-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency next to v14 [security] #631
base: main
Are you sure you want to change the base?
Conversation
👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎ This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
8053b38
to
1481b8d
Compare
1481b8d
to
12a7c46
Compare
12a7c46
to
b7749d2
Compare
Quality Gate passedIssues Measures |
b7749d2
to
62ac1e2
Compare
Quality Gate passedIssues Measures |
Report too large to display inline |
This PR contains the following updates:
^11.1.2
->^14.0.0
13.0.5
->14.2.15
GitHub Vulnerability Alerts
CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the
next.config.js
file must have animages.domains
array assigned and the image host assigned inimages.domains
must allow user-provided SVG. If thenext.config.js
file hasimages.loader
assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, changenext.config.js
to use a differentloader configuration
other than the default.Impact
next.config.js
file has images.domains array assignednext.config.js
file has images.loader assigned to something other than defaultPatches
Next.js 12.1.0
Workarounds
Change
next.config.js
to use a different loader configuration other than the default, for example:Or if you want to use the
loader
prop on the component, you can usecustom
:CVE-2023-46298
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
CVE-2024-47831
Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
next.config.js
file is configured withimages.unoptimized
set totrue
orimages.loader
set to a non-default value.Patches
This issue was fully patched in Next.js
14.2.7
. We recommend that users upgrade to at least this version.Workarounds
Ensure that the
next.config.js
file has eitherimages.unoptimized
,images.loader
orimages.loaderFile
assigned.Credits
Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras
CVE-2024-51479
Impact
If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.
Patches
This issue was patched in Next.js
14.2.15
and later.If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
Release Notes
vercel/next.js (next)
v14.2.15
Compare Source
Core Changes
Credits
Huge thanks to @ztanner, @agadzik, @huozhi, @styfle, @icyJoseph and @wyattjoh for helping!
v14.2.14
Compare Source
Core Changes
Credits
Huge thanks to @styfle, @ztanner, @ijjk, @huozhi and @wyattjoh for helping!
v14.2.13
Compare Source
v14.2.12
Compare Source
v14.2.11
Compare Source
v14.2.10
Compare Source
v14.2.9
Compare Source
v14.2.8
Compare Source
v14.2.7
Compare Source
v14.2.6
Compare Source
v14.2.5
Compare Source
v14.2.4
Compare Source
Core Changes
Credits
Huge thanks to @ztanner, @ijjk, @wbinnssmith, @huozhi, and @lubieowoce for helping!
v14.2.3
Compare Source
v14.2.2
Compare Source
v14.2.1
Compare Source
v14.2.0
Compare Source
v14.1.4
Compare Source
v14.1.3
Compare Source
v14.1.2
Compare Source
v14.1.1
Compare Source
Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary
Core Changes
Credits
Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!
v14.1.0
Compare Source
v14.0.4
Compare Source
v14.0.3
Compare Source
v14.0.2
Compare Source
v14.0.1
Compare Source
Core Changes
8c8ee9e
to0c63487
and types: #57772Documentation Changes
Example Changes
with-youtube-embed
example: #57367with-google-maps-embed
example: #57365Misc Changes
create-next-app
: #57262Credits
Huge thanks to @dijonmusters, @sokra, @philwolstenholme, @IgorKowalczyk, @housseindjirdeh, @Zoe-Bot, @HanCiHu, @JackHowa, @goncy, @hirotomoyamada, @pveyes, @yeskunall, @vinaykulk621, @ChendayUP, @leerob, @dvoytenko, @mknichel, @ijjk, @hmaesta, @ajz003, @its-kunal, @joelhooks, @blurrah, @tariknh, @Vinlock, @Nayeem-XTREME, @aziyatali, @aspehler, @huozhi, @ztanner, @ForsakenHarmony, @moka-ayumu, and @gnoff for helping!
v14.0.0
Compare Source
v13.5.7
Compare Source
v13.5.6
Compare Source
Core Changes
Credits
Huge thanks to @ijjk @huozhi @gnoff for helping!
v13.5.5
Compare Source
v13.5.4
Compare Source
Core Changes
beta.nextjs.org
Links: #55924config.experimental.workerThreads
: #55257swc_core
tov0.83.26
: #55780swc_core
tov0.83.26
": #56077permanentRedirect
return 308 in route handlers: #56065boolean
instead offalse
for experimental logging config: #56110postcss
: #56225Documentation Changes
not-found
to file conventions page: #55944extension
option tocreateMDX()
: #55967.bind
method: #56164Response.json
overNextResponse.json
: #56173Example Changes
with-jest
: #56152with-jest
types: #56193with-stripe-typescript
example: #56274Misc Changes
swc_core
tov0.83.28
: #56134Credits
Huge thanks to @balazsorban44, @sdkdeepa, @aayman997, @mayank1513, @timneutkens, @2XG-DEV, @eliot-akira, @hi-matthew, @riobits, @wbinnssmith, @ijjk, @sokra, @dvoytenko, @rishabhpoddar, @manovotny, @A7med3bdulBaset, @huozhi, @jridgewell, @joulev, @SukkaW, @kdy1, @feedthejim, @Fredkiss3, @styfle, @MildTomato, @ForsakenHarmony, @walfly, @bzhn, @shuding, @boylett, @Loki899899, @devrsi0n, @ImBIOS, @vinaykulk621, @ztanner, @sdaigo, @hamirmahal, @blurrah, @omarmciver, and @alexBaizeau for helping!
v13.5.3
Compare Source
v13.5.2
Compare Source
Core Changes
d6dcad6
to2807d78
: #55590@vercel/og
andsatori
: #55654named_import
transform: #55664Documentation Changes
create-next-app
templates: Changebun run dev
commands tobun dev
: #55603Example Changes
Misc Changes
Credits
Huge thanks to @padmaia, @mayank1513, @jakeboone02, @balazsorban44, @kwonoj, @huozhi, @Yovach, @ztanner, @wyattjoh, @GabenGar, @timneutkens, and @shuding for helping!
v13.5.1
Compare Source
Core Changes
output: export
in app router: #54202ua-parser-js
: #54404ssr: false
in App Router: #54411named_import_transform
: #54530optimize_barrel
SWC transform and newoptimizePackageImports
config: #54572permanentRedirect
function in App Router: #54047preload
is not exported fromreact-dom
: #54688@visx/visx
to the import optimization list: #54778/
: [#54744](https://redirect.githuConfiguration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.