UI5 / webcomponents-react / 23234875794
85%

DEFAULT BRANCH: main
Ran
Jobs 8
Files 428
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 84.792%. Remained the same
23234875794

push

github

web-flow 
chore(deps): update dependency next to v16.1.7 [security] (#8344)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [next](https://nextjs.org)
([source](https://redirect.github.com/vercel/next.js)) | [`16.1.6` →
`16.1.7`](https://renovatebot.com/diffs/npm/next/16.1.6/16.1.7) |
![age](https://developer.mend.io/api/mc/badges/age/npm/next/16.1.7?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/16.1.6/16.1.7?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-27977](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36)

## Summary
In `next dev`, cross-site protection for internal websocket endpoints
could treat `Origin: null` as a bypass case even if
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
is configured, allowing privacy-sensitive/opaque contexts (for example
sandboxed documents) to connect unexpectedly.

## Impact
If a dev server is reachable from attacker-controlled content, an
attacker may be able to connect to the HMR websocket channel and
interact with dev websocket traffic. This affects development mode only.
Apps without a configured
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
still allow connections from any origin.

## Patches
Fixed by validating `Origin: null` through the same cross-site
origin-allowance checks used for other origins.

## Workarounds
If upgrade is not immediately possible:
- Do not expose `next dev` to untrusted networks.
- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is
`null` at your proxy.

####
[CVE-2026-27978](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx)

## Summary
`origin: null` was treated as a "missing" origin duri... (continued)

3510 of 4500 branches covered (78.0%)

Branch coverage included in aggregate %.

6520 of 7329 relevant lines covered (88.96%)

113368.73 hits per line

Subprojects
ID Flag name Job ID Ran Files Coverage
1 main/src/internal 23234875794.1 347
15.24
 GitHub Action Run
2 playwright 23234875794.2 9
86.96
 GitHub Action Run
3 main/src/webComponents 23234875794.3 346
13.53
 GitHub Action Run
4 charts 23234875794.4 407
24.78
 GitHub Action Run
5 compat 23234875794.5 361
18.15
 GitHub Action Run
6 cypress-commands 23234875794.6 346
14.95
 GitHub Action Run
7 main/src/components 23234875794.7 348
81.07
 GitHub Action Run
8 base 23234875794.8 351
16.22
 GitHub Action Run
Source Files on build 23234875794