Commit
fix(deps): update dependency next to v14.2.10 [security] (#362)
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [next](https://nextjs.org) ([source](https://github.com/vercel/next.js)) | [`14.2.6` -> `14.2.10`](https://renovatebot.com/diffs/npm/next/14.2.6/14.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/next/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/next/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/next/14.2.6/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/14.2.6/14.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-46982](https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9)

### Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

- Next.js between 13.5.1 and 14.2.9
- Using pages router
- Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`

The below configurations are unaffected:

- Deployments using only app router
- Deployments on [Vercel](https://vercel.com/) are not affected

### Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

### Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

#### Credits

- Allam Rachid (zhero_)
- Henry Chen

---

### Release Notes

<details>
<summary>vercel/next.js (next)</summary>

### [`v14.2.10`](https://github.com/vercel/next.js/compare/v14.2.9...v14.2.10)

[Compare Source](https://github.com/vercel/next.js/compare/v14.2.9...v14.2.10)

### [`v14.2.9`](https://github.com/vercel/next.js/compare/v14.2.8...v14.2.9)

[Compare Source](https://github.com/vercel/next.js/compare/v14.2.8...v14.2.9)

### [`v14.2.8`](https://github.com/vercel/next.js/compare/v14.2.7...v14.2.8)

[Compare Source](https://github.com/vercel/next.js/compare/v14.2.7...v14.2.8)

### [`v14.2.7`](https://github.com/vercel/next.js/compare/v14.2.6...v14.2.7)

[Compare Source](https://github.com/vercel/next.js/compare/v14.2.6...v14.2.7)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/simonknittel/simonknittel.de).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
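
The three conditions listed under "Impact" can be turned into a quick triage check for a project. The following is an added example, not part of the commit message and not code from Renovate or Next.js. The function names, the `getServerSideProps` heuristic for spotting server-side rendered pages, and the sample project are assumptions made for illustration.

```javascript
// Added example: triage helper for the advisory conditions quoted above.
// Affected per the advisory: 13.5.1 <= next <= 14.2.9; fixed in 13.5.7 and 14.2.10.
const parse = (v) => v.replace(/^[^\d]*/, "").split(".").map((n) => parseInt(n, 10));
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
};

function versionAffected(version) {
  const v = parse(version);
  if (cmp(v, [13, 5, 1]) < 0 || cmp(v, [14, 2, 9]) > 0) return false;
  // Assumption: 13.x releases from 13.5.7 on carry the fix named under "Patches".
  if (v[0] === 13 && cmp(v, [13, 5, 7]) >= 0) return false;
  return true;
}

// Heuristic (assumption): a pages-router SSR route is a file under pages/ that
// exports getServerSideProps; "non-dynamic" means no [param] path segment.
function exposedRoutes(files) {
  return Object.entries(files)
    .filter(([path]) => /^(src\/)?pages\//.test(path))
    .filter(([path]) => !/^(src\/)?pages\/api\//.test(path))
    .filter(([path]) => !path.includes("["))
    .filter(([, src]) => /export\s+(async\s+)?(function|const)\s+getServerSideProps\b/.test(src))
    .map(([path]) => path);
}

function triage({ version, files, hostedOnVercel = false }) {
  const routes = exposedRoutes(files);
  const affected = versionAffected(version) && !hostedOnVercel && routes.length > 0;
  return { affected, routes };
}

// Constructed sample project (not taken from the repository in this commit).
const sample = {
  version: "14.2.6",
  files: {
    "pages/dashboard.tsx": "export async function getServerSideProps() { return { props: {} }; }",
    "pages/blog/[slug].tsx": "export async function getServerSideProps() { return { props: {} }; }",
    "pages/about.tsx": "export default function About() { return null; }",
    "app/page.tsx": "export default function Page() { return null; }",
  },
};
console.log(triage(sample));
```

A negative result from this check only reflects the listed conditions; the advisory recommends upgrading regardless of whether the issue can be reproduced.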