Lockfile-only patch: 16 packages added, 9 removed, 58 changed (matching the `npm audit fix` summary below). No package.json edits required: the fixed versions resolve within the existing ^16.2.3 range, so only docs/site/package-lock.json changes.
| Package | Severity | Advisory |
|---|---|---|
| fast-uri | high | path traversal via percent-encoded dot segments |
| fast-uri | high | host confusion via percent-encoded authority delimiters |
| next | high | DoS with Server Components |
| next | moderate | XSS in App Router with CSP nonces |
| next | low | cache poisoning via RSC cache-busting collisions |
| next | moderate | XSS in beforeInteractive scripts |
| next | high | DoS via connection exhaustion (Cache Components) |
| next | moderate | DoS in Image Optimization API |
| next | high | SSRF via WebSocket upgrades |
| next | high | Middleware/Proxy bypass via dynamic route parameter injection |
| next | moderate | cache poisoning in RSC responses |
| next | high | Middleware/Proxy bypass via segment-prefetch (App Router) |
| next | high | Middleware/Proxy bypass in i18n (Pages Router) |
| next | low | Middleware/Proxy redirect cache poisoning |
| next | high | App Router segment-prefetch bypass — incomplete fix follow-up |
```console
# Before
$ bash tests/security/test-npm-audit.sh
✗ docs/site: 15 findings ≥ moderate (NOT in allowlist)
Total: 16 | Passed: 1 | Failed: 15

# Fix
$ cd docs/site && npm audit fix
added 16, removed 9, changed 58 packages; found 0 vulnerabilities

# After
$ bash tests/security/test-npm-audit.sh
✓ docs/site: 0 findings ≥ moderate
✓ src/hooks: 0 findings ≥ moderate
Total: 2 | Passed: 2 | Failed: 0
```
The CVEs were disclosed after PR #1798 opened. They fail the local pre-push security gate for any new PR, even though the affected packages are not touched by recent feature work. Splitting them into a dedicated chore PR keeps the scope reviewable and avoids coupling unrelated test/hook changes with 58 packages of lockfile churn. Review check: the diff should touch only docs/site/package-lock.json, with package.json unchanged, and the "After" run above should reproduce on a clean checkout.