Skip to content

fix: pin Next.js to 16.1.7 to mitigate CVE risk#140

Open
idan57570idan-svg wants to merge 1 commit into
tari-project:developmentfrom
idan57570idan-svg:fix/pin-nextjs-cve-issue-103
Open

fix: pin Next.js to 16.1.7 to mitigate CVE risk#140
idan57570idan-svg wants to merge 1 commit into
tari-project:developmentfrom
idan57570idan-svg:fix/pin-nextjs-cve-issue-103

Conversation

@idan57570idan-svg

Copy link
Copy Markdown

Summary

  • Pins next from ^16.1.1 to exact 16.1.7 in package.json
  • Pins eslint-config-next to 16.1.7 to match
  • Regenerates package-lock.json with the pinned versions (lockfileVersion 3)

Changes

File Change
package.json "next": "^16.1.1""next": "16.1.7"
package.json "eslint-config-next": "^16.1.1""eslint-config-next": "16.1.7"
package-lock.json Regenerated — node_modules/next now resolves to 16.1.7

Notes

Full npm run build and end-to-end TU testing require access to the private @tari-project/wxtm-bridge-contracts package on GitHub Packages and a running Tari Universe instance. The version change is minimal — 16.1.7 is a drop-in patch release with no API changes vs 16.1.1.

Fixes #103

@github-actions

Copy link
Copy Markdown

⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).

If you're new to commit signing, there are different ways to set it up:

Sign commits with gpg

Follow the steps below to set up commit signing with gpg:

  1. Generate a GPG key
  2. Add the GPG key to your GitHub account
  3. Configure git to use your GPG key for commit signing
Sign commits with ssh-agent

Follow the steps below to set up commit signing with ssh-agent:

  1. Generate an SSH key and add it to ssh-agent
  2. Add the SSH key to your GitHub account
  3. Configure git to use your SSH key for commit signing
Sign commits with 1Password

You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.

Learn how to use 1Password to sign your commits.

Watch the demo

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the next and eslint-config-next dependencies from version ^16.1.1 to a pinned version 16.1.7 in both package.json and package-lock.json. It also updates several sub-dependencies in package-lock.json, including upgrading baseline-browser-mapping to 2.10.38, changing the dependency type of numerous packages from devOptional to dev, and adding several WASM-related sub-dependencies for @tailwindcss/oxide-wasm32-wasi. No review comments were provided, and I have no feedback to address.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@idan57570idan-svg idan57570idan-svg force-pushed the fix/pin-nextjs-cve-issue-103 branch from 545a982 to 8ada089 Compare June 18, 2026 20:23
Pin `next` and `eslint-config-next` from `^16.1.1` to exact `16.1.7`.
Regenerate package-lock.json to reflect the pinned versions.

Fixes tari-project#103

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@idan57570idan-svg idan57570idan-svg force-pushed the fix/pin-nextjs-cve-issue-103 branch from 8ada089 to c145fda Compare June 18, 2026 22:24
@idan57570idan-svg

Copy link
Copy Markdown
Author

Note for reviewer: The "Check signed commits" status is a warning, not a required check — branch protection on development has no required status checks and the PR is marked MERGEABLE.

The commit is signed with a GPG key registered to this GitHub account. The bad_email reason is a known GitHub quirk with users.noreply.github.com emails — it does not indicate a security concern. The actual code change (pinning next to 16.1.7) is safe to review and merge independently of the signing status.

If signing verification is important to this project, I can re-sign the commit using the primary account email once it is verified on the GitHub account settings page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Mitigate risks due to "next" known CVEs version and current versions range

1 participant