Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(nextjs): Update dependency next to v14.2.25 [SECURITY] #5418

Merged
merged 7 commits into from
Mar 27, 2025
Merged

chore(nextjs): Update dependency next to v14.2.25 [SECURITY] #5418

merged 7 commits into from
Mar 27, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 21, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 14.2.24 -> 14.2.25 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v14.2.25

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone GMT, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 21, 2025
@vercel Vercel
Copy link

vercel bot commented Mar 21, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
clerk-js-sandbox ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 27, 2025 1:15am

@renovate renovate bot enabled auto-merge (squash) March 21, 2025 18:55
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Mar 21, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 2171782

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from bfe9216 to c8a08d8 Compare March 21, 2025 19:09
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from c8a08d8 to 27d9c45 Compare March 22, 2025 20:24
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 27d9c45 to 10438cf Compare March 23, 2025 13:53
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 10438cf to 2488d7e Compare March 23, 2025 14:05
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 2488d7e to a593f74 Compare March 23, 2025 17:23
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from a593f74 to 1519a93 Compare March 23, 2025 18:08
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 1519a93 to c3461e3 Compare March 24, 2025 01:33
@renovate renovate bot changed the title chore(nextjs): Update dependency next to v14.2.25 [SECURITY] chore(nextjs): Update dependency next to v14.2.25 [SECURITY] - autoclosed Mar 24, 2025
@renovate renovate bot closed this Mar 24, 2025
auto-merge was automatically disabled March 24, 2025 14:42

Pull request was closed

@renovate renovate bot deleted the renovate/npm-next-vulnerability branch March 24, 2025 14:42
@renovate renovate bot changed the title chore(nextjs): Update dependency next to v14.2.25 [SECURITY] - autoclosed chore(nextjs): Update dependency next to v14.2.25 [SECURITY] Mar 25, 2025
@renovate renovate bot reopened this Mar 25, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from c3461e3 to 57d0b34 Compare March 25, 2025 08:03
@renovate renovate bot enabled auto-merge (squash) March 25, 2025 08:03
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 57d0b34 to 5a41f3b Compare March 25, 2025 10:28
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from c534de9 to d18c5bc Compare March 26, 2025 15:12
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from d18c5bc to fe9f5fb Compare March 26, 2025 15:45
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from fe9f5fb to b1e805c Compare March 26, 2025 16:10
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from b1e805c to a5a4ac0 Compare March 26, 2025 16:35
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from a5a4ac0 to 5f84c46 Compare March 26, 2025 16:57
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Mar 26, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot merged commit 44c0074 into main Mar 27, 2025
30 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jacekradko jacekradko

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file elements nextjs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jacekradko @clerk-cookie