fix(deps): update dependency @clerk/nextjs to v4.29.3 [security] #241
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.29.2
->4.29.3
GitHub Vulnerability Alerts
CVE-2024-22206
Impact
Unauthorized access or privilege escalation due to a logic flaw in
auth()
in the App Router orgetAuth()
in the Pages Router.Affected Versions
All applications that that use
@clerk/nextjs
versions in the range of>= 4.7.0
,< 4.29.3
in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that callauth()
in the App Router orgetAuth()
in the Pages Router. Only the@clerk/nextjs
SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.Patches
Fix included in
@clerk/nextjs@4.29.3
.References
Release Notes
clerk/javascript (@clerk/nextjs)
v4.29.3
Compare Source
Patch Changes
Replace the
Clerk-Backend-SDK
header withUser-Agent
in BAPI requests and update it's value to contain both the package name and the package version of the clerk package (#2579) by @nikosdouvlisexecuting the request. Eg request from
@clerk/nextjs
to BAPI with appendUser-Agent: @​clerk/nextjs@5.0.0-alpha-v5.16
using the latest version.Miscellaneous changes: The backend test build changed to use tsup.
Updated dependencies [
c59a2d4a2
,2a615bf98
]:Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.