
🚨 [security] Update next: 12.0.8 → 12.0.9 (patch) #20

Closed
wants to merge 1 commit into from

Conversation

depfu[bot]
Contributor

@depfu depfu bot commented Jan 29, 2022


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next (12.0.8 → 12.0.9) · Repo

Security Advisories 🚨

🚨 DOS Vulnerability for self-hosted next.js apps using i18n

Impact

Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.

  • Affected: All of the following must be true to be affected by this CVE
    • Next.js versions above v12.0.0
    • Using next start or a custom server
    • Using the built-in i18n support
  • Not affected:
    • Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

Patches

A patch has been released, next@12.0.9, that mitigates this issue. We recommend all affected users upgrade as soon as possible.

Workarounds

We recommend upgrading whether you can reproduce or not, although you can ensure /${locale}/_next/ is blocked from reaching the Next.js instance until you upgrade.

For more information

If you have any questions or comments about this advisory:

Release Notes

12.0.9

Core Changes

  • middlewares: limit process.env to inferred usage: #33186
  • update webpack: #33207
  • Abstract out native filesystem usage from the base server: #33226
  • use text data url instead of base64 for shorter encoding: #33218
  • chore(deps): upgrade postcss: #33142
  • Fix global process testing for the process polyfill: #33220
  • Update swc: #33201
  • improve full refresh overlay: #33301
  • Custom app for server components: #33149
  • Update yarn PnP tests and disable swc file reading for PnP: #33236
  • Base Http for BaseServer: #32999
  • Update swc: #33342
  • Update check for fallback pages during export: #33323
  • Pre-compile more dependencies: #32742
  • Remove node fetch polyfill from base server: #33395
  • Replace regexp to plain string for optimization render HTML: #33306
  • Fix broken html on streaming render for error page: #33399
  • Disable cache for rsc pages: #33438
  • Fix pre-compiled check from copying react-refresh-utils: #33442
  • fix(next-swc): Update swc: #33427
  • Move middleware handling to node server: #33448
  • Enforce absolute URLs in Edge Functions runtime: #33410
  • feat(next-swc): Update swc: #33461
  • Update main field for nccd jest-worker: #33465
  • chore(deps): upgrade node-fetch: #33466
  • Move static serving to next server: #33475
  • feat(next-swc): Update swc: #33485
  • Fix multiple calls to image onLoadingComplete(): #33474
  • Refactor base server to remove native dependencies: #33499
  • Update swc: #33514
  • Implement abstract methods to get manifest files in the base server: #33537
  • Simplify getMiddlewareInfo calls: #33542
  • Fix static file check with i18n: #33503
  • Bump styled-jsx: #33546
  • Ensure optional value normalizing is correct for index: #33547
  • Bump nft to 0.17.4: #33548
  • Add next-multilingual example: #29386
  • Removed the s from NextConfig: #33560
  • feat(next-swc): Update swc: #33595
  • Fix rsc export component name detection: #33608
  • upgrade webpack: #33549
  • Ensure fetch polyfill is loaded in next-server: #33616
  • feat(next-swc): Update swc: #33628
  • Add lazyRoot optional property to next/image component : #33290
  • feat(next-swc): Update swc: #33675
  • Implement web server as the request handler for edge SSR: #33635
  • Relay Support in Rust Compiler: #33240
  • Revert "Relay Support in Rust Compiler": #33699

Documentation Changes

  • Fixed broken link related to the recently merged Data fetching docs refactor: #33209
  • Removed backticks on data fetching api titles: #33216
  • Added links to data fetching api refs, fixed title: #33221
  • Remove outdated & possibly confusing statement about redirects: #33224
  • [examples] Add a statically generated blog example using Next.js and Builder.io: #22094
  • Typo Fix: #33252
  • Update font-optimization.md: #33266
  • Fixed broken links in data fetching docs: #33250
  • docs: Mention middleware for getStaticProps: #33273
  • Add sections for Remove React Properties and Remove Console to compiler docs: #33311
  • Update links in next export + next/image error message: #33317
  • Add onLoad gottcha note to next/script docs: #33097
  • Update security-headers.md: fix path does not match homepage: #33137
  • fix minor typo in SWR: #33378
  • ReferenceError in authentication.md example fixed: #33411
  • docs: fix url: #33409
  • fix(docs): Fix typo in Custom Build Id docs: #33515
  • [docs] Update authentication docs to fix iron-session link.: #33483
  • docs(authentication): fix iron-session example link: #33502
  • Update middleware documentation for custom server: #33535
  • Removed unrequired path in docs' manifest: #33579
  • Update next/server documentation for geo: #33609
  • Clarify next/image usage with next export based on feedback.: #33555
  • Clarify headers config option description: #33484
  • fix(errors/no-cache): netlify-plugin-cache-nextjs has been deprecated: #33629
  • Updated docs for getServerSideProps and getStaticProps return values: #33577
  • Use relative path for example: #33565
  • chore(docs): update security headers specification: #33673
  • REMOVE: duplicate key in docs/testing.md: #33681

Example Changes

  • [examples] Update remark dependency for blog-starter: #33313
  • Update package.json for examples/with-supabase-auth-realtime-db: #33321
  • Working example for building forms with Next.js: #32669
  • Updates dependency version of frontend SDK in with-supertokens example: #33393
  • docs: add skynexui to examples: #33326
  • Update with-linaria dependency: #33487
  • Update Supabase example README.: #33610
  • [examples] Add new Tailwind CSS Prettier plugin to example: #33614

Misc Changes

  • Update license year
  • fix(docs): master branch renaming: #33312
  • Add link to security email directly.: #33358
  • Fix getServerSideProps hanging in dev on early end: #33366
  • [docs] Fix 404 link for testing example.: #33407
  • Update to latest version of turbo: #33613
  • Update other instances of node-fetch: #33617

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Jan 29, 2022
@vercel

vercel bot commented Jan 29, 2022

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/theodorusclarence/notiolink/6gq8FKeW82Bez2JeKEtibcC3Aw5j
✅ Preview: https://notiolink-git-depfu-updateyarnnext-1209-theodorusclarence.vercel.app

@depfu
Contributor Author

depfu bot commented Jan 31, 2022

Closing because this update has already been applied

@depfu depfu bot closed this Jan 31, 2022
@depfu depfu bot deleted the depfu/update/yarn/next-12.0.9 branch January 31, 2022 06:24