fix: pin Next.js to 16.1.7 to mitigate CVE risk#140
Conversation
|
If you're new to commit signing, there are different ways to set it up: Sign commits with
|
There was a problem hiding this comment.
Code Review
This pull request updates the next and eslint-config-next dependencies from version ^16.1.1 to a pinned version 16.1.7 in both package.json and package-lock.json. It also updates several sub-dependencies in package-lock.json, including upgrading baseline-browser-mapping to 2.10.38, changing the dependency type of numerous packages from devOptional to dev, and adding several WASM-related sub-dependencies for @tailwindcss/oxide-wasm32-wasi. No review comments were provided, and I have no feedback to address.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
545a982 to
8ada089
Compare
Pin `next` and `eslint-config-next` from `^16.1.1` to exact `16.1.7`. Regenerate package-lock.json to reflect the pinned versions. Fixes tari-project#103 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
8ada089 to
c145fda
Compare
|
Note for reviewer: The "Check signed commits" status is a warning, not a required check — branch protection on The commit is signed with a GPG key registered to this GitHub account. The If signing verification is important to this project, I can re-sign the commit using the primary account email once it is verified on the GitHub account settings page. |
Summary
nextfrom^16.1.1to exact16.1.7inpackage.jsoneslint-config-nextto16.1.7to matchpackage-lock.jsonwith the pinned versions (lockfileVersion 3)Changes
package.json"next": "^16.1.1"→"next": "16.1.7"package.json"eslint-config-next": "^16.1.1"→"eslint-config-next": "16.1.7"package-lock.jsonnode_modules/nextnow resolves to16.1.7Notes
Full
npm run buildand end-to-end TU testing require access to the private@tari-project/wxtm-bridge-contractspackage on GitHub Packages and a running Tari Universe instance. The version change is minimal —16.1.7is a drop-in patch release with no API changes vs16.1.1.Fixes #103