chore(deps): bump next from 14.2.33 to 15.5.14

[dependabot]

Bumps next from 14.2.33 to 15.5.14.

Release notes

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#82340)
• Turbopack: support pattern into exports field (#82757)
• NFT tracing fixes (#84155 and #85323)
• Turbopack: validate CSS without computing all paths (#83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

Commits

• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• 6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
• 7a94645 Apply needs for publishRelease
• bbfd4e3 v15.5.11
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade next from 14.2.33 to 15.5.14 to pick up a security fix and improved next/image caching, with no app code changes required.

• Dependencies

  • Bumped next to ^15.5.14 in apps/portal; updated lockfile.
  • Includes security patch for rewrites (CVE-2026-29057) and restored Content-Length/ETag for pages JSON responses.
  • Adds LRU disk cache for next/image (optional config: images.maximumDiskCacheSize).
  • Updates transitive deps (e.g., styled-jsx@5.1.6, optional sharp@0.34.x platform binaries).

• Migration

  • Ensure Node.js >= 18.18 (20+ recommended).
  • Clean and rebuild: remove .next, run pnpm install, then build.
  • If using next/image, set images.maximumDiskCacheSize if you want to control disk usage.

^{Written for commit d1e05e9. Summary will update on new commits.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[greptile-apps]

Greptile Summary

This PR bumps next from 14.2.33 to 15.5.14 in apps/portal — a major version upgrade that includes an important security fix (CVE-2026-29057, HTTP request smuggling via http-proxy in rewrites). The portal's next.config.js defines a /fonts/:path* rewrite, so it was directly in scope of that vulnerability, making this upgrade valuable.

Key points to be aware of before merging:

• eslint-config-next version mismatch: eslint-config-next is still pinned to 14.2.11 in devDependencies while next is now ^15.5.14. These packages must be kept in sync — the fix is a one-line update to ^15.5.14.
• Next.js 15 breaking changes: The upgrade crosses a major version boundary. Notable breaking changes include params and searchParams in App Router pages/layouts now being Promise-based (must be await-ed), and fetch requests no longer being cached by default. The portal app should be regression-tested for these areas before merging.
• images.domains deprecation: next.config.js still uses the images.domains option (not changed in this PR), which was deprecated in Next.js 14 and may generate warnings under Next.js 15. Consider migrating to images.remotePatterns as a follow-up.
• The pnpm-lock.yaml changes look correct — @sentry/nextjs and @nx/angular peer resolutions are updated alongside the next version.

Confidence Score: 3/5

• Not safe to merge until eslint-config-next is updated and the app is regression-tested against Next.js 15 breaking changes.
• The security fix (CVE-2026-29057) makes this upgrade desirable, but it crosses a major version boundary (14→15) with known breaking changes around async params/searchParams and caching semantics. Additionally, eslint-config-next was not updated alongside next, creating a version mismatch. Both items need to be addressed before this is safe to merge.
• apps/portal/package.json — eslint-config-next must be bumped to ^15.5.14 to match the new Next.js version.

Important Files Changed

Filename	Overview
apps/portal/package.json	Bumps next from ^14.2.32 to ^15.5.14 (major version upgrade), but leaves eslint-config-next at 14.2.11 — a version mismatch that can cause ESLint issues. The two packages must stay in sync.
pnpm-lock.yaml	Lock file correctly reflects the updated next@15.5.14 resolution and the cascading peer-dependency changes (e.g. @sentry/nextjs peer now resolved against Next.js 15).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Dependabot PR\nnext 14.2.33 → 15.5.14"] --> B["apps/portal/package.json\nnext updated ✅"]
    A --> C["pnpm-lock.yaml\nResolutions updated ✅"]
    B --> D{"eslint-config-next\n14.2.11 (not updated)"}
    D -->|"Version mismatch"| E["⚠️ ESLint may\nfail or behave\ninconsistently"]
    B --> F{"next.js 15\nBreaking Changes"}
    F --> G["params/searchParams\nnow async (Promises)"]
    F --> H["fetch no longer\ncached by default"]
    B --> I["Security Fix\nCVE-2026-29057\nHTTP request smuggling\nin rewrites ✅"]
    I --> J["next.config.js uses\n/fonts/:path* rewrite\n→ was vulnerable"]

Loading

Comments Outside Diff (1)

1. apps/portal/package.json, line 86 (link)

   eslint-config-next version out of sync with next

   eslint-config-next is pinned to 14.2.11 while next has been bumped to ^15.5.14. These two packages are tightly coupled — eslint-config-next ships lint rules that are specific to the Next.js version in use, and mixing major versions can cause false positives, missed lint warnings, or even ESLint resolution errors when the package looks for next internals.

   The eslint-config-next version should be updated to match the new Next.js major version:

   Rule Used: When updating dependencies via automated PRs (like... (source)

   Learnt From
   ever-co/ever-traduora#478

_{Last reviewed commit: "chore(deps): bump ne..."}

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/portal/package.json">

<violation number="1" location="apps/portal/package.json:43">
P2: `eslint-config-next` is still at `14.2.11` and should be updated to match the Next.js 15 major version. Version-mismatched ESLint configs can miss new rules and produce peer-dependency warnings.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: eslint-config-next is still at 14.2.11 and should be updated to match the Next.js 15 major version. Version-mismatched ESLint configs can miss new rules and produce peer-dependency warnings.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/portal/package.json, line 43:

<comment>`eslint-config-next` is still at `14.2.11` and should be updated to match the Next.js 15 major version. Version-mismatched ESLint configs can miss new rules and produce peer-dependency warnings.</comment>

<file context>
@@ -40,7 +40,7 @@
     "mux-embed": "^4.12.0",
     "nanoid": "^5.0.7",
-    "next": "^14.2.32",
+    "next": "^15.5.14",
     "plyr": "^3.7.8",
     "plyr-react": "^5.3.0",
</file context>

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud