feat: update next

[wilsonrivera]

Summary by CodeRabbit

• Chores
  • Upgraded Next.js to version 15.4.8

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

Next.js dependency version bumped from 15.4.7 to 15.4.8 across package.json files. PNPM overrides and studio package configurations updated correspondingly. No changes to exports, APIs, control flow, or error handling.

Changes

Cohort / File(s)	Change Summary
Next.js version bump package.json, studio/package.json	Upgrade Next.js from 15.4.7 to 15.4.8 in PNPM overrides and studio package dependencies

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

• Version bump is purely a dependency update with no code logic or configuration changes to review
• Homogeneous change applied consistently across two similar files

Possibly related PRs

• fix: vulnerabilities by updating packages #2339: Previous Next.js version bump to 15.4.7 in studio/package.json that this PR increments further to 15.4.8

Pre-merge checks

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'feat: update next' is vague and lacks specificity about which version of Next.js is being updated to, despite the branch name and changes indicating a version bump from 15.4.7 to 15.4.8.	Consider using a more specific title like 'feat: update next to 15.4.8' or 'feat: bump next from 15.4.7 to 15.4.8' to clearly communicate the version change.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@276bc8f). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2391   +/-   ##
=======================================
  Coverage        ?   34.64%           
=======================================
  Files           ?      340           
  Lines           ?    33837           
  Branches        ?      251           
=======================================
  Hits            ?    11722           
  Misses          ?    21086           
  Partials        ?     1029           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-6b6670a14892bc153a242b6659baae8d9c820f29

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 276bc8f and 1b92598.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• package.json (1 hunks)
• studio/package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: integration_test (./events)
• GitHub Check: integration_test (./telemetry)
• GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
• GitHub Check: build_test
• GitHub Check: build_test
• GitHub Check: image_scan (nonroot)
• GitHub Check: image_scan
• GitHub Check: build_push_image (nonroot)
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: build_test
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

package.json (1)

71-71: Approve consistency, but enforce security-critical review process.

Both package.json (overrides) and studio/package.json (dependencies) now consistently target Next.js 15.4.8, which is good for monorepo integrity. However, since this version patches a CVSS 10.0 critical RCE vulnerability (CVE-2025-66478), ensure the test/verification checklist boxes are completed before merge.

Consider adding a release note or ADR documenting the security motivation for this patch.

[StarpTech]

LGTM