@dominic-clerk dominic-clerk (Contributor) commented Dec 10, 2025

Description

As a react2shell follow-up, this upgrades the dev version and also the peer dependency so clerk installations aren't vulnerable to react2shell.

See also

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • Chores

    • Updated Next.js dependency from 15.2.3 to 15.2.6 for improved stability.
    • Aligned peer dependency constraints to ensure consistent Next.js compatibility across packages.
  • Security

    • Added a patch changeset documenting a security-related dependency update (CVE-2025-55182) to keep the package secure.


@changeset-bot changeset-bot bot commented Dec 10, 2025

🦋 Changeset detected

Latest commit: 429107b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: @clerk/nextjs (Patch)


@vercel vercel bot commented Dec 10, 2025

The latest updates on your projects:

Project: clerk-js-sandbox | Deployment: Ready | Preview: Ready (Preview, Comment links) | Updated (UTC): Dec 10, 2025 0:12am

@coderabbitai coderabbitai bot (Contributor) commented Dec 10, 2025

Walkthrough

Bumped Next.js from 15.2.3 to 15.2.6 in packages/nextjs/package.json (devDependencies and peerDependencies) and added a changeset markdown file documenting a patch release addressing a CVE-related peerDependency update.

Changes

Cohort / File(s): Summary

Next.js version bump: packages/nextjs/package.json
  Updated devDependencies: next 15.2.3 → 15.2.6; updated peerDependencies: next constraint `^15.2.3

Changeset (release note): .changeset/fuzzy-geese-guess.md
  Added changeset marking a patch for @clerk/nextjs, documenting a peerDependency update related to CVE-2025-55182; no code or API changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review packages/nextjs/package.json for correct version and constraint formatting.
  • Verify .changeset/fuzzy-geese-guess.md text and package target are accurate for release automation/CVE tracking.

Poem

🐇 A patch for the meadow, small and neat,
I hopped a version, light on my feet.
From 15.2.3 to 15.2.6 I go,
A tiny changeset in tow.
Happy builds and safer flow ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Title check: Passed. The title clearly and specifically describes the main change: bumping the Next.js version to address a specific CVE vulnerability.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped: CodeRabbit's high-level summary is enabled.

Warning: Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2025: Entity not found: Issue - Could not find referenced Issue.


@pkg-pr-new pkg-pr-new bot commented Dec 10, 2025

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7423

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7423

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7423

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7423

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7423

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7423

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7423

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7423

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7423

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7423

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7423

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7423

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7423

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7423

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7423

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7423

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7423

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7423

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7423

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7423

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7423

commit: 429107b

@@ -0,0 +1,5 @@
---
'@clerk/nextjs': patch
dominic-clerk (Contributor, Author) commented:

I wasn't sure if this was a patch or minor?

Member replied:

In this case it's a patch as Core 3 already has a major release planned (so it's going to go out as a major either way)

@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.changeset/fuzzy-geese-guess.md (1)

1-5: Changeset format is correct; consider enhancing the description for clarity.

The changeset follows the correct format with proper YAML frontmatter and a patch-level bump designation. However, the description is minimal and could be more informative for release notes and consumers of this package.

Consider expanding the description to specify the Next.js version bump details and the nature of the CVE fix:

---
'@clerk/nextjs': patch
---

-Updating peerDependency for CVE-2025-55182
+Bump Next.js to 15.2.6 to address CVE-2025-55182 (react2shell vulnerability)

This provides clearer context for users reviewing release notes.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between f49baec and 429107b.

📒 Files selected for processing (1)
  • .changeset/fuzzy-geese-guess.md (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (26)
  • GitHub Check: Integration Tests (quickstart, chrome, 16)
  • GitHub Check: Integration Tests (quickstart, chrome, 15)
  • GitHub Check: Integration Tests (nextjs, chrome, 16)
  • GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
  • GitHub Check: Integration Tests (machine, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (billing, chrome)
  • GitHub Check: Integration Tests (custom, chrome)
  • GitHub Check: Integration Tests (machine, chrome, RQ)
  • GitHub Check: Integration Tests (billing, chrome, RQ)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (handshake:staging, chrome)
  • GitHub Check: Integration Tests (vue, chrome)
  • GitHub Check: Integration Tests (sessions, chrome)
  • GitHub Check: Integration Tests (sessions:staging, chrome)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (ap-flows, chrome)
  • GitHub Check: Integration Tests (handshake, chrome)
  • GitHub Check: Integration Tests (localhost, chrome)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (express, chrome)
  • GitHub Check: Build Packages
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (1)
.changeset/fuzzy-geese-guess.md (1)

2-2: Package.json changes are correctly aligned with the changeset.

The Next.js versions in packages/nextjs/package.json have been properly updated to address CVE-2025-55182: devDependencies specifies 15.2.6 and peerDependencies allows ^15.2.6 || ^16. The versions are consistent across both dependency types, supporting the patch-level bump documented in the changeset.

@dominic-clerk dominic-clerk (Contributor, Author) commented:

This PR focused on the `next` version we had as a devDependency, but to be more rigorous with the version ranges we'd probably need to go with

diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
index 9098b8f69..96b233367 100644
--- a/packages/nextjs/package.json
+++ b/packages/nextjs/package.json
@@ -95,7 +95,7 @@
     "next": "15.2.6"
   },
   "peerDependencies": {
-    "next": "^15.2.6 || ^16",
+    "next": "^15.2.6 || ^15.3.6 || ^15.4.8 || ^15.5.7 || ^15.6.0-0 || ^16.0.7 || ^16.1.0-0",
     "react": "catalog:peer-react",
     "react-dom": "catalog:peer-react"
   },
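Review bot: the new `next` peer range on the `+` line is almost entirely subsumed by its first arm, so it does not express the per-minor floors it appears to. `^15.2.6` already means `>=15.2.6 <16.0.0`, which makes `^15.3.6`, `^15.4.8` and `^15.5.7` redundant and still admits 15.3.0 through 15.3.5 (and the 15.4.x / 15.5.x releases below the listed floors); `^15.6.0-0` only adds pre-release matching on 15.6.0. If the intent is "only the patched release of each minor line", tilde ranges say that: `~15.2.6 || ~15.3.6 || ~15.4.8 || ~15.5.7 || ^15.6.0-0`, and likewise `~16.0.7 || ^16.1.0-0` for the 16 arm. Separately, the devDependency on the first context line stays pinned to `15.2.6`, so the test suite never exercises any of the other floors being declared.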
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 7c7484abc..124daef63 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -3,7 +3,7 @@ packages:
 
 catalogs:
   peer-react:
-    react: ^18.0.0 || ^19.0.0 || ^19.0.0-0
+    react: ^18.0.0 || ^19.0.1 || ^19.1.2 || ^19.2.1 || ^19.0.1-0
     react-dom: ^18.0.0 || ^19.0.0 || ^19.0.0-0
   react:
     '@types/react': 18.3.26
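Review bot: the `react` entry in the `peer-react` catalog changes but `react-dom` on the following context line keeps `^18.0.0 || ^19.0.0 || ^19.0.0-0`, so a consumer can resolve a react-dom below the new react floors even though the two packages must match; update both lines together. The caret problem from the package.json hunk repeats here: `^19.0.1` already covers every later 19.x, so `^19.1.2` and `^19.2.1` add nothing and 19.1.0 and 19.2.0 still satisfy the range; `~19.0.1 || ~19.1.2 || ~19.2.1` is the form that treats those as floors. The trailing `^19.0.1-0` also differs from the original `^19.0.0-0` in scope: it admits pre-releases of 19.0.1 only, not of the later minors, which is probably not what was meant.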

WDYT @nikosdouvlis ? Or maybe I'm getting carried away here 😅
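The question in the comment above comes down to what each range actually admits. As an added example (not code from the PR or from Clerk), the block below hand-rolls the subset of npm/node-semver range semantics these ranges use (`||` unions, `^`, `~`, exact versions, partial majors such as `^16`, and the rule that a pre-release only matches a comparator whose lower bound is a pre-release on the same x.y.z) and evaluates the merged range, the proposed caret range, and a tilde variant over a set of probe versions. The `TILDE` range and the probe versions are constructed here to show the difference; no claim is made about which real Next.js releases are affected.

```javascript
// Added example, not Clerk's code: a minimal evaluator for npm-style
// version ranges, enough to check whether a peerDependency range still
// admits releases below a patched floor. Supports "||" unions of "^x.y.z",
// "~x.y.z", exact "x.y.z" and partial majors such as "^16", plus
// node-semver's rule that a pre-release version only matches a comparator
// whose lower bound is itself a pre-release on the same x.y.z.

function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return {
    nums: [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)],
    pre: m[4] ? m[4].split('.') : null, // pre-release identifiers, if any
  };
}

// SemVer precedence: numeric tuple first; a pre-release sorts below the
// release of the same tuple; identifiers compare numerically when both are
// numeric, otherwise as strings, with numeric < alphanumeric.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// One comparator becomes a half-open interval [low, high); high === null means exact.
function parseComparator(text) {
  const op = text[0] === '^' || text[0] === '~' ? text[0] : '';
  const low = parseVersion(op ? text.slice(1) : text);
  const [maj, min, pat] = low.nums;
  let bound;
  if (op === '^') {        // caret: up to the next major (next minor/patch when major is 0)
    bound = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
  } else if (op === '~') { // tilde: up to the next minor
    bound = [maj, min + 1, 0];
  } else {
    return { low, high: null };
  }
  // "-0" is the lowest possible pre-release, so no pre-release of the bound slips in
  return { low, high: { nums: bound, pre: ['0'] } };
}

function satisfiesComparator(v, c) {
  const sameTuple = c.low.pre && c.low.nums.every((n, i) => n === v.nums[i]);
  if (v.pre && !sameTuple) return false; // pre-release rule
  if (c.high === null) return compare(v, c.low) === 0;
  return compare(v, c.low) >= 0 && compare(v, c.high) < 0;
}

function satisfies(versionText, rangeText) {
  const v = parseVersion(versionText);
  return rangeText.split('||').map(s => s.trim()).filter(Boolean)
    .map(parseComparator).some(c => satisfiesComparator(v, c));
}

// Which of the given versions does a range admit?
function admitted(rangeText, versions) {
  return versions.filter(v => satisfies(v, rangeText));
}

// Ranges taken from the PR discussion above.
const MERGED   = '^15.2.6 || ^16';
const PROPOSED = '^15.2.6 || ^15.3.6 || ^15.4.8 || ^15.5.7 || ^15.6.0-0 || ^16.0.7 || ^16.1.0-0';
// Same floors with tilde on the patched lines: an assumed "only the patched
// release of each minor" intent, not something the PR proposes.
const TILDE    = '~15.2.6 || ~15.3.6 || ~15.4.8 || ~15.5.7 || ^15.6.0-0 || ~16.0.7 || ^16.1.0-0';

// Constructed probe versions: a release just below each proposed floor (a
// stand-in for an unpatched release, no claim about real Next.js versions),
// the floors themselves, and two pre-releases.
const PROBES = ['15.2.5', '15.2.6', '15.3.0', '15.3.6', '15.4.0', '15.5.0',
                '15.6.0-canary.3', '16.0.0', '16.0.7', '16.1.0-canary.1'];

function report() {
  return [['merged', MERGED], ['proposed', PROPOSED], ['tilde', TILDE]]
    .map(([name, range]) => `${name.padEnd(8)} admits: ${admitted(range, PROBES).join(', ')}`);
}

console.log(report().join('\n'));
```

Running it shows the merged range and the caret proposal both admitting 15.3.0, 15.4.0 and 15.5.0, because `^15.2.6` spans the whole 15.x line, while the tilde form admits only the listed floors plus the explicit pre-release arms. Before committing a hardened range, run the real `semver` package's `satisfies` over the advisory's affected-version list in the same way rather than trusting the range by eye.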

Comment on lines +95 to +98
"next": "15.2.6"
},
"peerDependencies": {
"next": "^15.2.3 || ^16",
"next": "^15.2.6 || ^16",
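Review bot: the 15 arm of the peer range gains a patched floor (`^15.2.6`) but the `^16` arm still accepts 16.0.0 onward with no floor at all, so the constraint expresses a fix for one major line only. If a patched 16.x exists (the follow-up comment in this thread proposes `^16.0.7`), give that arm the same treatment; if 16 is out of scope, say so in the changeset. Note also that `^15.2.6` admits every later 15.x minor from its .0 release, so this range only guarantees a fixed version for installs that stay on 15.2.x if later minors have their own fixed patch levels.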
Contributor commented:

We should likely update this to cover the new set of CVEs too while we are at it?

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
