[Snyk] Security upgrade next from 14.2.13 to 16.1.7#81

Open
snyk-io[bot] wants to merge 1 commit into master from snyk-fix-0a8f21ba72f51767d4e2521fbd0b51d6

snyk-io bot commented Mar 18, 2026

Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • payment-components/next-js/package.json
  • payment-components/next-js/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:

| Issue | Score |
| --- | --- |
| medium severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-NEXT-15674556) | 545 |
| medium severity: HTTP Request Smuggling (SNYK-JS-NEXT-15674558) | 515 |

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

…t-js/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NEXT-15674556
- https://snyk.io/vuln/SNYK-JS-NEXT-15674558
snyk-io bot commented Mar 18, 2026

Merge Risk: High

This is a two-major-version upgrade from Next.js v14 to v16, introducing a significant number of high-impact breaking changes. A full migration effort is required, and applications will break without manual intervention. The Next.js team provides codemods to automate parts of the upgrade process.

Next.js 15 Breaking Changes

  • Async Request APIs: Previously synchronous APIs like cookies(), headers(), draftMode(), params, and searchParams are now asynchronous and must be awaited. This is a fundamental change requiring code modification across the application.
  • Caching Behavior Changed: fetch requests, GET Route Handlers, and client-side navigations are no longer cached by default. Caching is now an opt-in behavior, which can significantly impact performance and application logic if not configured explicitly.
  • Minimum Node.js Version: The required Node.js version has been raised to 18.18.0.
  • React 19 Upgrade: Next.js 15 adopts React 19 for the App Router, which has its own set of breaking changes (e.g., useFormState is deprecated in favor of useActionState).

Next.js 16 Breaking Changes

  • Middleware Renamed to proxy.ts: The middleware.ts file is deprecated and must be renamed to proxy.ts. Critically, the new proxy file only supports the Node.js runtime, removing support for the Edge runtime in this context.
  • next/image Default Changes: Several defaults for the Image component have been changed for security and performance, including a much longer minimumCacheTTL (4 hours) and new restrictions on local IP addresses and redirects.
  • revalidateTag() API Change: The signature for revalidateTag() has changed and now requires a second argument to define caching behavior.

Recommendation: This upgrade is a major undertaking. Use the official @next/codemod CLI to automate as much of the migration as possible, particularly for the async API changes. Pay close attention to the new caching defaults and the middleware-to-proxy transition, as these represent significant architectural shifts. Thorough testing is essential.

Source: Next.js 15 Upgrade Guide, Next.js 16 Upgrade Guide

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

snyk-io bot commented Mar 18, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
