Hahn-Solo Product Management
Basic Information
Status
Open
Priority
Now
Category
Version Update
Repo
Content SDK PM
Effort
Trivial
Task ID
T-50975D9A
Details
Raise Next.js Peer Floor to 16.1.7
Bump the `next` peerDependency floor from `^16.1.1` to `>=16.1.7` in `packages/nextjs/package.json`. This closes both CVE-2026-23864 (fixed in 16.1.5) and CVE-2026-27979 (fixed in 16.1.7). Update CI matrix to test against 16.1.7 as the minimum.
Why
Next.js 16.1.1--16.1.6 are vulnerable to two High-severity CVEs: DoS via RSC memory exhaustion and PPR unbounded request buffering. The current peer floor (`^16.1.1`) still permits every one of these versions.
Evidence
CVE-2026-23864, CVE-2026-27979; Next.js research report; Vercel research report
Details
Context: The `nextjs` package declares `"next": "^16.1.1"` as a peer dependency. Next.js 16.1.1 through 16.1.6 are vulnerable to two High-severity CVEs: CVE-2026-23864 (DoS via RSC memory exhaustion, fixed in 16.1.5) and CVE-2026-27979 (PPR unbounded request buffering, fixed in 16.1.7). Raising the floor to 16.1.7 closes both.

Steps:
1. Open `packages/nextjs/package.json` -- change `"next": "^16.1.1"` to `"next": ">=16.1.7"`
2. Run `yarn install` and verify no peer conflicts
3. Update CI matrix to test minimum version 16.1.7
4. Run full test suite
5. Update CHANGELOG
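A small CI guard for step 3 that fails the build if the declared `next` peer range still admits a version affected by either CVE. This is an added example, not part of the Content SDK repo; the manifests `BEFORE`/`AFTER`, the `ADVISORIES` table and the script name are constructed here. It understands only the two range forms that appear in this task (`^x.y.z` and `>=x.y.z`), whose lowest admitted version is the base version, so the check reduces to comparing that floor against each advisory's fix version.

```javascript
// Hypothetical CI guard (added example, not project code): refuse a `next`
// peerDependency range whose floor is below the fix version of a known CVE.

// Fix versions as stated in the task; constructed lookup table.
const ADVISORIES = [
  { id: "CVE-2026-23864", fixedIn: "16.1.5" }, // DoS via RSC memory exhaustion
  { id: "CVE-2026-27979", fixedIn: "16.1.7" }, // PPR unbounded request buffering
];

// "x.y.z" -> [x, y, z]; anything else (prerelease tags, wildcards) is rejected
// so the guard fails closed rather than guessing.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a range admits. Both "^x.y.z" and ">=x.y.z" start at x.y.z;
// other syntaxes are deliberately unsupported here.
function rangeFloor(range) {
  const r = String(range).trim();
  if (r.startsWith(">=")) return parseVersion(r.slice(2));
  if (r.startsWith("^")) return parseVersion(r.slice(1));
  throw new Error(`unsupported range syntax: ${range}`);
}

// Ids of advisories whose fix version is above the range floor, i.e. the CVEs
// a consumer could still install an affected `next` for under this range.
function openAdvisories(range, advisories = ADVISORIES) {
  const floor = rangeFloor(range);
  return advisories
    .filter((a) => compare(floor, parseVersion(a.fixedIn)) < 0)
    .map((a) => a.id);
}

// Run the check against a parsed package.json object.
function checkPeerFloor(pkg, advisories = ADVISORIES) {
  const range = pkg.peerDependencies && pkg.peerDependencies.next;
  if (!range) throw new Error("no `next` peerDependency declared");
  return openAdvisories(range, advisories);
}

// Constructed manifests mirroring the task's before/after state.
const BEFORE = { name: "@example/nextjs", peerDependencies: { next: "^16.1.1" } };
const AFTER = { name: "@example/nextjs", peerDependencies: { next: ">=16.1.7" } };

// CLI usage: node check-next-peer.js packages/nextjs/package.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const pkg = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const open = checkPeerFloor(pkg);
  if (open.length > 0) {
    console.error(`next peer floor still admits: ${open.join(", ")}`);
    process.exit(1);
  }
  console.log("next peer floor OK");
}
```

Against `BEFORE` the guard reports both CVEs open; against `AFTER` it reports none, which is the state the acceptance criteria require. A floor of `>=16.1.5` would clear only CVE-2026-23864, which is why the task targets 16.1.7 rather than the first fix release.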

Acceptance criteria:
`next` peer dependency floor is `>=16.1.7` in `packages/nextjs/package.json`
CI passes with Next.js 16.1.7 as the minimum tested version
CHANGELOG entry references both CVEs

Risks: Teams on Next.js 16.1.1--16.1.6 will need to upgrade. Given both CVEs are High severity, this is the correct forcing function.
Source Report
reports/product-management/content-sdk/2026-04-05-content-sdk-pm.md
Report date: Apr 5, 2026