2.0-canary.45 - 2024-03-27
• 14.2.0-canary.44 - 2024-03-26
• 14.2.0-canary.43 - 2024-03-25
• 14.2.0-canary.42 - 2024-03-25
• 14.2.0-canary.41 - 2024-03-24
• 14.2.0-canary.40 - 2024-03-23
• 14.2.0-canary.39 - 2024-03-22
• 14.2.0-canary.38 - 2024-03-22
• 14.2.0-canary.37 - 2024-03-22
• 14.2.0-canary.36 - 2024-03-21
• 14.2.0-canary.35 - 2024-03-21
• 14.2.0-canary.34 - 2024-03-20
• 14.2.0-canary.33 - 2024-03-19
• 14.2.0-canary.32 - 2024-03-19
• 14.2.0-canary.31 - 2024-03-19
• 14.2.0-canary.30 - 2024-03-18
• 14.2.0-canary.29 - 2024-03-18
• 14.2.0-canary.28 - 2024-03-18
• 14.2.0-canary.27 - 2024-03-17
• 14.2.0-canary.26 - 2024-03-16
• 14.2.0-canary.25 - 2024-03-16
• 14.2.0-canary.24 - 2024-03-15
• 14.2.0-canary.23 - 2024-03-14
• 14.2.0-canary.22 - 2024-03-14
• 14.2.0-canary.21 - 2024-03-13
• 14.2.0-canary.20 - 2024-03-13
• 14.2.0-canary.19 - 2024-03-12
• 14.2.0-canary.18 - 2024-03-12
• 14.2.0-canary.17 - 2024-03-12
• 14.2.0-canary.16 - 2024-03-11
• 14.2.0-canary.15 - 2024-03-11
• 14.2.0-canary.14 - 2024-03-11
• 14.2.0-canary.13 - 2024-03-10
• 14.2.0-canary.12 - 2024-03-09
• 14.2.0-canary.11 - 2024-03-08
• 14.2.0-canary.10 - 2024-03-08
• 14.2.0-canary.9 - 2024-03-08
• 14.2.0-canary.8 - 2024-03-07
• 14.2.0-canary.7 - 2024-03-07
• 14.2.0-canary.6 - 2024-03-06
• 14.2.0-canary.5 - 2024-03-06
• 14.2.0-canary.4 - 2024-03-06
• 14.2.0-canary.3 - 2024-03-06
• 14.2.0-canary.2 - 2024-03-05
• 14.2.0-canary.1 - 2024-03-05
• 14.2.0-canary.0 - 2024-03-05
• 14.1.4 - 2024-03-20
• 14.1.3 - 2024-03-06
• 14.1.2 - 2024-03-04
• 14.1.2-canary.7 - 2024-03-04
• 14.1.2-canary.6 - 2024-03-04
• 14.1.2-canary.5 - 2024-03-04
• 14.1.2-canary.4 - 2024-03-04
• 14.1.2-canary.3 - 2024-03-03
• 14.1.2-canary.2 - 2024-03-02
• 14.1.2-canary.1 - 2024-03-01
• 14.1.2-canary.0 - 2024-03-01
• 14.1.1 - 2024-02-29

from next GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[gemini-code-assist]

Hello @nejidevelops, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello team, gemini-code-assist here with a summary of this pull request. This PR, automatically generated by Snyk, aims to upgrade the next dependency from version 14.1.1 to 14.2.28. The primary motivation for this significant version jump (116 versions according to Snyk) is to address several security vulnerabilities identified in the current version, including critical, high, and medium severity issues related to authorization, resource allocation, and data handling. The changes primarily involve updating the version specification in package.json and updating the locked versions and integrity hashes for next and its related @next/swc-* and @swc/helpers dependencies in package-lock.json. A new optional dependency, @swc/counter, is also added as part of the @swc/helpers update, and @playwright/test is added as an optional peer dependency for next.

Highlights

• Dependency Upgrade: Upgrades the next dependency from version 14.1.1 to 14.2.28.
• Security Fixes: Addresses multiple security vulnerabilities reported by Snyk, including critical, high, and medium severity issues.
• Dependency Tree Updates: Updates locked versions and integrity hashes for next and related @next/swc-* and @swc/helpers packages in package-lock.json.
• New Optional Dependencies: Adds @swc/counter as a dependency of @swc/helpers and @playwright/test as an optional peer dependency of next in the lock file.

Changelog

Click here to see the changelog

• package-lock.json
  • Updated next version from 14.1.1 to 14.2.28 (Line 17)
  • Updated @next/env version, resolved URL, and integrity hash, added license (Lines 259-262)
  • Updated @next/swc-darwin-arm64 version, resolved URL, and integrity hash, added license (Lines 274-276)
  • Updated @next/swc-darwin-x64 version, resolved URL, and integrity hash, added license (Lines 290-292)
  • Updated @next/swc-linux-arm64-gnu version, resolved URL, and integrity hash, added license (Lines 306-308)
  • Updated @next/swc-linux-arm64-musl version, resolved URL, and integrity hash, added license (Lines 322-324)
  • Updated @next/swc-linux-x64-gnu version, resolved URL, and integrity hash, added license (Lines 338-340)
  • Updated @next/swc-linux-x64-musl version, resolved URL, and integrity hash, added license (Lines 354-356)
  • Updated @next/swc-win32-arm64-msvc version, resolved URL, and integrity hash, added license (Lines 370-372)
  • Updated @next/swc-win32-ia32-msvc version, resolved URL, and integrity hash, added license (Lines 386-388)
  • Updated @next/swc-win32-x64-msvc version, resolved URL, and integrity hash, added license (Lines 402-404)
  • Added @swc/counter dependency with version, resolved URL, integrity hash, and license (Lines 624-627)
  • Updated @swc/helpers version, resolved URL, and integrity hash, added license and @swc/counter dependency (Lines 630-637)
  • Updated next entry with new version, resolved URL, integrity hash, license, and updated @next/env and @swc/helpers dependency versions (Lines 3599-3605)
  • Updated next optional dependencies to version 14.2.28 for all @next/swc-* packages (Lines 3619-3627)
  • Added @playwright/test as an optional peer dependency for next (Line 3631)
  • Added @playwright/test optional flag in next peer dependencies (Lines 3640-3642)
• package.json
  • Updated next dependency version from 14.1.1 to 14.2.28 (Line 18)

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

A package old,
Has vulns untold.
Upgrade it fast,
Make safety last.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the next dependency from version 14.1.1 to 14.2.28. This upgrade is important as it addresses several security vulnerabilities, including critical and high severity issues, as indicated by Snyk. The changes are limited to updating the version in package.json and the corresponding entries and hashes in package-lock.json.

Summary of Findings

• Security Vulnerabilities Addressed: The primary finding is that this PR successfully upgrades the next dependency to a version that fixes several reported security vulnerabilities, including critical and high severity issues. This is a significant improvement for the project's security posture.
• package.json vs package-lock.json Version Inconsistency: There is a minor inconsistency in how the next version is specified between package.json (exact version) and the top-level dependencies section of package-lock.json (caret version). While the actual locked version is correct, this discrepancy could potentially cause confusion or issues if the lock file is not strictly used.

Merge Readiness

This pull request is valuable for addressing known security vulnerabilities by upgrading the next dependency. However, dependency upgrades, especially across multiple patch versions, can sometimes introduce unexpected issues or require code adjustments in the application. Additionally, there is a minor inconsistency in the version specification between package.json and package-lock.json that should ideally be resolved. Therefore, I recommend thorough testing of the application with these updated dependencies before merging. I am unable to approve this pull request; please ensure other reviewers have signed off before merging.

[gemini-code-assist]

The package.json file specifies the next version as "14.2.28" (exact), but the top-level dependencies section in package-lock.json lists it with a caret "^14.2.28". While the main next entry later in the file correctly shows the locked version 14.2.28, this inconsistency in the top-level dependencies block of the lock file might be confusing or indicate an unexpected state. It's generally best practice for the top-level dependencies in package-lock.json to mirror the version specifiers in package.json for clarity and consistency. Could this discrepancy lead to unexpected behavior if the lock file were to be regenerated without the exact version specified in package.json?

"next": "14.2.28",