Bump next from 14.2.31 to 14.2.35

[dependabot]

Bumps next from 14.2.31 to 14.2.35.

Release notes

Sourced from next's releases.

v14.2.35

Please see the Next.js Security Update for information about this security patch.

Commits

• 7b940d9 v14.2.35
• 7c1be85 Backport facebook/react#35351 for 14.2.34 (#87095)
• f307368 v14.2.34
• 8e43882 Update React Version (#36)
• 385e8c2 Backport Next.js changes to v14.2.34 (#29)
• 7a2cf51 update version script
• 778e7bf lock swc binaries
• 5a97b40 v14.2.33
• cb88824 backport(v14): omit searchParam data from FlightRouterState before transport ...
• 89ee561 v14.2.32
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

🔒 This PR updates Next.js from version 14.2.31 to 14.2.35, which includes a critical security patch as announced in the Next.js Security Update. This is an automated dependency update by Dependabot that addresses security vulnerabilities in the framework.

🔍 Detailed Analysis

Key Changes

• Dependency Update: Next.js version bumped from ^14.0.0 to ^14.2.35 in package.json
• Security Patch: Includes fixes from the official Next.js Security Update released on December 11, 2025
• React Integration: Backported React changes including [Flight] Add extra loop protection facebook/react#35351 for improved compatibility

Technical Implementation

flowchart TD
    A[Current: Next.js 14.2.31] --> B[Security Vulnerability Detected]
    B --> C[Dependabot Creates PR]
    C --> D[Update to Next.js 14.2.35]
    D --> E[Security Patch Applied]
    E --> F[Enhanced Application Security]
    
    G[Versions 14.2.32-14.2.35] --> H[Bug Fixes & Security Updates]
    H --> I[React Version Updates]
    H --> J[FlightRouterState Improvements]

Loading

Impact

• Security Enhancement: Addresses critical security vulnerabilities identified in earlier versions
• Stability Improvement: Includes bug fixes and performance optimizations from 4 patch releases
• Compatibility: Maintains backward compatibility while providing essential security updates
• Zero Breaking Changes: Patch-level update ensures existing functionality remains intact

Created with Palmier

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[codeant-ai]

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kiloconnect]

✅ No Issues Found

2 files reviewed | Confidence: 100% | Recommendation: Merge

This is an automated security dependency update by Dependabot that bumps Next.js from 14.2.31 to 14.2.35, addressing critical security vulnerabilities as detailed in the Next.js Security Update. The changes are limited to package.json and pnpm-lock.yaml with no source code modifications.

Files: package.json (dependency version update), pnpm-lock.yaml (lock file updates)

Checked: Security implications, dependency compatibility, version correctness

No security issues, bugs, or quality concerns identified in this dependency update.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​next@​14.2.31 ⏵ 14.2.35		+23	+1

View full report