fix(deps): bump next 15.0.3 → 16.2.6 to clear trivy CVEs
trivy fs scan failed the M0.2 CI gate on the skeleton commit because
next 15.0.3 has 9 known vulns (CRITICAL CVE-2025-29927 auth bypass in
middleware, plus 7 HIGH advisories). 16.2.6 is current latest and
covers every fixed-version range trivy listed.
Side effects of the major bump:
- next 16 dropped 'next lint' — switched the lint script to call eslint
directly ('eslint . --max-warnings 0').
- eslint-config-next 16 ships flat-config exports natively, so
eslint.config.mjs imports core-web-vitals + typescript directly
(no FlatCompat shim, no @eslint/eslintrc dep).
- Typed vi.fn<typeof fetch>() in tenant-registry.test to satisfy
stricter tuple inference under the new types.
All 4 gates green locally:
pnpm lint / typecheck / test --coverage (100% on src/lib) / build
Refs: M5.1 (skeleton)
This commit is contained in:
Vendored
+2
-1
@@ -1,5 +1,6 @@
|
||||
/// <reference types="next" />
|
||||
/// <reference types="next/image-types/global" />
|
||||
import "./.next/types/routes.d.ts";
|
||||
|
||||
// NOTE: This file should not be edited
|
||||
// see https://nextjs.org/docs/app/building-your-application/configuring/typescript for more information.
|
||||
// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
|
||||
|
||||
Reference in New Issue
Block a user