-
Notifications
You must be signed in to change notification settings - Fork 27.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert server action optimization #69925
Conversation
Stats from current PRDefault BuildGeneral
Client Bundles (main, webpack)
Legacy Client Bundles (polyfills)
Client Pages
Client Build Manifests
Rendered Page Sizes
Edge SSR bundle Size
Middleware size
Next Runtimes
build cache
Diff detailsDiff for page.jsDiff too large to display Diff for edge-ssr.jsDiff too large to display |
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@next/env](https://redirect.github.com/vercel/next.js) ([source](https://redirect.github.com/vercel/next.js/tree/HEAD/packages/next-env)) | [`14.2.9` -> `14.2.10`](https://renovatebot.com/diffs/npm/@next%2fenv/14.2.9/14.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@next%2fenv/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@next%2fenv/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@next%2fenv/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@next%2fenv/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [@next/eslint-plugin-next](https://redirect.github.com/vercel/next.js) ([source](https://redirect.github.com/vercel/next.js/tree/HEAD/packages/eslint-plugin-next)) | [`14.2.9` -> `14.2.10`](https://renovatebot.com/diffs/npm/@next%2feslint-plugin-next/14.2.9/14.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@next%2feslint-plugin-next/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@next%2feslint-plugin-next/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@next%2feslint-plugin-next/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@next%2feslint-plugin-next/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [@next/polyfill-module](https://redirect.github.com/vercel/next.js) ([source](https://redirect.github.com/vercel/next.js/tree/HEAD/packages/next-polyfill-module)) | [`14.2.9` -> `14.2.10`](https://renovatebot.com/diffs/npm/@next%2fpolyfill-module/14.2.9/14.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@next%2fpolyfill-module/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@next%2fpolyfill-module/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@next%2fpolyfill-module/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@next%2fpolyfill-module/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [@next/polyfill-nomodule](https://redirect.github.com/vercel/next.js) ([source](https://redirect.github.com/vercel/next.js/tree/HEAD/packages/next-polyfill-nomodule)) | [`14.2.9` -> `14.2.10`](https://renovatebot.com/diffs/npm/@next%2fpolyfill-nomodule/14.2.9/14.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@next%2fpolyfill-nomodule/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@next%2fpolyfill-nomodule/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@next%2fpolyfill-nomodule/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@next%2fpolyfill-nomodule/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [@next/react-refresh-utils](https://redirect.github.com/vercel/next.js) ([source](https://redirect.github.com/vercel/next.js/tree/HEAD/packages/react-refresh-utils)) | [`14.2.9` -> `14.2.10`](https://renovatebot.com/diffs/npm/@next%2freact-refresh-utils/14.2.9/14.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@next%2freact-refresh-utils/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@next%2freact-refresh-utils/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@next%2freact-refresh-utils/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@next%2freact-refresh-utils/14.2.9/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>vercel/next.js (@​next/env)</summary> ### [`v14.2.10`](https://redirect.github.com/vercel/next.js/compare/v14.2.9...v14.2.10) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.9...v14.2.10) </details> <details> <summary>vercel/next.js (@​next/eslint-plugin-next)</summary> ### [`v14.2.10`](https://redirect.github.com/vercel/next.js/compare/v14.2.9...v14.2.10) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.9...v14.2.10) </details> <details> <summary>vercel/next.js (@​next/polyfill-module)</summary> ### [`v14.2.10`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.10) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.9...v14.2.10) > \[!NOTE]\ > This release is backporting bug fixes. It does **not** include all pending features/changes on canary. ##### Core Changes - Remove invalid fallback revalidate value ([https://github.com/vercel/next.js/pull/69990](https://redirect.github.com/vercel/next.js/pull/69990)) - Revert server action optimization ([https://github.com/vercel/next.js/pull/69925](https://redirect.github.com/vercel/next.js/pull/69925)) - Add ability to customize Cache-Control ([#​69802](https://redirect.github.com/vercel/next.js/issues/69802)) ##### Credits Huge thanks to [@​huozhi](https://redirect.github.com/huozhi) and [@​ijjk](https://redirect.github.com/ijjk) for helping! </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Canary-nextjs).
So, the convenience of not having to split a file is more important than the security of not leaking actions? |
@TheDevMinerTV We'll investigate another solution and will fix on canary first, once it's stable we can backport again. On the other side we give better error messaging so they users can get hint to split the modules if possible, and documentation to improve the existign examples. |
I'd rather have the convenience of it just working securely as expected instead of getting compiler warnings / errors for actions. Just disable top-level magic strings. (or, y'know, remove the magic strings entirely and replace it with a function that you pass your own action functions into). |
This a very strange logic ! so while you are "investigate another solution" it was better to leave the fix for now and when there is a better stable solution replace the existing with the new one! Not remove the fix at all and leave a security issue just because it's not the optimal solution, And "better error messaging" is not a solution for a security issue. God help us if this is the main mindset for every action in this framework. I still remember the answer to the slowest ever dev server that it's the users problem not nextjs! |
@FairyPenguin An incorrect implementation of tree-shaking server actions caused breaking changes in production apps on a semver-patch release. The “security issue” of “leaking” actions is really a developer experience issue, where users misunderstand the documented behavior of server actions (to create an endpoint for functions that are exported from a file explicitly marked for server actions). DX improvements to prevent footguns are a “nice to have,” and cannot come at the cost of production-breaking framework bugs, which is why this feature was reverted. @huozhi has said the team intends to work on bringing the feature back once there’s time to implement it without unexpected breaking changes, which is the correct approach. In the meantime, if the security model of your app depends on explicitly creating endpoints which you never use and which must never be called, you should either (1) pin |
You are not embarrassed of yourself ?!! Your reply needs not just to be a screenshot for learning how to do every logical fallacy and manipulate the words of others and finally play the victim but it's a lesson for how much far people can go behind the words of contributor and opensource to justify the right from the wrong and enforce a lie and wrong technical decisions in a very clear situation that doesn't need any Justifications, fabrications, and twisting and turning! When there was a memory leak in framework and many dev includes me reported that and you replied no no no memory leak and at the end turns there is a memory leak and was fixed !! and the slowness of the dev server and i lost count !! If you are not embarrassing yourself you need to take care of your mental health very well. |
The problem could have been solved long time ago if they acknowledged the issue before hand, not acting like was a quirk and not a security issue. When the main issue first appeared, took weeks and clout for it to be really seen, ack'd and fixed. Now reverting back to a known issue just because "the dx of the other app" is worse is such a weird move. |
This happened exactly in every issue was reported i lost the count 1- The memory leak issue 2- the slow dev server 3- the problem with sharp 4- the server actions ...... I really can't remember how many times it the same attitude and playing the victim and blame the developers for each wrong technical decision they made or an issue appears. |
"The “security issue” of “leaking” actions is really a developer experience issue" The first paragraph from Authentication and authorization says: The root issue lies on the fact that every async function exported from the file with top level Acting as if it wasn't an issue is just lolz. |
Reverting unused server actions optimization on 14.2 to avoid complex nested server actions failing. We're addressing the documentation updates in vercel/ai#2956
Revert #69788
Revert #69178