Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency next to v14.2.15 [security] #6375

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 17, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 14.2.11 -> 14.2.15 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

  • The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
  • The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.


Release Notes

vercel/next.js (next)

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

v14.2.12

Compare Source


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Dec 17, 2024
@renovate renovate bot enabled auto-merge (squash) December 17, 2024 17:00
Copy link

socket-security bot commented Dec 17, 2024

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@eslint/[email protected] None 0 14.9 kB eslintbot, openjsfoundation
npm/[email protected] None 0 7.83 MB prettier-bot
npm/[email protected] environment 0 682 kB eemeli

🚮 Removed packages: npm/@babel/[email protected], npm/@babel/[email protected], npm/@codegouvfr/[email protected], npm/@elastic/[email protected], npm/@emnapi/[email protected], npm/@emnapi/[email protected], npm/@emnapi/[email protected], npm/@hutson/[email protected], npm/@isaacs/[email protected], npm/@jest/[email protected], npm/@matejmazur/[email protected], npm/@napi-rs/[email protected], npm/@nodelib/[email protected], npm/@nodelib/[email protected], npm/@nodelib/[email protected], npm/@npmcli/[email protected], npm/@nrwl/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@nx/[email protected], npm/@octokit/[email protected], npm/@octokit/[email protected], npm/@octokit/[email protected], npm/@octokit/[email protected], npm/@octokit/[email protected], npm/@octokit/[email protected], npm/@octokit/[email protected], npm/@octokit/[email protected], npm/@opentelemetry/[email protected], npm/@opentelemetry/[email protected], npm/@opentelemetry/[email protected], npm/@pandacss/[email protected], npm/@pkgjs/[email protected], npm/@sentry/[email protected], npm/@sigstore/[email protected], npm/@sigstore/[email protected], npm/@sigstore/[email protected], npm/@sigstore/[email protected], npm/@sigstore/[email protected], npm/@sigstore/[email protected], npm/@sinclair/[email protected], npm/@socialgouv/[email protected], npm/@socialgouv/[email protected], npm/@socialgouv/[email protected], npm/@socialgouv/[email protected], npm/@socialgouv/[email protected], npm/@socialgouv/[email protected], npm/@testing-library/[email protected], npm/@testing-library/[email protected], npm/@testing-library/[email protected], npm/@testing-library/[email protected], npm/@tufjs/[email protected], npm/@tufjs/[email protected], npm/@tybys/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@yarnpkg/[email protected], npm/@yarnpkg/[email protected], npm/@zkochan/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6201f9f to f72b076 Compare December 18, 2024 09:55
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f72b076 to f108c3f Compare December 18, 2024 11:15
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f108c3f to adf8127 Compare December 18, 2024 11:34
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from adf8127 to e415219 Compare December 18, 2024 14:09
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from e415219 to 1f1fda6 Compare December 19, 2024 08:51
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 1f1fda6 to eb2e0fa Compare December 19, 2024 14:28
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from eb2e0fa to ecad41c Compare December 19, 2024 15:13
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from ecad41c to af178dd Compare December 19, 2024 15:17
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from af178dd to 8b74efe Compare December 19, 2024 15:27
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 8b74efe to 77485d7 Compare December 19, 2024 15:49
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 77485d7 to 49f47d9 Compare December 19, 2024 16:06
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 49f47d9 to 418a99a Compare December 20, 2024 10:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants