fix(deps): update dependency next to v15.5.16 (main)

[mend-for-github-com]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	15.5.5 → 15.5.16
next (source)	15.5.4 → 15.5.16

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	Vulnerability	Reachability
Critical	10.0	CVE-2025-55182	Reachable
High	8.6	CVE-2026-44578
High	8.1	CVE-2026-44574
High	7.5	CVE-2025-55184	Reachable
High	7.5	CVE-2025-67779	Reachable
High	7.5	CVE-2026-44573
High	7.5	CVE-2026-44575
Medium	6.5	CVE-2026-29057	Unreachable
Medium	5.9	CVE-2025-59471	Reachable
Medium	5.3	CVE-2025-55183	Reachable
Medium	5.3	CVE-2026-27980	Reachable

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	Vulnerability	Reachability
Critical	10.0	CVE-2025-55182	Reachable
High	8.6	CVE-2026-44578
High	8.1	CVE-2026-44574
High	7.5	CVE-2025-55184	Reachable
High	7.5	CVE-2025-67779	Reachable
High	7.5	CVE-2026-44573
High	7.5	CVE-2026-44575
Medium	6.5	CVE-2026-29057	Unreachable
Medium	5.9	CVE-2025-59471	Reachable
Medium	5.3	CVE-2025-55183	Reachable
Medium	5.3	CVE-2026-27980	Reachable

---

Release Notes

vercel/next.js (next)

v15.5.16

Compare Source

This release contains security fixes for the following advisories:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

v15.5.15

Compare Source

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#​91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#​90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#​85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#​89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#​82340)
• Turbopack: support pattern into exports field (#​82757)
• NFT tracing fixes (#​84155 and #​85323)
• Turbopack: validate CSS without computing all paths (#​83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#​89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

v15.5.10

Compare Source

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.5.9

Compare Source

Please see the Next.js Security Update for information about this security patch.

v15.5.8

Compare Source

v15.5.7

Compare Source

Please see CVE-2025-66478 for additional details about this release.

v15.5.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: don't define process.cwd() in node_modules #​83452

Credits

Huge thanks to @​mischnic for helping!

---

• If you want to rebase/retry this PR, check this box