Next.js version 15.4.5 introduces subtle but potentially impactful changes compared to the previous stable version, 15.4.4. While the core dependencies remain largely the same, including essential packages like postcss, @next/env, and styled-jsx, the key differences lie in the @next/swc and @next/font dependencies, which have been incremented to reflect the newer version of Next.js. Developers leveraging these specific features, such as the SWC compiler for faster builds or Next.js's optimized font loading system, should carefully evaluate the update.
The change extends to optional dependencies, where the @next/swc binaries for different architectures (Darwin, Linux, Windows across x64 and ARM64) have also been updated to 15.4.5, ensuring that developers experience the latest performance improvements and bug fixes across various platforms. Furthermore, from a user perspective, the release dates indicate that version 15.4.5 was released later than 15.4.4. These differences suggest that 15.4.5 may incorporate bug fixes, performance enhancements, or minor feature additions not present in 15.4.4, making it a worthwhile upgrade for those seeking the most up-to-date and optimized Next.js experience. Be aware that the version number of Babel Plugin React Compiler did not change in this release.
All the vulnerabilities related to the version 15.4.5 of the package
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
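One way to check middleware for the usage described above, as an added example that is not code from Next.js or Vercel. It assumes the misuse appears as a top-level headers option built from the incoming request, and that headers meant for the upstream handler belong under the request: { headers } option instead. The function names and the sample middleware are hypothetical.

```javascript
// Added example: heuristic review aid; the middleware source below is constructed sample input.
const SAMPLE_MIDDLEWARE = [
  "import { NextResponse } from 'next/server'",
  "export function middleware(request) {",
  "  const p = request.nextUrl.pathname",
  "  if (p === '/a') return NextResponse.next({ headers: request.headers })",
  "  const h = new Headers(request.headers)",
  "  if (p === '/b') return NextResponse.next({ request: { headers: h } })",
  "  return NextResponse.next({ headers: { 'x-frame-options': 'DENY' } })",
  "}",
].join('\n');

// Text between the parenthesis at index `open` and its matching close.
function callArgs(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(open + 1, i);
  }
  return '';
}

// Drop the contents of nested object literals so only top-level keys remain.
function topLevelOnly(args) {
  let depth = 0, out = '';
  for (const ch of args) {
    if (ch === '}') depth--;
    if (depth <= 1) out += ch;
    if (ch === '{') depth++;
  }
  return out;
}

// 1-based line numbers of NextResponse.next() calls whose top-level `headers`
// option is derived from a `.headers` property (for example request.headers).
function findReflectedHeaders(src) {
  const findings = [];
  const call = /NextResponse\s*\.\s*next\s*\(/g;
  let m;
  while ((m = call.exec(src)) !== null) {
    const top = topLevelOnly(callArgs(src, call.lastIndex - 1));
    if (/(?<![\w.])headers\s*:\s*[^,}]*\.headers\b/.test(top)) {
      findings.push(src.slice(0, m.index).split('\n').length);
    }
  }
  return findings;
}

console.log(findReflectedHeaders(SAMPLE_MIDDLEWARE)); // [ 4 ]
```

This is a text heuristic: it does not resolve variables, so a shorthand `{ headers }` or a headers object built earlier in the function still needs manual review.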