fix(deps): update dependency @clerk/nextjs to v4.29.3 [security] #241

Merged
merged 1 commit into from
Jan 12, 2024

@renovate renovate bot commented Jan 12, 2024

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| @clerk/nextjs (source) | 4.29.2 -> 4.29.3 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-22206

Impact

Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router.

Affected Versions

All applications that use @clerk/nextjs versions in the range of >= 4.7.0,< 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call auth() in the App Router or getAuth() in the Pages Router. Only the @clerk/nextjs SDK is impacted. Other SDKs, including other JavaScript-based SDKs, are not impacted.

Patches

Fix included in @clerk/nextjs@4.29.3.

References


Release Notes

clerk/javascript (@clerk/nextjs)

v4.29.3

Compare Source

Patch Changes
  • Replace the Clerk-Backend-SDK header with User-Agent in BAPI requests and update its value to contain both the package name and the package version of the clerk package (#2579) by @nikosdouvlis

    executing the request. Eg request from @clerk/nextjs to BAPI with append User-Agent: @clerk/nextjs@5.0.0-alpha-v5.16 using the latest version.

    Miscellaneous changes: The backend test build changed to use tsup.

  • Updated dependencies [c59a2d4a2, 2a615bf98]:


Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
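
A lockfile check for the affected range stated in the advisory above (>= 4.7.0, < 4.29.3), as an added example that is not part of this PR or of the Clerk project. It assumes an npm package-lock.json already parsed into an object; the sample lockfile, `constructed-app` and `some-plugin` are constructed for illustration.

```javascript
// Added example: flags installs of @clerk/nextjs inside the advisory's range.
const PKG = "@clerk/nextjs";
const FIRST_AFFECTED = [4, 7, 0]; // ">= 4.7.0" from the advisory
const FIRST_FIXED = [4, 29, 3];   // "< 4.29.3" from the advisory

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns true/false, or null when the version cannot be parsed (review by hand).
// Assumption: a prerelease sorts just below its release, so 4.29.3-beta.1 is flagged.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  const lo = cmpCore(p.core, FIRST_AFFECTED);
  const hi = cmpCore(p.core, FIRST_FIXED);
  return (lo > 0 || (lo === 0 && !p.pre)) && (hi < 0 || (hi === 0 && p.pre));
}

// Lists every installed copy, nested ones included, since bumping the top-level
// dependency does not replace them. Handles lockfileVersion 2/3 and 1.
function findClerkInstalls(lock) {
  const hits = [];
  const record = (path, meta) => hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) record(path, meta);
      walkV1(meta.dependencies, `${path}/`);
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) record(path, meta);
    }
  } else walkV1(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: the top-level copy is in range, the nested one is fixed.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "constructed-app" },
  "node_modules/@clerk/nextjs": { version: "4.29.2" },
  "node_modules/some-plugin/node_modules/@clerk/nextjs": { version: "4.29.3" },
} };
```

Any entry returned with `affected: true` or `affected: null` still needs attention after the top-level bump is merged.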

@renovate renovate bot added the renovate label Jan 12, 2024

vercel bot commented Jan 12, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| shiro | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Jan 12, 2024 10:36pm |

@renovate renovate bot enabled auto-merge (rebase) January 12, 2024 22:33
@Innei Innei merged commit 0d67edc into main Jan 12, 2024
3 checks passed
@renovate renovate bot deleted the renovate/npm-@clerk/nextjs-vulnerability branch January 12, 2024 23:47