fix(deps): update dependency next to v14.1.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	14.0.3 -> 14.1.1

---

Next.js Server-Side Request Forgery in Server Actions

CVE-2024-34351 / GHSA-fr5h-rqp8-mj6g

More information

Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

• Next.js (<14.1.1) is running in a self-hosted* manner.
• The Next.js application makes use of Server Actions.
• The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #​62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g
• https://nvd.nist.gov/vuln/detail/CVE-2024-34351
• https://github.com/vercel/next.js/pull/62561
• https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085
• https://github.com/vercel/next.js

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/next.js (next)

v14.1.1

Compare Source

Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary

Core Changes

• Should not warn metadataBase missing if only absolute urls are present: https://github.com/vercel/next.js/pull/61898
• Fix trailing slash for canonical url: https://github.com/vercel/next.js/pull/62109
• Fix metadata json manifest convention: https://github.com/vercel/next.js/pull/62615
• Improve the Server Actions SWC transform: https://github.com/vercel/next.js/pull/61001
• Fix Server Reference being double registered: https://github.com/vercel/next.js/pull/61244
• Improve the Server Actions SWC transform (part 2): https://github.com/vercel/next.js/pull/62052
• Fix module-level Server Action creation with closure-closed values: https://github.com/vercel/next.js/pull/62437
• Fix draft mode invariant: https://github.com/vercel/next.js/pull/62121
• fix: babel usage with next/image: https://github.com/vercel/next.js/pull/61835
• Fix next/server api alias for ESM pkg: https://github.com/vercel/next.js/pull/61721
• Replace image optimizer IPC call with request handler: https://github.com/vercel/next.js/pull/61471
• chore: refactor image optimization to separate external/internal urls: https://github.com/vercel/next.js/pull/61172
• fix(image): warn when animated image is missing unoptimized prop: https://github.com/vercel/next.js/pull/61045
• fix(build-output): show stack during CSR bailout warning: https://github.com/vercel/next.js/pull/62594
• Fix extra swc optimizer applied to node_modules in browser layer: https://github.com/vercel/next.js/pull/62051
• fix(next-swc): Detect exports.foo from cjs_finder: https://github.com/vercel/next.js/pull/61795
• Fix attempted import error for react: https://github.com/vercel/next.js/pull/61791
• Add stack trace to client rendering bailout error: https://github.com/vercel/next.js/pull/61200
• fix router crash on revalidate + popstate: https://github.com/vercel/next.js/pull/62383
• fix loading issue when navigating to page with async metadata: https://github.com/vercel/next.js/pull/61687
• revert changes to process default routes at build: https://github.com/vercel/next.js/pull/61241
• fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: https://github.com/vercel/next.js/pull/60776
• Improve redirection handling: https://github.com/vercel/next.js/pull/62561
• Simplify node/edge server chunking some: https://github.com/vercel/next.js/pull/62424

Credits

Huge thanks to @​huozhi, @​shuding, @​Ethan-Arrowood, @​styfle, @​ijjk, @​ztanner, @​balazsorban44, @​kdy1, and @​williamli for helping!

v14.1.0

Compare Source

v14.0.4

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
next-enterprise	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 15, 2024 7:47pm

[github-actions]

📦 Next.js Bundle Analysis for next-enterprise

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page	Size (compressed)
global	84.92 KB (🟢 2.97 KB)

Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

New Page Added

The following page was added to the bundle from the code in this PR:

Page	Size (compressed)	First Load
/_not-found/page	871 B	85.77 KB

Two Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page	Size (compressed)	First Load
/layout	2.63 KB (🟢 2 B)	87.54 KB
/page	137 B (🟢 -1 B)	85.05 KB

Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^14.0.3). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.