New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency next to v14.2.10 [security] #7

Open

renovate wants to merge 1 commit into main from renovate/npm-next-vulnerability

renovate bot commented Aug 1, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	`14.0.4` -> `14.2.10`

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

Next.js (<14.1.1) is running in a self-hosted* manner.
The Next.js application makes use of Server Actions.
The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

CVE-2024-46982

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

Next.js between 13.5.1 and 14.2.9
Using pages router
Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

Deployments using only app router
Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

Allam Rachid (zhero_)
Henry Chen

Release Notes

vercel/next.js (next)

`v14.2.10`

`v14.2.9`

`v14.2.8`

`v14.2.7`

`v14.2.6`

`v14.2.5`

`v14.2.4`

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix: ensure route handlers properly track dynamic access (#66446)
fix NextRequest proxy in edge runtime (#66551)
Fix next/dynamic with babel and src dir (#65177)
Use vercel deployment url for metadataBase fallbacks (#65089)
fix(next/image): detect react@19 for fetchPriority prop (#65235)
Fix loading navigation with metadata and prefetch (#66447)
prevent duplicate RSC fetch when action redirects (#66620)
ensure router cache updates reference the latest cache values (#66681)
Prevent append of trailing slash in cases where path ends with a file extension (#66636)
Fix inconsistency with 404 getStaticProps cache-control (#66674)
Use addDependency to track metadata route file changes (#66714)
Add timeout/retry handling for fetch cache (#66652)
fix: app-router prefetch crash when an invalid URL is passed to Link (#66755)

Credits

Huge thanks to @ztanner, @ijjk, @wbinnssmith, @huozhi, and @lubieowoce for helping!

`v14.2.3`

`v14.2.2`

`v14.2.1`

`v14.2.0`

`v14.1.4`

`v14.1.3`

`v14.1.2`

`v14.1.1`

Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary

Core Changes

Should not warn metadataBase missing if only absolute urls are present: https://github.com/vercel/next.js/pull/61898
Fix trailing slash for canonical url: https://github.com/vercel/next.js/pull/62109
Fix metadata json manifest convention: https://github.com/vercel/next.js/pull/62615
Improve the Server Actions SWC transform: https://github.com/vercel/next.js/pull/61001
Fix Server Reference being double registered: https://github.com/vercel/next.js/pull/61244
Improve the Server Actions SWC transform (part 2): https://github.com/vercel/next.js/pull/62052
Fix module-level Server Action creation with closure-closed values: https://github.com/vercel/next.js/pull/62437
Fix draft mode invariant: https://github.com/vercel/next.js/pull/62121
fix: babel usage with next/image: https://github.com/vercel/next.js/pull/61835
Fix next/server api alias for ESM pkg: https://github.com/vercel/next.js/pull/61721
Replace image optimizer IPC call with request handler: https://github.com/vercel/next.js/pull/61471
chore: refactor image optimization to separate external/internal urls: https://github.com/vercel/next.js/pull/61172
fix(image): warn when animated image is missing unoptimized prop: https://github.com/vercel/next.js/pull/61045
fix(build-output): show stack during CSR bailout warning: https://github.com/vercel/next.js/pull/62594
Fix extra swc optimizer applied to node_modules in browser layer: https://github.com/vercel/next.js/pull/62051
fix(next-swc): Detect exports.foo from cjs_finder: https://github.com/vercel/next.js/pull/61795
Fix attempted import error for react: https://github.com/vercel/next.js/pull/61791
Add stack trace to client rendering bailout error: https://github.com/vercel/next.js/pull/61200
fix router crash on revalidate + popstate: https://github.com/vercel/next.js/pull/62383
fix loading issue when navigating to page with async metadata: https://github.com/vercel/next.js/pull/61687
revert changes to process default routes at build: https://github.com/vercel/next.js/pull/61241
fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: https://github.com/vercel/next.js/pull/60776
Improve redirection handling: https://github.com/vercel/next.js/pull/62561
Simplify node/edge server chunking some: https://github.com/vercel/next.js/pull/62424

Credits

Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!

`v14.1.0`

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the renovate label

renovate bot added Mend: dependency security fix and removed renovate labels


          fix(deps): update dependency next to v14.2.10 [security]

01df16c

renovate bot force-pushed the renovate/npm-next-vulnerability branch from f78d603 to 01df16c Compare

September 18, 2024 05:44

renovate bot added renovate and removed Mend: dependency security fix labels

renovate bot changed the title ~~fix(deps): update dependency next to v14.1.1 [security]~~ fix(deps): update dependency next to v14.2.10 [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels