[Snyk] Security upgrade next from 14.2.13 to 15.5.16 #100

Open. snyk-io[bot] wants to merge 1 commit into master from snyk-fix-0fc3cee034664f985636805b29325742

snyk-io Bot commented May 12, 2026

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • payment-components/next-js/package.json
  • payment-components/next-js/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

| Issue | Score |
| --- | --- |
| high severity, Allocation of Resources Without Limits or Throttling, SNYK-JS-NEXT-16638674 | 710 |

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

…t-js/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NEXT-16638674

snyk-io Bot commented May 12, 2026

Merge Risk: High

The upgrade from Next.js v14 to v15 is a major version change with significant breaking changes that require code modifications and careful review of application behavior. The two most impactful changes are the move to asynchronous request APIs and a fundamental shift in caching strategy.

Key Breaking Changes:

  • Async Request APIs: Request-scoped APIs including cookies(), headers(), draftMode(), params, and searchParams are now asynchronous and must be awaited. This change is necessary for future performance optimizations. A codemod is available to help automate this migration.

    • Before: const cookieStore = cookies()
    • After: const cookieStore = await cookies()
  • Caching is Now Opt-In: In a major reversal, fetch requests, GET Route Handlers, and client-side navigations are no longer cached by default. Previously, these were cached unless explicitly opted out with cache: 'no-store'. Applications relying on the old default caching behavior may experience performance degradation or an increase in API requests. You must now explicitly opt-in to caching where needed.

  • React 19 and Node.js Version: Next.js 15 requires React 19 (or its RC) for the App Router and updates the minimum Node.js version to 18.18. The Pages Router maintains backward compatibility with React 18.

  • Image Optimization: The squoosh image optimization library has been removed in favor of sharp as an optional dependency.

Recommendation:
This is a high-risk upgrade. Use the provided @next/codemod to automatically update the newly async APIs. Thoroughly review your application's data fetching and caching strategy to explicitly opt into caching where necessary to avoid performance regressions. Test routing, API routes, and data-dependent pages carefully after the upgrade.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
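
A heuristic check for the async request API change described in the comment above, added here as an example that is not part of the PR or of Next.js tooling: it lists calls to cookies(), headers() and draftMode() that are not directly awaited, so leftovers can be caught after running the codemod. The function name and the sample source are constructed for illustration; params and searchParams are not covered.

```javascript
// Added example, not from the PR or Next.js tooling. Heuristic, line-based check.
const REQUEST_APIS = ['cookies', 'headers', 'draftMode'];

// Returns [{ line, api }] for zero-argument calls that are not directly awaited.
function findUnawaitedRequestApis(source) {
  // Lookbehind skips member calls (res.headers()) and longer identifiers.
  const callRe = new RegExp(
    `(?<![\\w.$])(${REQUEST_APIS.join('|')})\\s*\\(\\s*\\)`, 'g');
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    // Drop line comments; "//" must follow line start or whitespace so URLs survive.
    const code = text.replace(/(^|\s)\/\/.*$/, '$1');
    for (const m of code.matchAll(callRe)) {
      const before = code.slice(0, m.index);
      const after = code.slice(m.index + m[0].length);
      if (/\bawait\s*\(?\s*$/.test(before)) continue; // already migrated
      if (/\bfunction\s*$/.test(before)) continue;    // a declaration, not a call
      if (/^\s*\{/.test(after)) continue;             // method such as async headers() {
      findings.push({ line: i + 1, api: m[1] });
    }
  });
  return findings;
}

// Constructed sample of a route handler mid-migration.
const SAMPLE_SOURCE = [
  "import { cookies, headers, draftMode } from 'next/headers'",
  'export async function GET() {',
  '  const cookieStore = cookies()',
  '  const h = await headers()',
  '  // const old = draftMode()',
  "  const token = cookies().get('session')",
  '  return Response.json({ ok: Boolean(token) })',
  '}',
].join('\n');

console.log(findUnawaitedRequestApis(SAMPLE_SOURCE));
```

Calls wrapped in another function or spread over several lines are outside what this line-based check can see, so it complements the codemod and a type check rather than replacing them.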


snyk-io Bot commented May 12, 2026

Snyk checks have passed. No issues have been found so far.

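| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |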


hivel-marco Bot left a comment

PR Complexity Score: 2.0 - Simple

View Breakdown
  • Lines Changed: 702
  • Files Changed: 2
  • Complexity Added: 0
  • Raw Score: 20.04
⚠️ Sensitive Data (PII/ Secrets) Detected

| File | Types | Count |
| --- | --- | --- |
| payment-components/next-js/package-lock.json | Base64 High Entropy String | 40 |

payment-components/next-js/package-lock.json

| Line | Type | Preview |
| --- | --- | --- |
| 46 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 245 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 255 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 277 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 299 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 315 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 331 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 347 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 363 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 379 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 395 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 411 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 427 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 443 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 459 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 481 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 503 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 525 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 547 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 569 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 591 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 613 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 635 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 654 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 673 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 692 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 811 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 827 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 843 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 859 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 875 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 891 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 907 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 923 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 939 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 2180 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 4253 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 5174 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 5236 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |
| 5642 | Secret: Base64 High Entropy String | [Base64 High Entropy String] |

Overview

This PR upgrades the Next.js dependency for the payment-components/next-js package from 14.2.13 to 15.5.16.
The change brings in updated transitive dependencies, new optional image-processing tooling, and revised Node.js and React compatibility constraints through the lockfile.
It is primarily a framework/runtime upgrade, with no direct application code modifications.

Key Changes
  • Bump next from 14.2.13 to 15.5.16 in payment-components/next-js/package.json to align with the latest Next.js major version.
  • Update the lockfile to pull in Next 15’s dependency tree, including:
    • New/updated @next/* SWC binaries for various platforms and removal of the @next/swc-win32-ia32-msvc package.
    • Upgraded @next/env and @swc/helpers, and removal of the older nested @swc/helpers and @swc/counter.
    • Introduction of sharp and a suite of @img/* platform-specific image-processing packages, plus detect-libc, and an updated semver dependency.
    • Removal of busboy and streamsearch from the dependency graph and upgrade of styled-jsx to 5.1.6 with expanded React 19 support.
  • Reflect new engine and peer dependency expectations from Next 15, including stricter Node.js version ranges and support for React 19 and an optional babel-plugin-react-compiler.
Risks & Considerations
  • Next.js 15 raises the required Node.js version to ^18.18.0 || ^19.8.0 || >= 20.0.0; CI/CD and runtime environments must meet this or builds may fail.
  • Introduction of sharp and many optional @img/* binaries can increase install complexity, especially on less common architectures or constrained environments (native binaries, WASM, libc detection).
  • Removal of internal dependencies like busboy/streamsearch is handled by Next.js, but any implicit reliance on previous internal behavior (e.g., file upload edge cases) should be validated.
  • Next 15 may introduce breaking changes or subtle behavior differences (routing, app router semantics, server actions, etc.); a regression test pass of core flows is advisable.
  • Expanded React 19 support in dependencies suggests future upgrades to React 19; ensure current code remains compatible if/when React is bumped.
File-level change summary
| File | Change summary |
| --- | --- |
| payment-components/next-js/package-lock.json | Regenerated lockfile to reflect upgrading Next.js to 15.5.16, adding/removing and updating numerous transitive dependencies (e.g., SWC binaries, sharp, styled-jsx, semver). |
| payment-components/next-js/package.json | Updated the next dependency version from 14.2.13 to 15.5.16 for the payment components Next.js app. |
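
One way to triage the Base64 High Entropy String findings reported above, added here as an example that is not part of the bot's output or of the repository: npm lockfiles store a Subresource Integrity digest for each package in an `integrity` field, and this check separates flagged lines that hold a well-formed digest from lines that need a manual look. It assumes the flagged lines may be integrity fields, which the page does not state; the function names and the sample lockfile are constructed.

```javascript
// Added example, not from the PR. Digest sizes in bytes per SRI algorithm.
const DIGEST_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };

// True when `token` is "<algo>-<canonical base64>" with the right digest length.
function isSriToken(token) {
  const m = /^(sha1|sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(token);
  if (!m) return false;
  const raw = Buffer.from(m[2], 'base64');
  return raw.toString('base64') === m[2] && raw.length === DIGEST_BYTES[m[1]];
}

// An integrity value may list several space-separated digests; all must be valid.
function isSriValue(value) {
  return value.trim().split(/\s+/).every(isSriToken);
}

// Classify each flagged 1-based line number of a package-lock.json text.
function triageFlaggedLines(lockfileText, flaggedLines) {
  const lines = lockfileText.split(/\r?\n/);
  return flaggedLines.map((n) => {
    const m = /^\s*"integrity":\s*"([^"]+)",?\s*$/.exec(lines[n - 1] ?? '');
    const verdict = m && isSriValue(m[1]) ? 'sri-integrity' : 'needs-review';
    return { line: n, verdict };
  });
}

// Constructed sample: a well-formed digest on line 5, a token-bearing URL on line 6.
const sampleDigest = Buffer.alloc(64, 7).toString('base64');
const SAMPLE_LOCK = [
  '{',
  '  "packages": {',
  '    "node_modules/example-pkg": {',
  '      "version": "1.0.0",',
  `      "integrity": "sha512-${sampleDigest}",`,
  '      "resolved": "https://registry.example.invalid/example-pkg.tgz?t=QUJDREVGR0hJSktMTU5PUFFS"',
  '    }',
  '  }',
  '}',
].join('\n');

console.log(triageFlaggedLines(SAMPLE_LOCK, [5, 6]));
```

A `sri-integrity` verdict only says the line has the shape of a package digest; anything marked `needs-review` should be read by a person before the finding is dismissed.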
