[Snyk] Security upgrade next from 10.2.3 to 13.5.4

[Woodpile37]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • examples/blog-with-comment/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	49/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00055, Social Trends: No, Days since published: 313, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.06, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	Yes	No Known Exploit
	124/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00163, Social Trends: No, Days since published: 337, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.06, Score Version: V5	Prototype Pollution SNYK-JS-LOADERUTILS-3043105	Yes	No Known Exploit
	49/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00084, Social Trends: No, Days since published: 334, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.06, Score Version: V5	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	Yes	No Known Exploit
	75/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Changed, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00061, Social Trends: No, Days since published: 786, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.54, Likelihood: 1.64, Score Version: V5	Open Redirect SNYK-JS-NEXT-1540422	Yes	No Known Exploit
	81/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00061, Social Trends: No, Days since published: 767, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 4.19, Likelihood: 1.93, Score Version: V5	Cross-site Scripting (XSS) SNYK-JS-NEXT-1577139	Yes	No Known Exploit
	134/1000 Why? Confidentiality impact: None, Integrity impact: High, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.00105, Social Trends: No, Days since published: 596, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.23, Score Version: V5	User Interface (UI) Misrepresentation of Critical Information SNYK-JS-NEXT-2405694	Yes	No Known Exploit
	104/1000 Why? Confidentiality impact: High, Integrity impact: None, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): Low, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.0011, Social Trends: No, Days since published: 628, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 5.99, Likelihood: 1.73, Score Version: V5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	49/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.00045, Social Trends: No, Days since published: 6, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.06, Score Version: V5	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	164/1000 Why? Confidentiality impact: High, Integrity impact: High, Availability impact: High, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: High, Attack Vector: Network, EPSS: 0.0016, Social Trends: No, Days since published: 715, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 9.79, Likelihood: 1.67, Score Version: V5	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: next

The new version differs by 250 commits.

• 1e8dca4 v13.5.4
• 9e24d6f v13.5.4-canary.11
• 281ae41 Fix build output logging order (Fix build output logging order vercel/next.js#56335)
• d7626ff Revert "misc: shortcut styled-jsx in external resolution (misc: shortcut styled-jsx in external resolution vercel/next.js#56291)" (Revert "misc: shortcut styled-jsx in external resolution (#56291)" vercel/next.js#56334)
• db48052 v13.5.4-canary.10
• 7df92b8 test: add flaky turbopack integration tests to manifest (test: add flaky turbopack integration tests to manifest vercel/next.js#56309)
• eeb9b33 fix: Invalid URL (404) provided on server actions error (fix: Invalid URL (404) provided on server actions error vercel/next.js#56323)
• 3172cfe fix: support both decoded and encoded url requests of conventioned files (fix: support both decoded and encoded url requests of conventioned files  vercel/next.js#56187)
• a2f9ef5 fix(next/client): keep hash when navigating from app to pages router (fix(next/client): keep hash when navigating from app to pages router vercel/next.js#56223)
• a970f28 Add code freeze GitHub actions for releasing (Add code freeze GitHub actions for releasing vercel/next.js#56325)
• 5fbc23e misc: fix instrumentation with bundled server (misc: fix instrumentation with bundled server vercel/next.js#56318)
• 98432a4 Remove buildId test as it's no longer relevant (Remove buildId test as it's no longer relevant vercel/next.js#56316)
• 86274e6 fix(app dir next.config.js option crossOrigin: 'anonymous' not working vercel/next.js#53190): add missing crossOrigin to assetsPrefix resources (fix(#53190): add missing crossOrigin to assetsPrefix resources vercel/next.js#56311)
• e970e05 Reland static prefetches & fix prefetch bailout behavior (Reland static prefetches & fix prefetch bailout behavior vercel/next.js#56228)
• be952fb fix: typo in `with-stripe-typescript` example (fix: typo in with-stripe-typescript example vercel/next.js#56274)
• 7f60cc8 Support serverRuntimeConfig and publicRuntimeConfig in Turbopack (Support serverRuntimeConfig and publicRuntimeConfig in Turbopack vercel/next.js#56310)
• 8d18ad6 update webp crate (update webp crate vercel/next.js#56307)
• ac95a20 Fix flaky test for size output (Fix flaky test for size output vercel/next.js#56303)
• dba978f misc: shortcut styled-jsx in external resolution (misc: shortcut styled-jsx in external resolution vercel/next.js#56291)
• 458dab8 misc: update code owners (misc: update code owners vercel/next.js#56290)
• 5254aae Update image.mdx (Update image.mdx vercel/next.js#56266)
• 0d4859b Update image.mdx (Update image.mdx vercel/next.js#56269)
• 59bda2d More Turbopack fixes (More Turbopack fixes vercel/next.js#56299)
• ecd94c1 misc: enable source maps for bundled runtime (misc: enable source maps for bundled runtime vercel/next.js#56289)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Open Redirect
🦉 More lessons are available in Snyk Learn

[changeset-bot]

⚠️ No Changeset found

Latest commit: 72b82a7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codeautopilot]

Pull Request Summary

This Pull Request is an automated security upgrade from Snyk to fix vulnerabilities in the next package. The vulnerable dependencies in the examples/blog-with-comment/package.json file are being upgraded from version 10.2.3 to version 13.5.4.

The vulnerabilities that will be fixed with this upgrade are:

1. Regular Expression Denial of Service (ReDoS) - Medium severity

   • Impact: Confidentiality impact: None, Integrity impact: None, Availability impact: Low
   • Exploit Maturity: No known exploit
   • More information

2. Prototype Pollution - High severity

   • Impact: Confidentiality impact: None, Integrity impact: None, Availability impact: High
   • Exploit Maturity: No known exploit
   • More information

3. Regular Expression Denial of Service (ReDoS) - Medium severity

   • Impact: Confidentiality impact: None, Integrity impact: None, Availability impact: Low
   • Exploit Maturity: No known exploit
   • More information

4. Open Redirect - Medium severity

   • Impact: Confidentiality impact: Low, Integrity impact: Low, Availability impact: None
   • Exploit Maturity: No known exploit
   • More information

5. Cross-site Scripting (XSS) - Medium severity

   • Impact: Confidentiality impact: Low, Integrity impact: Low, Availability impact: None
   • Exploit Maturity: No known exploit
   • More information

6. User Interface (UI) Misrepresentation of Critical Information - Medium severity

   • Impact: Confidentiality impact: None, Integrity impact: High, Availability impact: None
   • Exploit Maturity: No known exploit
   • More information

7. Information Exposure - Medium severity

   • Impact: Confidentiality impact: High, Integrity impact: None, Availability impact: None
   • Exploit Maturity: No known exploit
   • More information

8. Improper Input Validation - Medium severity

   • Impact: Confidentiality impact: None, Integrity impact: Low, Availability impact: None
   • Exploit Maturity: No known exploit
   • More information

9. Remote Code Execution (RCE) - High severity

   • Impact: Confidentiality impact: High, Integrity impact: High, Availability impact: High
   • Exploit Maturity: No known exploit
   • More information

These vulnerabilities have different impacts and exploit maturity levels, but they are all considered high or medium severity. The upgrade to version 13.5.4 of the next package will fix these vulnerabilities and improve the security of the project.

---

Current plan usage: 19.36%

---

Have feedback or need help?

Discord
Documentation
support@codeautopilot.com

[bridgecrew]

Bridgecrew has found errors in this PR ⬇️