Update dependency next to v13 [SECURITY] #449
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:

- next: 12.3.4 → 13.5.11

XSS in Image Optimization API for Next.js
CVE-2021-39178 / GHSA-9gr3-7897-pp7m
Details
Impact
Affected deployments:
- `next.config.js` file has `images.domains` array assigned
- `images.domains` allows user-provided SVG
Not affected:
- `next.config.js` file has `images.loader` assigned to something other than default
Patches
Next.js v11.1.1
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
CVE-2022-23646 / GHSA-fmvm-x8mv-47mj
Details
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different loader configuration other than the default.
Impact
Affected deployments:
- `next.config.js` file has `images.domains` array assigned
Not affected:
- `next.config.js` file has `images.loader` assigned to something other than default
Patches
Next.js 12.1.0
Workarounds
Change `next.config.js` to use a different loader configuration other than the default, for example:
Or if you want to use the `loader` prop on the component, you can use `custom`:
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
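As an added example (not part of the advisory text or of the Next.js project), the check below encodes the affected-configuration conditions the two Image Optimization advisories above state, so a team can run it against its own `next.config.js` object before upgrading. `checkImageOptimizationConfig`, `compareVersions` and the sample configs are hypothetical names; it assumes an absent `images.loader` means the default loader, and an empty `images.domains` array counts as not assigned.

```javascript
// Added example, not from the advisory or Next.js: flags a next.config.js
// object that matches the affected shape from CVE-2022-23646 / GHSA-fmvm-x8mv-47mj
// (10.0.0 <= version < 12.1.0, images.domains assigned, default loader).

function parseVersion(v) {
  // Handles "12.0.5" and prerelease tags such as "13.4.20-canary.13"
  // (the prerelease suffix is ignored for the range comparison).
  const [core] = v.split('-');
  return core.split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns { affected: boolean, reason: string }. "affected" means the config
// matches the advisory's conditions; whether a listed host actually serves
// user-provided SVG cannot be read from the config and must be reviewed separately.
function checkImageOptimizationConfig(nextVersion, config) {
  const images = (config && config.images) || {};
  const inRange = compareVersions(nextVersion, '10.0.0') >= 0 &&
                  compareVersions(nextVersion, '12.1.0') < 0;
  if (!inRange) return { affected: false, reason: 'version not in 10.0.0 <= v < 12.1.0' };
  // Assumption: an empty domains array is treated as "not assigned".
  if (!Array.isArray(images.domains) || images.domains.length === 0)
    return { affected: false, reason: 'no images.domains array assigned' };
  // Assumption: absent images.loader means the default loader.
  if (images.loader && images.loader !== 'default')
    return { affected: false, reason: `non-default loader "${images.loader}"` };
  return { affected: true,
           reason: `default loader with images.domains=${JSON.stringify(images.domains)}` };
}

// Constructed sample configs (not taken from any real deployment).
const affectedConfig = { images: { domains: ['uploads.example.com'] } };
// The workaround the advisory gives: any loader other than the default,
// e.g. 'custom' together with the loader prop on the component.
const workaroundConfig = { images: { loader: 'custom', domains: ['uploads.example.com'] } };
```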
Unexpected server crash in Next.js
CVE-2021-43803 / GHSA-25mp-g6fv-mqxx
Details
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and `next start` or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior to version 0.9.9, the package `next` hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js missing cache-control header may lead to CDN caching empty reply
CVE-2023-46298 / GHSA-c59h-r6p8-q9wc
Details
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
Severity
Low
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes

vercel/next.js (next)

v13.5.11

v13.5.10

v13.5.9

v13.5.8
Core Changes
- `d900fad` to `1dba980`: #74202
Credits
Huge thanks to @wyattjoh and @ztanner for helping!

v13.5.7
Credits
Huge thanks to @wyattjoh and @ijjk for helping!

v13.5.6
Credits
Huge thanks to @ijjk @huozhi @gnoff for helping!

v13.5.5
Core Changes
- `fs.existsSync` to avoid race condition: #56387
- `waitUntil` into the handler: #56404
- `existSync` call: #56419
- `isolateModules` to `tsconfig` when extending from tsconfig with `verbatimModuleSyntax`: #54164
- `verbatimModuleSyntax` to make type imports/exports explicit: #56551
- `server-only` and `client-only`: #56760
- `useParams`: #56771
- `x-forwarded-*` headers: #56797
Documentation Changes
- `JSON.parse` to make reading output easier: #56713
Example Changes
- `@radix-ui/react-icons`: #56452
Misc Changes
- `permalink` option of `useFormState`: #56329
- `cargo fmt` to lint staged: #56430
- `.../templates/*/app/layout.*` import order: #56380
- `.env.example` file: #56469
Credits
Huge thanks to @ijjk, @timneutkens, @shuding, @wyattjoh, @Syphini, @manovotny, @ForsakenHarmony, @gnoff, @anonrig, @viktorronnback, @Rylab, @sokra, @hamirmahal, @huozhi, @jridgewell, @SukkaW, @wbinnssmith, @feedthejim, @balazsorban44, @jazsouf, @2XG-DEV, @stefanprobst, @ztanner, @mzab1985, @Mustafadagkiranlar, @JoRyGu, @cmbritten, @styfle, @Krishnanand2517, @bahag-buttf, @kwonoj, @Shadid12, @delbaoliveira, @mayankkamboj47, @dvoytenko, @mayank1513, @himself65, @suravshrestha, @fvaysh, @dianacpg, @joristirado, and @Kikobeats for helping!

v13.5.4
Core Changes
- `beta.nextjs.org` links: #55924
- `config.experimental.workerThreads`: #55257
- `swc_core` to `v0.83.26`: #55780
- `swc_core` to `v0.83.26`": #56077
- `permanentRedirect` return 308 in route handlers: #56065
- `boolean` instead of `false` for experimental logging config: #56110
- `postcss`: #56225
Documentation Changes
- `not-found` to file conventions page: #55944
- `extension` option to `createMDX()`: #55967
- `.bind` method: #56164
- `Response.json` over `NextResponse.json`: #56173
Example Changes
- `with-jest`: #56152
- `with-jest` types: #56193
- `with-stripe-typescript` example: #56274
Misc Changes
- `swc_core` to `v0.83.28`: #56134
Credits
Huge thanks to @balazsorban44, @sdkdeepa, @aayman997, @mayank1513, @timneutkens, @2XG-DEV, @eliot-akira, @hi-matthew, @riobits, @wbinnssmith, @ijjk, @sokra, @dvoytenko, @rishabhpoddar, @manovotny, @A7med3bdulBaset, @huozhi, @jridgewell, @joulev, @SukkaW, @kdy1, @feedthejim, @Fredkiss3, @styfle, @MildTomato, @ForsakenHarmony, @walfly, @bzhn, @shuding, @boylett, @Loki899899, @devrsi0n, @ImBIOS, @vinaykulk621, @ztanner, @sdaigo, @hamirmahal, @blurrah, @omarmciver, and @alexBaizeau for helping!

v13.5.3
Core Changes
- `build`: #55628
- `fs.existsSync` instead of `accessSync`: #55675
- `next/dist/esm` rewrite `ResolvePlugin`: #55689
- `fetchServerResponse` is a valid record when stored in router cache: #55690
- `next/navigation`: #55743
- `generate_types` task: #55748
- `next info` output: #55704
- `--experimental-https`: #55775
- `turbopack-230922.2`: #55828
Documentation Changes
- `useFormState`: #55564
Misc Changes
- `nissuer`: #55723
- `dependencies`/`devDependencies`: #55730

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.