chore(deps): bump next 15.2.9→15.5.18 + drizzle-orm 0.38.4→0.45.2 (Phase 1b/c)
Security-driven version bumps; both stay within their existing major.
next 15.2.9 → 15.5.18 closes (1 high + 6 moderate next-specific CVEs):
- DoS via Server Components (high)
- Image Optimizer cache key confusion / content injection (moderate)
- Improper middleware redirect handling → SSRF (moderate)
- HTTP request smuggling in rewrites (moderate)
- Unbounded next/image disk cache growth → storage exhaustion (moderate)
- Self-hosted DoS via Image Optimizer remotePatterns (moderate)
drizzle-orm 0.38.4 → 0.45.2 closes:
- SQL injection via improperly escaped SQL identifiers (high)
Drizzle 0.45 changed query-error wrapping: outer Error.message is now
generic ("Failed query: insert into ...") with the postgres error on
.cause. Two integration test suites updated to assert on
cause.code === '23505' (postgres unique_violation) instead of message
regex — more robust + unambiguous.
eslint-config-next bumped 15.2.9 → 15.5.18 to match.
drizzle-kit bumped 0.30.6 → 0.31.10 to match.
Note: next-env.d.ts is auto-generated by next at build time; not
committed here (the new triple-slash routes reference would fail the
project's eslint rule, and CI regenerates it anyway).
Tests: 1185/1185 vitest passing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
682
pnpm-lock.yaml
generated
682
pnpm-lock.yaml
generated
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user