-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency next to v12 [security] - autoclosed #81
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
July 27, 2022 14:22
1316c4d
to
3cd9c45
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅ ❗ Your organization needs to install the Codecov GitHub app to enable full functionality. 📢 Thoughts on this report? Let us know!. |
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
January 16, 2023 09:00
3cd9c45
to
43eb586
Compare
renovate
bot
changed the title
chore(deps): update dependency next to v12 [security]
chore(deps): update dependency next to v12 [security] - autoclosed
Feb 2, 2023
renovate
bot
changed the title
chore(deps): update dependency next to v12 [security] - autoclosed
chore(deps): update dependency next to v12 [security]
Feb 2, 2023
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
February 13, 2023 05:55
43eb586
to
1ee213c
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
March 27, 2023 06:38
1ee213c
to
67f69d4
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
April 24, 2023 03:27
67f69d4
to
ed2c54b
Compare
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
renovate
bot
changed the title
chore(deps): update dependency next to v12 [security]
chore(deps): update dependency next to v12 [security] - autoclosed
Oct 24, 2023
renovate
bot
changed the title
chore(deps): update dependency next to v12 [security] - autoclosed
chore(deps): update dependency next to v12 [security]
Oct 31, 2023
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
October 31, 2023 21:39
ed2c54b
to
47aed49
Compare
Please retry analysis of this Pull-Request directly on SonarCloud. |
renovate
bot
changed the title
chore(deps): update dependency next to v12 [security]
chore(deps): update dependency next to v12 [security] - autoclosed
Nov 1, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
11.1.3
->12.1.0
GitHub Vulnerability Alerts
CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the
next.config.js
file must have animages.domains
array assigned and the image host assigned inimages.domains
must allow user-provided SVG. If thenext.config.js
file hasimages.loader
assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, changenext.config.js
to use a differentloader configuration
other than the default.Impact
next.config.js
file has images.domains array assignednext.config.js
file has images.loader assigned to something other than defaultPatches
Next.js 12.1.0
Workarounds
Change
next.config.js
to use a different loader configuration other than the default, for example:Or if you want to use the
loader
prop on the component, you can usecustom
:Release Notes
vercel/next.js (next)
v12.1.0
Compare Source
Core Changes
artifactDirectory
: #33918react-dom/server.browser
in Node.js: #33950ReadableStream
inRenderResult
: #34005Link
to pass event toonClick
handler: #27723lazyRoot
functionality fornext/image
: #33933Router
state immutable: #33925render
andrenderError
methods fromnext/client
: #34069concurrentFeatures
withruntime
: #34068renderToStream
with React 18: #34106next/image
usage fromnode_modules
: #33559react-dom/server.browser
whenreactRoot: true
: #34116.env
file in standalone mode: #34143next-server.ts
: #34230runtime
is set tonodejs
: #34228node-sass@7
as peer dependency: #34107<RouteAnnouncer/>
shouldn't announce initial path under strict mode and React 18: #34338dangerouslyAllowSVG
andcontentSecurityPolicy
: #34431.svg
image optimization with aloader
prop: #34452Documentation Changes
.end
instead of.send
when no body is being sent: #33611profileData
todata
in CSR page: #34018async
to middleware docs.: #31356url
tonextUrl
inside delete-query-params-in-middlewa…: #33796fallback: true
: #34114invalid-api-status-body
error: #34150lazyRoot
prop: #34241getting started
: #34282getInitialProps
: #34309Example Changes
yarn lint
.: #34019next/image
in the Sanity example: #34203profile
in firebase example: #34457Misc Changes
Credits
Huge thanks to @MaedahBatool, @mutebg, @sokra, @huozhi, @hanford, @shuding, @sean6bucks, @jameshfisher, @devknoll, @yuta-ike, @zh-lx, @amandeepmittal, @alunyov, @stefanprobst, @leerob, @balazsorban44, @kdy1, @brittanyrw, @jord1e, @kara, @vvo, @ismaelrumzan, @dlindenkreuz, @MohammadxAli, @nguyenyou, @thibautsabot, @hanneslund, @vertti, @KateKate, @stefee, @mikinovation, @Leticijak, @mohsen1, @ncphillips, @ehowey, @lancechentw, @krychaxp, @fmacherey, @pklawansky, @RyanClementsHax, @lakbychance, @sannajammeh, @oliviertassinari, @alexander-akait, @u-yas, @Cheprer, @msp5382, @chrispat, @getspooky, @Ryz0nd, @klaasman, @midgleyc, @kumard3, @jesstelford, @neeraj3029, @glenngijsberts, @pie6k, @wouterraateland, @timneutkens, @11koukou, @thesyedbasim, @aeneasr, @ijjk, @lfades, @JuniorTour, @xavhan, @mattyocode, @padmaia, @Skn0tt, @gwer, @Nutlope, @styfle, @stipsan, @xhoantran, @eolme, @sespinosa, @zenorocha, @hjaber, @benmvp, @T-O-R-U-S, @dburrows, @atcastle, @kiriny, @molebox, @kitayoshi, and @Schniz for helping!
v12.0.10
Compare Source
Core Changes
compress
configurable in standalone mode: #33717stale-while-revalidate
pattern to Image Optimization API: #33735Documentation Changes
Example Changes
with-docker
example dockerfile: #33695Misc Changes
lock.yml
Credits
Huge thanks to @Vienio99, @balazsorban44, @kyliau, @molebox, @huozhi, @shuding, @PepijnSenders, @krystofex, @PizzaPete, @souljuse, @styfle, @Schniz, @Nelsonfrank, @ijjk, @Mhmdrza, @timneutkens, @hideokamoto-stripe, @Emrin, @gr-qft, @delbaoliveira, @redbar0n, @amandeepmittal, @lxy-yz, and @Divlo for helping!
v12.0.9
Compare Source
This upgrade is completely backward-compatible and recommended for all users on versions below 12.0.9
Vulnerable code could allow a bad actor to trigger a denial of service attack via the
/${locale}/_next/
route for anyone running a Next.js app at version >= 12.0.0, and using built-in i18n routing functionality.How to Upgrade
npm install next@latest --save
Impact
v12.0.0
andv12.0.9
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If your server has seen requests to any route under the prefix
/${locale}/_next/
that have triggered a heap overflow error, this was caused by the patched issue.What is Being Done
As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to our users for their investigation and responsible disclosure of the original bug.
We've landed a patch that ensures this is handled properly so the requested route no longer crashes and triggers a heap overflow.
Regression tests for this attack were added to the i18n integration test suite
[email protected]
. We are actively monitoring this mailbox.Core Changes
process.env
to inferred usage: #33186postcss
: #33142node-fetch
: #33466onLoadingComplete()
: #33474next-multilingual
example: #29386lazyRoot
optional property tonext/image
component : #33290Documentation Changes
next export
+next/image
error message: #33317onLoad
gottcha note tonext/script
docs: #33097next/server
documentation forgeo
: #33609next/image
usage withnext export
based on feedback.: #33555headers
config option description: #33484netlify-plugin-cache-nextjs
has been deprecated: #33629Example Changes
Misc Changes
Credits
Huge thanks to @molebox, @Schniz, @sokra, @kachkaev, @shuding, @teleaziz, @OgbeniHMMD, @goncy, @balazsorban44, @MaedahBatool, @bennettdams, @kdy1, @huozhi, @hsynlms, @styfle, @ijjk, @callumgare, @jonrosner, @karaggeorge, @rpie3, @MartijnHols, @leerob, @bashunaimiroy, @NOCELL, @rishabhpoddar, @omariosouto, @hanneslund, @theMosaad, @javivelasco, @pierrenel, @lobsterkatie, @tharakabimal, @vvo, @saevarb, @lfades, @nbouvrette, @paulnbrd, @ecklf, @11koukou, @renbaoshuo, @chozzz, @tbezman, @karlhorky, @j-mendez, and @ffan0811 for helping!
v12.0.8
Compare Source
Core Changes
<Main />
: #32184Writable
: #32247nth
: #32358jsx
transform of swc: #32383style.filter
on image withplaceholder=blur
: #32623.next
folder: #32659placeholder=blur
: #32680a
for internal url whentarget="blank"
present: #32780<head>
: [#32897](https://togithub.Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.