deps: bump the dependencies-major group across 1 directory with 2 updates

[dependabot]

Bumps the dependencies-major group with 2 updates in the / directory: next and zod.

Updates next from 15.5.3 to 16.0.0

Release notes

Sourced from next's releases.

v16.0.0

[!TIP]
Check out our Next v16 Blog Post to learn more about this release.

Core Changes

• Development: Don't import app-router / hot-reloader through next/link in application code: #83656
• Remove clientParamParsing requirement from RDC for Navigations: #83661
• Upgrade React from 6b70072c-20250909 to 886b3d36-20250910: #83650
• Turbopack: Use readFileSync / writeFileSync for manifest writing: #83694
• Upgrade React from 886b3d36-20250910 to f3a80361-20250911: #83696
• Don't create client-side debug channel if the feature is disabled: #83699
• fix: dev should produce the correct default fallback regex to match builds/Turbopack: #83701
• [devtool] fix overlay styles are missing: #83721
• Revert "Remove clientParamParsing requirement from RDC for Navigations": #83725
• Only enable unhandledRejection filtering when opted in: #83726
• Fix index data route for adapter build-complete: #83730
• Remove leading underscore for unhandledRejection envvar: #83732
• Upgrade React from f3a80361-20250911 to 93d7aa69-20250912: #83729
• Upgrade React from 93d7aa69-20250912 to 8a8e9a7e-20250912: #83742
• Fix reentrancy of unhandledRejection filtering: #83741
• Fix type for unhandled rejection handler process.removeListener: #83748
• [OTel] fix: Root span name should not include high cardinality URL: #75416
• Turbopack: Remove matchers.reload() call on each request: #83720
• [Breaking] Flat config as default in @next/eslint-plugin-next: #83763
• fix: Rspack splitChunks.chunks regex: #83670
• Revert "Turbopack: Remove matchers.reload() call on each request": #83819
• fix: unstable_cache should perform blocking revalidation during ISR revalidation: #83820
• fix(Rspack): resolve HMR unresponsiveness or unexpected full reload & update dev snapshot: #83480
• Allow next.config.mts for Node.js native TS resolver: #83556
• chore: Ensure Import Trace starts in a newline: #83638
• Development: Remove matchers.reload() on each request: #83829
• Upgrade React from 8a8e9a7e-20250912 to 5e0c951b-20250916: #83850
• Bump typescript 5.9.2: #83833
• Allow headers, rewrites and redirects to be defined as sync functions: #83743
• Turbopack: Optimize addedRoutes and removedRoutes calculation: #83840
• [next-config-ts] Set Node.js native TS loader fallback flag to process.env: #83832
• Development: Clarify TypescriptStatus in watcher: #83857
• Upgrade sharp dependency to version ^0.34.4: #83892
• Upgrade React from 5e0c951b-20250916 to 128abcfa-20250917: #83906
• Add native ts resolver docs link to transpile-config: #83914
• OTel: use srcPage for templates when next.route is unavailable: #83911
• Remove inline CSS sourcemaps from next-devtools: #83917
• Development: Move all TypeScript related work in watcher together: #83912
• [Cache Components] Allow sync IO inside console methods : #83843
• Upgrade React from 128abcfa-20250917 to 84af9085-20250917: #83959
• Build: Add .next/trace-build with high level trace: #83949
• Remove force writing **/*.mts to tsconfig: #83967
• feat: Isolate dev build from prod: #83961
• Remove JS size reporting from next build: #83815

... (truncated)

Commits

• 950609f v16.0.0
• fcc3157 v16.0.0-canary.19
• c0b086c v16.0.0-canary.18
• f770793 logger: skip logging full element (#85194)
• 074262b Only allow node runtime in proxy (#85139)
• 47ceda3 [cache components] persist cache bypass UI until it's disabled (#85190)
• b66c1d6 Remove layout-router sticky/fixed debug warning (#85193)
• 96754b6 Tweaks to blocking route error message (#85191)
• 48bb490 docs: upgrade from 15 to 16 (#85176)
• 9b34b65 [upgrade] Version gate adding --turbopack flag (#85180)
• Additional commits viewable in compare view

Updates zod from 3.25.76 to 4.1.12

Release notes

Sourced from zod's releases.

v4.1.12

Commits:

• 0b109c37c6b0b10e3901b56bcccb72e29a0b846f docs(ecosystem): add bupkis to the ecosystem section (#5237)
• d22ec0d26fab27151b0f1d1f98bffeaf8b011f57 docs(ecosystem): add upfetch (#5238)
• c56a4f6fab42c542b191228af61974b2328dc52f docs(ecosystem): add eslint-plugin-zod-x (#5261)
• a0abcc02900a4293dd4f30cd81580efcdd5230bb docs(metadata.mdx): fix a mistake in an example output (#5248)
• 62bf4e439e287e55c843245b49f8d34b1ad024ee fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266)
• 02a584010ac92ac8a351632ae5aea3983a6f17d8 refac(errors): Unify code structure and improve types (#5278)
• 4b1922ad714e12dafaa83a40ec03275a39ac980c docs(content/v4/index): fix zod version (#5289)
• 3fcb20ff348e49aec70f45e0dca3de8a61450e77 Add frrm to ecosystem (#5292)
• fda4c7c2afbd7649261be1e7954f8c4d4de24a07 Make docs work without token
• af447384379faef28aa857fb53ef1da702c6d408 Fix lint
• 77c3c9f069a4cf168c0cbc58432803de887a6b1b Export bg.ts
• 3b946107b6c94b2ac8ff9fb451160c34dc4dd794 v4.1.12

v4.1.11

Commits:

• 2bed4b39760d8e4d678203b5c8fcaf24c182fc9f 4.1.11

v4.1.10

Commits:

• 7ffedd00169d8dc2e7cb7c6d878f29b03e05b3a3 Fix shape caching (#5263)
• 82cd717a0e7ee4e1737a783c7be278fa93fd8104 v4.1.10

v4.1.9

Commits:

• a78716d91da7649a61016b81c27f49fd9e79a81e Update zshy (#5249)
• 923af801fde9f033cfd7e0e753b421a554fe3be8 Publish zod@4.1.9

v4.1.8

Commits:

• 36c4ee354d0c1f47b7311e49f6dd4b7a11de04f5 Switch back to weakmap
• a1726d53172ba52ecf90999df73778cf416264fd 4.1.8

v4.1.7

Commits:

• 0cca351c8b152d7c4113ab7c2a44675efb060677 Fix variable name inconsistency in coercion documentation (#5188)
• aa78c270f1b43f4665339f4b61e7cb88037b8c84 Add copy/edit buttons
• 76452d4119d800a722b692755c1168627bc95f0f Update button txt
• 937f73c90cac90bd3b99b12c792c289b50416510 Fix tsconfig issue in bench
• 976b43657d4aff6d47c73c1c86125623ea08752d v4.1.6 (#5222)
• 4309c61304daf40aab2124b5f513abe2b4df8637 Fix cidrv6 validation - cidrv6 should reject invalid strings with multiple slashes (#5196)
• ef95a73b6d33299743e5ff4f0645b98c1b0d6f72 feat(locales): Add Lithuanian (lt) locale (#5210)
• 3803f3f37168212f2178e8b8deceb7bad78ed904 docs: update wrong contents in codeblocks in api.mdx (#5209)

... (truncated)

Commits

• 3b94610 v4.1.12
• 77c3c9f Export bg.ts
• af44738 Fix lint
• fda4c7c Make docs work without token
• 3fcb20f Add frrm to ecosystem (#5292)
• 4b1922a docs(content/v4/index): fix zod version (#5289)
• 02a5840 refac(errors): Unify code structure and improve types (#5278)
• 62bf4e4 fix(ZodError): prevent flatten() from crashing on 'toString' key (#5266)
• a0abcc0 docs(metadata.mdx): fix a mistake in an example output (#5248)
• c56a4f6 docs(ecosystem): add eslint-plugin-zod-x (#5261)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
arcjet-js-example	Error			Oct 24, 2025 11:53pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​15.5.4 ⏵ 16.0.0
	zod@​3.25.76 ⏵ 4.1.12	+1			+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		next@16.0.0 has a License Policy Violation. License: CC-BY-SA-4.0 (package/dist/compiled/glob/LICENSE) From: package-lock.json → npm/next@16.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report