fix(repo): bump next to 15.5.18#3182
Merged
Merged
Conversation
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (2)
📝 WalkthroughWalkthroughBumps Next/React/types and eslint-config-next across packages, converts many Next page props to Promise-wrapped params/searchParams and updates metadata/page functions, makes serverFetch/header handling async and adjusts tests, and applies config/lint/coverage and small wiring fixes. ChangesDependency & config updates
Next config image allowlist & experimental removal
Stats-web runtime and serverFetch
Small fixes and test wiring
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Suggested labels
Suggested reviewers
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 67: The repository’s package.json was updated (e.g., dependency "next":
"^15.5.18" and related changes around the same block) but the lockfile was not
regenerated, causing npm ci / EUSAGE failures; run a clean install to update the
lockfile (npm install or npm ci after removing node_modules and
package-lock.json or run npm install --package-lock-only), verify the lockfile
changes include the updated "next" version and any other edits around the same
dependency group, and commit the regenerated lockfile (package-lock.json or
npm-shrinkwrap.json) alongside the package.json change so CI and container
builds are reproducible.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: bd88a0a3-7d5a-4209-9d6e-dff2a9e4446d
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (32)
apps/api/package.jsonapps/deploy-web/.eslintrc.jsapps/deploy-web/next-env.d.tsapps/deploy-web/next.config.jsapps/deploy-web/package.jsonapps/deploy-web/src/components/shared/Editor/monaco-editor.tsapps/deploy-web/src/lib/nextjs/api-routes-specs/proxy-path.spec.tsapps/deploy-web/src/pages/_document.tsxapps/indexer/package.jsonapps/provider-console/next.config.jsapps/provider-console/package.jsonapps/stats-web/next.config.jsapps/stats-web/package.jsonapps/stats-web/src/app/addresses/[address]/deployments/[dseq]/page.tsxapps/stats-web/src/app/addresses/[address]/deployments/page.tsxapps/stats-web/src/app/addresses/[address]/page.tsxapps/stats-web/src/app/addresses/[address]/transactions/page.tsxapps/stats-web/src/app/blocks/[height]/page.tsxapps/stats-web/src/app/bme-graph/[snapshot]/page.tsxapps/stats-web/src/app/graph/[snapshot]/page.tsxapps/stats-web/src/app/layout.tsxapps/stats-web/src/app/provider-graph/[snapshot]/page.tsxapps/stats-web/src/app/transactions/[hash]/page.tsxapps/stats-web/src/app/validators/[address]/page.tsxapps/stats-web/src/lib/serverFetch.spec.tsapps/stats-web/src/lib/serverFetch.tsapps/tx-signer/package.jsonpackage.jsonpackages/dev-config/.eslintrc.base.jspackages/dev-config/package.jsonpackages/react-query-proxy/package.jsonpackages/ui/package.json
💤 Files with no reviewable changes (1)
- apps/stats-web/next.config.js
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3182 +/- ##
==========================================
+ Coverage 63.98% 64.04% +0.05%
==========================================
Files 1100 1097 -3
Lines 26711 26687 -24
Branches 6475 6473 -2
==========================================
Hits 17092 17092
+ Misses 8417 8394 -23
+ Partials 1202 1201 -1
🚀 New features to boost your workflow:
|
baktun14
changed the title
Bump Next.js from 14.2.35 to 15.5.18 across deploy-web, stats-web, and provider-console; React/react-dom to ^18.3.1 (Next 15 minimum); align eslint-config-next to ^15.5.18 in every workspace to deduplicate the bundled @next/next plugin; add a single root next override so all transitive consumers (auth0/nextjs-auth0, mui/material-nextjs, next-pwa, next-themes, geist, next-seo, etc.) resolve to 15.5.18. stats-web (App Router) migrates the now-async request APIs: cookies(), headers(), route params, and route searchParams are all awaited in layout.tsx, serverFetch.ts, and ten page files. Test mocks and the abort-timer test updated to match. deploy-web (Pages Router) migrates images.domains to images.remotePatterns, drops experimental.instrumentationHook (now auto-detected), casts DocumentContext in _document.tsx to bridge the MUI 5 bundled Next 14 type, fixes a pair of monaco-editor `vs//base` double-slash imports that Next 15's stricter resolver rejects, and moves one in-pages spec out of src/pages so Next 15's API-route type validator doesn't treat it as a handler. Playwright fixtures get a local override for react-hooks/rules-of-hooks since the rule misreads Playwright's destructured `use` callback as the React 19 `use` hook. provider-console gets the same images.domains -> remotePatterns migration. vite ^8.0.0 is declared as a direct devDep of deploy-web so @vitejs/plugin-react@6 can resolve its peer; postcss and autoprefixer are declared in packages/ui (used by its postcss.config.js). The shared eslint base now ignores next-env.d.ts and env-config.schema.js generated files. .codecov.yml ignores Next.js framework files (_document/_app/_error/next-env), Monaco wiring, and spec files so the deploy-web patch coverage isn't dragged to 0% by infrastructure-only diffs.
baktun14
force-pushed
the
fix/deps-bump-nextjs-15-security
branch
from
701ff5c to
2b6f762
Compare
Contributor
what does it mean |
Add react, react-dom, and @types/react(-dom) to root overrides so a single copy survives across the workspace. Without this, future incremental npm installs can leave the root node_modules/react pinned at 18.2.0 (still satisfies @interchain-ui/react's ^18.2.0 peer) while workspace-local copies bump to 18.3.1, producing two React instances and breaking hooks at test time. The lockfile diff is the dedup ripple from npm re-resolving against the new overrides.
Recompute package-lock.json via npm install --package-lock-only under the new root overrides so the lockfile is npm-ci-clean and includes all cross- platform optional dep entries (@img/sharp-*, @esbuild/*, @next/swc-*).
Contributor
Author
I restored from main and made sure it's incrementally updated. |
Same workaround as for proxy-path: Next 15's API-route type validator treats any *.spec.ts under src/pages/api/ as a route module and demands a default export shaped like ApiRouteConfig, breaking next build. Move the two email-code auth specs to src/lib/nextjs/api-routes-specs/ and switch their handler imports to the absolute @src/pages/api/... path.
stalniy
approved these changes
May 19, 2026
Contributor
Author
|
There's potentially more issues with Next version and SSR, but these will be resolved when we refactor the app to be fully CSR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Bump Next.js from 14.2.35 to 15.5.18 across all three Next.js apps (deploy-web, stats-web, provider-console) in a single change so they share one lockfile update.
What
Dependencies
next14.2.35 → 15.5.18 in deploy-web / stats-web / provider-consolereact/react-dom18.2.0 → 18.3.1 (minimum required by Next 15)eslint-config-next14.x → 15.5.18 across all workspaces (api, indexer, tx-signer, dev-config, react-query-proxy too) to deduplicate the bundled@next/nextESLint plugin@mui/material-nextjsstays on 5.x; a one-line cast in_document.tsxbridges its bundled Next 14DocumentContextto Next 15's structurally-equivalent typepackage.jsonnow declaresnextas a direct dep +\"overrides\": { \"next\": \"$next\" }to force every transitive consumer (auth0/nextjs-auth0, mui/material-nextjs, next-pwa, next-themes, geist, next-seo, etc.) onto the single 15.5.18 install — without this the dual-version install blew up SSR withCannot find module 'next/dist/server/route-modules/pages/vendored/contexts/html-context'vite ^8.0.0added as a direct devDep of deploy-web so@vitejs/plugin-react@6can resolve its peerstats-web (App Router) async-request migration
cookies()/headers()/ routeparams/ routesearchParamsnow return promises. Updatedapp/layout.tsx,lib/serverFetch.ts, and 10 page files to await them. Test mocks updated;vi.advanceTimersByTimeAsyncused for the abort timer test now that the chain has an extra microtask.deploy-web (Pages Router) build fixes
images.domains→images.remotePatternsexperimental.instrumentationHook(instrumentation.tsis auto-detected in 15)monaco-editorimport paths that had strayvs//basedouble-slashes (Next 15's webpack resolver rejects them)src/pages/api/proxy/[...path].spec.ts→src/lib/nextjs/api-routes-specs/proxy-path.spec.tsbecause Next 15's API-route type validator was treating the spec file as a handler and demanding a default exportreact-hooks/rules-of-hooksfor Playwright fixtures — the rule misreads Playwright's destructuredusecallback as the React 19usehookprovider-console (Pages Router)
images.domains→images.remotePatternsmigrationLint and coverage config
packages/dev-config/.eslintrc.base.jsnow ignores**/next-env.d.tsand**/env-config.schema.js(generated artifacts that fail the triple-slash-reference and parser-options rules)packages/uideclarespostcssandautoprefixeras devDeps (referenced by itspostcss.config.js).codecov.ymlignores Next.js framework files (_document.tsx,_app.tsx,_error.tsx,next-env.d.ts), Monaco editor wiring, and spec files so the patch coverage isn't dragged down by infrastructure changesTest plan
Summary by CodeRabbit
New Features
Bug Fixes
Chores