
fix(deps): update dependency next to v12.1.0 [security] - abandoned #234

Open · wants to merge 1 commit into base: master
Conversation

renovate[bot]

@renovate renovate bot commented Feb 17, 2022

Mend Renovate

This PR contains the following updates:

Package: next (source)
Change: 12.0.9 -> 12.1.0

GitHub Vulnerability Alerts

CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 12.0.10
    • The next.config.js file has images.domains array assigned
    • The image host assigned in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}
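The advisory above gives two config-visible conditions (a non-empty images.domains array and the default loader) plus one that lives outside the config (whether those hosts serve user-provided SVG). The following is an added example, not code from the Renovate PR or from the Next.js project: a small defender-side check that evaluates the advisory's version range and config conditions against a next.config.js object and reports either "not-affected" or "review". The function and the sample configs are constructed for this illustration; the version parser assumes plain major.minor.patch strings.

```javascript
// Added example (not part of the Renovate PR or the Next.js project): evaluate
// the CVE-2022-23646 conditions that can be read from next.config.js.
// The SVG condition cannot be read from config, so a matching config is
// reported as "review" rather than "affected".

// Parse "major.minor.patch" into numbers; pre-release suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// status is "not-affected" when any advisory condition is definitely false,
// or "review" when version and config match and the hosts' SVG handling
// still has to be checked by hand.
function assessCve202223646(nextVersion, config) {
  const reasons = [];

  // Condition 1: Next.js >= 10.0.0 and < 12.1.0 (12.1.0 carries the patch).
  const inRange =
    compareVersions(nextVersion, '10.0.0') >= 0 &&
    compareVersions(nextVersion, '12.1.0') < 0;
  if (!inRange) {
    reasons.push(`next ${nextVersion} is outside the affected range >=10.0.0 <12.1.0`);
    return { status: 'not-affected', reasons };
  }

  // Condition 2: images.loader is the default (absent or 'default').
  const images = (config && config.images) || {};
  const loader = images.loader || 'default';
  if (loader !== 'default') {
    reasons.push(`images.loader is '${loader}', not the default loader`);
    return { status: 'not-affected', reasons };
  }

  // Condition 3: images.domains is assigned and non-empty.
  const domains = Array.isArray(images.domains) ? images.domains : [];
  if (domains.length === 0) {
    reasons.push('images.domains is not assigned');
    return { status: 'not-affected', reasons };
  }

  // Condition 4 (SVG served by the listed hosts) needs a manual look.
  reasons.push(
    `default loader with images.domains = [${domains.join(', ')}]; ` +
    'verify whether these hosts serve user-uploaded SVG'
  );
  return { status: 'review', reasons };
}

// Constructed sample configs: one in the advisory's shape, one using the
// documented imgix workaround.
const sampleDefaultLoaderConfig = { images: { domains: ['cdn.example.com'] } };
const sampleWorkaroundConfig = {
  images: { loader: 'imgix', path: 'https://example.com/myaccount/' },
};

console.log(assessCve202223646('12.0.9', sampleDefaultLoaderConfig));
console.log(assessCve202223646('12.0.9', sampleWorkaroundConfig));
console.log(assessCve202223646('12.1.0', sampleDefaultLoaderConfig));
```

The check deliberately stops at "review" for a matching config: only someone who knows what the hosts in images.domains accept can close out the last condition. The release notes below list the 12.1.0 change that adds image config for dangerouslyAllowSVG and contentSecurityPolicy, which is the upgrade path the advisory points to rather than the loader workaround.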

Release Notes

vercel/next.js

v12.1.0

Compare Source

Core Changes
  • Relay Support in Rust Compiler: #​33702
  • fix eslint link-passhref rule: #​33857
  • update webpack: #​33831
  • Flush buffered vitals metrics on page mount: #​33867
  • fix problem with HMR when middleware and page reference the same node_module: #​33873
  • Refactor page component getter in web server: #​33759
  • update NextResponse default redirect status to 307 to match docs: #​33505
  • Bug fix: dynamic page should not be interpreted as predefined page: #​33808
  • Group streaming experimental apis: #​33878
  • Encapsulate routing and initial hydration: #​33875
  • Optimize offline condition judgment: #​33238
  • Ensure external beforeFiles rewrites are handled with next/link: #​33888
  • Fix parsing params for i18n optional route in minimal mode: #​33896
  • Ensure browserslist extends works properly: #​33890
  • Fix image cache race condition: #​33883
  • Add support for Relay projects without artifactDirectory: #​33918
  • fix: handle jsxspreadattribute in inline-script-id eslint rule: #​32421
  • feat(next-swc): Update swc: #​33724
  • Update to latest version of amphtml-validator: #​33967
  • Warn in dev mode when script tags are added with next/head: #​33968
  • Ensure optional chaining in swc matches babel: #​33995
  • Use react-dom/server.browser in Node.js: #​33950
  • Ensure external middleware rewrite is handled correctly: #​33962
  • Update Terser to v5.10.0, fix minification issues: #​33045
  • Warn in dev mode when stylesheets are added using next/head: #​34004
  • Use ReadableStream in RenderResult: #​34005
  • Fix suffix ordering while streaming: #​34011
  • Don't use yarn if a package-lock.json file is found: #​31926
  • Do not warn when application/ld+json scripts are used with next/head: #​34021
  • Babel & next-swc: Fix exporting page config with AsExpression: #​32702
  • Detect per page runtime config for functions manifest: #​33945
  • Add JSDoc to config options: #​32915
  • Update font-stylesheet-gathering-plugin.ts: #​30709
  • Add decoratorMetadata flag if enabled by tsconfig: #​32914
  • fix: data url handling in css-loader: #​34034
  • Place 'charset' element at the top of : #​28119
  • Fix detection of anchor click events inside svg: #​23272
  • Allow passing nothing as custom jest config: #​32328
  • Fixes #​31240: Adding a recursive addPackagePath function in webpack-config: #​31264
  • Require component rendered as child of Link to pass event to onClick handler: #​27723
  • Allow scroll prevention on hash change: #​31921
  • Add support for async fn / promise in next.config.js/.mjs: #​33662
  • Fix lazyRoot functionality for next/image: #​33933
  • Change SWC minify from beta to release candidate: #​34056
  • Make Router state immutable: #​33925
  • Stop exposing internal render and renderError methods from next/client: #​34069
  • Add api-utils helper for testing: #​34078
  • feat(next-swc): Update swc: #​34045
  • Deprecate concurrentFeatures with runtime: #​34068
  • Add check for resolveWeak to next/dynamic: #​33908
  • remove unneeded and broken plugin: #​34087
  • Remove experimental warning from next/jest: #​34096
  • fix: arrow function export in rsc client component: #​34105
  • Use renderToStream with React 18: #​34106
  • Fix static result being piped: #​34111
  • Polyfill pipeTo and pipeThrough: #​34112
  • Update to leverage response-cache for image-optimizer: #​34075
  • fix: next/image usage from node_modules: #​33559
  • Fix included flight manifest on node runtime: #​34113
  • Fix: Use react-dom/server.browser when reactRoot: true: #​34116
  • Fix image-optimizer requires in next-server: #​34141
  • Fix required files matching in rsc: #​34137
  • Throw error when ts file contains css.resolve: #​34149
  • Chore/stable swc compiler options: #​34074
  • Fix bug with "Circular Structure" error: #​23905
  • Add _document and _app pre-import: #​23261
  • Ensure standalone server handles SIGTERM: #​34151
  • Bump nft to 0.17.5: #​34190
  • feat: copy .env file in standalone mode: #​34143
  • Fix reuse of inline flight response and 404 for RSC in node runtime: #​34202
  • Use updated recursive rm fs method for image-optimizer: #​34210
  • Fix link for "Delete Query Params in Middleware" error message in next-server.ts: #​34230
  • Enable dynamic HTML in minimal mode: #​34222
  • Fix uncaught error in getInitialProps when runtime is set to nodejs: #​34228
  • Optimize the web server size: #​34242
  • feat: allow node-sass@7 as peer dependency: #​34107
  • Adding step to build the app with docker in existing projects: #​34083
  • Changed all occurrences of etc to match: #​34280
  • Align reactRoot config between server and webpack config: #​34328
  • Fix <RouteAnnouncer/> shouldn't announce initial path under strict mode and React 18: #​34338
  • Fix flight root failed to hydrate in strict mode: #​34333
  • Allow dismissing full refresh warning for session: #​33868
  • Remove experimental image optimization feature: #​34349
  • Add support for "type": "module" in package.json: #​33637
  • feat(next-swc): Update swc: #​34355
  • Ensure invalid request to static page is handled correctly: #​34346
  • Add Error Handing section for ISR: #​34360
  • feat(next-swc): Update swc: #​34408
  • feat: improve opening a new issue flow: #​34434
  • Ensure we don't poll page in development when notFound: true is returned: #​34352
  • Add image config for dangerouslyAllowSVG and contentSecurityPolicy: #​34431
  • Revert swc css bump temporarily: #​34440
  • update webpack: #​34444
  • Update server-only changes HMR handling: #​34298
  • Fix .svg image optimization with a loader prop: #​34452
  • Allow reading request bodies in middlewares: #​34294
  • Revert "Allow reading request bodies in middlewares": #​34479
  • update webpack: #​34477
  • Fix chunk buffering for server components: #​34474
  • Remove deprecation for relative URL usage in middlewares: #​34461
Documentation Changes
  • Building web forms with Next.js and Vercel: #​32525
  • Add Clarity About Downloading and Self-Hosting a Font File: #​33760
  • Correct pluralization in newly added Relay documentation: #​33880
  • Update MDX document: #​33916
  • Update info on how to process webhooks by disabling bodyParser: #​33909
  • Update deployment docs to fix oversized image.: #​33934
  • docs: recommend .end instead of .send when no body is being sent: #​33611
  • Update custom document docs to prepare for React 18.: #​33814
  • Fix typo in new experimental Relay support docs: #​33963
  • docs(isr): add missing key prop in jsx loop: #​33984
  • docs: use function for components in general: #​33990
  • Updated going-to-production with loading performance: #​33179
  • docs: fix variable name from profileData to data in CSR page: #​34018
  • Improve Form Guide Contents: #​33913
  • Add async to middleware docs.: #​31356
  • (docs): update i18n-routing.md: #​33123
  • Fix redirect url for prefixing the default locale: #​33762
  • Add note about dns-prefetch as fallback: #​30385
  • Update custom server docs for async methods: #​30521
  • Update multiple docs pages to follow Docs Content style guide: #​33855
  • fix: Change url to nextUrl inside delete-query-params-in-middlewa…: #​33796
  • Changing GitHub Actions cache documentation: #​28228
  • [docs] Add env var load order: #​32350
  • docs: add Ory vercel example to auth page: #​33029
  • Add note about crawlers and fallback: true: #​34114
  • docs(api-routes): fix node docs links: #​34125
  • add note to clarify use of Link when clearing preview cookies (issue #​34129): #​34142
  • Re-render details if rewrites are used: #​34049
  • Add heading to invalid-api-status-body error: #​34150
  • Ensure /index route is redirected correctly for docs: #​34206
  • Update docs for image lazyRoot prop: #​34241
  • Update link for includeFiles glob reference: #​34269
  • Update Preview Mode docs.: #​34278
  • Update frequently asked questions in documentation: #​34252
  • Alphabetize auth docs providers.: #​34281
  • Replace babel with SWC & minor changes in getting started: #​34282
  • Update Middleware docs to add version history.: #​34302
  • Fix typo on getInitialProps: #​34309
  • Update missing curly brace in image.md: #​34307
  • docs: Add link to pageExtensions config in page-without-valid-component.md: #​34285
  • Add an example to Write server-side code directly section: #​34319
  • Few touch-ups to the docs on web forms in Next: #​34286
  • Update MDX Custom Elements setup: #​34175
  • Update image.md: #​34374
  • Updated failed to load error page to include info about node versions: #​34362
  • docs: react 18, streaming SSR, rsc with new apis: #​33986
  • Update MDX Guide config example: #​34405
  • Remove hello world RSC example.: #​34456
  • Fix typo: #​34480
Example Changes
  • Update npm comment in Docker example: #​33881
  • Update Contentful example to add validations to solve graphql complexity errors.: #​33958
  • Update all CMS examples dependencies.: #​33580
  • Fix warning unknown prettier option when running yarn lint.: #​34019
  • [New Example] with docker - multiple deployment environments: #​34015
  • Fix ambiguous flags in Dockerfile example: #​33417
  • fix(examples/with-docker): update env comments: #​29972
  • Remove unused "start" script from with-docker/package.json: #​31053
  • Update remark in blog-starter-typescript: #​31393
  • Update _document.js: #​29930
  • Docs: use the nextv12 example from the storybook-addon-next repo as the with-storybook example: #​33891
  • examples, update with new URL: #​34035
  • [with-typescript-graphql] fixes breaking changes in graphql-let v0.18.0: #​32681
  • fix(example): with-typescript-graphql graphql-let package migrate: #​29996
  • feat: update firebase in with-firebase: #​29581
  • progressive web app example converted to typescript: #​33100
  • Make adjustment to cache config of with-apollo example: #​32733
  • Fix error thrown by next/image in the Sanity example: #​34203
  • Update examples/active-class-name: #​34205
  • chore(example): update preact links in examples: #​34233
  • fix: don't wrap profile in firebase example: #​34457
Misc Changes
  • Fix flakey image-optimizer test: #​33957
  • Update azure config: #​33999
  • Add types to nextConfig in default template: #​34029
  • docs(contributing): Search GitHub for an open or closed PR that relates to your submission: #​22533
  • fix(create-next-app): add default version: #​33006
  • chore: do not run lock/stale actions on forks: #​34053
  • Fix functions manifest test: #​34092
  • add pnpm debug file in gitignore templates: #​34091
  • Update failing tests from upstream resource: #​34110
  • Update version number in next.config.js API reference
  • chore: log lock bot output: #​34168
  • chore: decrease lock action runs #​34180
  • Allow listening for page requests in tests: #​34204
  • Update code of conduct from v1.4 to v2.1: #​34208
  • Update contributing.md to link to walkthrough video.: #​34299
  • fix: typo in gitignore in typescript template: #​34372
  • test: add inline flight response reuse test: #​34364
  • Update 2.example_bug_report.yml
  • Update 1.bug_report.yml
  • Update 2.example_bug_report.yml
  • Update font-optimization test snapshot: #​34478
Credits

Huge thanks to @​MaedahBatool, @​mutebg, @​sokra, @​huozhi, @​hanford, @​shuding, @​sean6bucks, @​jameshfisher, @​devknoll, @​yuta-ike, @​zh-lx, @​amandeepmittal, @​alunyov, @​stefanprobst, @​leerob, @​balazsorban44, @​kdy1, @​brittanyrw, @​jord1e, @​kara, @​vvo, @​ismaelrumzan, @​dlindenkreuz, @​MohammadxAli, @​nguyenyou, @​thibautsabot, @​hanneslund, @​vertti, @​KateKate, @​stefee, @​mikinovation, @​Leticijak, @​mohsen1, @​ncphillips, @​ehowey, @​lancechentw, @​krychaxp, @​fmacherey, @​pklawansky, @​RyanClementsHax, @​lakbychance, @​sannajammeh, @​oliviertassinari, @​alexander-akait, @​u-yas, @​Cheprer, @​msp5382, @​chrispat, @​getspooky, @​Ryz0nd, @​klaasman, @​midgleyc, @​kumard3, @​jesstelford, @​neeraj3029, @​glenngijsberts, @​pie6k, @​wouterraateland, @​timneutkens, @​11koukou, @​thesyedbasim, @​aeneasr, @​ijjk, @​lfades, @​JuniorTour, @​xavhan, @​mattyocode, @​padmaia, @​Skn0tt, @​gwer, @​Nutlope, @​styfle, @​stipsan, @​xhoantran, @​eolme, @​sespinosa, @​zenorocha, @​hjaber, @​benmvp, @​T-O-R-U-S, @​dburrows, @​atcastle, @​kiriny, @​molebox, @​kitayoshi, and @​Schniz for helping!

v12.0.10

Compare Source

Core Changes
  • fix: image optimizer hangs when invalid image is requested: #​33719
  • feat: make compress configurable in standalone mode: #​33717
  • fix: allow certain variable names in development: #​33638
  • Use swc parse for flight server and client loaders: #​33713
  • Properly support custom 500 page in the web server: #​33729
  • chore: deprecate process.browser: #​32862
  • Improve tests for streaming and server components: #​33740
  • fix: fixes #​33314 move is-plain-object for es5 compilation: #​33690
  • Add stale-while-revalidate pattern to Image Optimization API: #​33735
  • Allow to delete URL search params in middleware rewrites: #​33725
  • Ensure all CSS files are included for experimental critical CSS: #​33752
  • Ensure non-error thrown in getStaticPaths shows correctly: #​33753
  • Fix encoding error with location and refresh headers: #​33763
  • Fix duplicate image src causing canceled request: #​33776
  • Generate functions manifest: #​33770
  • Enable jest hoist transform when using next/jest: #​33731
  • fix typo: #​33840
  • fix(next/image): render valid html according to W3C: #​33825
Documentation Changes
  • Update Time to First Byte (TTFB) link: #​33715
  • Changed data fetching file name to overview to fix meta data title: #​33232
  • Correct misspelling in testing documentation #​33754: #​33755
  • Move custom server note from middleware doc: #​33744
  • Fixed duplicate data fetching overview page + links: #​33774
  • [docs] Mention SWC in TypeScript documentation.: #​33801
  • Testing docs: Comment out optional config that points to a file: #​33827
  • Update Content-Security-Policy header usage explanation: #​33833
Example Changes
Misc Changes
  • run stale 20 minutes earlier
  • fix: use github action instead of bot: #​33718
  • fix syntax error in lock.yml
  • fix rsc test suite runner: #​33745
Credits

Huge thanks to @​Vienio99, @​balazsorban44, @​kyliau, @​molebox, @​huozhi, @​shuding, @​PepijnSenders, @​krystofex, @​PizzaPete, @​souljuse, @​styfle, @​Schniz, @​Nelsonfrank, @​ijjk, @​Mhmdrza, @​timneutkens, @​hideokamoto-stripe, @​Emrin, @​gr-qft, @​delbaoliveira, @​redbar0n, @​amandeepmittal, @​lxy-yz, and @​Divlo for helping!


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@renovate renovate bot changed the title fix(deps): update dependency next to v12.1.0 [security] fix(deps): update dependency next to v12.1.0 [security] - abandoned Oct 25, 2023
@renovate
Author

renovate bot commented Oct 25, 2023

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.


2 participants