Skip to content

fix: update Next.js to 15.4.11 to address CVE-2026-23864 #5400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
capJavert merged 1 commit into from
Jan 27, 2026
Merged

fix: update Next.js to 15.4.11 to address CVE-2026-23864 #5400

capJavert merged 1 commit into from
Jan 27, 2026

Conversation

@dailydotdevbot
Copy link
Contributor

@dailydotdevbot dailydotdevbot commented Jan 27, 2026
edited by github-actions bot
Loading

Summary

Updates Next.js to version 15.4.11 across all packages to address CVE-2026-23864, a denial of service vulnerability in React Server Components that can cause server crashes, out-of-memory exceptions, or excessive CPU usage through specially crafted HTTP requests.

Changes

  • webapp: next 15.4.10 → 15.4.11, @next/bundle-analyzer 15.4.10 → 15.4.11
  • extension: next 15.4.10 → 15.4.11
  • shared: next peer 15.0.0 → 15.4.11, next dev 15.4.10 → 15.4.11
  • storybook: next 15.4.10 → 15.4.11
  • Updated pnpm-lock.yaml with resolved dependencies

Reference

Closes ENG-476

Created by Huginn 🐦‍⬛

Preview domain

https://eng-476-fix-cve-2026-23864.preview.app.daily.dev

@dailydotdevbot dailydotdevbot requested a review from a team as a code owner January 27, 2026 15:59
@vercel
Copy link

vercel bot commented Jan 27, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
daily-webapp Ready Ready Preview Jan 27, 2026 5:15pm
storybook Building Building Preview Jan 27, 2026 5:15pm

Request Review

@capJavert capJavert force-pushed the eng-476-fix-cve-2026-23864 branch from 4cfd50d to bf4cee7 Compare January 27, 2026 17:11
@capJavert capJavert merged commit 848ac80 into main Jan 27, 2026
11 checks passed
@capJavert capJavert deleted the eng-476-fix-cve-2026-23864 branch January 27, 2026 17:16
capJavert
capJavert reviewed Jan 27, 2026
View reviewed changes
packages/webapp/.env
NEXT_PUBLIC_SLACK_CLIENT_ID=1137730955072.7361269413077
NEXT_PUBLIC_PADDLE_TOKEN=topsecret
NEXT_PUBLIC_PADDLE_TOKEN=test_4194076987e44d19d7e0c3388d6
NEXT_PUBLIC_PADDLE_ENVIRONMENT=sandbox
Copy link
Contributor

@capJavert capJavert Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reverted and invalidated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@capJavert capJavert capJavert left review comments

@rebelchris rebelchris Awaiting requested review from rebelchris rebelchris is a code owner automatically assigned from dailydotdev/web-team

@omBratteng omBratteng Awaiting requested review from omBratteng omBratteng is a code owner automatically assigned from dailydotdev/web-team

@AmarTrebinjac AmarTrebinjac Awaiting requested review from AmarTrebinjac AmarTrebinjac is a code owner automatically assigned from dailydotdev/web-team

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dailydotdevbot @capJavert