chore(control-plane): bump next back to ^16.2.6 (undo 16.2.5 pin)#1934
Merged
Reverts the temporary `next` pin from #1928. Deeper investigation showed the control-plane redirect loop (#1926) is NOT a 16.2.6 regression: it reproduces identically on 16.2.5 and 16.2.6, and is triggered specifically by binding the standalone server to HOSTNAME=127.0.0.1 (Next normalizes 127.0.0.1 -> localhost in the proxy request URL but keeps 127.0.0.1 in the router's initUrl, so the next-intl locale rewrite looks cross-origin and leaks as a 307 loop). The production launchers (docker start-all.sh, bin/cli.js) bind HOSTNAME=0.0.0.0, which serves 200 on every version, so the pin neither fixed #1926's repro nor was needed for production. Restoring ^16.2.6 brings back the 16.2.6 security fixes (proxy-bypass + SSRF). The 127.0.0.1-binding quirk is unrelated to the version. Verified: npm ci -> single next@16.2.7; control-plane build typechecks; standalone on HOSTNAME=0.0.0.0 serves /login, /banks/*, /es/login as 200.
## Summary

Reverts the temporary `next` pin from #1928 and restores `^16.2.6` (resolves to 16.2.7), bringing back 16.2.6's security fixes (proxy-bypass + SSRF).

## Why the pin wasn't needed

Deeper investigation corrected the original diagnosis. The control-plane redirect loop (#1926) is not a 16.2.6 regression — it reproduces identically on 16.2.5 and 16.2.6:

| HOSTNAME | 127.0.0.1 | 0.0.0.0 (prod default) |
|---|---|---|

The loop is triggered specifically by binding the standalone server to `127.0.0.1`: Next normalizes `127.0.0.1` → `localhost` in the proxy's `request.url` but keeps `127.0.0.1` in the router's `initUrl`, so next-intl's locale rewrite looks cross-origin and leaks as a 307. With `0.0.0.0` both sides agree → 200.

The production launchers (`docker/standalone/start-all.sh`, `bin/cli.js`) bind `HOSTNAME=0.0.0.0`, which serves 200 on every version. So the pin neither fixed #1926's repro (which uses `127.0.0.1`) nor was needed for production.

## Change

- `hindsight-control-plane`: `next` `16.2.5` → `^16.2.6`
- `package.json`: drop the now-unneeded `overrides.next` (`^16.2.6` dedupes next-intl's peer to a single version on its own)
- `16.2.5` → `16.2.7`, single hoisted, all platform binaries preserved (minimal 40/40 diff)

## Verification

- `npm ci` → single deduped `next@16.2.7`
- `npm run build --workspace=hindsight-control-plane` → compiles + typechecks
- `HOSTNAME=0.0.0.0`: `/login`, `/banks/abc`, `/es/login` → 200

## Note on #1926

The `127.0.0.1`-binding loop is a Next standalone quirk (asymmetric hostname normalization), unrelated to the Next version. Production is unaffected. If we want to support loopback binding, a small follow-up can normalize a `127.0.0.1` bind to `localhost`; otherwise the guidance is to bind `0.0.0.0` (the default).
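The following is an added example, not code from the hindsight project or from Next.js. It models the asymmetric hostname normalization the PR describes (proxy side maps `127.0.0.1` to `localhost`, router side keeps the bound `HOSTNAME`), shows why the locale rewrite is judged cross-origin only for a loopback bind, and provides a small route checker of the kind used in the verification step, which follows redirects manually and flags a loop when the same `Location` repeats. The function names, the simplified normalization model and the stub responses are assumptions for illustration; `checkRoutes` can be pointed at a real standalone server by passing `globalThis.fetch`.

```javascript
// Assumed model of the proxy side: request.url has 127.0.0.1 rewritten to localhost.
function proxyRequestUrl(bindHost, port, path) {
  const u = new URL(`http://${bindHost}:${port}${path}`);
  if (u.hostname === '127.0.0.1') u.hostname = 'localhost';
  return u.toString();
}

// Assumed model of the router side: initUrl keeps whatever HOSTNAME was bound.
function routerInitUrl(bindHost, port, path) {
  return new URL(`http://${bindHost}:${port}${path}`).toString();
}

// A rewrite is treated as internal only when both sides agree on the origin.
function looksCrossOrigin(bindHost, port, path) {
  const proxyOrigin = new URL(proxyRequestUrl(bindHost, port, path)).origin;
  const routerOrigin = new URL(routerInitUrl(bindHost, port, path)).origin;
  return proxyOrigin !== routerOrigin;
}

// Simulated locale rewrite: an internal rewrite answers 200; a target that
// looks cross-origin is emitted as a 307 back to the same path.
function simulateLocaleRewrite(bindHost, port, path) {
  return looksCrossOrigin(bindHost, port, path)
    ? { status: 307, location: `http://${bindHost}:${port}${path}` }
    : { status: 200 };
}

// Stub fetch (constructed for offline use) that answers like the model above.
function makeStubFetch(bindHost) {
  return async (url) => {
    const u = new URL(url);
    const r = simulateLocaleRewrite(bindHost, u.port, u.pathname);
    const headers = new Headers(r.status === 307 ? { location: r.location } : {});
    return { status: r.status, headers };
  };
}

// Route checker: follows 3xx responses by hand (redirect: 'manual') and
// reports a loop as soon as a Location that was already visited comes back.
async function checkRoute(fetchImpl, base, path, maxHops = 5) {
  const seen = new Set();
  let url = new URL(path, base).toString();
  let lastStatus = 0;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (seen.has(url)) return { path, status: lastStatus, loop: true, hops: hop };
    seen.add(url);
    const res = await fetchImpl(url, { redirect: 'manual' });
    lastStatus = res.status;
    if (res.status >= 300 && res.status < 400) {
      const loc = res.headers.get('location');
      if (!loc) return { path, status: res.status, loop: false, hops: hop };
      url = new URL(loc, url).toString();
      continue;
    }
    return { path, status: res.status, loop: false, hops: hop };
  }
  return { path, status: lastStatus, loop: true, hops: maxHops };
}

async function checkRoutes(fetchImpl, base, paths) {
  return Promise.all(paths.map((p) => checkRoute(fetchImpl, base, p)));
}

if (typeof require !== 'undefined' && require.main === module) {
  const routes = ['/login', '/banks/abc', '/es/login'];
  for (const host of ['127.0.0.1', '0.0.0.0']) {
    checkRoutes(makeStubFetch(host), `http://${host}:3000`, routes)
      .then((results) => console.log(`HOSTNAME=${host}`, results));
  }
}
```

Against a live server the same checker becomes `checkRoutes(globalThis.fetch, 'http://0.0.0.0:3000', ['/login', '/banks/abc', '/es/login'])`; every result should come back with `status: 200` and `loop: false`, while a `127.0.0.1` bind surfaces as `loop: true` after one hop.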