fix(deps): update dependency @sentry/nextjs to v7.77.0 [security] - autoclosed #596
Kudos, SonarCloud Quality Gate passed!
🚨 Potential security issues detected. Learn more about Socket for GitHub. To accept the risk, merge this PR and you will not be notified again.
Next steps
What is an install script?
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts. Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with
This PR contains the following updates:
@sentry/nextjs: 7.74.1 -> 7.77.0
GitHub Vulnerability Alerts
CVE-2023-46729
Impact
An unsanitized input to the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open the door to other attack vectors.
This issue only affects users who have Next.js SDK tunneling feature enabled.
Patches
The problem has been fixed in @sentry/nextjs@7.77.0.
Workarounds
Disable tunneling by removing the tunnelRoute option from the Sentry Next.js SDK config (next.config.js or next.config.mjs).
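As an added example (not code from this PR or from the Sentry SDK), the following tunnel handler shows the property the advisory describes as missing: it forwards an envelope only to the ingest host and project of an allowlisted DSN, so the endpoint cannot be used as a relay to arbitrary URLs. The sample DSN value, the Next.js route shape and the names parseDsn, resolveTunnelTarget and tunnelHandler are assumptions.

```javascript
// Added example, not code from this PR or the Sentry SDK: a Sentry tunnel
// endpoint that forwards only to an allowlisted DSN, never to request-chosen hosts.

// DSNs this tunnel is willing to forward for (constructed sample value).
const ALLOWED_DSNS = ["https://examplePublicKey@o123456.ingest.sentry.io/654321"];

// Split a DSN (protocol://publicKey@host/projectId) into the parts the
// tunnel needs; returns null for anything that does not fit that shape.
function parseDsn(dsn) {
  let url;
  try {
    url = new URL(dsn);
  } catch {
    return null;
  }
  const projectId = url.pathname.split("/").filter(Boolean).pop() || "";
  if (!/^\d+$/.test(projectId)) return null;
  return { protocol: url.protocol, host: url.host, projectId };
}

// Read the envelope header (first line of the body), look up its DSN in the
// allowlist and return the upstream ingest URL, or null to refuse the request.
function resolveTunnelTarget(envelopeBody, allowedDsns = ALLOWED_DSNS) {
  let header;
  try {
    header = JSON.parse(envelopeBody.split("\n", 1)[0]);
  } catch {
    return null;
  }
  if (!header || typeof header.dsn !== "string") return null;
  const requested = parseDsn(header.dsn);
  if (!requested) return null;
  const match = allowedDsns
    .map(parseDsn)
    .find((d) => d && d.host === requested.host && d.projectId === requested.projectId);
  if (!match) return null;
  // Build the destination from the allowlisted entry, never from request data.
  return `${match.protocol}//${match.host}/api/${match.projectId}/envelope/`;
}

// Handler in the shape of a Next.js pages API route (assumed for illustration).
async function tunnelHandler(req, res) {
  const body = typeof req.body === "string" ? req.body : "";
  const target = resolveTunnelTarget(body);
  if (!target) {
    res.status(400).json({ error: "envelope DSN is not allowlisted" });
    return;
  }
  const upstream = await fetch(target, { method: "POST", body });
  res.status(upstream.status).end();
}
```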
Release Notes
getsentry/sentry-javascript (@sentry/nextjs)
v7.77.0
v7.76.0
Important Changes
This release adds Sentry.withMonitor(), a wrapping function that wraps a callback with a cron monitor that will automatically report completions and failures.
Other Changes
- jsx and tsx file extensions (#9362)
- replay_id is not added to DSC if session expired (#9359)
Work in this release contributed by @LubomirIgonda1. Thank you for your contribution!
v7.75.1
v7.75.0
Important Changes
@sentry/opentelemetry package (#9238)
This release publishes a new package, @sentry/opentelemetry. It is a runtime-agnostic replacement for @sentry/opentelemetry-node and exports a couple of useful utilities for using Sentry together with OpenTelemetry. You can read more about @sentry/opentelemetry in its Readme.
Starting with this release, you can configure the following build-time flags in order to reduce the SDK bundle size:
- __RRWEB_EXCLUDE_CANVAS__
- __RRWEB_EXCLUDE_IFRAME__
- __RRWEB_EXCLUDE_SHADOW_DOM__
You can read more about tree shaking in our docs.
Other Changes
- lru_map dependency (#9300)
- cookie module (#9308)
- Replay and BrowserTracing integrations tree-shakeable (#9287)
- autoInstrumentMiddleware functionality (#9323)
- getInitialProps may return undefined (#9342)
Bundle size 📦
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.