Update next in / from 4.1.4 to 5.0.0 #23
Open
Dependencies.io has updated next (an npm dependency in /) from "4.1.4" to "5.0.0".

5.0.0
Read more here: https://zeit.co/blog/next5
Major Changes
Minor Changes
Patches
Credits
Huge thanks to connor-baer, lucleray, arunoda, hankmander, malixsys, Shalzz, Gavin1995, sarovin, impronunciable, alexindigo, lfades, sergiodxa, mcansh, stephenmathieson, brikou, JeromeFitz, shogunsea, soulmachine, johnpolacek, unregistered, jonespen, mpacer, timhuff and tomaswitek for helping!
4.2.3
Release notes
This upgrade is completely backwards compatible and recommended for all users
For future security related communications of our OSS projects, please join this mailing list.
We were notified of a directory traversal issue under the /_next request namespace. An attacker can craft a request that accesses potentially sensitive information in your filesystem.
How to upgrade
beta releases.
similar problems in the future
npm install next@latest --save
canary release channel use npm install next@canary --save
Impact
next export
We recommend that everyone upgrade, regardless of whether you can reproduce the issue or not.
Container-based deployments, chroot environments and virtualization users are at significantly less risk of sensitive data exposure. In most scenarios, an attacker would only be able to access frontend JavaScript components.
How to assess impact
If you think sensitive code or data could have been exposed, please filter logs of affected sites by .. (excluding quotes in all cases) and check for 200 responses.
What is being done
As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Orange Tsai from DEVCORE for his investigation and discovery of the original bug and subsequent responsible disclosure.
Six months ago there was a similar, but different, path traversal possible on paths under the /static directory. To prevent future regressions regarding path traversal, we have separated all security related tests into a common file called security.js so that any future commit will be verified against these known fixed vulnerabilities.
4.2.2
No content found. Please open an issue at https://github.com/dependencies-io/support if you think this content could have been found.
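The log check suggested under "How to assess impact" in the 4.2.3 notes above, worked through as an added example (not code from the release notes or from Next.js): it parses access-log lines, percent-decodes the request path so encoded forms of .. are caught as well as the literal one the notes mention, and reports requests under /_next or /static that were answered with a 200. The combined log format, the helper names and every sample line are constructed assumptions.

```javascript
// Added example, not code from the release notes or from Next.js. Log format
// (Apache/nginx "combined") and all sample lines below are constructed.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
// Namespaces named in the advisory: /_next (4.2.3) and /static (earlier issue).
const WATCHED_PREFIXES = ['/_next', '/static'];

// Percent-decode up to three times so "%2e%2e" and double-encoded "%252e%252e"
// both normalise to ".."; stop early once decoding no longer changes anything.
function fullyDecode(path) {
  let prev = null;
  let cur = path;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch (_) { break; } // malformed %xx
  }
  return cur.replace(/\\/g, '/');
}
// True when the decoded path has a ".." segment (not just ".." inside a name).
function hasDotDotSegment(path) {
  return fullyDecode(path).split('/').some((seg) => seg === '..');
}

// Parse one combined-format line; null when the line does not match.
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Keep entries under a watched prefix with a ".." segment that were answered
// 200; a 4xx means the server refused the request, so it is not reported.
function findSuspiciousHits(lines) {
  return lines.map(parseLine).filter((e) =>
    e !== null &&
    e.status === 200 &&
    WATCHED_PREFIXES.some((p) => e.path.startsWith(p)) &&
    hasDotDotSegment(e.path));
}
// Constructed sample log (documentation-range IPs, made-up paths).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Feb/2018:10:00:01 +0000] "GET /_next/app.js HTTP/1.1" 200 512 "-" "curl/7.0"',
  '203.0.113.5 - - [10/Feb/2018:10:00:02 +0000] "GET /_next/../../app-config.txt HTTP/1.1" 200 881 "-" "curl/7.0"',
  '203.0.113.6 - - [10/Feb/2018:10:00:03 +0000] "GET /_next/%2e%2e/%2e%2e/notes.txt HTTP/1.1" 200 120 "-" "curl/7.0"',
  '203.0.113.7 - - [10/Feb/2018:10:00:04 +0000] "GET /static/..%2f..%2fserver.js HTTP/1.1" 404 90 "-" "curl/7.0"',
  '203.0.113.8 - - [10/Feb/2018:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

for (const hit of findSuspiciousHits(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.method} ${hit.path} -> ${hit.status}`);
}
```

Only the two /_next requests that carried a .. segment and received a 200 are reported; the /static probe is skipped because the server answered 404.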
4.2.1
Patches
Credits
Huge thanks to i8ramin for helping!
4.2.0
Minor Changes
Patches
Credits
Huge thanks to brikou, dargue3, arunoda and yashha for helping!