🚨 [security] Update all of nextjs 16.0.3 → 16.0.7 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint-config-next (16.0.3 → 16.0.7)

Sorry, we couldn't find anything useful about this release.

✳️ next (16.0.3 → 16.0.7) · Repo

Security Advisories 🚨

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

Release Notes

16.0.6

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• bump the browserslist version to silence a warning in CI (#86625)

Credits

Huge thanks to @lukesandberg for helping!

16.0.5

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(nodejs-middleware): await for body cloning to be properly finalized (#85418)

Credits

Huge thanks to @lucasadrianof for helping!

16.0.4

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: Rename proxy.js to middleware.js in NFT file (#86214)
• fix: prevent fetch abort errors propagating to user error boundaries (#86277)
• Turbopack: fix passing project options from napi (#86256)

Credits

Huge thanks to @devjiwonchoi, @sokra and @ztanner for helping!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• v16.0.7
• update version script
• Update React Version (#11)
• v16.0.6
• bump the browserslist version to silence a warning in CI (#86625)
• v16.0.5
• backport fix(nodejs-middleware): await for body cloning to be properly finalized (#85418) (#86561)
• v16.0.4
• Turbopack: fix passing project options from napi (#86256)
• fix: prevent fetch abort errors propagating to user error boundaries (#86277)
• fix: Rename proxy.js to middleware.js in NFT file (#86214)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coderabbitai]

Walkthrough

This pull request updates Next.js and related dependencies across two playground package configuration files. In playgrounds/nextjs/package.json and playgrounds/v3/package.json, the Next.js dependency is bumped from version ^16.0.3 to ^16.0.7, and the ESLint configuration for Next.js is similarly updated from ^16.0.3 to ^16.0.7. These version updates bring both playground environments to a more recent patch version of the Next.js 16 release line. No exported or public entity signatures are modified by these changes.

Pre-merge checks

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating Next.js from 16.0.3 to 16.0.7 to address security vulnerabilities, using appropriate security emoji and concise language.
Description check	✅ Passed	The description is directly related to the changeset, detailing security vulnerabilities fixed, affected packages, release notes, and commits for the Next.js and eslint-config-next version updates.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f107e2 and 75693bc.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• playgrounds/nextjs/package.json (2 hunks)
• playgrounds/v3/package.json (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: macOS
• GitHub Check: Linux
• GitHub Check: Windows
• GitHub Check: Linux / webpack
• GitHub Check: Linux / vite
• GitHub Check: Linux / oxide
• GitHub Check: Linux / upgrade
• GitHub Check: Linux / postcss
• GitHub Check: Linux / cli

🔇 Additional comments (2)

playgrounds/nextjs/package.json (1)

14-14: ✓ Security patch applied correctly.

The Next.js and eslint-config-next versions are updated to 16.0.7, addressing the CVE-2025-55182 RCE vulnerability in the React flight protocol. React is already at the patched version (^19.2.0). Patch-level updates within the ^16.0.x constraint are backward compatible and introduce only backported bug fixes (middleware body cloning, fetch abort error handling, Turbopack fixes).

Also applies to: 24-24

playgrounds/v3/package.json (1)

12-12: ✓ Security patch applied consistently across playgrounds.

Both playground environments now align on Next.js 16.0.7 and eslint-config-next 16.0.7. React dependencies are already patched (^19.2.0). The patch-level update maintains compatibility while addressing CVE-2025-55182.

Also applies to: 23-23

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}