Closed renovate[bot] closed 5 months ago
vercel[bot]
commented
5 months ago The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| next-enterprise | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | May 15, 2024 7:47pm |
github-actions[bot]
commented
5 months ago This analysis was generated by the Next.js Bundle Analysis action. 🤖
| Page | Size (compressed) |
|---|---|
global |
84.92 KB (🟢 2.97 KB) |
The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
The following page was added to the bundle from the code in this PR:
| Page | Size (compressed) | First Load |
|---|---|---|
/_not-found/page |
871 B |
85.77 KB |
The following pages changed size from the code in this PR compared to its base branch:
| Page | Size (compressed) | First Load |
|---|---|---|
/layout |
2.63 KB (🟢 2 B) |
87.54 KB |
/page |
137 B (🟢 -1 B) |
85.05 KB |
Only the gzipped size is provided here based on an expert tip.
First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by undefined% or more, there will be a red status indicator applied, indicating that special attention should be given to this.
renovate[bot]
commented
5 months ago Because you closed this PR without merging, Renovate will ignore this update (^14.0.3). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
14.0.3->14.1.1Next.js Server-Side Request Forgery in Server Actions
CVE-2024-34351 / GHSA-fr5h-rqp8-mj6g
More information
#### Details ##### Impact A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. ##### Prerequisites * Next.js (`<14.1.1`) is running in a self-hosted* manner. * The Next.js application makes use of Server Actions. * The Server Action performs a redirect to a relative path which starts with a `/`. \* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner. ##### Patches This vulnerability was patched in [#62561](https://togithub.com/vercel/next.js/pull/62561) and fixed in Next.js `14.1.1`. ##### Workarounds There are no official workarounds for this vulnerability. We recommend upgrading to Next.js `14.1.1`. ##### Credit Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to: Adam Kues - Assetnote Shubham Shah - Assetnote #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` #### References - [https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g](https://togithub.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g) - [https://nvd.nist.gov/vuln/detail/CVE-2024-34351](https://nvd.nist.gov/vuln/detail/CVE-2024-34351) - [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561) - [https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085](https://togithub.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085) - [https://github.com/vercel/next.js](https://togithub.com/vercel/next.js) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-fr5h-rqp8-mj6g) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
vercel/next.js (next)
### [`v14.1.1`](https://togithub.com/vercel/next.js/releases/tag/v14.1.1) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.1.0...v14.1.1) *Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary* ##### Core Changes - Should not warn metadataBase missing if only absolute urls are present: [https://github.com/vercel/next.js/pull/61898](https://togithub.com/vercel/next.js/pull/61898) - Fix trailing slash for canonical url: [https://github.com/vercel/next.js/pull/62109](https://togithub.com/vercel/next.js/pull/62109) - Fix metadata json manifest convention: [https://github.com/vercel/next.js/pull/62615](https://togithub.com/vercel/next.js/pull/62615) - Improve the Server Actions SWC transform: [https://github.com/vercel/next.js/pull/61001](https://togithub.com/vercel/next.js/pull/61001) - Fix Server Reference being double registered: [https://github.com/vercel/next.js/pull/61244](https://togithub.com/vercel/next.js/pull/61244) - Improve the Server Actions SWC transform (part 2): [https://github.com/vercel/next.js/pull/62052](https://togithub.com/vercel/next.js/pull/62052) - Fix module-level Server Action creation with closure-closed values: [https://github.com/vercel/next.js/pull/62437](https://togithub.com/vercel/next.js/pull/62437) - Fix draft mode invariant: [https://github.com/vercel/next.js/pull/62121](https://togithub.com/vercel/next.js/pull/62121) - fix: babel usage with next/image: [https://github.com/vercel/next.js/pull/61835](https://togithub.com/vercel/next.js/pull/61835) - Fix next/server api alias for ESM pkg: [https://github.com/vercel/next.js/pull/61721](https://togithub.com/vercel/next.js/pull/61721) - Replace image optimizer IPC call with request handler: [https://github.com/vercel/next.js/pull/61471](https://togithub.com/vercel/next.js/pull/61471) - chore: refactor image optimization to separate external/internal urls: [https://github.com/vercel/next.js/pull/61172](https://togithub.com/vercel/next.js/pull/61172) - fix(image): warn when animated image is missing unoptimized prop: [https://github.com/vercel/next.js/pull/61045](https://togithub.com/vercel/next.js/pull/61045) - fix(build-output): show stack during CSR bailout warning: [https://github.com/vercel/next.js/pull/62594](https://togithub.com/vercel/next.js/pull/62594) - Fix extra swc optimizer applied to node_modules in browser layer: [https://github.com/vercel/next.js/pull/62051](https://togithub.com/vercel/next.js/pull/62051) - fix(next-swc): Detect exports.foo from cjs_finder: [https://github.com/vercel/next.js/pull/61795](https://togithub.com/vercel/next.js/pull/61795) - Fix attempted import error for react: [https://github.com/vercel/next.js/pull/61791](https://togithub.com/vercel/next.js/pull/61791) - Add stack trace to client rendering bailout error: [https://github.com/vercel/next.js/pull/61200](https://togithub.com/vercel/next.js/pull/61200) - fix router crash on revalidate + popstate: [https://github.com/vercel/next.js/pull/62383](https://togithub.com/vercel/next.js/pull/62383) - fix loading issue when navigating to page with async metadata: [https://github.com/vercel/next.js/pull/61687](https://togithub.com/vercel/next.js/pull/61687) - revert changes to process default routes at build: [https://github.com/vercel/next.js/pull/61241](https://togithub.com/vercel/next.js/pull/61241) - fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: [https://github.com/vercel/next.js/pull/60776](https://togithub.com/vercel/next.js/pull/60776) - Improve redirection handling: [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561) - Simplify node/edge server chunking some: [https://github.com/vercel/next.js/pull/62424](https://togithub.com/vercel/next.js/pull/62424) ##### Credits Huge thanks to [@huozhi](https://togithub.com/huozhi), [@shuding](https://togithub.com/shuding), [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood), [@styfle](https://togithub.com/styfle), [@ijjk](https://togithub.com/ijjk), [@ztanner](https://togithub.com/ztanner), [@balazsorban44](https://togithub.com/balazsorban44), [@kdy1](https://togithub.com/kdy1), and [@williamli](https://togithub.com/williamli) for helping! ### [`v14.1.0`](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0) ### [`v14.0.4`](https://togithub.com/vercel/next.js/compare/v14.0.3...v14.0.4) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.3...v14.0.4)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.