stakes.social fix(deps): update dependency next to v14 [security]

fix(deps): update dependency next to v14 [security]

Open renovate[bot] opened this issue 5 months ago • 1 comments

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	`12.1.5` -> `14.2.7`

GitHub Vulnerability Alerts

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS Dimitrios Vlastaras

Release Notes

vercel/next.js (next)

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix: ensure route handlers properly track dynamic access (#66446)
fix NextRequest proxy in edge runtime (#66551)
Fix next/dynamic with babel and src dir (#65177)
Use vercel deployment url for metadataBase fallbacks (#65089)
fix(next/image): detect react@19 for fetchPriority prop (#65235)
Fix loading navigation with metadata and prefetch (#66447)
prevent duplicate RSC fetch when action redirects (#66620)
ensure router cache updates reference the latest cache values (#66681)
Prevent append of trailing slash in cases where path ends with a file extension (#66636)
Fix inconsistency with 404 getStaticProps cache-control (#66674)
Use addDependency to track metadata route file changes (#66714)
Add timeout/retry handling for fetch cache (#66652)
fix: app-router prefetch crash when an invalid URL is passed to Link (#66755)

Credits

Huge thanks to @ztanner, @ijjk, @wbinnssmith, @huozhi, and @lubieowoce for helping!

Core Changes

Should not warn metadataBase missing if only absolute urls are present: https://github.com/vercel/next.js/pull/61898
Fix trailing slash for canonical url: https://github.com/vercel/next.js/pull/62109
Fix metadata json manifest convention: https://github.com/vercel/next.js/pull/62615
Improve the Server Actions SWC transform: https://github.com/vercel/next.js/pull/61001
Fix Server Reference being double registered: https://github.com/vercel/next.js/pull/61244
Improve the Server Actions SWC transform (part 2): https://github.com/vercel/next.js/pull/62052
Fix module-level Server Action creation with closure-closed values: https://github.com/vercel/next.js/pull/62437
Fix draft mode invariant: https://github.com/vercel/next.js/pull/62121
fix: babel usage with next/image: https://github.com/vercel/next.js/pull/61835
Fix next/server api alias for ESM pkg: https://github.com/vercel/next.js/pull/61721
Replace image optimizer IPC call with request handler: https://github.com/vercel/next.js/pull/61471
chore: refactor image optimization to separate external/internal urls: https://github.com/vercel/next.js/pull/61172
fix(image): warn when animated image is missing unoptimized prop: https://github.com/vercel/next.js/pull/61045
fix(build-output): show stack during CSR bailout warning: https://github.com/vercel/next.js/pull/62594
Fix extra swc optimizer applied to node_modules in browser layer: https://github.com/vercel/next.js/pull/62051
fix(next-swc): Detect exports.foo from cjs_finder: https://github.com/vercel/next.js/pull/61795
Fix attempted import error for react: https://github.com/vercel/next.js/pull/61791
Add stack trace to client rendering bailout error: https://github.com/vercel/next.js/pull/61200
fix router crash on revalidate + popstate: https://github.com/vercel/next.js/pull/62383
fix loading issue when navigating to page with async metadata: https://github.com/vercel/next.js/pull/61687
revert changes to process default routes at build: https://github.com/vercel/next.js/pull/61241
fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: https://github.com/vercel/next.js/pull/60776
Improve redirection handling: https://github.com/vercel/next.js/pull/62561
Simplify node/edge server chunking some: https://github.com/vercel/next.js/pull/62424

Credits

Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!

Core Changes

Add Next.js 14 codemods to CLI output.: #57552
OpenTelemetry: propagate a configured context(s) to root requests: #57084
debug: Add tags to next build traces to track build configuration in the .next/trace file: #56965
[Traces] Await the flush of the trace write stream to make sure trace file is written: #57641
Add node-pty to externals list: #57640
fix: move logging config validation out of experimental: #57530
Update font data: #57728
Support viewport export via TS Plugin: #57554
Fix: Build compilation warning when using middleware: #57685
chore: Update flight-client-entry-plugin.ts typo: #57734
Improve error for missing default export in dynamic metadata routes: #57711
fix gsp tracing issue: #57766
fix(turbopack): don't match empty route groups: #57647
Update React from 8c8ee9e to 0c63487 and types: #57772

Documentation Changes

Add missing dot in codemod command: #57536
docs(fix): example text unescaped entities: #57255
doc: Clarify built-in support for sass after installation: #57279
Update docs with a Good to know box about using redirect in client components: #56966
docs: fix 02-dynamic-routes.mdx: #57029
Fix incorrect link in GTM docs: #57547
Fix typos: #57592
Add apostrophe 07-error-handling.mdx: #57626
Fix: codemods.mdx Incorrect heading structure of next-og-import, meta…: #57605
Typo fix, version "13" to "14": #57723
Fix Google Tag Manager URL in Third Party Libraries documentation: #57731

Example Changes

Fix: Call cookies function from route to flag as dynamic: #57494
(Examples) Add with-youtube-embed example: #57367
(Examples) Add with-google-maps-embed example: #57365
update @types/react version in examples: #57259
docs: fix broken link to demo: #57229
(example update) Update example with-Clerk: #57050
active-class-name example style js has not taken effect: #56136
add inngest next.js example: #56049
fix inngest example for 3.x sdk: #57712

Misc Changes

update manifest: #57523
update next/third-parties to use Next 14 or 13 as a peer dependency, instead of just 13: #57515
Modify tailwindcss related dependency of create-next-app: #57262
Remove extra CI step and lock Node.js version: #57769

Credits

Huge thanks to @dijonmusters, @sokra, @philwolstenholme, @IgorKowalczyk, @housseindjirdeh, @Zoe-Bot, @HanCiHu, @JackHowa, @goncy, @hirotomoyamada, @pveyes, @yeskunall, @vinaykulk621, @ChendayUP, @leerob, @dvoytenko, @mknichel, @ijjk, @hmaesta, @ajz003, @its-kunal, @joelhooks, @blurrah, @tariknh, @Vinlock, @Nayeem-XTREME, @aziyatali, @aspehler, @huozhi, @ztanner, @ForsakenHarmony, @moka-ayumu, and @gnoff for helping!

Core Changes

Upgrade edge-runtime/cookies #57021
Patch React with fix for write-after-close for ReadableStream #57011

Credits

Huge thanks to @ijjk @huozhi @gnoff for helping!

`v13.5.5`

Compare Source

`v13.5.4`

Compare Source

Core Changes

chore: NextJS -> Next.js: #55961
fix-failed-to-generate-self-signed-certificate issue:#55891: #55947
Remove .test.js from dist: #55946
Turbopack next/font/google: don't insert css rules for multiple weights or styles: #55852
Fix stale revalidate stream handling: #55978
turbopack: improve turbopack/test stability: #56024
Mark testmode fetches internal: #56036
chore: Remove 'beta.' Subdomain from beta.nextjs.org Links: #55924
Remove experimental.sharedPool: #56021
fix(worker): pass env to build worker w/ config.experimental.workerThreads: #55257
Update swc_core to v0.83.26: #55780
Revert "Update swc_core to v0.83.26": #56077
fix reporting of illegal segments when directory only contains irrelevant files: #56076
Make permanentRedirect return 308 in route handlers: #56065
Remove unneeded next-dev js in next-core: #56039
Fix: Use boolean instead of false for experimental logging config: #56110
chore: remove chalk in favor of picocolors: #55992
Revert: "Generate prefetch RSC payload during build for SSR paths (#54403)": #56059
fetching logging on edge: #56108
Optimize build trace handling: #56048
Update font data: #56121
feat(turbopack): port bloom filter to nexturbo: #55678
Fixes performance problems due to TaskScopes: #55721
perf: remove react dom legacy from app router: #56082
perf: replace zod with superstruct: #56083
perf: externalise ws for bundled server: #56095
misc: refactor node utils: #56096
Add support for skipTrailingSlashRedirect and skipMiddlewareUrlNormalize in Turbopack: #56147
Add experimental.scrollRestoration for Turbopack: #56150
misc: refactor handleExternals: #56161
perf: add option to bundle pages externals: #56162
Allow jest to run with use server directive: #56148
Update experimental compile cache handling: #56139
App render related code clean up: #56178
Add support for i18n config in Turbopack: #56182
Implement list of config options for Turbopack: #56188
Turbopack: add support for an assetPrefix and basePath: #56058
update turbopack: #56197
Update supported options list to reflect #56188: #56200
Add support for experimental.logging.level in Turbopack: #56201
Add next.config.js options to turbopack warning file: #56207
fix: @libsql/client build error: #56192
chore: bump postcss: #56225
Add additional handling for experimental-compile: #56224
Drop ipc server headers filters: #56226
only override NODE_EXTRA_CA_CERTS when using experimental https flag: #56252
Pass same mangling option as terser to SWC minifier: #56281
update turbopack: #56285
clear require cache only when needed: #56198
misc: enable source maps for bundled runtime: #56289
misc: shortcut styled-jsx in external resolution: #56291
Support serverRuntimeConfig and publicRuntimeConfig in Turbopack: #56310
Reland static prefetches & fix prefetch bailout behavior: #56228
fix(#53190): add missing crossOrigin to assetsPrefix resources: #56311
misc: fix instrumentation with bundled server: #56318
fix(next/client): keep hash when navigating from app to pages router: #56223
fix: support both decoded and encoded url requests of conventioned files : #56187
fix: Invalid URL (404) provided on server actions error: #56323
Revert "misc: shortcut styled-jsx in external resolution (#56291)": #56334
Fix build output logging order: #56335

Documentation Changes

docs: add not-found to file conventions page: #55944
Update 03-linking-and-navigating.mdx: #55907
docs: Correct place for passing extension option to createMDX(): #55967
docs-55629 update router cache column in cache interactions api table: #55630
Update 03-linking-and-navigating.mdx: #55969
Updates "Prerender Error" page for App Router: #56044
Add the default import alias to create-next-app prompt for clarity: #55896
Update revalidatePath.mdx to fix confusing wording of arguments section.: #56099
docs: Renamed function that is used by other name: #56170
(docs) Document Server Actions .bind method: #56164
docs: Use Response.json over NextResponse.json: #56173
correcting link to useSearchParams ref: #56169
docs(sharp-missing-in-production.mdx): update standalone command: #56191
docs(sharp-missing-in-production.mdx): update standalone command: #56239
Update image.mdx: #56269
Update image.mdx: #56266

Example Changes

chore(examples): bump dependency versions: #55899
Update to with-supertokens example app: #56035
Update dependencies in examples : #55993
Chore/update with supabase demo deploy button: #52483
chore(examples): remove deprecated dependency from with-jest: #56152
chore(examples): fix with-jest types: #56193
(Examples) update Grafbase example: #54705
fix: typo in with-stripe-typescript example: #56274

Misc Changes

Skip production tests for Turbopack: #56045
Fix invalid build-and-test workflow: #56053
turbopack: Add more skipped tests: #56052
Skip next build test: #56079
add flakey test: #56080
Skip more production tests for turbopack: #56084
Ensure tests suites have unique names: #56085
Skip experimental.nextScriptWorkers test for Turbopack: #56086
Skip production tests for Turbopack: #56089
Skip Babel tests for Turbopack: #56091
misc: add node-version file: #55938
Ensure unique name for app dir css tests: #56088
Decrease default test timeouts: #56116
misc: stop hiding node_modules in vscode: #56081
special case timeout on windows: #56120
Turbopack: update test manifest: #56133
More test updates: #56146
fix(cna): pin dependency versions: #56177
Update swc_core to v0.83.28: #56134
Fix middleware-general test for Turbopack: #56211
More Turbopack test fixes: #56248
update test mainfest: #56214
More Turbopack fixes: #56275
More Turbopack fixes: #56299
misc: update code owners: #56290
Fix flaky test for size output: #56303
update webp crate: #56307
Remove buildId test as it's no longer relevant: #56316
Add code freeze GitHub actions for releasing: #56325
test: add flaky turbopack integration tests to manifest: #56309

Core Changes

Remove link to closed discussion: #55596
test(turbopack) migrate api tests, few image tests: #55552
fix: handle string nodejs signals: #55606
Update React from d6dcad6 to 2807d78: #55590
Simplified ensure promise handling: #55562
chore: bump @vercel/og and satori: #55654
Fix header resent when error occured: #55619
Add additional cleanup logic for forked process: #55652
Polish error icon for error log: #55618
Fix importing name multiple times with the named_import transform: #55664

Documentation Changes

create-next-app templates: Change bun run dev commands to bun dev: #55603
docs: move optimizePackageImports to experimental: #55614
fix(docs): internationalization middleware example: #55645

Example Changes

fix: examples/with-fauna/package.json to reduce vulnerabilities: #55594
fix: examples/with-grafbase/package.json to reduce vulnerabilities: #55593
chore(examples): upgrade next-translate dependencies: #55637

Misc Changes

chore: run repro validation only on bug reports: #55610
Run unit tests in a separate job: #55621
Run unit tests in a single job run: #55625

Credits

Huge thanks to @padmaia, @mayank1513, @jakeboone02, @balazsorban44, @kwonoj, @huozhi, @Yovach, @ztanner, @wyattjoh, @GabenGar, @timneutkens, and @shuding for helping!

`v13.5.1`

Compare Source

Core Changes

Update font data: #54257
add experimental https support to next dev: #54016
Fix emotion-js transform for server components: #54284
Handle basePath for redirect(): #54277
Remove unused array in router-server: #54278
app-router: tweak prefetch cache status heuristics: #53864
Adds nonce to preinit scripts: #54059
Fix default export of server action utility aliases: #54254
fix: improve error message when output: export in app router: #54202
ci(trace): allow to opt in to upload full trace: #54347
fix: server actions blocking navigation events: #54307
Skip getStaticPaths check for non-dynamic app routes: #54351
OpenTel: ensure that exceptions are recorded on an active span: #54131
Testmode: intercept rewrite fetches: #54259
Polyfill Array.prototype.at: #44436
Fix missing locale info for middleware data request: #54357
fix: minimum node version 16.14.0: #54331
Merge app renderer process: #54143
Fix data route ordering in dev: #54364
fix(app): enable React Strict Mode by default: #53375
Fix swc compiling of client components when directive appears later than exports: #54392
Upgrade vendored react: #54399
Code clean up: #54405
Upgrade precompiled ua-parser-js: #54404
Fix compilation of next/dynamic with ssr: false in App Router: #54411
refactor: Use swc AST to determine use client and server directives: #54358
Fix not found css not being preloaded while navigation: #53906
Optimize webpack memory cache garbage collection: #54397
Use push for Server Action redirections: #54458
Decreased watchpack aggregate timeout: #54461
Generate prefetch RSC paylod during build for SSR paths: #54403
remove HMR polling in favor of more targeted events: #54406
Trace upload fixup: #54455
fix: custom incremental cache handlers should work when transpiled: #54472
upgrade Edge Runtime dependency: #54489
fix infinite navigate events when Promise is proxied: #54394
Implement named_import_transform: #54530
fix resolve routes behavior when matching a dynamic segment: #54539
Turbopack: add edge support for pages apis: #54449
chore(eslint): bump ESLint plugins: #54490
Skip copying signal field for revalidate: #54533
Fix missing new line for certain logs: #54442
update turbopack: #54558
fix(DX): More precise error messages for export const config deprecation: #54492
Revert "Decreased watchpack aggregate timeout": #54515
Forms and mutations docs.: #54314
optimize_barrel SWC transform and new optimizePackageImports config: #54572
Reuse edgeConditionNames variable: #54594
Update font data: #54585
Add cleanup logic to worker.ts: #54500
chore: add extra error info for rsc info helper: #54609
Fix router CPU profiling: #54497
Turbopack: add middleware support for next.rs api dev mode: #54555
Rename hot-reloader to hot-reloader-webpack: #54628
Implement hot-reloader interface: #54629
Remove this as any cases: #54642
Implement hot reloader interface for Turbopack: #54632
Fix weight values above 900 not working with Google Fonts: #54339
add support for app pages to next.rs api: #54668
Remove unused cssnano-simple file: #54658
File Reader Improvements: #54645
Add new permanentRedirect function in App Router: #54047
Default app router not found : #54199
Cleanup of /_next/data handling in server: #54689
Trace uploader: fix git binary on windows: #54580
fix(next/image): import error preload is not exported from react-dom: #54688
turbopack: should only create _not-found when path_prefix is root: #54687
fix app routes: #54701
refactor: share utils and optimize segments normalization: #54611
Improve barrel optimizer with loader caching and wilcard exports: #54695
Move getBabelConfigFile to separate file: #54716
Reimplement getBabelConfigFile to be simpler: #54741
Fix memory watcher reboot: #54760
Misc Typescript updates: #54734
Fix unexpected full hmr reload when editing _app: #54690
update turbopack: #54768
Use variable for common isNodeOrEdgeCompilation condition: #54763
Turbopack: Implement HMR in next-api : #54772
Add @visx/visx to the import optimization list: #54778
Remove experimental.appDir as it's stable: #54785
Short circut 404's for /favicon.ico in development: #54747
Remove additional appDir checks: #54788
Remove experimental.pageEnv: #54789
Update list of Next.js options in next.rs: #54798
Fixes for Turbopack HMR: #54790
Fix the build manifest path for /: #54744
Allow any number of onFetch handlers for a single test: #54846
Update @vercel/og to latest: #54849
fix(turbopack): edge api entry path should not have /route suffix: #54851
Don't send tracing spans if performance.measure doesn't return measurements: #54808
Update tag handling for app cache: #53321
Simplify getPagePaths logic: #54908
Debug tracing: time devserver startup: #54537
Update turbopack: #54909
Add types for hot reloader send method: #54932
Fix typo in hot-reloader: #54944
Ensure that barrel files behind wildcards are transformed into shortpath: #54951
Fix group routes custom root not-found: #54931
fix: server actions firing twice after navigation: #54948
docs: fix document format for next_private_export_map: #54952
Unify serverError hmr event: #54962
Add serverError action to list of HMR events: #54964
fix(next-swc): skips client/server only checks when running with Jest to unblock testing: #54891
Remove pong HMR event as it is not used: #54965
Add turbopack-connected HMR event: #54976
Redesign nextjs logging: #54713
chore: bump undici: #55007
chore: restore options to opt-in for server-side transpilation: #55010
upgrade edge-runtime: #55005
[functions-config-manifest] use correct extra config for pages router: #54786
Client-side HMR message types: #55009
perf: use split chunks for the node server: #54988
Remove react-hot-toast from the optimizePackageImports list: #55029
Experimental server optimization: #54925
Fix duplicated dynamic metadata routes in dev mode: #55026
Adjust optimizePackageImports: #55040
server: enable minification by default: #54960
webpack: tweak config for split chunks: #55054
fix(perf): lazy load babel/code-frame: #55024
remove --turbo, use --experimental-turbo as --turbo: #55063
fix: skipTrailingSlashRedirect being ignored in pages: #55067
Debug tracing: include session and anonymous ids: #55021
Next SWC: Constrain Vc cell values with Send: #55077
test(next-dev): migrate styled-jsx integration test: #55079
perf: add bundled rendering runtimes: #52997
chore: add structured app page path type: #55070
Fixed i18n data route RegExp: #55109
chore: upgrade to TypeScript 5.2.2: #55105
fix: ensure mpa navigation render side effects are only fired once: #55032
Revert "perf: add bundled rendering runtimes (#52997)": #55117
Strip internal routing headers: #55114
Add option to support log full request url in verbose mode: #55111
Filter out pages tree view for app dir only output: #55120
Check for type of route handler returned value at build time (via the TS plugin) and at runtime: #51394
Set test headers via page.router API: #55087
server: re-land bundled runtimes: #55139
feat(turbopack): add dynamic metadata support: #54995
server: require hook hotfix : #55146
Revert swc versions to one that doesn't use lightningcss: #55148
feat: support expanding urls in nexturbo (and fix static files): #55147
Update font data: #55155
server: remove turbopack-specific code when compiling with webpack: #55226
Ensure ImageResponse extends Response: #55187
Remove render workers in favor of esm loader: #54813
test(turbopack): migrate 404-related tests from next-dev: #55243
feat: add reserved port validation: #55237
build: fix externals resolution when importing from next/dist: #55269
Make open editor icon size non-shrink in error overlay: #55273
build: fix minimal trace caching: #55279
reafactor: renamed pathname -> page: [#55282](https://re

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sep 25 '24 13:09 renovate[bot]

stakes.social stakes.social copied to clipboard

fix(deps): update dependency next to v14 [security]

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

Credits

Release Notes

Core Changes

Credits

Core Changes

Credits

Core Changes

Documentation Changes

Example Changes

Misc Changes

Credits

Core Changes

Credits

Core Changes

Documentation Changes

Example Changes

Misc Changes

Credits

Core Changes

Documentation Changes

Example Changes

Misc Changes

Credits

Core Changes

Configuration

stakes.social
stakes.social copied to clipboard