Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency next to v14.2.15 [security] #79

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency next to v14.2.15 [security] #79

wants to merge 1 commit into from
+45 −45

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 24, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 14.2.5 -> 14.2.15 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-46982

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

  • Next.js between 13.5.1 and 14.2.9
  • Using pages router
  • Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

  • Deployments using only app router
  • Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

  • Allam Rachid (zhero_)
  • Henry Chen

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

  • The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
  • The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example:

  • [Not affected] https://example.com/
  • [Affected] https://example.com/foo
  • [Not affected] https://example.com/foo/bar

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Release Notes

vercel/next.js (next)

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

v14.2.12

Compare Source

v14.2.11

Compare Source

v14.2.10

Compare Source

v14.2.9

Compare Source

v14.2.8

Compare Source

v14.2.7

Compare Source

v14.2.6

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner September 24, 2024 20:10
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 24, 2024
edited
Loading

Visit the preview URL for this PR (updated for commit 192572f):

https://community-cookbook-staging--pr79-renovate-npm-next-vu-t7cqtgbm.web.app

(expires Thu, 26 Dec 2024 00:42:33 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 1b876338aafcf55b4a02f1877984e116731756b1

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 8 times, most recently from d683ca0 to df15079 Compare October 2, 2024 16:10
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from 3135a94 to d432f51 Compare October 14, 2024 15:30
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from d432f51 to 6b76540 Compare October 16, 2024 21:13
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from c6afcdc to c0102e3 Compare November 19, 2024 21:29
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from c0102e3 to 4b34bd2 Compare November 25, 2024 15:37
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 4b34bd2 to c389933 Compare December 6, 2024 13:57
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from c389933 to 192572f Compare December 19, 2024 00:40
@renovate renovate bot changed the title chore(deps): update dependency next to v14.2.10 [security] chore(deps): update dependency next to v14.2.15 [security] Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants