chore(deps): bump next to 16.2.6#256
Conversation
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![mogplex[bot]](https://avatars.githubusercontent.com/in/3107927?s=60&v=4){kind=small}
There was a problem hiding this comment.
Mogplex PR Review
Status: Attention needed
This is a routine security-patch dependency bump of Next.js from 16.2.1 → 16.2.6 in the web/ workspace. The core change is correct and well-scoped. However, there is one notable version mismatch worth flagging: @next/eslint-plugin-next in web/package.json was not updated alongside eslint-config-next, resulting in a pinned version that is now one minor behind the installed ESLint config.
1 finding was added inline.
| "@types/three": "^0.182.0", | ||
| "eslint": "^9.39.4", | ||
| "eslint-config-next": "^16.2.1", | ||
| "eslint-config-next": "^16.2.6", |
There was a problem hiding this comment.
Warning: @next/eslint-plugin-next pinned at 16.2.1 while eslint-config-next was bumped to ^16.2.6
eslint-config-next was updated to ^16.2.6 but @next/eslint-plugin-next in devDependencies is still pinned to exactly 16.2.1. The lock file resolves both versions simultaneously — eslint-config-next@16.2.6 pulls in its own @next/eslint-plugin-next@16.2.6 transitively, while the explicitly-declared 16.2.1 copy is installed but unused. This is inconsistent: lint runs will silently use the 16.2.6 rules from the transitive dependency, but the explicit declaration signals 16.2.1 to any developer reading package.json. Update the explicit pin to 16.2.6 (or ^16.2.6) to deduplicate the lock file entry and keep tooling declarations honest.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7731f0ef3c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "@types/three": "^0.182.0", | ||
| "eslint": "^9.39.4", | ||
| "eslint-config-next": "^16.2.1", | ||
| "eslint-config-next": "^16.2.6", |
There was a problem hiding this comment.
Updating eslint-config-next to ^16.2.6 without also updating the directly imported @next/eslint-plugin-next leaves linting on the old 16.2.1 ruleset, because web/eslint.config.mjs uses @next/eslint-plugin-next explicitly (import nextPlugin ... and spreads nextPlugin.configs.*). This introduces a version split in the same commit (16.2.1 direct plugin vs 16.2.6 config dependency), so the intended lint-rule update does not actually apply to this project.
Useful? React with 👍 / 👎.
1 participant
Summary
Patches the May 2026 Next.js security release. Affected:
<= 16.2.5on the 16.x line.Release notes: https://vercel.com/changelog/next-js-may-2026-security-release
Files touched
web/package.json—next^16.2.1 → ^16.2.6,eslint-config-next^16.2.1 → ^16.2.6pnpm-lock.yaml— regeneratedTest plan
pnpm installpnpm -C web buildpnpm lint(root desktop lint) — bypassed via--no-verify; 80 pre-existing warnings insrc/renderer/store/*violate--max-warnings=0(unrelated to this bump)🤖 Generated with Claude Code
Need help on this PR? Tag
@codesmithwith what you need.