-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency next to v14 [security] #30
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-next-vulnerability
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
May 15, 2024 16:25
6306e83
to
f3e6852
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
May 15, 2024 23:56
f3e6852
to
f87e14c
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
June 4, 2024 13:24
f87e14c
to
0a36a0e
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
June 4, 2024 15:14
0a36a0e
to
461b5a7
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
June 27, 2024 06:46
461b5a7
to
4d99f0c
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
June 27, 2024 11:26
4d99f0c
to
eb61cbd
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
July 14, 2024 07:53
eb61cbd
to
0047cd9
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
October 9, 2024 14:17
6e9d4b9
to
97d0eda
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
October 16, 2024 01:36
97d0eda
to
f85d2ce
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
October 28, 2024 16:02
f85d2ce
to
2fc0245
Compare
renovate
bot
changed the title
fix(deps): update dependency next to v14 [security]
fix(deps): update dependency next to v15 [security]
Oct 28, 2024
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
October 28, 2024 19:58
2fc0245
to
5a637b2
Compare
renovate
bot
changed the title
fix(deps): update dependency next to v15 [security]
fix(deps): update dependency next to v14 [security]
Oct 28, 2024
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
December 2, 2024 09:40
5a637b2
to
9cbd694
Compare
renovate
bot
changed the title
fix(deps): update dependency next to v14 [security]
fix(deps): update dependency next to v15 [security]
Dec 2, 2024
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
December 2, 2024 14:52
9cbd694
to
a19eb02
Compare
renovate
bot
changed the title
fix(deps): update dependency next to v15 [security]
fix(deps): update dependency next to v14 [security]
Dec 2, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
None yet
0 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^13.4.1
->^14.2.7
GitHub Vulnerability Alerts
CVE-2024-34351
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the
Host
header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.Prerequisites
<14.1.1
) is running in a self-hosted* manner./
.* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js
14.1.1
.Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js
14.1.1
.Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote
Shubham Shah - Assetnote
CVE-2024-46982
Impact
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a
Cache-Control: s-maxage=1, stale-while-revalidate
header which some upstream CDNs may cache as well.To be potentially affected all of the following must apply:
pages/dashboard.tsx
notpages/blog/[slug].tsx
The below configurations are unaffected:
Patches
This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.
Workarounds
There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.
Credits
CVE-2024-47831
Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
next.config.js
file is configured withimages.unoptimized
set totrue
orimages.loader
set to a non-default value.Patches
This issue was fully patched in Next.js
14.2.7
. We recommend that users upgrade to at least this version.Workarounds
Ensure that the
next.config.js
file has eitherimages.unoptimized
,images.loader
orimages.loaderFile
assigned.Credits
Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras
Release Notes
vercel/next.js (next)
v14.2.7
Compare Source
v14.2.6
Compare Source
v14.2.5
Compare Source
v14.2.4
Compare Source
Core Changes
Credits
Huge thanks to @ztanner, @ijjk, @wbinnssmith, @huozhi, and @lubieowoce for helping!
v14.2.3
Compare Source
v14.2.2
Compare Source
v14.2.1
Compare Source
v14.2.0
Compare Source
v14.1.4
Compare Source
v14.1.3
Compare Source
v14.1.2
Compare Source
v14.1.1
Compare Source
Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary
Core Changes
Credits
Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!
v14.1.0
Compare Source
v14.0.4
Compare Source
v14.0.3
Compare Source
v14.0.2
Compare Source
v14.0.1
Compare Source
Core Changes
8c8ee9e
to0c63487
and types: #57772Documentation Changes
Example Changes
with-youtube-embed
example: #57367with-google-maps-embed
example: #57365Misc Changes
create-next-app
: #57262Credits
Huge thanks to @dijonmusters, @sokra, @philwolstenholme, @IgorKowalczyk, @housseindjirdeh, @Zoe-Bot, @HanCiHu, @JackHowa, @goncy, @hirotomoyamada, @pveyes, @yeskunall, @vinaykulk621, @ChendayUP, @leerob, @dvoytenko, @mknichel, @ijjk, @hmaesta, @ajz003, @its-kunal, @joelhooks, @blurrah, @tariknh, @Vinlock, @Nayeem-XTREME, @aziyatali, @aspehler, @huozhi, @ztanner, @ForsakenHarmony, @moka-ayumu, and @gnoff for helping!
v14.0.0
Compare Source
v13.5.7
Compare Source
v13.5.6
Compare Source
Core Changes
Credits
Huge thanks to @ijjk @huozhi @gnoff for helping!
v13.5.5
Compare Source
v13.5.4
Compare Source
Core Changes
beta.nextjs.org
Links: #55924config.experimental.workerThreads
: #55257swc_core
tov0.83.26
: #55780swc_core
tov0.83.26
": #56077permanentRedirect
return 308 in route handlers: #56065boolean
instead offalse
for experimental logging config: #56110postcss
: #56225Documentation Changes
not-found
to file conventions page: #55944extension
option tocreateMDX()
: #55967.bind
method: #56164Response.json
overNextResponse.json
: #56173Example Changes
with-jest
: #56152with-jest
types: #56193with-stripe-typescript
example: #56274Misc Changes
swc_core
tov0.83.28
: #56134Credits
Huge thanks to @balazsorban44, @sdkdeepa, @aayman997, @mayank1513, @timneutkens, @2XG-DEV, @eliot-akira, @hi-matthew, @riobits, @wbinnssmith, @ijjk, @sokra, @dvoytenko, @rishabhpoddar, @manovotny, @A7med3bdulBaset, @huozhi, @jridgewell, @joulev, @SukkaW, @kdy1, @feedthejim, @Fredkiss3, @styfle, @MildTomato, @ForsakenHarmony, @walfly, @bzhn, @shuding, @boylett, @Loki899899, @devrsi0n, @ImBIOS, @vinaykulk621, @ztanner, @sdaigo, @hamirmahal, @blurrah, @omarmciver, and @alexBaizeau for helping!
v13.5.3
Compare Source
v13.5.2
Compare Source
Core Changes
d6dcad6
to2807d78
: #55590@vercel/og
andsatori
: #55654named_import
transform: #55664Documentation Changes
create-next-app
templates: Changebun run dev
commands tobun dev
: #55603Example Changes
Misc Changes
Credits
Huge thanks to @padmaia, @mayank1513, @jakeboone02, @balazsorban44, @kwonoj, @huozhi, @Yovach, @ztanner, @wyattjoh, @GabenGar, @timneutkens, and @shuding for helping!
v13.5.1
Compare Source
Core Changes
output: export
in app router: #54202ua-parser-js
: #54404ssr: false
in App Router: #54411named_import_transform
: #54530optimize_barrel
SWC transform and newoptimizePackageImports
config: #54572permanentRedirect
function in App Router: #54047preload
is not exported fromreact-dom
: #54688@visx/visx
to the import optimization list: #54778/
: #54744/route
suffix: #54851undici
: #55007react-hot-toast
from the optimizePackageImports list: #55029optimizePackageImports
: #55040babel/code-frame
: #55024skipTrailingSlashRedirect
being ignored inpages
: #55067Send
: #55077Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.