Skip to content

Bump next from 16.2.2 to 16.2.3 in the security group across 1 directory#11

Merged
mellowagain merged 1 commit into
mainfrom
dependabot/npm_and_yarn/security-ad77747e51
Apr 16, 2026
Merged

Bump next from 16.2.2 to 16.2.3 in the security group across 1 directory#11
mellowagain merged 1 commit into
mainfrom
dependabot/npm_and_yarn/security-ad77747e51

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 16, 2026

Copy link
Copy Markdown
Contributor

Bumps the security group with 1 update in the / directory: next.

Updates next from 16.2.2 to 16.2.3

Release notes

Sourced from next's releases.

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

  • Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
  • Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
  • Deduplicate output assets and detect content conflicts on emit (#92292)
  • Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
  • turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

Commits
  • d5f649b v16.2.3
  • 2873928 [16.x] Avoid consuming cyclic models multiple times (#75)
  • d7c7765 [backport]: Ensure app-page reports stale ISR revalidation errors via onReque...
  • c573e8c fix(server-hmr): metadata routes overwrite page runtime HMR handler (#92273)
  • 57b8f65 next-core: deduplicate output assets and detect content conflicts on emit (#9...
  • f158df1 Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
  • 356d605 turbo-tasks-backend: stability fixes for task cancellation and error handling...
  • 3b77a6e Fix DashMap read-write self-deadlock in task_cache causing hangs (#92210)
  • b2f208a Backport: new view-transitions guide, update and fixes (#92264)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the security group with 1 update in the / directory: [next](https://github.com/vercel/next.js).


Updates `next` from 16.2.2 to 16.2.3
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.2...v16.2.3)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.3
  dependency-type: direct:production
  dependency-group: security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 16, 2026
@vercel

vercel Bot commented Apr 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
mari.zip Ready Ready Preview, Comment Apr 16, 2026 0:39am

@mellowagain

Copy link
Copy Markdown
Owner

/oc review

@github-actions

Copy link
Copy Markdown

This is a routine Dependabot security update bumping next from 16.2.2 to 16.2.3. Here's my review:

Summary

  • Patch-level security release backporting fixes for CVE-2026-23869
  • Changes are limited to package.json (version bump) and pnpm-lock.yaml (lockfile update)
  • Vercel preview deployment succeeded

Assessment

The changes are exactly what you'd expect from a legitimate Dependabot security bump:

  1. package.json: Single version string change 16.2.216.2.3
  2. pnpm-lock.yaml: Lockfile regeneration reflecting updated dependency resolution — the 272/244 line diff is normal for a lockfile update touching transitive dependencies

The release notes confirm this is a security patch release with no new features, only backported fixes:

  • CVE-2026-23869 fix (cyclic model consumption)
  • HMR regression fix for manifest.ts
  • Styled-JSX race condition fix
  • Turbo-tasks stability fixes

Recommendation: Approve and merge. This is a low-risk, high-value security update. The successful Vercel preview build confirms no breaking changes for this project.

New%20session%20-%202026-04-16T00%3A43%3A17.484Z
opencode session  |  github run

@mellowagain mellowagain merged commit 3c71040 into main Apr 16, 2026
5 checks passed
@mellowagain mellowagain deleted the dependabot/npm_and_yarn/security-ad77747e51 branch April 16, 2026 00:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant