fix(deps): update dependency next to v15.4.7 [security] (#6134)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [next](https://nextjs.org)
([source](https://redirect.github.com/vercel/next.js)) | [`15.3.3` ->
`15.4.7`](https://renovatebot.com/diffs/npm/next/15.3.3/15.4.7) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/next/15.4.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/15.3.3/15.4.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-55173](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v)

A vulnerability in **Next.js Image Optimization** has been fixed in
**v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled
external image sources to trigger file downloads with arbitrary content
and filenames under specific configurations. This behavior could be
abused for phishing or malicious file delivery.

All users relying on `images.domains` or `images.remotePatterns` are
encouraged to upgrade and verify that external image sources are
strictly validated.

More details at [Vercel
Changelog](https://vercel.com/changelog/cve-2025-55173)

####
[CVE-2025-57752](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v)

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5
and v14.2.31. When images returned from API routes vary based on request
headers (such as `Cookie` or `Authorization`), these responses could be
incorrectly cached and served to unauthorized users due to a cache key
confusion bug.

All users are encouraged to upgrade if they use API routes to serve
images that depend on request headers and have image optimization
enabled.

More details at [Vercel
Changelog](https://vercel.com/changelog/cve-2025-57752)

####
[CVE-2025-57822](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f)

A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32**
and **v15.4.7**. The issue occurred when request headers were directly
passed into `NextResponse.next()`. In self-hosted applications, this
could allow Server-Side Request Forgery (SSRF) if certain sensitive
headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted
environments are strongly encouraged to upgrade and verify correct usage
of the `next()` function.

More details at [Vercel
Changelog](https://vercel.com/changelog/cve-2025-57822)

---

### Release Notes

<details>
<summary>vercel/next.js (next)</summary>

###
[`v15.4.7`](https://redirect.github.com/vercel/next.js/compare/v15.4.6...v15.4.7)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.4.6...v15.4.7)

###
[`v15.4.6`](https://redirect.github.com/vercel/next.js/releases/tag/v15.4.6)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.4.5...v15.4.6)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all
pending features/changes on canary.

##### Core Changes

- fix: `_error` page's `req.url` can be overwritten to dynamic param on
minimal mode
([#&#8203;82347](https://redirect.github.com/vercel/next.js/issues/82347))
- fix: add `?dpl` to fonts in `/_next/static/media`
([#&#8203;82384](https://redirect.github.com/vercel/next.js/issues/82384))

##### Credits

Huge thanks to
[@&#8203;devjiwonchoi](https://redirect.github.com/devjiwonchoi),
[@&#8203;ijjk](https://redirect.github.com/ijjk), and
[@&#8203;styfle](https://redirect.github.com/styfle) for helping!

###
[`v15.4.5`](https://redirect.github.com/vercel/next.js/compare/v15.4.4...v15.4.5)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.4.4...v15.4.5)

###
[`v15.4.4`](https://redirect.github.com/vercel/next.js/compare/v15.4.3...fe5db65859f0658d1c4701635ec4f4e5ec507e64)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.4.3...v15.4.4)

###
[`v15.4.3`](https://redirect.github.com/vercel/next.js/compare/v15.4.2...v15.4.3)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.4.2...v15.4.3)

###
[`v15.4.2`](https://redirect.github.com/vercel/next.js/compare/v15.4.1...1617b2663777a6fe551dda6edd8b5c43470c39ca)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.4.1...v15.4.2)

###
[`v15.4.1`](https://redirect.github.com/vercel/next.js/compare/13d3c8ca0f67e25aae7485f44c7fe20e3754f9ef...079c06d3c3421c23080dffc6b3c46859f6438212)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.4.0...v15.4.1)

###
[`v15.4.0`](https://redirect.github.com/vercel/next.js/compare/v15.3.5...13d3c8ca0f67e25aae7485f44c7fe20e3754f9ef)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.3.5...v15.4.0)

###
[`v15.3.5`](https://redirect.github.com/vercel/next.js/releases/tag/v15.3.5)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.3.4...v15.3.5)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all
pending features/changes on canary.

##### Core Changes

- Turbopack: list assert/strict as external
([#&#8203;80884](https://redirect.github.com/vercel/next.js/issues/80884))
- omit searchParam data from FlightRouterState before transport
([#&#8203;80734](https://redirect.github.com/vercel/next.js/issues/80734))
- bugfix: propagate staleTime to seeded prefetch entry
([#&#8203;81263](https://redirect.github.com/vercel/next.js/issues/81263))

##### Misc Changes

- document turbopack trace viewer
([#&#8203;78184](https://redirect.github.com/vercel/next.js/issues/78184))

##### Credits

Huge thanks to [@&#8203;ztanner](https://redirect.github.com/ztanner),
[@&#8203;mischnic](https://redirect.github.com/mischnic), and
[@&#8203;bgw](https://redirect.github.com/bgw) for helping!

###
[`v15.3.4`](https://redirect.github.com/vercel/next.js/releases/tag/v15.3.4)

[Compare
Source](https://redirect.github.com/vercel/next.js/compare/v15.3.3...v15.3.4)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all
pending features/changes on canary.

##### Core Changes

- \[metadata] render streaming metadata on the top level
([#&#8203;80566](https://redirect.github.com/vercel/next.js/issues/80566))
- \[fix] clone the config module to avoid mutation
([#&#8203;80573](https://redirect.github.com/vercel/next.js/issues/80573))

##### Credits

Huge thanks to [@&#8203;huozhi](https://redirect.github.com/huozhi) for
helping!

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Zurich,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/swisspost/design-system).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44Mi43IiwidXBkYXRlZEluVmVyIjoiNDEuMTMxLjkiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIuKbk++4jyBkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Lea <[email protected]>

Author: renovate[bot]

packages/nextjs-integration/package.json

@@ -27,7 +27,7 @@
   "dependencies": {
     "@swisspost/design-system-components-react": "workspace:10.0.0-next.49",
     "@swisspost/design-system-styles": "workspace:10.0.0-next.49",
-    "next": "15.3.3",
+    "next": "15.4.7",
     "react": "19.1.1",
     "react-dom": "19.1.1"
   },