Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency next to v14.2.15 [SECURITY] #6

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency next to v14.2.15 [SECURITY] #6

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Aug 1, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 14.0.4 -> 14.2.15 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

  • Next.js (<14.1.1) is running in a self-hosted* manner.
  • The Next.js application makes use of Server Actions.
  • The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #​62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

CVE-2024-46982

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

  • Next.js between 13.5.1 and 14.2.9
  • Using pages router
  • Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

  • Deployments using only app router
  • Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

  • Allam Rachid (zhero_)
  • Henry Chen

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

  • The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
  • The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Release Notes

vercel/next.js (next)

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

v14.2.12

Compare Source

v14.2.11

Compare Source

v14.2.10

Compare Source

v14.2.9

Compare Source

v14.2.8

Compare Source

v14.2.7

Compare Source

v14.2.6

Compare Source

v14.2.5

Compare Source

v14.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: ensure route handlers properly track dynamic access (#​66446)
  • fix NextRequest proxy in edge runtime (#​66551)
  • Fix next/dynamic with babel and src dir (#​65177)
  • Use vercel deployment url for metadataBase fallbacks (#​65089)
  • fix(next/image): detect react@19 for fetchPriority prop (#​65235)
  • Fix loading navigation with metadata and prefetch (#​66447)
  • prevent duplicate RSC fetch when action redirects (#​66620)
  • ensure router cache updates reference the latest cache values (#​66681)
  • Prevent append of trailing slash in cases where path ends with a file extension (#​66636)
  • Fix inconsistency with 404 getStaticProps cache-control (#​66674)
  • Use addDependency to track metadata route file changes (#​66714)
  • Add timeout/retry handling for fetch cache (#​66652)
  • fix: app-router prefetch crash when an invalid URL is passed to Link (#​66755)
Credits

Huge thanks to @​ztanner, @​ijjk, @​wbinnssmith, @​huozhi, and @​lubieowoce for helping!

v14.2.3

Compare Source

v14.2.2

Compare Source

v14.2.1

Compare Source

v14.2.0

Compare Source

v14.1.4

Compare Source

v14.1.3

Compare Source

v14.1.2

Compare Source

v14.1.1

Compare Source

Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary

Core Changes
Credits

Huge thanks to @​huozhi, @​shuding, @​Ethan-Arrowood, @​styfle, @​ijjk, @​ztanner, @​balazsorban44, @​kdy1, and @​williamli for helping!

v14.1.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel Vercel
Copy link

vercel bot commented Aug 1, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
storage ❌ Failed (Inspect) Dec 21, 2024 2:27pm
storage-next ❌ Failed (Inspect) Dec 21, 2024 2:27pm

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from d044928 to 21bbd8b Compare September 18, 2024 02:59
@renovate renovate bot changed the title Update dependency next to v14.1.1 [SECURITY] Update dependency next to v14.2.10 [SECURITY] Sep 18, 2024
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 21bbd8b to a66af13 Compare December 21, 2024 14:27
@renovate renovate bot changed the title Update dependency next to v14.2.10 [SECURITY] Update dependency next to v14.2.15 [SECURITY] Dec 21, 2024
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Dec 21, 2024

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@codiumai-pr-agent-free CodiumAI PR-Agent (Free)
Copy link

codiumai-pr-agent-free bot commented Dec 21, 2024
edited
Loading

CI Failure Feedback 🧐

(Checks updated until commit a66af13)

Action: test

Failed stage: Setup pnpm [❌]

Failure summary:

The action failed because no pnpm version was specified in the configuration. This can be fixed by
either:

  • Adding a "version" key in the GitHub Action config for pnpm/action-setup
  • Specifying the packageManager version in package.json

    • Relevant error logs: 
    1:  ##[group]Operating System
2:  Ubuntu
...

135:  POSTGRES_URL: ***
136:  POSTGRES_URL_NON_POOLING: ***
137:  BLOB_READ_WRITE_TOKEN: ***
138:  KV_REST_API_URL: 
139:  KV_REST_API_TOKEN: 
140:  EDGE_CONFIG: ***
141:  ##[endgroup]
142:  ##[group]Running self-installer...
143:  Error: No pnpm version is specified.
144:  Please specify it by one of the following ways:
145:  - in the GitHub Action config with the key "version"
146:  - in the package.json with the key "packageManager"
147:  at readTarget (/home/runner/work/_actions/pnpm/action-setup/v2/dist/index.js:1:3939)
148:  at async runSelfInstaller (/home/runner/work/_actions/pnpm/action-setup/v2/dist/index.js:1:2928)
149:  at async install (/home/runner/work/_actions/pnpm/action-setup/v2/dist/index.js:1:2239)
150:  at async main (/home/runner/work/_actions/pnpm/action-setup/v2/dist/index.js:1:445)
151:  ##[error]Error: No pnpm version is specified.
    ✨ CI feedback usage guide:

    The CI feedback tool (/checks) automatically triggers when a PR has a failed check.
    The tool analyzes the failed checks and provides several feedbacks:

    • Failed stage
    • Failed test name
    • Failure summary
    • Relevant error logs

    In addition to being automatically triggered, the tool can also be invoked manually by commenting on a PR:

    /checks "https://github.com/{repo_name}/actions/runs/{run_number}/job/{job_number}"

    where {repo_name} is the name of the repository, {run_number} is the run number of the failed check, and {job_number} is the job number of the failed check.

    Configuration options

    • enable_auto_checks_feedback - if set to true, the tool will automatically provide feedback when a check is failed. Default is true.
    • excluded_checks_list - a list of checks to exclude from the feedback, for example: ["check1", "check2"]. Default is an empty list.
    • enable_help_text - if set to true, the tool will provide a help message with the feedback. Default is true.
    • persistent_comment - if set to true, the tool will overwrite a previous checks comment with the new feedback. Default is true.
    • final_update_message - if persistent_comment is true and updating a previous checks message, the tool will also create a new message: "Persistent checks updated to latest commit". Default is true.

    See more information about the checks tool in the docs.

    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Reviewers
    No reviews
    Assignees
    No one assigned
    Labels
    None yet
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging this pull request may close these issues.
    0 participants