Update dependency next to v11 [SECURITY] #421
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.4.4
->11.1.3
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2021-43803
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package
next
hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when
pages/_error.js
was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.Impact
10.0.5
and10.2.0
11.0.0
and11.0.1
usingpages/_error.js
withoutgetInitialProps
11.0.0
and11.0.1
usingpages/_error.js
andnext export
pages/404.js
next
npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
Patches
https://github.com/vercel/next.js/releases/tag/v11.1.0
Release Notes
vercel/next.js (next)
v11.1.3
Compare Source
See https://github.com/vercel/next.js/releases/v12.0.5 for details about this patch.
v11.1.2
Compare Source
Core Changes
Credits
Huge thanks to @huozhi and @kara for helping!
v11.1.1
Compare Source
Core Changes
NextConfig
type: #27974generateBuildId
type that can be async function: #28040Document
in preparation for streaming: #28032util
to 0.12.4: #27939next-env.d.ts
on read-only filesystems: #28206next/image
: #28221zen-observable
library: #28214next/image
blur placeholder when JS is disabled: #28269process.exit
tonext lint
success output: #28299typescript
property toNextConfig
: #28459next/image
: #28517Documentation Changes
next/image
docs around layouts.: #28345sharp
usage to mention Vercel: #28476Example Changes
private: true
: #28008.gitignore
to examples that lack them: #28003licence
from allexample/package.json
that has them: #28007with-couchbase
example: #27184create-next-app
: #28431Misc Changes
no-import-document-in-page
rule: #28261Credits
Huge thanks to @delbaoliveira, @padmaia, @andersonleite, @stefanprobst, @oBusk, @sokra, @xnuk, @styfle, @leerob, @devknoll, @huozhi, @timneutkens, @awareness481, @agektmr, @gu-stav, @sampoder, @Thisen, @ijjk, @oscarafuentes, @AryanBeezadhur, @bmuenzenmeyer, @tdkn, @rgabs, @urko-pineda, @davecaruso, @kevinold, @ctjlewis, @chrislloyd, @mrmckeb, @housseindjirdeh, @hiro0218, @Bezmehrabi, @atcastle, @janicklas-ralph, @lorensr, @lekterable, @vcnc-hex, @ejscribner, @Andarist, @aravindputrevu, @robbieaverill, @zhafri-shafiq, @htunnicliff, @kukicado, @OzzieOrca, @mikehedman, and @kmelve for helping!
v11.1.0
Compare Source
A security team from one of our partners noticed an issue in Next.js that allowed for an open redirect to occur.
Specially encoded paths could be used when
pages/_error.js
was statically generated allowing an open redirect to occur to an external site.In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
How to Upgrade
npm install next@latest --save
Impact
pages/_error.js
withoutgetInitialProps
pages/_error.js
andnext export
pages/404.js
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If you think sensitive code or data could have been exposed, you can filter logs of affected sites by
//
(double slash at the start of the url) followed by a domain.What is Being Done
As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to Gabriel Benmergui from Robinhood for their investigation and discovery of the original bug and subsequent responsible disclosure.
We've landed a patch that ensures path parsing is handled properly for these paths so that the open redirect can no longer occur.
Regression tests for this attack were added to the security integration test suite
[email protected]
. We are actively monitoring this mailbox.Release notes
Core Changes
next lint
: #26697next-dev-server
implementation: #26230max-age
to optimized image: #26739onLoadingComplete()
prop to Image component: #26824.eslintrc
file created to have.json
format: #26884ResponsePayload
support: #26938IncrementalCache
API: #26941respondWith
: #26961next/script
interface Props to ScriptProps: #26990next/image
TS types forwidth
andheight
: #26991dangerously-unoptimized
loader for next/image: #26847next/image
TS types forsrc
: #26996dangerously-unoptimized
tocustom
and warn when applicable: #26998next-env.d.ts
: #27028next dev
performance with placeholder=blur: #27061web-vitals
to v1.1.2.: #25272withCoalescedInvoke
withResponseCache
: #26997minimumCacheTTL
config for Image Optimization: #27200next/script
component: #27218minimumCacheTTL
so it doesn't affect browser caching: #27307placeholder=blur
inside<noscript>
: #27311RequestContext
: #27303keepAlive
tonode-fetch
polyfill: #27376null
responses: #27403lazyBoundary
prop to Image component: #27258NextConfig
type: #27446next/image
component hasstyle
prop: #27441--format
flag tonext lint
: #27052RenderResult
: #27319onLoadingComplete()
callback: #27695next.config.js
option to override defaultkeepAlive
: #27709removeHeader()
function to image optimizer mock res: #27763next lint
is run for the first time: #26584else
to fix tree shaking: #27788placeholder
withblurDataURL
in globalStaticImageData
type: #27916next/script
unhandled promise rejection: #27903concurrentFeatures
config: #27768next build
when sharp is missing: #27933Documentation Changes
no-duplicate-head
rule: #27179next/image
docs withonLoadingComplete()
: #27440next/script
must not be innext/head
: #27534Example Changes
lunix
→linux
: #26796package.json
: #27121href
did not match error: #27183as
prop from<Link>
components: #27359util
tolib
inwith-mongodb
example: #27404utils
tolib
inwith-mongodb-mongoose
example: #27407Misc Changes
publish-canary
script to include checkout: #26840create-next-app
next-env.d.ts: #26890placeholder=blur
withassetPrefix
: #27120next/script
topages/_app
in script loader integration tests: #27626Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.