feat: fs x

[matheusps]

[WIP]

Changeset:

• Next 15 update
• React 19 update
• App router update
• Configure third party scripts using Next Script
• Use Next font
• FS Router module
• Server side RenderSections

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

[semgrep-code-vtex-org]

Risk: Affected versions of next are vulnerable to Improper Authorization. Improper authorization handling in Next.js applications enables attackers to bypass security controls for paths directly under the application's root directory, potentially exposing sensitive data or functionality. This issue affects versions prior to Next.js 14.2.15, where authorization logic based solely on pathname fails to account for certain direct page accesses.

Manual Review Advice: A vulnerability from this advisory is reachable if you use authorization to protect a page directly under the application's root directory (for example, https://example.com/foo) and you do NOT host your application on Vercel

Fix: Upgrade this library to at least version 14.2.15 at faststore/pnpm-lock.yaml:7944.

Reference(s): GHSA-7gfc-8cq8-jh5f, CVE-2024-51479

🎈 Fixed in commit 67906b0 🎈

[semgrep-code-vtex-org]

Risk: Affected versions of next are vulnerable to Improper Authorization. Next.js middleware-based authorization checks can be bypassed by an attacker who forges external requests that include a specific header, tricking the application into treating the request as a trusted internal call and thus bypassing access controls.

Manual Review Advice: A vulnerability from this advisory is reachable if you perform authorization in the middleware

Fix: Upgrade this library to at least version 15.2.3 at faststore/pnpm-lock.yaml:7843.

Reference(s): GHSA-f82v-jwr5-mffw, CVE-2025-29927

🎉 Removed in commit 3f17bfb 🎉

[semgrep-code-vtex-org]

Risk: Affected versions of next are vulnerable to Improper Authorization. Next.js middleware-based authorization checks can be bypassed by an attacker who forges external requests that include a specific header, tricking the application into treating the request as a trusted internal call and thus bypassing access controls.

Manual Review Advice: A vulnerability from this advisory is reachable if you perform authorization in the middleware

Fix: Upgrade this library to at least version 15.2.3 at faststore/pnpm-lock.yaml:7843.

Reference(s): GHSA-f82v-jwr5-mffw, CVE-2025-29927

🧼 Removed in commit 3f17bfb 🧼

[semgrep-code-vtex-org]

Risk: Affected versions of next are vulnerable to Improper Authorization. Improper authorization handling in Next.js applications enables attackers to bypass security controls for paths directly under the application's root directory, potentially exposing sensitive data or functionality. This issue affects versions prior to Next.js 14.2.15, where authorization logic based solely on pathname fails to account for certain direct page accesses.

Manual Review Advice: A vulnerability from this advisory is reachable if you use authorization to protect a page directly under the application's root directory (for example, https://example.com/foo) and you do NOT host your application on Vercel

Fix: Upgrade this library to at least version 14.2.15 at faststore/pnpm-lock.yaml:7944.

Reference(s): GHSA-7gfc-8cq8-jh5f, CVE-2024-51479

✨ Fixed in commit 67906b0 ✨

[semgrep-code-vtex-org]

Risk: Affected versions of next are vulnerable to Improper Authorization. Next.js middleware-based authorization checks can be bypassed by an attacker who forges external requests that include a specific header, tricking the application into treating the request as a trusted internal call and thus bypassing access controls.

Manual Review Advice: A vulnerability from this advisory is reachable if you perform authorization in the middleware

Fix: Upgrade this library to at least version 15.2.3 at faststore/pnpm-lock.yaml:7843.

Reference(s): GHSA-f82v-jwr5-mffw, CVE-2025-29927

_{💬 To ignore this, reply with:
• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-91c0a03f-a79a-4539-915f-c718686fa6b7.}

[semgrep-code-vtex-org]

Risk: Affected versions of next are vulnerable to Improper Authorization. Next.js middleware-based authorization checks can be bypassed by an attacker who forges external requests that include a specific header, tricking the application into treating the request as a trusted internal call and thus bypassing access controls.

Manual Review Advice: A vulnerability from this advisory is reachable if you perform authorization in the middleware

Fix: Upgrade this library to at least version 15.2.3 at faststore/pnpm-lock.yaml:7843.

Reference(s): GHSA-f82v-jwr5-mffw, CVE-2025-29927

_{💬 To ignore this, reply with:
• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-91c0a03f-a79a-4539-915f-c718686fa6b7.}