[Snyk] Upgrade next from 14.2.4 to 16.0.1

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade next from 14.2.4 to 16.0.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 925 versions ahead of your current version.

• The recommended version was released 22 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Server-side Request Forgery (SSRF) SNYK-JS-NEXT-12299318	44	Proof of Concept
	Acceptance of Extraneous Untrusted Data With Trusted Data SNYK-JS-NEXT-8025427	44	Proof of Concept
	Uncontrolled Recursion SNYK-JS-NEXT-8186172	44	No Known Exploit
	Missing Authorization SNYK-JS-NEXT-8520073	44	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	44	Proof of Concept
	Improper Input Validation SNYK-JS-NANOID-8492085	44	No Known Exploit
	Race Condition SNYK-JS-NEXT-10176058	44	Proof of Concept
	Use of Cache Containing Sensitive Information SNYK-JS-NEXT-12301496	44	No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JS-NEXT-8602067	44	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	44	No Known Exploit
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	44	No Known Exploit
	Missing Origin Validation in WebSockets SNYK-JS-NEXT-10259370	44	No Known Exploit
	Missing Source Correlation of Multiple Independent Data SNYK-JS-NEXT-12265451	44	No Known Exploit
	Improper Authorization SNYK-JS-NEXT-9508709	44	Mature
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	44	Proof of Concept

Release notes

Package name: next

• 16.0.1 - 2025-10-28
  

  Core Changes

  • fix(static-paths): add depth tracking to parallel route param resolution: #85319
  • Fix types of @ next/mdx: #82238
  • Ensure getServerInsertedHTML skips rendering correctly: #85394
  • Fix duplicate .next/types include on Windows: #85400
  • Exclude next-js condition from middleware, proxy, and instrumentation: #85321
  • remove unstable_forceStale prefetch option & restore prefetch={true} functionality: #85411
  • Upgrade React from 2bcbf254-20251020 to 6160773f-20251023: #85277
  • fix(next/image): swap dependencies: #85419
  • Handle Origin: null headers: #85402
  • Generalize Segment Cache fallback implementation: #84652
  • fix: ensure req.query is writable: #81573
  • fix: Proxy not picked up on Windows: #85443
  • [test] Ensure we can toggle the DevTools menu while status indicators are active: #85456
  • Fix crash when suspending in Components using useActionQueue: #85459

  Misc Changes

  • docs: create-next-app react-compiler and new prompts: #85213
  • docs: cache components - introduction: #85196
  • docs: use cache feedback: #85169
  • docs: stabilize apis in docs: #85219
  • docs: revalidateTag immediate expiration in Route Handlers: #85223
  • Docs/use cache feedback 2: #85222
  • docs: added use cache: remote docs: #85145
  • docs: proxy runtime defaults to nodejs: #85204
  • chore: cache components feedback: #85241
  • docs: add a note that cache components is opt-in near the top: #85245
  • Docs/v16 feedback: #85259
  • Update command to install babel-plugin-react-compiler as a devDependency: #85235
  • docs: typegen next-env.d.ts feedback: #85273
  • docs: link to MCP guide from upgrade: #85308
  • docs: regexp removed from middleware config: #85343
  • docs: simplify MCP guide to focus on next-devtools-mcp: #85353
  • docs: fix proxy matcher overflow: #85337
  • docs: point out diff in serialization types for arguments and return values: #85338
  • [test] Update snapshots: #85407
  • docs: Fix typo in SEO section of loading.mdx: #85301
  • Fix typo in Fast Refresh documentation: #85352
  • Fix grammatical errors in updating data documentation: #85067
  • [test] Skip devlow benchmarks on PRs: #85408
  • [test] Unflake typed-env suite: #85410
  • Update rust toolchain to 2025-10-27: #85409
  • [test] Speed up prefetching suite: #85417
  • docs: remove inaccuracies from use cache: private: #85425
  • [test] Exclude Next.js internal stack frames from cache-component-error CLI output assertions: #85421
  • [test] Exclude likely Next.js internal Components from component stacks in Redbox assertions: #85420
  • Turbopack: correctly trace files with npm: #85323

  Credits

  Huge thanks to @ icyJoseph, @ wyattjoh, @ devjiwonchoi, @ arnabsen, @ remcohaszing, @ denesbeck, @ gaojude, @ mhart, @ eps1lon, @ jesuistuan, @ codr, @ InfiniteCodeMonkeys, @ gnoff, @ ztanner, @ wbinnssmith, @ styfle, @ acdlite, @ ale-grosselle, and @ mischnic for helping!

• 16.0.1-canary.6 - 2025-10-28
  

  Core Changes

  • fix(next/image): swap dependencies: #85419
  • Handle Origin: null headers: #85402
  • Generalize Segment Cache fallback implementation: #84652
  • fix: ensure req.query is writable: #81573
  • fix: Proxy not picked up on Windows: #85443
  • [test] Ensure we can toggle the DevTools menu while status indicators are active: #85456
  • Fix crash when suspending in Components using useActionQueue: #85459

  Misc Changes

  • docs: remove inaccuracies from use cache: private: #85425
  • [test] Exclude Next.js internal stack frames from cache-component-error CLI output assertions: #85421
  • [test] Exclude likely Next.js internal Components from component stacks in Redbox assertions: #85420
  • Turbopack: correctly trace files with npm: #85323

  Credits

  Huge thanks to @ styfle, @ ztanner, @ eps1lon, @ acdlite, @ ale-grosselle, @ devjiwonchoi, and @ mischnic for helping!

• 16.0.1-canary.5 - 2025-10-27
  

  Core Changes

  • Upgrade React from 2bcbf254-20251020 to 6160773f-20251023: #85277

  Misc Changes

  • Update rust toolchain to 2025-10-27: #85409
  • [test] Speed up prefetching suite: #85417

  Credits

  Huge thanks to @ wbinnssmith and @ eps1lon for helping!

• 16.0.1-canary.4 - 2025-10-27
  

  Core Changes

  • Ensure getServerInsertedHTML skips rendering correctly: #85394
  • Fix duplicate .next/types include on Windows: #85400
  • Exclude next-js condition from middleware, proxy, and instrumentation: #85321
  • remove unstable_forceStale prefetch option & restore prefetch={true} functionality: #85411

  Misc Changes

  • docs: regexp removed from middleware config: #85343
  • docs: simplify MCP guide to focus on next-devtools-mcp: #85353
  • docs: fix proxy matcher overflow: #85337
  • docs: point out diff in serialization types for arguments and return values: #85338
  • [test] Update snapshots: #85407
  • docs: Fix typo in SEO section of loading.mdx: #85301
  • Fix typo in Fast Refresh documentation: #85352
  • Fix grammatical errors in updating data documentation: #85067
  • [test] Skip devlow benchmarks on PRs: #85408
  • [test] Unflake typed-env suite: #85410

  Credits

  Huge thanks to @ denesbeck, @ gaojude, @ mhart, @ icyJoseph, @ eps1lon, @ jesuistuan, @ codr, @ InfiniteCodeMonkeys, @ gnoff, and @ ztanner for helping!

• 16.0.1-canary.3 - 2025-10-27
  

  Core Changes

  • Fix types of @ next/mdx: #82238

  Credits

  Huge thanks to @ remcohaszing for helping!

• 16.0.1-canary.2 - 2025-10-24
  

  Core Changes

  • fix(static-paths): add depth tracking to parallel route param resolution: #85319

  Misc Changes

  • docs: link to MCP guide from upgrade: #85308

  Credits

  Huge thanks to @ icyJoseph and @ wyattjoh for helping!

• 16.0.1-canary.1 - 2025-10-23
  

  Misc Changes

  • docs: add a note that cache components is opt-in near the top: #85245
  • Docs/v16 feedback: #85259
  • Update command to install babel-plugin-react-compiler as a devDependency: #85235
  • docs: typegen next-env.d.ts feedback: #85273

  Credits

  Huge thanks to @ icyJoseph and @ arnabsen for helping!

• 16.0.1-canary.0 - 2025-10-22
  

  Misc Changes

  • docs: create-next-app react-compiler and new prompts: #85213
  • docs: cache components - introduction: #85196
  • docs: use cache feedback: #85169
  • docs: stabilize apis in docs: #85219
  • docs: revalidateTag immediate expiration in Route Handlers: #85223
  • Docs/use cache feedback 2: #85222
  • docs: added use cache: remote docs: #85145
  • docs: proxy runtime defaults to nodejs: #85204
  • chore: cache components feedback: #85241

  Credits

  Huge thanks to @ icyJoseph, @ wyattjoh, and @ devjiwonchoi for helping!

• 16.0.0 - 2025-10-22
  

  Tip

  Check out our Next v16 Blog Post to learn more about this release.

  Core Changes

  • Development: Don't import app-router / hot-reloader through next/link in application code: #83656
  • Remove clientParamParsing requirement from RDC for Navigations: #83661
  • Upgrade React from 6b70072c-20250909 to 886b3d36-20250910: #83650
  • Turbopack: Use readFileSync / writeFileSync for manifest writing: #83694
  • Upgrade React from 886b3d36-20250910 to f3a80361-20250911: #83696
  • Don't create client-side debug channel if the feature is disabled: #83699
  • fix: dev should produce the correct default fallback regex to match builds/Turbopack: #83701
  • [devtool] fix overlay styles are missing: #83721
  • Revert "Remove clientParamParsing requirement from RDC for Navigations": #83725
  • Only enable unhandledRejection filtering when opted in: #83726
  • Fix index data route for adapter build-complete: #83730
  • Remove leading underscore for unhandledRejection envvar: #83732
  • Upgrade React from f3a80361-20250911 to 93d7aa69-20250912: #83729
  • Upgrade React from 93d7aa69-20250912 to 8a8e9a7e-20250912: #83742
  • Fix reentrancy of unhandledRejection filtering: #83741
  • Fix type for unhandled rejection handler process.removeListener: #83748
  • [OTel] fix: Root span name should not include high cardinality URL: #75416
  • Turbopack: Remove matchers.reload() call on each request: #83720
  • [Breaking] Flat config as default in @ next/eslint-plugin-next: #83763
  • fix: Rspack splitChunks.chunks regex: #83670
  • Revert "Turbopack: Re...