This repository was archived by the owner on Apr 21, 2026. It is now read-only.

fix(deps): bump next to 16.2.3 to patch GHSA-q4gf-8mx6-v5v3 DoS vulnerability #629

Merged
LucasSantana-Dev merged 1 commit into main from fix/next-dos-vulnerability on Apr 20, 2026

Conversation

LucasSantana-Dev (Member) commented Apr 15, 2026

Summary

Test plan

  • CI Trivy scan passes on this PR
  • Dependabot PRs' Trivy scans turn green after this lands
  • Runtime smoke: apps/web boots locally after merge

Why one consolidated fix

Dependabot PRs update lockfiles but don't bump next itself, so they each inherit the same vulnerable version from package.json. One upstream bump unblocks the whole queue.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated Next.js framework to the latest patch version across the application
    • Updated development dependencies for improved code quality
    • Updated Stripe payment API version for enhanced service compatibility

vercel (Bot) commented Apr 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: siza-web
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Apr 20, 2026 2:19pm


coderabbitai (Bot) commented Apr 15, 2026

Warning

Rate limit exceeded

@LucasSantana-Dev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 41 minutes and 3 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 41 minutes and 3 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 81b72f56-829f-4708-a1b8-f75c1aeb0ecb

📥 Commits

Reviewing files that changed from the base of the PR and between 9b6cbe2 and 147706c.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (7)
  • apps/desktop/eslint.config.js
  • apps/docs/package.json
  • apps/web/eslint.config.js
  • apps/web/package.json
  • apps/web/src/components/ai-keys/EditApiKeyDialog.tsx
  • apps/web/src/lib/stripe/server.ts
  • package.json

Walkthrough

This PR updates Next.js from v16.2.2 to v16.2.3 across the monorepo, downgrades ESLint in the web application, adds a dependency override for the new Next.js version, and updates the Stripe API version in server configuration.

Changes

Cohort / File(s) Summary
Next.js Dependency Updates
apps/docs/package.json, apps/web/package.json, package.json
Bumped Next.js from ^16.2.2 to ^16.2.3 in apps/docs and apps/web. Added overrides.next in root package.json pinned to ^16.2.3; minor formatting adjustment to axios override entry.
ESLint Downgrade
apps/web/package.json
Downgraded ESLint dev dependency from ^10.2.0 to ^9.39.4 in the web application.
Stripe Configuration
apps/web/src/lib/stripe/server.ts
Updated Stripe client initialization apiVersion from 2026-02-25.clover to 2026-03-25.dahlia.

Possibly related PRs

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly describes the main change: bumping Next.js to patch a specific DoS vulnerability (GHSA-q4gf-8mx6-v5v3). It is clear, specific, and aligns with the file changes and PR objectives.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

github-actions (Bot) commented Apr 15, 2026

Project Scorecard


Scorecard: 84/100 (B)
────────────────────────────────────────
  security: 100/100 (A)
  quality: 80/100 (B) — 1 violation
  performance: 67/100 (D) — 1 violation
  compliance: 75/100 (C) — 1 violation
  dependency: 100/100 (A)

Recommendations:
  - Increase test coverage to meet the 80% threshold
  - Extend log retention to at least 90 days for compliance

coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
apps/docs/package.json (1)

18-18: Bump eslint-config-next here as well and verify resolved Next version.

Please align eslint-config-next to ^16.2.3 in docs for consistency with next, and confirm lockfile resolution to next@16.2.3 to ensure the CVE fix is actually applied in this app.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/docs/package.json` at line 18, Update the docs app dependency: in
apps/docs package.json set "eslint-config-next" to "^16.2.3" to match the
existing "next": "^16.2.3"; then run your package manager install
(npm/yarn/pnpm) to update the lockfile and verify that the lockfile resolves
"next" to 16.2.3 (check package-lock.json / yarn.lock / pnpm-lock.yaml for
next@16.2.3), and commit both the updated package.json and the updated lockfile
so the CVE fix is applied for the docs app.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/web/package.json`:
- Line 50: Update the Next ecosystem patch versions so they match next@^16.2.3:
change the dependency entries for `@next/bundle-analyzer` and eslint-config-next
to ^16.2.3 in apps/web/package.json (the same place where "next": "^16.2.3" is
declared), then reinstall/update the lockfile (npm/yarn/pnpm install) so the
lockfile reflects `@next/bundle-analyzer`@16.2.3 and eslint-config-next@16.2.3 to
prevent version drift.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1641e8e2-c0a4-4638-8254-dfc0d65f561e

📥 Commits

Reviewing files that changed from the base of the PR and between 9a2526d and e2b65c3.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • apps/docs/package.json
  • apps/web/package.json

Comment thread apps/web/package.json Outdated
"marked": "^17.0.6",
"motion": "^12.38.0",
"next": "^16.2.2",
"next": "^16.2.3",
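Review bot: the range change on the `"next"` line does not by itself show that the vulnerable build is gone; what gets installed is decided by the lockfile, and the commit message says next also arrives transitively via fumadocs and opennextjs. Confirm that package-lock.json resolves every nested `node_modules/next` entry to 16.2.3 (the root `overrides.next` pin added in this PR is what should force that), and move `@next/bundle-analyzer` and `eslint-config-next` to ^16.2.3 in the same change so the Next ecosystem packages stay on one patch line.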


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking Next ecosystem versions in apps/web/package.json..."
python - <<'PY'
import json
p='apps/web/package.json'
j=json.load(open(p))
deps=j.get('dependencies',{})
dev=j.get('devDependencies',{})
print("next:", deps.get('next'))
print("@next/bundle-analyzer:", dev.get('@next/bundle-analyzer'))
print("eslint-config-next:", dev.get('eslint-config-next'))
PY

echo
echo "Checking lockfiles for resolved next versions..."
# single backslashes: inside single quotes a doubled backslash reaches fd/rg literally and matches nothing useful
fd -HI '^(pnpm-lock\.yaml|package-lock\.json|yarn\.lock)$' -t f | while read -r f; do
  echo "--- $f ---"
  rg -n 'next(@|":|\s)' "$f" | head -n 20 || true
  rg -n '16\.2\.2|16\.2\.3' "$f" | head -n 40 || true
done

Repository: Forge-Space/siza

Length of output: 243


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Repository structure (top level) ==="
ls -la | head -30

echo
echo "=== Looking for lockfiles ==="
find . -maxdepth 2 -type f \( -name "pnpm-lock.yaml" -o -name "package-lock.json" -o -name "yarn.lock" \) 2>/dev/null || echo "No lockfiles found in first 2 levels"

echo
echo "=== Checking for lockfiles anywhere ==="
fd -HI 'lock\.(yaml|json|txt)$' -t f 2>/dev/null | head -20

echo
echo "=== Monorepo package manager detection ==="
if [ -f "pnpm-workspace.yaml" ]; then echo "✓ pnpm workspace detected"; fi
if [ -f "lerna.json" ]; then echo "✓ lerna detected"; fi
if [ -f ".npmrc" ]; then echo "✓ .npmrc found"; fi
if [ -f ".pnpmfile.cjs" ]; then echo "✓ .pnpmfile.cjs found"; fi

echo
echo "=== Checking apps/web/package.json for Prettier compliance ==="
head -60 apps/web/package.json | tail -15

Repository: Forge-Space/siza

Length of output: 2576


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking resolved 'next' versions in package-lock.json ==="
# lockfile v2/v3 keys each package by its install path ("node_modules/next",
# "node_modules/<parent>/node_modules/next"), not by a "name" field, so match the path key;
# omitting the leading quote also catches nested copies
rg -A 5 'node_modules/next":\s*\{' package-lock.json | head -30

echo
echo "=== Searching for specific version patterns ==="
rg '16\.(2\.[2-3]|[3-9]\.0)' package-lock.json | head -40

echo
echo "=== Checking @next/bundle-analyzer in package-lock.json ==="
rg -A 5 'node_modules/@next/bundle-analyzer":\s*\{' package-lock.json | head -20

echo
echo "=== Checking eslint-config-next in package-lock.json ==="
rg -A 5 'node_modules/eslint-config-next":\s*\{' package-lock.json | head -20

echo
echo "=== Full apps/web/package.json for Prettier formatting check ==="
wc -l < apps/web/package.json
head -70 apps/web/package.json

Repository: Forge-Space/siza

Length of output: 122


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Package-lock.json file info ==="
wc -l package-lock.json
head -30 package-lock.json

echo
echo "=== Searching for 'next' entries more broadly ==="
grep -n '"next"' package-lock.json | head -20

echo
echo "=== Checking for version patterns in lockfile ==="
grep '16\.2\.[23]' package-lock.json | head -20

echo
echo "=== Looking at apps/web package-lock.json section ==="
grep -A 20 '"apps/web"' package-lock.json | head -40

echo
echo "=== Verifying JSON formatting of apps/web/package.json ==="
python3 << 'EOF'
import json
with open('apps/web/package.json', 'r') as f:
    content = f.read()
    try:
        json.loads(content)
        print("✓ Valid JSON")
    except json.JSONDecodeError as e:
        print(f"✗ JSON Parse Error: {e}")

# Check for Prettier formatting
print("\n=== Checking line endings and indentation ===")
lines = content.split('\n')
for i, line in enumerate(lines[45:55], start=46):
    print(f"{i}: {repr(line)}")
EOF

Repository: Forge-Space/siza

Length of output: 2860


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# no backticks inside double quotes: bash would try to run @next/bundle-analyzer as a command
echo "=== Searching for @next/bundle-analyzer ==="
grep -n 'bundle-analyzer' package-lock.json | head -20

echo
echo "=== Full context around apps/web package in lockfile ==="
grep -A 150 '"apps/web":\s*{' package-lock.json | grep -E '(next|bundle|eslint)' | head -30

echo
echo "=== Verifying JSON formatting of apps/web/package.json ==="
python3 << 'EOF'
import json
import sys

with open('apps/web/package.json', 'r') as f:
    content = f.read()

# Check JSON validity
try:
    parsed = json.loads(content)
    print("✓ Valid JSON")
except json.JSONDecodeError as e:
    print(f"✗ Invalid JSON: {e}")
    sys.exit(1)

# Check formatting (2-space indent for Prettier default)
lines = content.split('\n')
print(f"\n✓ Total lines: {len(lines)}")

# Check line 50 (next line)
print(f"\nLine 50 context:")
for i in range(48, 52):
    if i < len(lines):
        print(f"  {i+1}: {repr(lines[i])}")

# Check indentation consistency
print("\n✓ Indentation check (2 spaces):")
for i in range(45, 60):
    if i < len(lines):
        line = lines[i]
        if line and not line.startswith('"'):
            leading = len(line) - len(line.lstrip())
            if leading > 0 and leading % 2 != 0:
                print(f"  WARNING: Line {i+1} has odd indentation: {leading} spaces")
print("✓ Indentation appears consistent")
EOF

Repository: Forge-Space/siza

Length of output: 2310


Align Next ecosystem patch versions to maintain consistency across CVE updates.

The bump to next@16.2.3 is correct, but @next/bundle-analyzer and eslint-config-next remain at ^16.2.2 in the lockfile. Update both to ^16.2.3 to avoid version drift and ensure CVE remediation is complete across the workspace.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/web/package.json` at line 50, Update the Next ecosystem patch versions
so they match next@^16.2.3: change the dependency entries for
`@next/bundle-analyzer` and eslint-config-next to ^16.2.3 in apps/web/package.json
(the same place where "next": "^16.2.3" is declared), then reinstall/update the
lockfile (npm/yarn/pnpm install) so the lockfile reflects
`@next/bundle-analyzer`@16.2.3 and eslint-config-next@16.2.3 to prevent version
drift.
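A check for the concern raised in the comment above, added here as an example and not code from the PR or from the Forge-Space/siza project. It walks an npm lockfile (the v2/v3 layout whose "packages" map is keyed by install path, an assumption about this repo's lockfile), reports every resolved copy of next, top-level or nested under another package, that is below the fixed release, flags @next/bundle-analyzer and eslint-config-next when they are not on the same version as next, and shows what the root overrides.next pin achieves by rewriting every copy to one version. The lockfile it runs on is constructed for the example and example-plugin is a placeholder package name.

```python
"""Audit an npm lockfile for copies of next below the patched release.

Added example, not code from the PR or from Forge-Space/siza. It assumes the
npm lockfile v2/v3 layout, where the "packages" map is keyed by install path
("node_modules/next", "node_modules/<parent>/node_modules/next",
"apps/web/node_modules/next"). The sample lockfile is constructed.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

FIXED_NEXT = "16.2.3"  # release the PR names as carrying the GHSA-q4gf-8mx6-v5v3 fix
ECOSYSTEM = ("@next/bundle-analyzer", "eslint-config-next")  # should track next's version

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Sortable tuple for a semver string; a prerelease ranks below its release."""
    m = _SEMVER.match(v.strip())
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def resolved_copies(lock: dict, name: str) -> Dict[str, str]:
    """Every install path that resolves `name`, nested copies included, with its version."""
    suffix = "node_modules/" + name
    return {
        key: entry["version"]
        for key, entry in lock.get("packages", {}).items()
        if key == suffix or key.endswith("/" + suffix)
    }


def audit_next(lock: dict, fixed: str = FIXED_NEXT) -> List[str]:
    """Findings as plain strings; an empty list means every copy is patched and aligned."""
    findings: List[str] = []
    copies = resolved_copies(lock, "next")
    if not copies:
        return ["no copy of next is resolved in this lockfile"]
    floor = parse_version(fixed)
    for path, version in sorted(copies.items()):
        if parse_version(version) < floor:
            findings.append(f"{path} resolves next@{version} (< {fixed})")
    top = copies.get("node_modules/next")
    for pkg in ECOSYSTEM:
        for path, version in sorted(resolved_copies(lock, pkg).items()):
            if top and version != top:
                findings.append(f"{path} is {pkg}@{version} while next is {top}")
    return findings


def apply_override(lock: dict, name: str, version: str) -> dict:
    """What a root package.json `overrides` entry achieves: every copy of `name` becomes `version`."""
    patched = json.loads(json.dumps(lock))  # deep copy; the input lockfile is left untouched
    for path in resolved_copies(patched, name):
        patched["packages"][path]["version"] = version
    return patched


# Constructed sample: top-level next is patched, but a nested copy under a
# placeholder package ("example-plugin") and the two ecosystem packages lag behind.
SAMPLE_LOCK = {
    "name": "monorepo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "monorepo", "workspaces": ["apps/*"]},
        "node_modules/next": {"version": "16.2.3"},
        "node_modules/eslint-config-next": {"version": "16.2.2"},
        "node_modules/@next/bundle-analyzer": {"version": "16.2.2"},
        "node_modules/example-plugin": {"version": "1.0.0", "dependencies": {"next": "16.2.2"}},
        "node_modules/example-plugin/node_modules/next": {"version": "16.2.2"},
    },
}


if __name__ == "__main__":
    # Usage: python audit_next_lock.py [path/to/package-lock.json]; exit 1 on any finding
    path = sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"
    with open(path, encoding="utf-8") as fh:
        problems = audit_next(json.load(fh))
    print("\n".join(problems) or f"every resolved copy of next is >= {FIXED_NEXT}")
    sys.exit(1 if problems else 0)
```

Run against the constructed lockfile, the audit reports the nested next@16.2.2 copy and both lagging ecosystem packages; after an override of next alone the nested copy is clean but the two alignment findings remain, which is the drift the comment above describes, and only aligning all three yields an empty report. The script exits non-zero on findings so it can sit beside the Trivy step in CI.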

LucasSantana-Dev changed the title from "fix(deps): Upgrade next to 16.2.3 (DoS CVE GHSA-q4gf-8mx6-v5v3)" to "fix(deps): Bump next to 16.2.3 to patch GHSA-q4gf-8mx6-v5v3 DoS vulnerability" on Apr 15, 2026
LucasSantana-Dev moved this to In Progress in Engineering Board on Apr 15, 2026
github-actions (Bot) added the size/S label and removed size/XS on Apr 20, 2026
LucasSantana-Dev changed the title from "fix(deps): Bump next to 16.2.3 to patch GHSA-q4gf-8mx6-v5v3 DoS vulnerability" to "fix(deps): bump next to 16.2.3 to patch GHSA-q4gf-8mx6-v5v3 DoS vulnerability" on Apr 20, 2026
LucasSantana-Dev force-pushed the fix/next-dos-vulnerability branch from e4be953 to dfe7d73 on April 20, 2026 04:18
LucasSantana-Dev enabled auto-merge (squash) on April 20, 2026 04:19
LucasSantana-Dev force-pushed the fix/next-dos-vulnerability branch from dfe7d73 to 9b6cbe2 on April 20, 2026 13:58
LucasSantana-Dev force-pushed the fix/next-dos-vulnerability branch from 9b6cbe2 to b128c91 on April 20, 2026 14:01
LucasSantana-Dev force-pushed the fix/next-dos-vulnerability branch from b128c91 to 4a44824 on April 20, 2026 14:06
LucasSantana-Dev force-pushed the fix/next-dos-vulnerability branch from 4a44824 to 45efba2 on April 20, 2026 14:12
LucasSantana-Dev force-pushed the fix/next-dos-vulnerability branch from 45efba2 to e4fce47 on April 20, 2026 14:14
…rability

- Upgrade next from 16.2.0 to 16.2.3 (direct)
- Override transitive next via fumadocs and opennextjs
- Bump eslint-plugin-react-hooks to v5 for eslint 9 compat

Unblocks the repo-wide trivy scan which flags GHSA-q4gf-8mx6-v5v3
against the current next@16.2.0 pin. Fix is the 16.2.x release line
per the advisory.
@LucasSantana-Dev LucasSantana-Dev merged commit 37c8f38 into main Apr 20, 2026
25 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Engineering Board Apr 20, 2026
