chore(deps-dev): bump eslint-config-next from 15.5.7 to 16.2.6

[dependabot]

Bumps eslint-config-next from 15.5.7 to 16.2.6.

Release notes

Sourced from eslint-config-next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

• ee6e79b v16.2.6
• 766148f v16.2.5
• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-config-next since your current version.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	docs-preview	7cf7502	Commit Preview URL Branch Preview URL	May 13 2026, 03:44 PM

[jrphilo]

Ralphie skipped this for: skip-needs-review (elevated scrutiny: build-tooling major + multi-major bump v15 → v16)

What I saw: pnpm lint fails on this branch with a Converting circular structure to JSON error referenced from .eslintrc.json (which only contains {"extends": "next/core-web-vitals"}). eslint-config-next v16 was rewritten for ESLint 9 flat config; next lint itself is deprecated in v16 ("next lint is deprecated and will be removed in Next.js 16. … migrate to the ESLint CLI"). Dependabot's body also flags a maintainer change ("GitHub Actions, a new releaser for eslint-config-next since your current version").

What I investigated:

• Repo's lint surface: package.json script is next lint, config is legacy .eslintrc.json extending next/core-web-vitals. No eslint.config.{js,mjs,cjs,ts} present. The shape of the fixup is clear: delete .eslintrc.json, add a flat-config eslint.config.mjs, and migrate the script off next lint (per the deprecation message, via @next/codemod next-lint-to-eslint-cli).
• Version pairing: next is pinned at 15.5.15 while this PR bumps eslint-config-next to 16.2.6. eslint-config-next historically tracks the Next.js major (the package lives in the vercel/next.js monorepo and ships in lockstep — the release notes here are literally Next.js 16.x release notes, including v16-only fixes like cache-handlers/deployment adapter). Running the v16 config against a v15 runtime is a deliberate cross-major pin that needs a human call.
• Ownership: Dependabot flagged a new releaser. The release notes are signed v16.2.6 from the canonical vercel/next.js repo, so this is a CI/publishing change rather than a fork, but it's worth a glance.

What's still unclear: whether the intent is to (a) hold this PR and bump next to v16 first (then eslint-config-next v16 lands cleanly alongside, and the flat-config migration is one piece of the larger Next 15→16 work), or (b) pin eslint-config-next at the v15 line until the Next.js upgrade happens. Either is reasonable; the loop shouldn't pick. Doing the flat-config migration in isolation while staying on next@15.5.15 would leave us running a v16-paired lint config against a v15 runtime, which is the kind of subtle drift the loop is supposed to avoid.

What would unblock it: maintainer decides between (a) bundle this with a next 15→16 upgrade (recommended — eslint-config-next is part of that migration), or (b) close this PR and let Dependabot's ignore config pin eslint-config-next to the 15.x line. If (a), the flat-config migration can land in the same PR.

[dependabot]

Superseded by #60.