[Snyk] Upgrade next from 14.2.3 to 16.0.0

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade next from 14.2.3 to 16.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 918 versions ahead of your current version.

• The recommended version was released 21 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	140	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	140	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-NEXT-12299318	140	Proof of Concept
	Acceptance of Extraneous Untrusted Data With Trusted Data SNYK-JS-NEXT-8025427	140	Proof of Concept
	Uncontrolled Recursion SNYK-JS-NEXT-8186172	140	No Known Exploit
	Missing Authorization SNYK-JS-NEXT-8520073	140	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	140	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	140	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	140	No Known Exploit
	Race Condition SNYK-JS-NEXT-10176058	140	Proof of Concept
	Use of Cache Containing Sensitive Information SNYK-JS-NEXT-12301496	140	No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JS-NEXT-8602067	140	No Known Exploit
	Directory Traversal SNYK-JS-SUPABASEAUTHJS-10255365	140	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	140	Proof of Concept
	Missing Origin Validation in WebSockets SNYK-JS-NEXT-10259370	140	No Known Exploit
	Missing Source Correlation of Multiple Independent Data SNYK-JS-NEXT-12265451	140	No Known Exploit
	Improper Authorization SNYK-JS-NEXT-9508709	140	Mature

Release notes

Package name: next

• 16.0.0 - 2025-10-22
  

  Tip

  Check out our Next v16 Blog Post to learn more about this release.

  Core Changes

  • Development: Don't import app-router / hot-reloader through next/link in application code: #83656
  • Remove clientParamParsing requirement from RDC for Navigations: #83661
  • Upgrade React from 6b70072c-20250909 to 886b3d36-20250910: #83650
  • Turbopack: Use readFileSync / writeFileSync for manifest writing: #83694
  • Upgrade React from 886b3d36-20250910 to f3a80361-20250911: #83696
  • Don't create client-side debug channel if the feature is disabled: #83699
  • fix: dev should produce the correct default fallback regex to match builds/Turbopack: #83701
  • [devtool] fix overlay styles are missing: #83721
  • Revert "Remove clientParamParsing requirement from RDC for Navigations": #83725
  • Only enable unhandledRejection filtering when opted in: #83726
  • Fix index data route for adapter build-complete: #83730
  • Remove leading underscore for unhandledRejection envvar: #83732
  • Upgrade React from f3a80361-20250911 to 93d7aa69-20250912: #83729
  • Upgrade React from 93d7aa69-20250912 to 8a8e9a7e-20250912: #83742
  • Fix reentrancy of unhandledRejection filtering: #83741
  • Fix type for unhandled rejection handler process.removeListener: #83748
  • [OTel] fix: Root span name should not include high cardinality URL: #75416
  • Turbopack: Remove matchers.reload() call on each request: #83720
  • [Breaking] Flat config as default in @ next/eslint-plugin-next: #83763
  • fix: Rspack splitChunks.chunks regex: #83670
  • Revert "Turbopack: Remove matchers.reload() call on each request": #83819
  • fix: unstable_cache should perform blocking revalidation during ISR revalidation: #83820
  • fix(Rspack): resolve HMR unresponsiveness or unexpected full reload & update dev snapshot: #83480
  • Allow next.config.mts for Node.js native TS resolver: #83556
  • chore: Ensure Import Trace starts in a newline: #83638
  • Development: Remove matchers.reload() on each request: #83829
  • Upgrade React from 8a8e9a7e-20250912 to 5e0c951b-20250916: #83850
  • Bump typescript 5.9.2: #83833
  • Allow headers, rewrites and redirects to be defined as sync functions: #83743
  • Turbopack: Optimize addedRoutes and removedRoutes calculation: #83840
  • [next-config-ts] Set Node.js native TS loader fallback flag to process.env: #83832
  • Development: Clarify TypescriptStatus in watcher: #83857
  • Upgrade sharp dependency to version ^0.34.4: #83892
  • Upgrade React from 5e0c951b-20250916 to 128abcfa-20250917: #83906
  • Add native ts resolver docs link to transpile-config: #83914
  • OTel: use srcPage for templates when next.route is unavailable: #83911
  • Remove inline CSS sourcemaps from next-devtools: #83917
  • Development: Move all TypeScript related work in watcher together: #83912
  • [Cache Components] Allow sync IO inside console methods : #83843
  • Upgrade React from 128abcfa-20250917 to 84af9085-20250917: #83959
  • Build: Add .next/trace-build with high level trace: #83949
  • Remove force writing **/*.mts to tsconfig: #83967
  • feat: Isolate dev build from prod: #83961
  • Remove JS size reporting from next build: #83815
  • Docs/workspace setup: #83490
  • Turbopack: support import ... with {type: "bytes"}: #83896
  • fix: error overlay not closing when backdrop clicked: #83981
  • Upgrade React from 84af9085-20250917 to d415fd3e-20250919: #84003
  • fix: worker logs should still support color: #84024
  • Update font data: #84005
  • Allow passing port to next internal trace: #83907
  • Turbopack: error when importing Typescript in node_modules: #83990
  • Turbopack: Deterministic builds (prerender-manifest, .next/package.json, ./next/postcss.js): #84081
  • Turbopack: Fix babel-loader (allowing built-in or manual configuration): #82676
  • [Cache Components] allow using headers() in runtime prefetches: #83838
  • [Breaking] Remove deprecated publicRuntimeConfig and serverRuntimeConfig: #83944
  • Turbopack: mode to disable tracing: #83683
  • babel-loader: Fix a few issues with config caching: #83973
  • Turbopack: Merge babel-loader and react-compiler configuration logic to avoid running babel twice: #83502
  • [breaking]: enable router scroll optimization by default: #84102
  • Fix layout for ssgPageRoutes in the file tree: #84104
  • Turbopack: Remove useless 'default' built-in webpack loader condition: #84111
  • Fix: Client should auto reload after server restarts: #83971
  • trace-build: Add missing spans: #84080
  • Development: Remove TypeScript from the hot path during bootup: #84090
  • Guide users to experimental.cacheComponents config: #84121
  • Development: Only load webpack when used: #84123
  • Turbopack: Skip loading webpack plugin: #84125
  • Development: Only load createEnvDefinitions when used: #83935
  • BREAKING CHANGE!: bump default images.minimumCacheTTL from 1 min to 4 hours: #84105
  • Feat: Add Model Context Protocol (MCP) server to Next.js dev server: #84100
  • Upgrade React from d415fd3e-20250919 to 1eca9a27-20250922: #84093
  • Turbopack: Remove the deprecated .turbo config object: #84109
  • Flag excess properties in Next.js config with TypeScript: #84069
  • docs: update Security section to direct disclosures : #84156
  • ci: Enable experimental.isolatedDevBuild for test-experimental-dev: #84099
  • [turbopack] Ensure React Compiler options are based dev vs prod: #84062
  • Enable anonymous function naming in React Compiler: #84070
  • Revert "[Breaking] Remove deprecated publicRuntimeConfig and serverRuntimeConfig (#83944)": #84167
  • Fix double comma in build manifest: #84131
  • [turbopack] set app dir only to true when no pages entries detected: #84144
  • Split code-frame into separate compiled package: #84174
  • refactor: separate forward browser logs utils: #84151
  • Upgrade React from 1eca9a27-20250922 to e2332183-20250924: #84189
  • [Cache Components] default to filtering unhandledRejection after abort: #84192
  • fix: prevent URL mutation in router rewrites: #83963
  • fix(server): fix pages router resume router matching: #84158
  • Feat: get_errors MCP endpoint: #84161
  • Add internal environment variable for enabling React Compiler: #84176
  • [devtools] Disable React's default Transition indicator: #84202
  • Upgrade React from e2332183-20250924 to b0c1dc01-20250925: #84248
  • Feat: get_page_metadata MCP endpoint: #84211
  • feat: capture logs into logging file during development: #84183
  • babel-loader: Avoid calling expensive isReactCompilerRequired check when we must run Babel anyways: #84103
  • [mcp] expose logging: #84226
  • Move config.turbopack.moduleIds to config.experimental.turbopackModuleIds: #84230
  • Show invalid default export errors during prerendering: #84242
  • fix: make sure caller exists in babel preset: #84154
  • [mcp] allow to enable mcp server through env var: #84278
  • fix(metadata): make formatDetection respect true/false properly: #83924
  • Upgrade React from b0c1dc01-20250925 to df38ac9a-20250926: #84276
  • Add a --webpack flag and default --turbopack to true: #84216
  • fix: Update URL resolution logic to handle search parameters on root path /?foo=bar: #78262
  • [Breaking] Remove deprecated sync access to Dynamic APIs: #84179
  • Move config.turbopack.moduleIds to config.experimental.turbopackModuleIds: #84230
  • Show invalid default export errors during prerendering: #84242
  • fix: make sure caller exists in babel preset: #84154
  • [mcp] allow to enable mcp server through env var: #84278
  • fix(metadata): make formatDetection respect true/false properly: #83924
  • Upgrade React from b0c1dc01-20250925 to df38ac9a-20250926: #84276
  • Add a --webpack flag and default --turbopack to true: #84216
  • fix: Update URL resolution logic to handle search parameters on root path /?foo=bar: #78262
  • [Breaking] Remove deprecated sync access to Dynamic APIs: #84179
  • Turbopack: only write merged manifests when they have been changed: #84261
  • Turbopack: add separate turbopackPersistentCachingForBuild/ForDev flags: #84215
  • Revert "Add a --webpack flag and default --turbopack to true (#84216)": #84348
  • Upgrade React from df38ac9a-20250926 to d15d7fd7-20250929: #84347
  • Mark React Compiler integration as stable: #84220
  • [cna] Add reactCompiler option: #82251
  • Turbopack: remove canary version check for turbopackPersistentCachingForDev: #84277
  • [turbopack] Add support for debug_ids: #84319
  • Revert "Revert "Add a --webpack flag and default --turbopack to true (#84216)"": #84351
  • [Breaking] Remove AMP codemod: #84356
  • [Breaking] Remove deprecated built-in AMP: #84312
  • auto-enable clientParamParsing and clientSegmentCache w/ cacheComponents: #84250
  • [mcp] get server action tool: #84382
  • Revert "Revert "Revert "Add a --webpack flag and default --turbopack to true (#84216)""": #84389
  • Update otel test assertions and pages span_name: #84393
  • [Breaking] Bump minimum TypeScript version to 5.1.0: #84384
  • Upgrade React from d15d7fd7-20250929 to ef889445-20250930: #84383
  • [Breaking] Remove deprecated unstable_rootParams: #84373
  • [metadata] remove falsy dynamicParams approach: #84405
  • fix: next rspack binding NextExternalsPlugin: