@ymc9 ymc9 commented Dec 18, 2025

Summary by CodeRabbit

  • Chores
    • Upgraded Next.js to version 16.0.10, incorporating the latest improvements and bug fixes
    • Implemented workspace-wide catalog-based dependency version management for streamlined consistency across projects

Copilot AI review requested due to automatic review settings December 18, 2025 00:43
coderabbitai bot commented Dec 18, 2025

Walkthrough

The Next.js dependency in the pnpm workspace catalog is updated from version 16.0.7 to 16.0.10. Simultaneously, the sample Next.js project is reconfigured to reference the workspace catalog entry instead of maintaining an independent version specification.

Changes

Cohort / File(s) | Summary
Next.js Dependency Updates: pnpm-workspace.yaml, samples/next.js/package.json | Catalog entry for Next.js bumped from 16.0.7 to 16.0.10; sample project changed to use catalog: reference instead of pinned version

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Straightforward dependency version bump and catalog reference migration
  • Homogeneous changes with minimal complexity

Possibly related PRs

  • PR #468: Both PRs modify the same "next" catalog entry in pnpm-workspace.yaml and the "next" dependency reference in samples/next.js/package.json
  • PR #469: Both PRs involve updates to the Next.js dependency version in workspace manifests

Poem

🐰 Hopping through the versions with delight,
Next.js now points to catalog so bright!
16.0.10 in the workspace home,
No more scattered versions to roam~
One source of truth, unified and right!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'chore: bump next.js version' accurately summarizes the main change: updating Next.js from 16.0.7 to 16.0.10 and converting to catalog reference.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
claude bot commented Dec 18, 2025

Claude finished @ymc9's task —— View job


PR Review: Next.js Version Bump

Reviewing this Next.js dependency bump PR for code quality, security, and best practices.

Todo List

  • Examine the specific version changes in package.json files
  • Review workspace configuration changes
  • Check for potential breaking changes or compatibility issues
  • Assess security implications
  • Verify consistency across the monorepo
  • Provide comprehensive review feedback

Changes Analysis

Changes Made:

  • Next.js version: 16.0.7 → 16.0.10 (patch version bump)
  • Workspace standardization: samples/next.js/package.json now uses catalog: instead of hardcoded version "16.0.7"

Code Quality & Best Practices ✅

Excellent improvements:

  1. Workspace consistency: The change to use catalog: in samples/next.js/package.json:21 standardizes dependency management across the monorepo. This follows the established pattern used by other dependencies.

  2. Centralized version management: All Next.js versions are now managed from the workspace catalog in pnpm-workspace.yaml:18, eliminating version drift issues.

  3. Proper semantic versioning: This is a patch version bump (16.0.7 → 16.0.10), indicating bug fixes without breaking changes.

Compatibility Assessment ✅

Cross-package compatibility verified:

  • packages/server/package.json:161 declares Next.js peer dependency as ^15.0.0 || ^16.0.0 - fully compatible with 16.0.10
  • samples/next.js/package.json:33 uses eslint-config-next: 16.0.1 which should work with Next.js 16.0.10
  • No breaking changes expected in patch version bumps

Security Considerations ✅

Low security risk:

  • Patch version updates typically include security fixes and bug fixes
  • No major version changes that could introduce new attack surfaces
  • Following established workspace patterns reduces dependency confusion risks

Performance Considerations ✅

  • Patch versions often include performance improvements
  • No negative performance impact expected from this change

Test Coverage Considerations ⚠️

Recommendations:

  • The Next.js sample should be tested to ensure it builds and runs correctly with 16.0.10
  • Consider running the sample's build process: cd samples/next.js && pnpm build
  • Verify the sample still works with the new Next.js version

Additional Recommendations

  1. PR Description: Consider adding a brief description mentioning this is a patch version bump for bug fixes/security improvements

  2. eslint-config-next alignment: Consider bumping eslint-config-next from 16.0.1 to 16.0.10 for consistency, though this is not strictly necessary

  3. Testing: Run the Next.js sample build to verify compatibility:

    cd samples/next.js
    pnpm install
    pnpm build

Overall Assessment: LGTM

This is a well-executed dependency maintenance PR that:

  • ✅ Follows monorepo best practices
  • ✅ Uses proper semantic versioning
  • ✅ Maintains compatibility with existing peer dependencies
  • ✅ Standardizes workspace dependency management
  • ✅ Poses minimal security/compatibility risks

The change improves dependency management consistency while staying current with Next.js patches.

Copilot AI left a comment

Pull request overview

This PR bumps the Next.js dependency from version 16.0.7 to 16.0.10, a minor patch update. Additionally, it improves consistency by migrating the samples/next.js package to use the centralized catalog reference instead of a hardcoded version.

Key changes:

  • Updated Next.js from 16.0.7 to 16.0.10 in the pnpm workspace catalog
  • Migrated samples/next.js to use catalog reference for Next.js dependency
  • Updated lock file with all Next.js packages and platform-specific SWC binaries

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File | Description
samples/next.js/package.json | Changed Next.js dependency from hardcoded version to catalog reference
pnpm-workspace.yaml | Updated Next.js version in catalog from 16.0.7 to 16.0.10
pnpm-lock.yaml | Updated lock file entries for Next.js core package and all platform-specific SWC binaries
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
samples/next.js/package.json (1)

33-33: Consider updating eslint-config-next to match Next.js version.

The eslint-config-next version (16.0.1) is significantly behind the Next.js version (16.0.10 from the catalog). While this may not cause immediate issues, keeping eslint-config-next aligned with Next.js ensures linting rules match the framework version's capabilities.

Consider updating to a more recent version:

-        "eslint-config-next": "16.0.1",
+        "eslint-config-next": "16.0.10",
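
Review bot: the `+` line pins `eslint-config-next` to a literal `16.0.10` in samples/next.js/package.json, while this same PR moves `next` in that file to a `catalog:` reference, so the suggested pin would fall behind again at the next Next.js bump. Consider adding `eslint-config-next` to the catalog in pnpm-workspace.yaml and referencing it here with `catalog:`, so both versions change in one place.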

Alternatively, verify that 16.0.1 is still compatible with Next.js 16.0.10 by checking the package documentation.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3172523 and 09d60f0.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • pnpm-workspace.yaml (1 hunks)
  • samples/next.js/package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Use `pnpm` with workspaces for package management, pinned to version `pnpm10.12.1`
📚 Learning: 2025-11-26T01:55:04.540Z
Learnt from: CR
Repo: zenstackhq/zenstack-v3 PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-26T01:55:04.540Z
Learning: Use `pnpm` with workspaces for package management, pinned to version `pnpm10.12.1`

Applied to files:

  • pnpm-workspace.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-test (20.x, sqlite)
  • GitHub Check: build-test (20.x, postgresql)
  • GitHub Check: claude-review
🔇 Additional comments (2)
samples/next.js/package.json (1)

21-21: LGTM! Good move to centralized catalog versioning.

Using catalog: for the Next.js dependency aligns with the workspace pattern and ensures version consistency across the monorepo.

pnpm-workspace.yaml (1)

18-18: Next.js 16.0.10 is confirmed as valid and secure — good choice.

Version 16.0.10 is the latest version of Next.js and is the correct patched release for the 16.0.x line. This version addresses multiple critical security vulnerabilities including CVE-2025-55182, CVE-2025-55184, CVE-2025-55183, and CVE-2025-67779. The bump from 16.0.7 to 16.0.10 is essential for security and there is no newer stable version available in the 16.0.x series.

@ymc9 ymc9 merged commit b240164 into dev Dec 18, 2025
12 checks passed
@ymc9 ymc9 deleted the chore/bump-next branch December 18, 2025 00:56
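
The reviews above raise two kinds of version drift: a package that pins a cataloged dependency literally, and a companion package (eslint-config-next) that lags the framework it tracks. The following Node.js check for both is an added example, not code from this PR or the project; the manifests, the second sample package and the `companions` map are constructed assumptions.

```javascript
// Constructed sample data, not copied from the repository.
const catalog = { next: '16.0.10' }; // default catalog, as parsed from pnpm-workspace.yaml
const manifests = {
  'samples/next.js/package.json': {
    dependencies: { next: 'catalog:' },
    devDependencies: { 'eslint-config-next': '16.0.1' },
  },
  // Hypothetical second package that still carries a literal pin.
  'samples/hypothetical/package.json': {
    dependencies: { next: '16.0.7' },
  },
};
// Assumption: packages expected to track another package's exact version.
const companions = { 'eslint-config-next': 'next' };

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isCatalogRef = (spec) => spec.startsWith('catalog:');

function findDrift(manifests, catalog, companions) {
  const findings = [];
  for (const [file, pkg] of Object.entries(manifests)) {
    // peerDependencies are ranges by design, so only installed sections are checked.
    const deps = { ...pkg.dependencies, ...pkg.devDependencies };
    // Only the default catalog is resolved; named catalogs are out of scope here.
    const resolve = (name) => (isCatalogRef(deps[name]) ? catalog[name] : deps[name]);
    for (const [name, spec] of Object.entries(deps)) {
      // A cataloged dependency written as a literal version bypasses the catalog.
      if (has(catalog, name) && !isCatalogRef(spec)) {
        findings.push({ file, name, kind: 'literal-pin', have: spec, want: catalog[name] });
      }
      // A companion package should resolve to the same version as its target.
      if (has(companions, name) && has(deps, companions[name])) {
        const want = resolve(companions[name]);
        if (resolve(name) !== want) {
          findings.push({ file, name, kind: 'companion-mismatch', have: resolve(name), want });
        }
      }
    }
  }
  return findings;
}

console.log(findDrift(manifests, catalog, companions));
```

Run in CI against the real manifests, a non-empty result can fail the build before a stale pin is merged.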