Skip to content

chore: bump Next.js + React for May 2026 security release#2

Open
tjpinder wants to merge 1 commit into
masterfrom
chore/next-security-bump-may-2026
Open

chore: bump Next.js + React for May 2026 security release#2
tjpinder wants to merge 1 commit into
masterfrom
chore/next-security-bump-may-2026

Conversation

@tjpinder

@tjpinder tjpinder commented May 15, 2026

Copy link
Copy Markdown
Owner

Summary

  • next 16.2.4 → 16.2.6
  • react 19.2.3 → 19.2.6
  • react-dom 19.2.3 → 19.2.6

Why

Next.js + React May 2026 coordinated security release patches 10 GHSAs + CVE-2026-23870 (React 19 RSC DoS). This repo has no root middleware and no next/image imports, so structural exposure to the middleware-bypass and image-DoS advisories was already nil. The React RSC DoS is the main reason to bump — covered by React 19.2.6.

Test plan

  • Refresh node_modules and run a production build after merge
  • Verify no runtime regressions in dev

🤖 Generated with Claude Code

@tjpinder @claude
chore: bump Next.js + React for May 2026 security release
9ea98aa 
next 16.2.4 → 16.2.6
react 19.2.3 → 19.2.6
react-dom 19.2.3 → 19.2.6

Patches Next.js + React May 2026 security release (10 GHSAs + CVE-2026-23870).
No middleware.ts and no next/image usage in this repo, so structural exposure
to the bypass/image-DoS advisories was already nil; bump is hygiene.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tjpinder