SocialGouv / dashlord-actions

GitHub actions for DashLord
Apache License 2.0
2 stars, 13 forks

fix(deps): update dependency next to v14.1.1 [security] #325

Closed renovate[bot] closed 5 months ago

renovate[bot] commented 5 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| next (source) | 14.1.0 -> 14.1.1 |

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

* Adam Kues - Assetnote
* Shubham Shah - Assetnote


Release Notes

vercel/next.js (next)

### [`v14.1.1`](https://togithub.com/vercel/next.js/releases/tag/v14.1.1)

[Compare Source](https://togithub.com/vercel/next.js/compare/v14.1.0...v14.1.1)

*Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary*

##### Core Changes

- Should not warn metadataBase missing if only absolute urls are present: [https://github.com/vercel/next.js/pull/61898](https://togithub.com/vercel/next.js/pull/61898)
- Fix trailing slash for canonical url: [https://github.com/vercel/next.js/pull/62109](https://togithub.com/vercel/next.js/pull/62109)
- Fix metadata json manifest convention: [https://github.com/vercel/next.js/pull/62615](https://togithub.com/vercel/next.js/pull/62615)
- Improve the Server Actions SWC transform: [https://github.com/vercel/next.js/pull/61001](https://togithub.com/vercel/next.js/pull/61001)
- Fix Server Reference being double registered: [https://github.com/vercel/next.js/pull/61244](https://togithub.com/vercel/next.js/pull/61244)
- Improve the Server Actions SWC transform (part 2): [https://github.com/vercel/next.js/pull/62052](https://togithub.com/vercel/next.js/pull/62052)
- Fix module-level Server Action creation with closure-closed values: [https://github.com/vercel/next.js/pull/62437](https://togithub.com/vercel/next.js/pull/62437)
- Fix draft mode invariant: [https://github.com/vercel/next.js/pull/62121](https://togithub.com/vercel/next.js/pull/62121)
- fix: babel usage with next/image: [https://github.com/vercel/next.js/pull/61835](https://togithub.com/vercel/next.js/pull/61835)
- Fix next/server api alias for ESM pkg: [https://github.com/vercel/next.js/pull/61721](https://togithub.com/vercel/next.js/pull/61721)
- Replace image optimizer IPC call with request handler: [https://github.com/vercel/next.js/pull/61471](https://togithub.com/vercel/next.js/pull/61471)
- chore: refactor image optimization to separate external/internal urls: [https://github.com/vercel/next.js/pull/61172](https://togithub.com/vercel/next.js/pull/61172)
- fix(image): warn when animated image is missing unoptimized prop: [https://github.com/vercel/next.js/pull/61045](https://togithub.com/vercel/next.js/pull/61045)
- fix(build-output): show stack during CSR bailout warning: [https://github.com/vercel/next.js/pull/62594](https://togithub.com/vercel/next.js/pull/62594)
- Fix extra swc optimizer applied to node_modules in browser layer: [https://github.com/vercel/next.js/pull/62051](https://togithub.com/vercel/next.js/pull/62051)
- fix(next-swc): Detect exports.foo from cjs_finder: [https://github.com/vercel/next.js/pull/61795](https://togithub.com/vercel/next.js/pull/61795)
- Fix attempted import error for react: [https://github.com/vercel/next.js/pull/61791](https://togithub.com/vercel/next.js/pull/61791)
- Add stack trace to client rendering bailout error: [https://github.com/vercel/next.js/pull/61200](https://togithub.com/vercel/next.js/pull/61200)
- fix router crash on revalidate + popstate: [https://github.com/vercel/next.js/pull/62383](https://togithub.com/vercel/next.js/pull/62383)
- fix loading issue when navigating to page with async metadata: [https://github.com/vercel/next.js/pull/61687](https://togithub.com/vercel/next.js/pull/61687)
- revert changes to process default routes at build: [https://github.com/vercel/next.js/pull/61241](https://togithub.com/vercel/next.js/pull/61241)
- fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: [https://github.com/vercel/next.js/pull/60776](https://togithub.com/vercel/next.js/pull/60776)
- Improve redirection handling: [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561)
- Simplify node/edge server chunking some: [https://github.com/vercel/next.js/pull/62424](https://togithub.com/vercel/next.js/pull/62424)

##### Credits

Huge thanks to [@huozhi](https://togithub.com/huozhi), [@shuding](https://togithub.com/shuding), [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood), [@styfle](https://togithub.com/styfle), [@ijjk](https://togithub.com/ijjk), [@ztanner](https://togithub.com/ztanner), [@balazsorban44](https://togithub.com/balazsorban44), [@kdy1](https://togithub.com/kdy1), and [@williamli](https://togithub.com/williamli) for helping!

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
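The advisory quoted in the PR description gives the mechanism of CVE-2024-34351 only at a high level: a server takes a redirect target, resolves it against the request's Host header and then issues the resulting request itself. The block below is an added illustration of that general pattern in plain Node.js; it is not code from Next.js, from this repository or from the advisory, and says nothing about how Next.js implemented the fix. The `TRUSTED_HOSTS` allowlist, the `genuine`/`spoofed` request objects, the recording `fetchImpl` stub and all function names are constructed for the example.

```javascript
// Added example: the Host-header SSRF pattern the advisory describes, reduced
// to a plain Node.js redirect resolver. Not code from Next.js or DashLord.

// Hosts this deployment is actually served under (assumed configuration).
const TRUSTED_HOSTS = new Set(['app.example.test', 'localhost:3000']);

// Vulnerable resolver: the base origin is taken straight from the request's
// Host header, so a spoofed Host turns a "local" redirect into an absolute
// URL on any host the attacker chooses.
function resolveRedirectUnsafe(req, location) {
  return new URL(location, `http://${req.headers.host}`).toString();
}

// Hardened resolver: the Host must be allowlisted, the target must be a plain
// local path, and the parsed URL must still sit on that host. The final check
// is what catches protocol-relative targets such as "//evil.test/x" and the
// backslash variant "/\evil.test/x", both of which WHATWG URL parsing resolves
// to a different host even when the base origin is trusted.
function resolveRedirectSafe(req, location) {
  const host = req.headers.host;
  if (!TRUSTED_HOSTS.has(host)) {
    throw new Error(`untrusted Host header: ${host}`);
  }
  if (typeof location !== 'string' || !location.startsWith('/')) {
    throw new Error(`redirect target must be a local path: ${location}`);
  }
  const url = new URL(location, `http://${host}`);
  if (url.host !== host) {
    throw new Error(`redirect target escapes trusted host: ${url.href}`);
  }
  return url.toString();
}

// Server-side follow step: the application fetches the redirect target itself,
// forwarding the caller's cookies. fetchImpl is injected so the example runs
// offline; a real server would pass the global fetch.
async function followRedirect(resolver, req, location, fetchImpl) {
  const target = resolver(req, location);
  const res = await fetchImpl(target, { headers: { cookie: req.headers.cookie ?? '' } });
  return { target, status: res.status };
}

// Stub fetch that only records where the server was about to send a request.
function makeRecordingFetch() {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, cookie: init.headers.cookie });
    return { status: 200 };
  };
  return { fetchImpl, calls };
}

// Constructed requests: one genuine, one with a spoofed Host header.
const genuine = { headers: { host: 'app.example.test', cookie: 'session=abc' } };
const spoofed = { headers: { host: 'attacker.example', cookie: 'session=abc' } };

// Returns the rejection message instead of throwing, for the demo and tests.
function tryResolve(resolver, req, location) {
  try {
    return resolver(req, location);
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

async function demo() {
  const { fetchImpl, calls } = makeRecordingFetch();
  // With the unsafe resolver the server sends the user's cookie to attacker.example.
  await followRedirect(resolveRedirectUnsafe, spoofed, '/api/internal', fetchImpl);
  console.log('unsafe resolver fetched:', calls[0]);
  console.log('safe, spoofed Host:', tryResolve(resolveRedirectSafe, spoofed, '/api/internal'));
  console.log('safe, protocol-relative target:', tryResolve(resolveRedirectSafe, genuine, '//evil.test/x'));
  console.log('safe, genuine request:', tryResolve(resolveRedirectSafe, genuine, '/api/internal'));
}

demo();
```

The point worth keeping from this is the order of the checks in `resolveRedirectSafe`: an allowlisted Host on its own is not enough, because a target beginning with `//` or `/\` is resolved by the URL parser as a new authority, so the host of the parsed result has to be compared back against the trusted host after parsing.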

sonarcloud[bot] commented 5 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

socket-security[bot] commented 5 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/@actions/core@1.10.0 | environment, filesystem; Transitive: network | +1 | 144 kB | thboop |
| npm/@babel/core@7.21.4 | environment, filesystem, unsafe | +18 | 4.47 MB | nicolo-ribaudo |
| npm/@babel/generator@7.21.4 | None | +1 | 571 kB | nicolo-ribaudo |
| npm/@babel/helper-plugin-utils@7.20.2 | None | 0 | 11.9 kB | nicolo-ribaudo |
| npm/@babel/parser@7.21.4 | None | 0 | 1.87 MB | nicolo-ribaudo |
| npm/@babel/template@7.20.7 | None | 0 | 68.8 kB | nicolo-ribaudo |
| npm/@babel/traverse@7.21.4 | None | +4 | 620 kB | nicolo-ribaudo |
| npm/@babel/types@7.21.4 | environment | +1 | 2.51 MB | nicolo-ribaudo |
| npm/@jridgewell/set-array@1.1.2 | None | 0 | 15.5 kB | jridgewell |
| npm/@jridgewell/sourcemap-codec@1.4.14 | None | 0 | 40 kB | jridgewell |
| npm/@jridgewell/trace-mapping@0.3.17 | None | +1 | 219 kB | jridgewell |
| npm/@octokit/core@4.2.0 | Transitive: network | +9 | 5.26 MB | octokitbot |
| npm/@types/babel__traverse@7.18.3 | None | 0 | 65.2 kB | types |
| npm/@types/istanbul-lib-coverage@2.0.4 | None | 0 | 5.76 kB | types |
| npm/@types/jest@29.5.0 | None | 0 | 79.2 kB | types |
| npm/@types/node-fetch@2.6.3 | None | +2 | 236 kB | types |
| npm/@types/node@18.15.11 | None | 0 | 3.65 MB | types |
| npm/define-properties@1.2.0 | None | +1 | 21.8 kB | ljharb |
| npm/es-abstract@1.21.2 | None | +21 | 3.04 MB | ljharb |
| npm/eslint@8.37.0 | filesystem; Transitive: unsafe | +26 | 6.63 MB | eslintbot |
| npm/espree@7.3.1 | None | +1 | 97 kB | eslintbot |
| npm/esprima@4.0.1 | None | 0 | 314 kB | ariya |
| npm/estraverse@5.2.0 | None | 0 | 36.9 kB | michaelficarra |
| npm/expect@29.5.0 | Transitive: environment, unsafe | +17 | 965 kB | simenb |
| npm/find-up@4.1.0 | Transitive: filesystem | +5 | 41.2 kB | sindresorhus |
| npm/get-intrinsic@1.1.1 | eval | +2 | 60.4 kB | ljharb |
| npm/get-intrinsic@1.2.0 | eval | 0 | 38.7 kB | ljharb |
| npm/glob@7.1.7 | filesystem; Transitive: environment | +9 | 139 kB | isaacs |
| npm/globals@13.11.0 | None | +1 | 156 kB | sindresorhus |
| npm/graceful-fs@4.2.6 | environment, filesystem | 0 | 28.6 kB | isaacs |
| npm/has-symbols@1.0.2 | None | 0 | 18.1 kB | ljharb |
| npm/is-callable@1.2.3 | None | 0 | 21.1 kB | ljharb |
| npm/is-core-module@2.11.0 | None | 0 | 28.1 kB | ljharb |
| npm/is-symbol@1.0.3 | None | 0 | 22.2 kB | ljharb |
| npm/is-typed-array@1.1.10 | None | +4 | 64.2 kB | ljharb |
| npm/istanbul-lib-coverage@3.2.0 | None | 0 | 29.3 kB | oss-bot |
| npm/istanbul-lib-instrument@4.0.3 | None | +2 | 100 kB | coreyfarrell |
| npm/istanbul-lib-instrument@5.2.1 | None | 0 | 70.2 kB | oss-bot |
| npm/jest-diff@27.4.2 | eval | +2 | 142 kB | simenb |
| npm/jest@27.4.5 | Transitive: environment, eval, filesystem, network, shell, unsafe | +213 | 14 MB | simenb |
| npm/jest@29.5.0 | Transitive: environment, eval, filesystem, network, shell, unsafe | +81 | 3.3 MB | simenb |
| npm/lodash.omit@4.5.0 | None | 0 | 40.9 kB | jdalton |
| npm/lodash.pick@4.4.0 | None | 0 | 16.3 kB | jdalton |
| npm/minimist@1.2.5 | None | 0 | 32.4 kB | substack |
| npm/object-inspect@1.12.3 | None | 0 | 94.8 kB | ljharb |
| npm/picomatch@2.3.0 | None | 0 | 89 kB | jonschlinkert |
| npm/prettier@2.5.1 | environment, eval, filesystem, unsafe | 0 | 21 MB | sosukesuzuki |
| npm/prettier@2.8.7 | environment, filesystem, unsafe | 0 | 11.2 MB | prettier-bot |
| npm/pretty-format@27.4.2 | eval; Transitive: environment | +7 | 203 kB | simenb |
| npm/pretty-format@29.5.0 | Transitive: environment | +3 | 452 kB | simenb |
| npm/regexpp@3.2.0 | None | 0 | 302 kB | mysticatea |
| npm/resolve@1.20.0 | filesystem | +4 | 173 kB | ljharb |
| npm/resolve@1.22.1 | environment, filesystem | +1 | 150 kB | ljharb |
| npm/semver@7.6.2 | None | 0 | 95.4 kB | npm-cli-ops |
| npm/signal-exit@3.0.4 | None | 0 | 9.21 kB | isaacs |
| npm/signal-exit@3.0.7 | None | 0 | 9.96 kB | isaacs |
| npm/string-width@4.2.2 | None | +2 | 58.4 kB | sindresorhus |
| npm/typescript@4.5.3 | None | 0 | 64 MB | typescript-bot |
| npm/whatwg-url@8.5.0 | None | +2 | 324 kB | domenic |
| npm/word-wrap@1.2.3 | None | 0 | 10.6 kB | jonschlinkert |

🚮 Removed packages: npm/@babel/code-frame@7.23.5, npm/@babel/helper-module-imports@7.22.15, npm/@babel/parser@7.23.9, npm/@babel/runtime@7.23.9, npm/@babel/template@7.23.9, npm/@babel/types@7.23.9, npm/@codegouvfr/react-dsfr@1.7.3, npm/@emotion/cache@11.11.0, npm/@emotion/react@11.11.3, npm/@emotion/serialize@1.1.3, npm/@emotion/server@11.11.0, npm/@emotion/styled@11.11.0, npm/@emotion/utils@1.2.1, npm/@esbuild/aix-ppc64@0.20.2, npm/@esbuild/android-arm64@0.20.2, npm/@esbuild/android-arm@0.20.2, npm/@esbuild/android-x64@0.20.2, npm/@esbuild/darwin-arm64@0.20.2, npm/@esbuild/darwin-x64@0.20.2, npm/@esbuild/freebsd-arm64@0.20.2, npm/@esbuild/freebsd-x64@0.20.2, npm/@esbuild/linux-arm64@0.20.2, npm/@esbuild/linux-arm@0.20.2, npm/@esbuild/linux-ia32@0.20.2, npm/@esbuild/linux-loong64@0.20.2, npm/@esbuild/linux-mips64el@0.20.2, npm/@esbuild/linux-ppc64@0.20.2, npm/@esbuild/linux-riscv64@0.20.2, npm/@esbuild/linux-s390x@0.20.2, npm/@esbuild/linux-x64@0.20.2, npm/@esbuild/netbsd-x64@0.20.2, npm/@esbuild/openbsd-x64@0.20.2, npm/@esbuild/sunos-x64@0.20.2, npm/@esbuild/win32-arm64@0.20.2, npm/@esbuild/win32-ia32@0.20.2, npm/@esbuild/win32-x64@0.20.2, npm/@jridgewell/gen-mapping@0.3.3, npm/@jridgewell/sourcemap-codec@1.4.15, npm/@jridgewell/trace-mapping@0.3.22, npm/@mui/icons-material@5.15.6, npm/@mui/material@5.15.6, npm/@mui/utils@5.15.6, npm/@mui/x-data-grid@6.19.2, npm/@rollup/rollup-android-arm-eabi@4.17.2, npm/@rollup/rollup-android-arm64@4.17.2, npm/@rollup/rollup-darwin-arm64@4.17.2, npm/@rollup/rollup-darwin-x64@4.17.2, npm/@rollup/rollup-linux-arm-gnueabihf@4.17.2, npm/@rollup/rollup-linux-arm64-gnu@4.17.2, npm/@rollup/rollup-linux-arm64-musl@4.17.2, npm/@rollup/rollup-linux-riscv64-gnu@4.17.2, npm/@rollup/rollup-linux-x64-gnu@4.17.2, npm/@rollup/rollup-linux-x64-musl@4.17.2, npm/@rollup/rollup-win32-arm64-msvc@4.17.2, npm/@rollup/rollup-win32-ia32-msvc@4.17.2, npm/@rollup/rollup-win32-x64-msvc@4.17.2, npm/@socialgouv/matomo-next@1.8.0, 
npm/@testing-library/react@14.1.2, npm/@testing-library/user-event@14.5.2, npm/@types/d3-time@3.0.3, npm/@types/estree@1.0.5, npm/@types/lodash.orderby@4.6.9, npm/@types/lodash.uniq@4.5.9, npm/@types/node@20.11.10, npm/@types/prop-types@15.7.11, npm/@types/react@18.2.48, npm/@types/unist@3.0.2, npm/@ungap/structured-clone@1.2.0, npm/@vitejs/plugin-react@4.2.1, npm/@vitest/ui@1.2.2, npm/acorn@8.11.3, npm/array-includes@3.1.7, npm/array.prototype.flat@1.3.2, npm/array.prototype.flatmap@1.3.2, npm/call-bind@1.0.5, npm/caniuse-lite@1.0.30001581, npm/classnames@2.3.1, npm/clsx@2.1.0, npm/country-flag-icons@1.5.9, npm/csstype@3.1.3, npm/d3-array@2.12.1, npm/d3-color@2.0.0, npm/d3-dispatch@2.0.0, npm/d3-dsv@2.0.0, npm/d3-ease@2.0.0, npm/d3-format@2.0.0, npm/d3-interpolate@2.0.1, npm/d3-path@2.0.0, npm/d3-quadtree@2.0.0, npm/d3-time-format@3.0.0, npm/d3-time@2.1.1, npm/d3-timer@2.0.0, npm/date-fns@2.28.0, npm/define-data-property@1.1.1, npm/define-properties@1.2.1, npm/dequal@2.0.3, npm/devlop@1.1.0, npm/es-iterator-helpers@1.0.15, npm/esbuild@0.20.2, npm/eslint-config-next@14.1.4, npm/eslint-import-resolver-node@0.3.9, npm/eslint-module-utils@2.8.0, npm/eslint-plugin-testing-library@6.2.0, npm/eslint-visitor-keys@3.4.3, npm/eslint@8.56.0, npm/espree@9.6.1, npm/fast-glob@3.3.2, npm/flatted@3.2.9, npm/fsevents@2.3.3, npm/function-bind@1.1.2, npm/function.prototype.name@1.1.6, npm/get-func-name@2.0.2, npm/get-intrinsic@1.2.2, npm/has-property-descriptors@1.0.1, npm/internal-slot@1.0.6, npm/internmap@1.0.1, npm/is-core-module@2.13.1, npm/is-map@2.0.2, npm/is-set@2.0.2, npm/is-typed-array@1.1.12, npm/jsx-ast-utils@3.3.5, npm/lodash.orderby@4.6.0, npm/lodash.uniq@4.5.0, npm/lodash.uniqby@4.7.0, npm/loose-envify@1.4.0, npm/loupe@2.3.7, npm/merge2@1.4.1, npm/mlly@1.5.0, npm/nanoid@3.3.7, npm/next-router-mock@0.9.11, npm/next@14.1.0, npm/object-assign@4.1.1, npm/object-inspect@1.13.1, npm/object.entries@1.1.7, npm/object.fromentries@2.0.7, npm/object.values@1.1.7, npm/pathe@1.1.2, 
npm/postcss@8.4.31, npm/prop-types@15.8.1, npm/rc-tooltip@5.1.1, npm/rc-util@5.21.5, npm/react-d3-speedometer@1.1.0, npm/react-dom@18.2.0, npm/react-feather@2.0.9, npm/react-markdown@9.0.1, npm/react-test-renderer@18.2.0, npm/react-vertical-timeline-component@3.6.0, npm/react@18.2.0, npm/readable-stream@1.0.34, npm/recharts@2.11.0, npm/regexp.prototype.flags@1.5.1, npm/resolve@1.22.8, npm/rollup@4.17.2, npm/sass@1.70.0, npm/set-function-name@2.0.1, npm/signal-exit@4.1.0, npm/source-map-js@1.0.2, npm/string-width@5.1.2, npm/tss-react@4.9.3, npm/typescript@5.3.3, npm/vite-tsconfig-paths@4.3.1, npm/vite@5.2.11, npm/vitest@1.2.2, npm/which-typed-array@1.1.13

View full report↗︎

github-actions[bot] commented 5 months ago

:tada: This PR is included in version 1.39.14 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: