Update dependency next-mdx-remote to v6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next-mdx-remote	^4.4.1 → ^6.0.0

---

next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content

CVE-2026-0969 / GHSA-g4xw-jxrg-5f6m

More information

Details

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-0969
• https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155
• https://github.com/hashicorp/next-mdx-remote/commit/4d527fdcaed911b87f427d0b4d3c711e817fa4b3
• https://github.com/hashicorp/next-mdx-remote/releases/tag/v6.0.0
• https://github.com/advisories/GHSA-g4xw-jxrg-5f6m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

hashicorp/next-mdx-remote (next-mdx-remote)

v6.0.0

Compare Source

Breaking/Major Changes

• #​448

• Updated unist-util-remove to ^4.0.0
• Introduced the parameters blockJS and blockDangerousJS that controls how JS in interpreted during compiling MDX. Both default to true for security reasons.
• Updated the README to explain this change: https://redirect.github.com/hashicorp/next-mdx-remote/pull/498/changes#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R393.

v5.0.0

Compare Source

Major Changes

• #​448 67a221f Thanks @​dstaley! - Update to MDX v3 and add support for React 19. Fix various TypeScript errors. Remove usage of Rollup.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: db16c04

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR