chore(deps): update dependency next to v9.3.2 [security] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	9.2.2 -> 9.3.2

GitHub Vulnerability Alerts

CVE-2020-5284

Impact

• Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
• Not affected: Deployments using the serverless target
• Not affected: Deployments using next export
• Affected: Users of Next.js below 9.3.2

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

Patches

https://github.com/zeit/next.js/releases/tag/v9.3.2

References

https://github.com/zeit/next.js/releases/tag/v9.3.2

---

Release Notes

vercel/next.js

v9.3.2

Compare Source

This upgrade is completely backwards compatible and recommended for all users on versions below 9.3.2. For future security related communications of our OSS projects, please join this mailing list.

Next.js has just been audited by one of the top security firms in the world.

They found that attackers could craft special requests to access files in the dist directory (.next).

This does not affect files outside of the dist directory (.next).

In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

How to Upgrade

• We have released patch versions for both the stable and canary channels of Next.js.
• To upgrade run npm install next@latest --save

Impact

• Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
• Not affected: Deployments using the serverless target
• Not affected: Deployments using next export
• Affected: Users of Next.js below 9.3.2 that use next start

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

How to Assess Impact

If you think sensitive code or data could have been exposed, you can filter logs of affected sites by ../ with a 200 response.

What is Being Done

As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Luca Carettoni from Doyensec for their investigation and discovery of the original bug and subsequent responsible disclosure.

We've landed a patch that ensures only known filesystem paths of .next/static are made available under /_next/static.
Regression tests for this attack were added to the security integration test suite.

• We have notified known Next.js users in advance of this publication.
• A public CVE was issued.
• If you want to stay on top of our security related news impacting Next.js or other ZEIT projects, please join this mailing list.
• We encourage responsible disclosure of future issues. Please email us at security@zeit.co. We are actively monitoring this mailbox.

---

Patches

• Add Numeric Separator Support for TypeScript: #​11308
• Update CLI custom config documentation link: #​11152
• Add error when attempting to export GSSP page: #​11154
• Update blog-starter example: #​11071
• Add CSS file to build output: #​11145
• Update <dir> reference in help text: 5274535
• Clean up examples directory: #​11169
• Remove react-ssr-prepass alias as it's not longer needed: #​11170
• Upgrade @​ampproject/toolbox-optimizer to 2.0.1: #​11168
• Add section on reading files: #​11084
• [Examples] fix remark link in blog-starter's README: #​11177
• Updated with-typescript example to SSG: #​11081
• Add CMS example for Sanity: #​10907
• Group CSS files in shared build output separate from JS files: #​11184
• Updating min nodejs requirement: #​11181
• Docs(ssr): req is an IncomingMessage instance, not HttpRequest: #​11194
• Add support for baseUrl option in tsconfig and jsconfig: #​11203
• [Example] with-passport: #​10529
• CMS TakeShape Example: #​11038
• Ensure hybrid AMP works correctly with SSG: #​11205
• Update mocha example with yml configuration.: #​11214
• Fix with-firebase-cloud-messaging example setup code: #​10686
• Update wording of new data fetching methods recommendation: #​11221
• Updated Api Routes Middleware example to use getServerSideProps: #​11128
• With Firebase Client-Side example: #​11053
• Docs(example): Load basic-css example on codesandbox: #​11227
• Remove mkdirp, bump fs-extra to 9.0.0: #​11251
• Add support for paths in tsconfig.json and jsconfig.json: #​11293
• Add test for single alias: #​11296
• Update GIP docs: #​11303
• Add custom amp optimizer and skip validation mode: #​10705
• Update handling for ENOENT from GSSP methods: #​11302
• Docs: clarify how to customize next/babel presets: #​11316
• Fix assignment of props in WithApollo.getInitialProps: #​11236
• Fix: typo in isStaging in with-env example: #​11305
• Skip paths that are routed to a .d.ts file: #​11322
• Upgrade loader-utils: #​11324
• Fix warning for API routes with next export: #​11330
• Make sure to copy AMP SSG files during export: #​11331
• Just a small typo I think, right?: #​11344
• [docs] Mention our channels: #​11336
• Use records to init store: #​11343
• Update data-fetching.md: 074c60e
• Fix preview-mode docs/examples typo: #​11345
• Update to prevent re-using workers for getStaticPaths in dev mode: #​11347

Credits

Huge thanks to @​chibicode, @​ijjk, @​timneutkens, @​sebastianbenz, @​zhe, @​shaswatsaxena, @​prateekbh, @​vvo, @​lfades, @​bbortt, @​aviaryan, @​mgranados, @​julianbenegas, @​gregrickaby, @​dulmandakh, @​yosuke-furukawa, @​tinymachine, @​bgoerdt, @​nicolasrouanne, @​filipesmedeiros, @​rishabhsaxena, and @​queq1890 for helping!

v9.3.1

Compare Source

Patches

• Correctly Count Object References: #​10903
• Add warning when built-in CSS/SCSS support is disabled: #​10942
• Add missing words in docs: #​10941
• Update handling for patterns in custom routes: #​10523
• Remove extra closing parenthesis: #​10948
• Fix paths.params.type in getStaticPaths(document): #​10959
• Check SSG Page via Route Lookup: #​10971
• Make sure to not show pages/404 GIP error from _app having GIP: #​10974
• Fix examples with relay-compiler: #​10976
• Use core-js promise polyfill for nomodule browsers: #​10985
• Improve Sass Error: #​10982
• Add support for getStaticProps in pages/404: #​10984
• Cms-datocms SerializableError fixes: #​10986
• Fix Lint: 39ed664
• Generic form of GetStaticProps and GetServerSideProps: #​10856
• Add Array.flat polyfill to nomodule-polyfills: #​11004
• Add "noreferrer" to the prerender indicator doc link: #​11005
• Update RegExp test and remove extra script: #​11006
• Update data-fetch example to SSG: #​11017
• Feat: update api-routes example to SSG: #​11019
• Fix Test for Windows: c135830
• Update amp-first example to use GSSP: #​11028
• Update with-zeit-fetch example to use SSG: #​11026
• Update next-sass example to use built-in sass support: #​11015
• Correct Cache-Control Behavior for GS(S)P: #​11022
• Update custom-server-fastify example to not use internal fn: #​11040
• Updated analyze-bundles example: #​11031
• Use getServerSideProps for example: #​11057
• Update custom-server-express example with getServerSideProps: #​11035
• Upgrade next.js version on datocms example: #​11039
• Update with-loading example to SSG: #​11050
• Update form handler example: #​11059
• Add support for static 404 when _error does not have custom GIP: #​11062
• Update ssr-caching example with getServerSideProps: #​11032
• Upgrade styled-jsx: #​11070
• Update preset.ts: Remove any and use updated Node.js types: #​11075
• Update @​next/bundle-analyzer dependencies: #​11068
• Update introduction.md: #​11092
• Fix prettier linting: a231315
• Add experimental support for SCSS options: #​11063
• Update API routes documentation to correctly mention middlewar…: #​11083
• Update with-react-multi-carousel example to use GSSP: #​11069
• Move public directory for development in examples/with-firebas…: #​11085
• Update examples to use getStaticProps where possible: #​11136

Credits

Huge thanks to @​ijjk, @​chibicode, @​5alidz, @​watanabeyu, @​messa, @​timneutkens, @​followbl, @​herrstucki, @​danlutz, @​Spy-Seth, @​asotoglez, @​josiahwiebe, @​ragingwind, @​ruisaraiva19, @​SarKurd, @​bobaaaaa, @​akhila-ariyachandra, @​lfades, @​matamatanot, @​JazibJafri, @​tomdohnal, @​carlospavanetti, @​giuseppeg, @​lifeiscontent, @​7ma7X, @​PaulHale, @​john015, and @​petamoriken for helping!

v9.3.0

Compare Source

Minor Changes

• Enable scss/sass support: #​10571
• Enable pages/404.js support: #​10572
• Enable polyfillsOptimization: #​10574
• Prefetch SSG Data: #​10127
• Adding conformance checks: #​10314
• Preview mode documentation: #​10863
• Add TypeScript docs for SSG: #​10865
• Verify GS(S)P Serializability: #​10857

Patches

• Adds a missing dependency: #​10570
• Add missin create permission for faunadb example: #​10575
• Decrease number of expected preloads in safari: #​10578
• Make sure to handle rejection when prefetching pages: #​10579
• Add NextApiHandler type: #​10573
• Update error message for invalid return value from getStaticPaths: #​10580
• Update to latest watchpack with dynamic route rename fix: #​10351
• Bump amphtml-validator to 1.0.30: #​10588
• Add Failing CSS Test Case: #​10590
• Do not cache 404 SSR responses: #​10596
• Fix Nested Index Dynamic Routes in Development: #​10595
• Emit ES5 Friendly Code in Program#exit Visitor: #​10591
• Fixed pathname check in router: #​10547
• Use clearInterval instead of clearTimer on a timer: #​10597
• Fix AMP Validator Version: #​10600
• Fix: Improve grammar of apollo.js comments: #​10601
• Clean up landed experimental flags: #​10593
• Updated links: #​10604
• Add err.sh for invalid getStaticPaths return value: #​10605
• Remove extra whitespace: 80bdf73
• Upgrade next-transpile-modules to latest everywhere: #​10607
• Disable setImmediate polyfill: #​10612
• Add navigation test specific for Safari 10: #​10616
• Make sure to handle failing to load _error: #​10617
• Update legacy safari test for GitHub actions: #​10618
• Add err.sh for getStaticProps error: #​10619
• Add error messages for dynamic SSG page without getStaticPaths: #​10620
• Remove next/link from chakra-ui example: #​10625
• Update error-load-fail test to use check to handle reload taking longer on windows: #​10631
• Remove deprecated static folder: #​10632
• Fix Cookie Expiration: #​10634
• Preview Mode Should Not Cache: #​10636
• Invalidate cache for link[preload] in dev for CSS files: #​10630
• Update link to GitHub Discussions beta: b331338
• Make sure to log errors from data fetching in dev mode in the console: #​10652
• Fix typo in invalid getStaticPaths value example: #​10657
• Update with-mobx-keystone-typescript example: #​10638
• Test Prerender in Emulated Serverless Mode: #​10660
• Improve Nested Catch-All Coverage: #​10659
• Fix Double URL Encoding for Serverless: #​10663
• Add calling getStaticPaths in development before showing fallback: #​10611
• Show better error when non-array is returned from custom-routes: #​10670
• Update error load fail test so that webdriver can still connect to app: #​10673
• Rename zeit.co/new → zeit.co/import: #​10674
• Update example "with-typescript-graphql": #​10637
• Create config.yml: cedd6fa
• Update 1.Bug_report.md: fc9f18d
• Fix apollo example: #​10696
• Update head-manager to compress better: #​10687
• Update README.md: c0f4283
• Make sure rewrites are handled in serverless mode correctly: #​10697
• Update url prop handling for pages with new data methods: #​10653
• Add dataRoutes field to routes-manifest for SSG and serverProps routes: #​10622
• Ability to Disable SSG Fallback: #​10701
• Fix Error Message: 663f5c4
• Add --example=<github-url> to create-next-app: #​10226
• Rename getServerProps to getServerSideProps: #​10722
• Remove unstable_ prefix from new methods: #​10723
• Fix buildId being escaped breaking test with certain build ids: #​10728
• Fix url-polyfill dep and re-enable native-url: #​10726
• Extract sendPayload and prepareServerlessUrl: #​10732
• Extract getStaticPaths helper: #​10731
• Remove old eslint-ignores from unstable_ prefix: #​10740
• Move upgrading guide to /docs: #​10727
• Adding new types of performance monitoring: #​10421
• Separate Low Priority Files from Main Files: #​10756
• Consistently Type GS(S)P: #​10757
• Correctly Dedupe Prefetching: #​10758
• Add params to getStaticProps on err.sh: #​10751
• Updating links to dynamic-routes section of docs: #​10759
• Remove dangerousAsPath from RenderOpts: #​10773
• Remove Dead Code from Next Server: #​10772
• Examples: react-native-web: fix config to prefer .web.* exts: #​10774
• Fix RenderOpts in next-server: #​10776
• Fix next/config module mismatch in new serverless mode: #​10792
• Remove old env from workflow since it is replaced with WebHook: #​10798
• Measure getStaticProps, getServerSideProps: #​10800
• Throw NoFallbackError instead of returning: #​10793
• Add identifier to NEXT_DATA for gs(s)p: #​10812
• Update to output jest data for posting failed tests comment: #​10814
• Fix(cli): inspect flag is deprecated: #​10819
• Update to make sure preview mode works with getServerSideProps: #​10813
• Send Credentials for getServerSideProps Requests: #​10826
• Update release stats with different name from pr stats: #​10827
• Add docs for static 404 and pages/404: #​10811
• Make sure to error when setting too large of preview data: #​10831
• Ensure an accessible default viewport meta tag: #​10823
• Update Pages and Data Fetching docs for SSG improvements: #​10837
• Update Custom Server README's: #​10843
• Fix data fetching learn more links: a61dfb2
• Re-add Sass Docs: #​10850
• Update README-template.md: 69ba793
• Fix getStaticPaths modules being cached in dev mode: #​10852
• Add example for why-did-you-render: #​10662
• Update method for attaching GS(S)P identifier to page: #​10859
• Fix getServerSideProps Test Case: #​10862
• Fix Prerender Test Cases: #​10861
• Add Test Case for SSG Full Re-Export: #​10864
• Test child_process with API route: #​10872
• Typo on preview mode documentation: #​10892
• Fix getStaticPaths example code: #​10893
• Fix linting of markdown documentation: 83b4fd1
• DatoCMS Example: #​10891
• Upgrade webpack: #​10895
• Fix Azure Pipelines: #​10896
• Add demo URL for the DatoCMS example: #​10901

Credits

Huge thanks to @​arcanis, @​lgordey, @​ijjk, @​martpie, @​jaywink, @​fabianishere, @​dijs, @​TheRusskiy, @​quinnturner, @​timneutkens, @​lfades, @​vvo, @​adithwip, @​rafaelalmeidatk, @​bmathews, @​Spy-Seth, @​EvgeniyKumachev, @​chibicode, @​piglovesyou, @​HaNdTriX, @​Timer, @​janicklas-ralph, @​devknoll, @​prateekbh, @​ethanryan, @​MoOx, @​rifaidev, @​msweeneydev, @​motiko, and @​balazsorban44 for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.