
[Snyk] Security upgrade next from 13.4.7 to 16.1.7 #16

Open
snyk-io[bot] wants to merge 1 commit into main from snyk-fix-88d7d61a3c29e6b4caac04fe400ffd69

Conversation


snyk-io Bot commented Mar 18, 2026

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                    Severity   Score
Allocation of Resources Without Limits or Throttling     medium     545
  SNYK-JS-NEXT-15674556
HTTP Request Smuggling                                   medium     515
  SNYK-JS-NEXT-15674558

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling


snyk-io Bot commented Mar 18, 2026

Merge Risk: High

This is a major upgrade spanning three major versions (v14, v15, and v16), introducing a very high number of significant breaking changes. A direct upgrade is not recommended. Plan for a staged migration (13 → 14, 14 → 15, 15 → 16) and allocate significant time for code refactoring, configuration updates, and thorough testing.

Key Breaking Changes & Required Actions:

  • Fundamental Caching Shift (v15+): The caching model has been inverted. In v15+, fetch requests, GET Route Handlers, and client-side navigations are uncached by default. Previously, they were cached. This is a critical behavioral change that can silently impact application performance and data freshness. You must explicitly opt-in to caching where needed.

  • Asynchronous Request APIs (v15+): Accessing cookies(), headers(), params, and searchParams is now asynchronous and requires await. This change affects pages, layouts, and route handlers. Vercel provides codemods to help automate this update.

    • Example: const cookieStore = cookies() becomes const cookieStore = await cookies().
  • Node.js Version Requirement: The minimum Node.js version has been raised multiple times. Version 16 requires at least Node.js 20.9+. You must upgrade your deployment and development environments.

    • v14: Requires Node.js 18.17+
    • v16: Requires Node.js 20.9+
  • Build System - Webpack to Turbopack (v16): Turbopack is now the default bundler, replacing Webpack. If you have a custom Webpack configuration (webpack: in next.config.js), your build will fail. You must either migrate your configuration to be Turbopack-compatible or explicitly opt-out by using the --webpack flag.

  • Middleware Renamed to Proxy (v16): middleware.ts has been deprecated in favor of proxy.ts. Crucially, the new proxy.ts only supports the Node.js runtime, removing support for the Edge runtime in this context.

  • Major Feature Removals:

    • AMP Support (v16): All support for AMP pages and configurations has been completely removed.
    • next export (v14): The next export command is removed. Use the output: 'export' configuration in next.config.js for static site generation.
    • next lint (v16): The built-in lint command is gone. You must now run ESLint directly via its own CLI.

Recommendation:
This upgrade is a major undertaking. Do not attempt a direct jump from v13 to v16.

  1. Follow the official, sequential upgrade guides for each major version:
    • First, upgrade from 13 to 14.
    • Then, upgrade from 14 to 15.
    • Finally, upgrade from 15 to 16.
  2. Utilize the `npx

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
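An added example, not from the Snyk PR or the Next.js project, that turns the "Asynchronous Request APIs" item in the comment above into a heuristic pre-migration check: it scans source text for cookies()/headers() calls that are not awaited, which is exactly the pattern that breaks on the v13 to v15+ step. The sample sources and the scanner are constructed here; the regex is a line-based heuristic, not a parser, so it assumes one statement per line.

```javascript
// Added example (not part of the Snyk PR or of Next.js). Heuristic scanner for
// the v15+ breaking change where cookies()/headers() become async: any call to
// these APIs that is not preceded by `await` is reported with its line number.
const ASYNC_REQUEST_APIS = ["cookies", "headers"];

function findUnawaitedRequestApiCalls(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const trimmed = line.trim();
    // Comments and import lines legitimately mention the names; skip them.
    if (trimmed.startsWith("//") || trimmed.startsWith("import ")) return;
    for (const api of ASYNC_REQUEST_APIS) {
      // Bare call such as `cookies(`; a preceding `.` (req.cookies()) is ignored.
      const re = new RegExp(`(^|[^\\w.$])${api}\\s*\\(`, "g");
      let m;
      while ((m = re.exec(line)) !== null) {
        const before = line.slice(0, m.index + m[1].length);
        if (!/\bawait\s*$/.test(before)) {
          findings.push({ line: idx + 1, api, text: trimmed });
        }
      }
    }
  });
  return findings;
}

// Constructed v13-style page: synchronous access, which v15+ rejects.
const SAMPLE_V13_SOURCE = [
  "import { cookies, headers } from 'next/headers';",
  "export default function Page() {",
  "  const cookieStore = cookies(); // v13 style: sync",
  "  const h = headers();",
  "  return cookieStore.get('session');",
  "}",
].join("\n");

// Constructed v15+-style page: the same code after the migration.
const SAMPLE_V15_SOURCE = [
  "import { cookies, headers } from 'next/headers';",
  "export default async function Page() {",
  "  const cookieStore = await cookies(); // v15+ style",
  "  const h = await headers();",
  "  return cookieStore.get('session');",
  "}",
].join("\n");

for (const f of findUnawaitedRequestApiCalls(SAMPLE_V13_SOURCE)) {
  console.log(`line ${f.line}: ${f.api}() is not awaited -> ${f.text}`);
}
```

Run it over each file in app/ before the 14 to 15 step to get a worklist; Vercel's codemods can then apply the awaits mechanically.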


snyk-io Bot commented Mar 18, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical   High   Medium   Low   Total (0)
Passed   Open Source Security   0          0      0        0     0 issues
Passed   Licenses               0          0      0        0     0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

orca-security-us Bot left a comment

Orca Security Scan Summary

Status   Check                      High   Medium   Low   Info
Passed   Infrastructure as Code     0      0        0     0
Passed   OSS Licenses               0      14       0     0
Passed   SAST                       0      0        0     0
Passed   Secrets                    0      0        0     0
Passed   Vulnerabilities            0      0        0     0

📦 The following Open Source License Violations have been detected

SEVERITY   PACKAGE                               VERSION   LICENSE                                         FILE PATH
medium     @img/sharp-libvips-darwin-arm64       1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-darwin-x64         1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linux-arm          1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linux-arm64        1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linux-ppc64        1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linux-riscv64      1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linux-s390x        1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linux-x64          1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linuxmusl-arm64    1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-libvips-linuxmusl-x64      1.2.4     LGPL-3.0-or-later                               ./package-lock.json
medium     @img/sharp-wasm32                     0.34.5    Apache-2.0 AND LGPL-3.0-or-later AND MIT        ./package-lock.json
medium     @img/sharp-win32-arm64                0.34.5    Apache-2.0 AND LGPL-3.0-or-later                ./package-lock.json
medium     @img/sharp-win32-ia32                 0.34.5    Apache-2.0 AND LGPL-3.0-or-later                ./package-lock.json
medium     @img/sharp-win32-x64                  0.34.5    Apache-2.0 AND LGPL-3.0-or-later                ./package-lock.json
