Update dependency next to v9.3.3 - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
next (source)	dependencies	minor	9.2.1 -> 9.3.3

---

Release Notes

zeit/next.js

v9.3.3

Compare Source

Patches

• Revert "Fix assignment of props in WithApollo.getInitialProps " (#​11384): #​11236
• Add support for comments in tsconfig.json: e7ea276
• Docs: Replace micro-cors with cors middleware: #​11395
• Add support for comments in tsconfig.json: #​11392
• Fixed typo: libraray -> library: #​11435
• Minor change in README.md: #​11434
• Fix with-aphrodite readme typo: #​11436
• Update api-rest-example to SSG: #​11362
• Change mdx options description: #​11409
• Update .gitignore: #​11421
• Update emotion dependencies in with-emotion-11: #​11414
• Fix #​11396: #​11397
• Fix type ignore: #​11479
• Typos fixed: overriden --> overridden and innaccurate -->inacc…: #​11454
• Fix small punctuation issue: #​11439

Credits

Huge thanks to @​bgoerdt, @​herrstucki, @​MichelleLucero, @​liulanz, @​sdhani, @​JazibJafri, @​ElForastero, @​moeyashi, @​Andarist, @​comxd, @​chislee0708, and @​PullJosh for helping!

v9.3.2

Compare Source

This upgrade is completely backwards compatible and recommended for all users on versions below 9.3.2. For future security related communications of our OSS projects, please join this mailing list.

Next.js has just been audited by one of the top security firms in the world.

They found that attackers could craft special requests to access files in the dist directory (.next).

This does not affect files outside of the dist directory (.next).

In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

How to Upgrade

• We have released patch versions for both the stable and canary channels of Next.js.
• To upgrade run npm install next@latest --save

Impact

• Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
• Not affected: Deployments using the serverless target
• Not affected: Deployments using next export
• Affected: Users of Next.js below 9.3.2 that use next start

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

How to Assess Impact

If you think sensitive code or data could have been exposed, you can filter logs of affected sites by ../ with a 200 response.

What is Being Done

As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Luca Carettoni from Doyensec for their investigation and discovery of the original bug and subsequent responsible disclosure.

We've landed a patch that ensures only known filesystem paths of .next/static are made available under /_next/static.
Regression tests for this attack were added to the security integration test suite.

• We have notified known Next.js users in advance of this publication.
• A public CVE was issued.
• If you want to stay on top of our security related news impacting Next.js or other ZEIT projects, please join this mailing list.
• We encourage responsible disclosure of future issues. Please email us at mailto:security@zeit.co. We are actively monitoring this mailbox.

---

Patches

• Add Numeric Separator Support for TypeScript: #​11308
• Update CLI custom config documentation link: #​11152
• Add error when attempting to export GSSP page: #​11154
• Update blog-starter example: #​11071
• Add CSS file to build output: #​11145
• Update <dir> reference in help text: 5274535
• Clean up examples directory: #​11169
• Remove react-ssr-prepass alias as it&#​39;s not longer needed: #​11170
• Upgrade @​ampproject/toolbox-optimizer to 2.0.1: #​11168
• Add section on reading files: #​11084
• [Examples] fix remark link in blog-starter&#​39;s README: #​11177
• Updated with-typescript example to SSG: #​11081
• Add CMS example for Sanity: #​10907
• Group CSS files in shared build output separate from JS files: #​11184
• Updating min nodejs requirement: #​11181
• Docs(ssr): req is an IncomingMessage instance, not HttpRequest: #​11194
• Add support for baseUrl option in tsconfig and jsconfig: #​11203
• [Example] with-passport: #​10529
• CMS TakeShape Example: #​11038
• Ensure hybrid AMP works correctly with SSG: #​11205
• Update mocha example with yml configuration.: #​11214
• Fix with-firebase-cloud-messaging example setup code: #​10686
• Update wording of new data fetching methods recommendation: #​11221
• Updated Api Routes Middleware example to use getServerSideProps: #​11128
• With Firebase Client-Side example: #​11053
• Docs(example): Load basic-css example on codesandbox: #​11227
• Remove mkdirp, bump fs-extra to 9.0.0: #​11251
• Add support for paths in tsconfig.json and jsconfig.json: #​11293
• Add test for single alias: #​11296
• Update GIP docs: #​11303
• Add custom amp optimizer and skip validation mode: #​10705
• Update handling for ENOENT from GSSP methods: #​11302
• Docs: clarify how to customize next/babel presets: #​11316
• Fix assignment of props in WithApollo.getInitialProps: #​11236
• Fix: typo in isStaging in with-env example: #​11305
• Skip paths that are routed to a .d.ts file: #​11322
• Upgrade loader-utils: #​11324
• Fix warning for API routes with next export: #​11330
• Make sure to copy AMP SSG files during export: #​11331
• Just a small typo I think, right?: #​11344
• [docs] Mention our channels: #​11336
• Use records to init store: #​11343
• Update data-fetching.md: 074c60e
• Fix preview-mode docs/examples typo: #​11345
• Update to prevent re-using workers for getStaticPaths in dev mode: #​11347

Credits

Huge thanks to @​chibicode, @​ijjk, @​timneutkens, @​sebastianbenz, @​zhe, @​shaswatsaxena, @​prateekbh, @​vvo, @​lfades, @​bbortt, @​aviaryan, @​mgranados, @​julianbenegas, @​gregrickaby, @​dulmandakh, @​yosuke-furukawa, @​tinymachine, @​bgoerdt, @​nicolasrouanne, @​filipesmedeiros, @​rishabhsaxena, and @​queq1890 for helping!

v9.3.1

Compare Source

Patches

• Correctly Count Object References: #​10903
• Add warning when built-in CSS/SCSS support is disabled: #​10942
• Add missing words in docs: #​10941
• Update handling for patterns in custom routes: #​10523
• Remove extra closing parenthesis: #​10948
• Fix paths.params.type in getStaticPaths(document): #​10959
• Check SSG Page via Route Lookup: #​10971
• Make sure to not show pages/404 GIP error from _app having GIP: #​10974
• Fix examples with relay-compiler: #​10976
• Use core-js promise polyfill for nomodule browsers: #​10985
• Improve Sass Error: #​10982
• Add support for getStaticProps in pages/404: #​10984
• Cms-datocms SerializableError fixes: #​10986
• Fix Lint: 39ed664
• Generic form of GetStaticProps and GetServerSideProps: #​10856
• Add Array.flat polyfill to nomodule-polyfills: #​11004
• Add "noreferrer" to the prerender indicator doc link: #​11005
• Update RegExp test and remove extra script: #​11006
• Update data-fetch example to SSG: #​11017
• Feat: update api-routes example to SSG: #​11019
• Fix Test for Windows: c135830
• Update amp-first example to use GSSP: #​11028
• Update with-zeit-fetch example to use SSG: #​11026
• Update next-sass example to use built-in sass support: #​11015
• Correct Cache-Control Behavior for GS(S)P: #​11022
• Update custom-server-fastify example to not use internal fn: #​11040
• Updated analyze-bundles example: #​11031
• Use getServerSideProps for example: #​11057
• Update custom-server-express example with getServerSideProps: #​11035
• Upgrade next.js version on datocms example: #​11039
• Update with-loading example to SSG: #​11050
• Update form handler example: #​11059
• Add support for static 404 when _error does not have custom GIP: #​11062
• Update ssr-caching example with getServerSideProps: #​11032
• Upgrade styled-jsx: #​11070
• Update preset.ts: Remove any and use updated Node.js types: #​11075
• Update @​next/bundle-analyzer dependencies: #​11068
• Update introduction.md: #​11092
• Fix prettier linting: a231315
• Add experimental support for SCSS options: #​11063
• Update API routes documentation to correctly mention middlewar…: #​11083
• Update with-react-multi-carousel example to use GSSP: #​11069
• Move public directory for development in examples/with-firebas…: #​11085
• Update examples to use getStaticProps where possible: #​11136

Credits

Huge thanks to @​ijjk, @​chibicode, @​5alidz, @​watanabeyu, @​messa, @​timneutkens, @​followbl, @​herrstucki, @​danlutz, @​Spy-Seth, @​asotoglez, @​josiahwiebe, @​ragingwind, @​ruisaraiva19, @​SarKurd, @​bobaaaaa, @​akhila-ariyachandra, @​lfades, @​matamatanot, @​JazibJafri, @​tomdohnal, @​carlospavanetti, @​giuseppeg, @​lifeiscontent, @​7ma7X, @​PaulHale, @​john015, and @​petamoriken for helping!

v9.3.0

Compare Source

Minor Changes

• Enable scss/sass support: #​10571
• Enable pages/404.js support: #​10572
• Enable polyfillsOptimization: #​10574
• Prefetch SSG Data: #​10127
• Adding conformance checks: #​10314
• Preview mode documentation: #​10863
• Add TypeScript docs for SSG: #​10865
• Verify GS(S)P Serializability: #​10857

Patches

• Adds a missing dependency: #​10570
• Add missin create permission for faunadb example: #​10575
• Decrease number of expected preloads in safari: #​10578
• Make sure to handle rejection when prefetching pages: #​10579
• Add NextApiHandler type: #​10573
• Update error message for invalid return value from getStaticPaths: #​10580
• Update to latest watchpack with dynamic route rename fix: #​10351
• Bump amphtml-validator to 1.0.30: #​10588
• Add Failing CSS Test Case: #​10590
• Do not cache 404 SSR responses: #​10596
• Fix Nested Index Dynamic Routes in Development: #​10595
• Emit ES5 Friendly Code in Program#exit Visitor: #​10591
• Fixed pathname check in router: #​10547
• Use clearInterval instead of clearTimer on a timer: #​10597
• Fix AMP Validator Version: #​10600
• Fix: Improve grammar of apollo.js comments: #​10601
• Clean up landed experimental flags: #​10593
• Updated links: #​10604
• Add err.sh for invalid getStaticPaths return value: #​10605
• Remove extra whitespace: 80bdf73
• Upgrade next-transpile-modules to latest everywhere: #​10607
• Disable setImmediate polyfill: #​10612
• Add navigation test specific for Safari 10: #​10616
• Make sure to handle failing to load _error: #​10617
• Update legacy safari test for GitHub actions: #​10618
• Add err.sh for getStaticProps error: #​10619
• Add error messages for dynamic SSG page without getStaticPaths: #​10620
• Remove next/link from chakra-ui example: #​10625
• Update error-load-fail test to use check to handle reload taking longer on windows: #​10631
• Remove deprecated static folder: #​10632
• Fix Cookie Expiration: #​10634
• Preview Mode Should Not Cache: #​10636
• Invalidate cache for link[preload] in dev for CSS files: #​10630
• Update link to GitHub Discussions beta: b331338
• Make sure to log errors from data fetching in dev mode in the console: #​10652
• Fix typo in invalid getStaticPaths value example: #​10657
• Update with-mobx-keystone-typescript example: #​10638
• Test Prerender in Emulated Serverless Mode: #​10660
• Improve Nested Catch-All Coverage: #​10659
• Fix Double URL Encoding for Serverless: #​10663
• Add calling getStaticPaths in development before showing fallback: #​10611
• Show better error when non-array is returned from custom-routes: #​10670
• Update error load fail test so that webdriver can still connect to app: #​10673
• Rename zeit.co/new → zeit.co/import: #​10674
• Update example "with-typescript-graphql": #​10637
• Create config.yml: cedd6fa
• Update 1.Bug_report.md: fc9f18d
• Fix apollo example: #​10696
• Update head-manager to compress better: #​10687
• Update README.md: c0f4283
• Make sure rewrites are handled in serverless mode correctly: #​10697
• Update url prop handling for pages with new data methods: #​10653
• Add dataRoutes field to routes-manifest for SSG and serverProps routes: #​10622
• Ability to Disable SSG Fallback: #​10701
• Fix Error Message: 663f5c4
• Add --example=<github-url> to create-next-app: #​10226
• Rename getServerProps to getServerSideProps: #​10722
• Remove unstable_ prefix from new methods: #​10723
• Fix buildId being escaped breaking test with certain build ids: #​10728
• Fix url-polyfill dep and re-enable native-url: #​10726
• Extract sendPayload and prepareServerlessUrl: #​10732
• Extract getStaticPaths helper: #​10731
• Remove old eslint-ignores from unstable_ prefix: #​10740
• Move upgrading guide to /docs: #​10727
• Adding new types of performance monitoring: #​10421
• Separate Low Priority Files from Main Files: #​10756
• Consistently Type GS(S)P: #​10757
• Correctly Dedupe Prefetching: #​10758
• Add params to getStaticProps on err.sh: #​10751
• Updating links to dynamic-routes section of docs: #​10759
• Remove dangerousAsPath from RenderOpts: #​10773
• Remove Dead Code from Next Server: #​10772
• Examples: react-native-web: fix config to prefer .web.* exts: #​10774
• Fix RenderOpts in next-server: #​10776
• Fix next/config module mismatch in new serverless mode: #​10792
• Remove old env from workflow since it is replaced with WebHook: #​10798
• Measure getStaticProps, getServerSideProps: #​10800
• Throw NoFallbackError instead of returning: #​10793
• Add identifier to NEXT_DATA for gs(s)p: #​10812
• Update to output jest data for posting failed tests comment: #​10814
• Fix(cli): inspect flag is deprecated: #​10819
• Update to make sure preview mode works with getServerSideProps: #​10813
• Send Credentials for getServerSideProps Requests: #​10826
• Update release stats with different name from pr stats: #​10827
• Add docs for static 404 and pages/404: #​10811
• Make sure to error when setting too large of preview data: #​10831
• Ensure an accessible default viewport meta tag: #​10823
• Update Pages and Data Fetching docs for SSG improvements: #​10837
• Update Custom Server README&#​39;s: #​10843
• Fix data fetching learn more links: a61dfb2
• Re-add Sass Docs: #​10850
• Update README-template.md: 69ba793
• Fix getStaticPaths modules being cached in dev mode: #​10852
• Add example for why-did-you-render: #​10662
• Update method for attaching GS(S)P identifier to page: #​10859
• Fix getServerSideProps Test Case: #​10862
• Fix Prerender Test Cases: #​10861
• Add Test Case for SSG Full Re-Export: #​10864
• Test child_process with API route: #​10872
• Typo on preview mode documentation: #​10892
• Fix getStaticPaths example code: #​10893
• Fix linting of markdown documentation: 83b4fd1
• DatoCMS Example: #​10891
• Upgrade webpack: #​10895
• Fix Azure Pipelines: #​10896
• Add demo URL for the DatoCMS example: #​10901

Credits

Huge thanks to @​arcanis, @​lgordey, @​ijjk, @​martpie, @​jaywink, @​fabianishere, @​dijs, @​TheRusskiy, @​quinnturner, @​timneutkens, @​lfades, @​vvo, @​adithwip, @​rafaelalmeidatk, @​bmathews, @​Spy-Seth, @​EvgeniyKumachev, @​chibicode, @​piglovesyou, @​HaNdTriX, @​Timer, @​janicklas-ralph, @​devknoll, @​prateekbh, @​ethanryan, @​MoOx, @​rifaidev, @​msweeneydev, @​motiko, and @​balazsorban44 for helping!

v9.2.2

Compare Source

Patches

• Fix missing file extensions in docs: #​10251
• De-dupe escape-regex with escape-string-regexp: #​10257
• Update static check vars and fix types: #​10260
• Update SSG types and clean up RenderOpts type: #​10259
• Update _next/data URL handling in serverless-loader: #​10261
• [example with-typescript-graphql] Fix type error: #​10269
• Update built-in-css-support.md: c71694e
• Update typo in typescript docs: #​10276
• Update FaunaDB Example Instructions: #​10280
• Add .jsx as a valid file extension in the pages directory: #​10281
• Improved wording in comment: #​10277
• Improve Stalled Requests Grammar: #​10283
• Added support for BigInt to API routes: #​10215
• Docs: remove --save from npm install; avoid system-ui: #​10252
• Add catch all routes example and a link to it in docs: #​10202
• Migrate CircleCi config to GitHub actions: #​10274
• Fix Experimental Modern Mode with CSS: #​10289
• Add initial support for unstable_getServerProps: #​10077
• Fix with-orbit-components&#​39;s name in package.json: #​10307
• Fix typo in FaunaDB example: #​10304
• Updated PostCSS docs and added a link to it: #​10292
• Make sure to exit publish script with correct code: #​10310
• Allowing skipping local selenium server when not needed: #​10312
• Fix missing file extensions in docs: #​10251
• De-dupe escape-regex with escape-string-regexp: #​10257
• Update static check vars and fix types: #​10260
• Update SSG types and clean up RenderOpts type: #​10259
• Update _next/data URL handling in serverless-loader: #​10261
• [example with-typescript-graphql] Fix type error: #​10269
• Update built-in-css-support.md: c71694e
• Update typo in typescript docs: #​10276
• Update FaunaDB Example Instructions: #​10280
• Add .jsx as a valid file extension in the pages directory: #​10281
• Improved wording in comment: #​10277
• Improve Stalled Requests Grammar: #​10283
• Added support for BigInt to API routes: #​10215
• Docs: remove --save from npm install; avoid system-ui: #​10252
• Add catch all routes example and a link to it in docs: #​10202
• Migrate CircleCi config to GitHub actions: #​10274
• Fix Experimental Modern Mode with CSS: #​10289
• Add initial support for unstable_getServerProps: #​10077
• Fix preprocessor loader error: #​10235
• Enable static 404 config to allow static 404 page when availab…: #​10290
• Small grammar fix: #​10317
• Fix: 9919 Add warning when no config is exported from next.con…: #​10228
• Update workflow for testing against react@next: #​10323
• Repair advanced feature reference: #​10330
• Disable caching for react@next workflow as its not supported: #​10331
• [Experimental] Nomodule polyfills chunk: #​10212
• Update note about public and pages overlap: #​10287
• Update the default template of create-next-app: #​10327
• Upgrade with-carbon-components to built-in SCSS: #​10321
• Fixes #​10333 with-next-seo sample issues: #​10335
• Fix api-routes-apollo-server-and-client-auth Example: #​10334
• TypeScript documentation for _app.tsx: #​10345
• Improve api-routes-apollo-server-and-client-auth Example: #​10358
• Increase watch limit for GitHub actions testing: #​10367
• Added fix for #​8893: #​10370
• Make sure to not override initial navigation when refreshing static page&#​39;s query: #​10353
• Add support for runtimeConfigs in serverless mode: #​10365
• Add check that dynamic route is API route in handleApiRequest: #​10360
• Implement experimental pages/404.js for custom 404 page: #​10329
• Update Preact Example: #​10380
• Custom AMP Validator Variable Name Collision Fix: #​10371
• Fix bug in catch-all routes with SSG: #​10379
• Update create app docs: #​10382
• Make sure runtime config is set before any imports for serverless: #​10386
• Update to not show API not ended warning when response is piped to: #​10342
• Add TypeScript Definitions for Sass: #​10363
• Remove Old Records: #​10398
• Fix with-reasonml example: #​10399
• New Jest Example: #​10396
• Skip undefined attribute in Head: #​9856
• Make sure runtime config works in dev mode for serverless targ…: #​10402
• Check for invalid pages: #​10403
• Remove builds from examples: #​10417
• Detect Invalid Pages Before Optimize: #​10418
• Add support for rewriting to external resources: #​10041
• Modify splitChunksPlugin to give shared CSS chunks different names: #​10408
• Re-enable native-url: #​10419
• Update optimize event with static 404 status: #​10420
• De-dupe paths returned in getStaticPaths: #​10423
• Make apollo HOC composable: #​10422
• Adjust README of example: #​10426
• Remove old ts-ignores and extra value in routeInfo: #​10429
• Update to use existing util to de-dupe path check: #​10431
• Make missing param error message more specific: #​10433
• Update size-limit test to be more fine grained: #​10434
• Update utm links in create-next-app: #​10442
• Remove unused dependency @​types/babel-types: #​10448
• Add initial SSG fallback handling: #​10424
• Redesign custom-routes output and show headers in output: #​10444
• Make withApollo work with _app.js components: #​8801
• With threejs example: #​10301
• Add paths field for unstable_getStaticPaths: #​10454
• Add error message when rewriting to dynamic SSG page: #​10458
• Upgrade koa router in example: #​10469
• Get the http2 example to work: #​10470
• Make Missing Prerender Manifest Fatal: #​10485
• Update next-server routes order for expected priority: #​10326
• Add Stripe TypeScript Example: #​10482
• Update README.md: #​10487
• Use filter for create-next-app template: #​10496
• Upgrade next-transpile-modules in workspace examples: #​10492
• Builds with Warnings Still Complete: #​10498
• Update deploy doc to surface ZEIT Now / DPS: #​10412
• SSG Preview Mode: #​10459
• Fix typo in ignoring-typescript-errors.md: #​10499
• [Docs] Apply updates based on feedback: #​10352
• Remove Now CLI reference from examples: #​10501
• Adjust SSG Loading Behavior: #​10510
• Update wording for custom server: #​10512
• Retry Static Data Fetch on Hydration: #​10513
• Remove with-data-prefetch Example: #​10514
• Clean up async in next-server: #​10476
• Improve error for invalid page configurations: #​10441
• Add handling for default as named export in SSG transform: #​10486
• Update withApollo example: #​10451
• Add global CSS styles to example/with-stripe-typescript: #​10520
• Remove native-url Again: #​10526
• Make sure to encode pathname for custom-route destination: #​10536
• Check next.config.js settings: #​10425
• Migrate to AMP Optimizer 2.0: #​10535
• Implement isFallback Router Property: #​10539

Credits

Huge thanks to @​borisowsky, @​piglovesyou, @​dannytatom, @​msweeneydev, @​bartdeslagmulder, @​stigkj, @​jamesmosier, @​chibicode, @​lfades, @​Timer, @​RobinCsl, @​apollonian, @​alejalapeno, @​dmitrika, @​micahalcorn, @​ijjk, @​pacocoursey, @​zhe, @​ivan-kleshnin, @​stryder03, @​38elements, @​msnider, @​TheDSCPL, @​vasco3, @​lachlanjc, @​AndyBitz, @​atcastle, @​pex, @​Janpot, @​HaNdTriX, @​afsanefda, @​Nainterceptor, @​areai51, @​thorsten-stripe, @​vvo, @​markhaslam, @​devknoll, and @​sebastianbenz for helping!

---

Renovate configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by WhiteSource Renovate. View repository job log here.