blitz-js / babel-plugin-superjson-next

Automatically transform your Next.js Pages to use SuperJSON
MIT License

🚨 [security] Upgrade next: 10.2.0 → 11.1.0 (major) #83

Closed depfu[bot] closed 3 years ago

depfu[bot] commented 3 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next (10.2.0 → 11.1.0)

Security Advisories 🚨

🚨 Open Redirect in Next.js

Impact

  • Affected: Users of Next.js between 10.0.5 and 10.2.0
  • Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
  • Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
  • Not affected: Deployments on Vercel (vercel.com) are not affected
  • Not affected: Deployments with pages/404.js

We recommend that everyone upgrade, regardless of whether you can reproduce the issue or not.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

Release Notes

11.0.1

Core Changes

  • Fix failing Runner import: #26172
  • docs: fix ignoring-eslint-url during build: #26165
  • Fix babel-loader failing on JSON5 syntax: #26194
  • Fix eslint version check for older versions: #26212
  • fix: use a client-side navigation when redirecting to a rewriten URL: #25990
  • Fix next/image noscript src path with loaders: #24011
  • Fix long URLs causing 400s with dynamic routes/rewrites: #26221
  • Ensure has query encoding is normalized: #25732
  • Fix Show error when user put wrong values in width or height: #26166
  • Update to latest TypeScript version and de-dupe versions: #26285
  • Automatically use createRoot for React@>=18: #26279
  • Omit svg static imports if custom webpack config is defined: #26281
  • [ESLint] Adds --quiet flag, TypeScript resolver and bug fixes: #26280
  • Add runtime to hotUpdateMainFilename: #26256
  • Add check for startLatency in fast refresh: #26417
  • fix: ignore invalid accept-language header: #26476
  • chore: Add Alex to lint documentation: #26354
  • Fix domain locales not available on client: #26083
  • Update to only add image import types when enabled: #26485
  • Strongly type Router.events.on and Router.events.off: #26456

Documentation Changes

  • docs(image): fix image import path: #26142
  • Ensure all errors are added in manifest: #26129
  • Update next/image docs and examples: #26150
  • Fixed no-img-element documentation snippet.: #26154
  • docs(next/script): Improve formatting of docs: #26149
  • add missing step of installing next@latest: #26141
  • Fix next/image docs version history: #26192
  • Update next/image docs and example with shimmer animation: #26183
  • Update docs on static image imports: #26211
  • Update note in script doc: #26214
  • Doc "no-sync-scripts" remove experimental notice: #26225
  • Correct the word "remove": #26258
  • Update next/script docs to clear up confusion around next/head and client-side JS: #26253
  • docs: remove duplicated --ts, --typescript from Options: #26252
  • Correct Next.js 9 upgrade instructions: #26271
  • Fix closing tag in Script docs: #26276
  • docs: fixed typo: #26311
  • Extend disclaimer for dynamic image imports: #26241
  • Add docs on adding HTTP security headers.: #25833
  • Improve the next/script documentation.: #26325
  • add missing closing bracket: #26375
  • Docs: Add Prettier section on ESLint page: #26347
  • docs(router.md) Add note about page state and navigation: #26320
  • Add module.exports to security headers documentation: #26466
  • Update i18n fields in docs: #26492

Example Changes

  • (examples/image-component): fix placeholder href: #26140
  • fix(examples): future.webpack5 -> top level webpack5: #26175
  • [examples/cms-wordpress] fix typo on alert message: #26115
  • Follow the breaking change of jest-config: #26082
  • Update examples to use React 17: #26133
  • Add cms-drupal example: #25198
  • Fix: upgrade react-test-renderer version to 17.0.2: #26229
  • Update postcss version in examples: #26226
  • Update with-supertokens example: #26266
  • Updating Typescript to recommended minimum 4.3.2: #26267
  • (examples/with-lingui): update example: #26076
  • Examples: Fixed the example path to correct value: #26255
  • Update with-eslint example.: #25817
  • (examples/with-webassembly) fixed for webpack 5: #26440

Misc Changes

  • Update create-next-app template favicons: #26289
  • Remove period for ESLint passHref docs link.: #26402
  • Ensure image-types file is included: #26495

11.0.0

Core Changes

  • fix(types): allow nonpromise return types for static functions: #24685
  • Ensure history navigates correctly with dynamic routes + basePath: #25459
  • Fix external check for non-local next import: #25518
  • Ensure providing only query on dynamic route works as expected: #25469
  • Assume a recent react@experimental if reactRoot is set: #25496
  • Update to latest webpack 5 and webpack-sources: #25558
  • Set default webpack publicPath value to override auto: #25452
  • Add helpful error for link with multiple children: #25657
  • Ensure rewrites are resolved correctly through history: #25666
  • Fix rewrite and dynamic params on navigating to initial history entry: #25495
  • Enable serial build by default: #25642
  • Don't show webpack version message in production server: #25654
  • Font optimization add preconnect: #25346
  • Enable new babel mode: #25635
  • Remove deprecated features: #25446
  • Disable split chunks in webpack 5 in dev mode: #25735
  • Remove experimental tag from Script component: #25435
  • next lint + ESLint in Create Next App: #25064
  • Bump "engines" to node >= 12.0.0: #25761
  • Support for static image imports: #24993
  • Bump minimum React version to ^17.0.2: #25788
  • Remove feature flags for static image and blurry placeholder: #25797
  • Add note to upgrading guide about React version: #25849
  • Fix "env" key in babelrc with new Babel mode: #25841
  • Enable webpack5 for all apps: #25639
  • Fix types for static image: #25808
  • Do not remove placeholder for data URL: #24704
  • Add warning for older TypeScript versions: #25867
  • Prevent node inspect from causing webpack check to fail: #25876
  • fix(21606): consider scroll option when using shallow routing: #24888
  • remove opentelemetry/api: #25900
  • Adjust JPEG quality when generating placeholder: #25904
  • Improve check for eslint version: #25910
  • Refactor image optimizer static immutable header: #25909
  • ESLint Updates: #25895
  • Fix immutable header on static image: #25914
  • ESLint: Updates disable ESLint message during builds: #25917
  • Remove @types/comment-json: #25810
  • Add delay to placeholder removal: #25916
  • Add experimental cra-to-next transform in codemod cli: #24969
  • add global callback for refresh latency: #25944
  • Add css blur when placeholder=blur: #25945
  • ESLint: More updates and bug fixes: #25952
  • Add errors for invalid placeholder=blur usage: #25953
  • Fix delay between blur image and high res image: #25994
  • Update json5 and remove @types/json5: #25946
  • Disable prerendering /500 when _error has getServerSideProps: #23586
  • Update comments for clarity & grammar in router.ts: #25947
  • include lib folder when publishing next-codemod: #26003
  • Update client-side default error: #25997
  • Add gitignore template to published files for codemod: #26008
  • Fix Firefox image decode error: #26011
  • Enable optimized loading strategy: #26021
  • Remove deprecated features and enable future flag: #26066
  • Remove unsupported examples: #26075
  • Remove React version checks and warnings that are no longer needed: #25992
  • fix: don't create .eslintrc if package.json contains eslintConfig: #26025
  • Add lint checking events: #26089
  • Update to latest version of webpack 5: #26102

Documentation Changes

  • Update Authentication docs to be an examples list.: #25497
  • Improve documentation of CDN asset paths : #25531
  • Fix rewrite example for fallback site: #25508
  • doc: update TS version for --incremental: #25736
  • Update ESLint docs.: #25816
  • ESLint Plugin: Fix Document and Head import rules: #25730
  • Adding --typescript option: #25831
  • Fix command in upgrade guide: #25879
  • docs: use descriptive links instead of "click here": #25897
  • Fix loader url composition on image/next doc: #25893
  • Add changing the hostname to the cli doc: #25971
  • Add experimental CRA transform to docs: #25989
  • docs: advise users of create-next-app --ts, --typescript: #25349
  • Update react-version.md: #26093
  • [ESLint] Adds section to docs for migrating existing ESLint configurations: #26101
  • Update learn path in getting started and from cra docs: #26104
  • Script component docs: #25471
  • Update image documentation for static image: #25949

Example Changes

  • Updated example name: #25428
  • Example: Treat "mockServiceWorker" as a generated artifact in "with-msw": #25515
  • Fix with-docker example fails to load image: #25536
  • Updated with-mdx-remote dynamic components example: #25366
  • up-to-date electron: #25551
  • Update tsconfig of example to be consistent with default output of next.js: #25581
  • Remove react-relay-network-modern example.: #25815
  • fix mobx-state-tree-typesript missing babel/core dependency: #25589
  • feat: bump styled-components version on examples: #25826
  • Add run on Google Cloud Run button to the docker example: #25824
  • updated example for zustand v3.5.1 interface change: #25066
  • fix: added typescript dependency in next-sitemap example: #25866
  • docs(examples/with-iron-session): fix mutate + fetch, add TypeScript example link: #25889
  • docs: add 'Open in StackBlitz' buttons to various examples: #25853
  • fix: move viewport meta tag to head in _app.js: #25901
  • fix: use key while rendering arrays: #25902
  • docs(examples/with-mobx-state-tree-typescript): add 'Open in StackBlitz' button: #25926
  • tslib module missing in package.json: #25829
  • Updated Readme: #25575
  • Modify image component examples app for static image: #25956
  • (examples/with-urql): fixes graphql server url: #25987
  • docs(examples/with-redux-persist): add 'Open in StackBlitz' button: #25972
  • Example blog with comments: #24829
  • docs: fix typo in with-unstated/README.md: #26004
  • (examples/with-react-md): switch from node-sass to sass: #26001
  • Update next-transpile-modules to 7.3.0 across examples: #26040
  • examples/with-mongodb: avoid destructuring of environment variables.: #26029
  • (example/with-typescript-grapql): fix deps: #26010
  • (examples): fix missed peer dependencies: #26069
  • (examples/with-rbx-bulma-pro): update deps: #26077

Misc Changes

  • Update yarn next script with --enable-source-maps: #25533
  • Update size limit test
  • ESLint Config: Adds alt text rule for Image: #25462
  • Enable Strict Mode in new create-next-app projects: #25696
  • Replace 'require' with 'import' in bench files and update dependancies: #25775
  • Fix occasional test failures: #25855
  • feat: have .tsx be in ts template for create-next-app: #25820
  • Run acceptance tests non-concurrently: #25861
  • Update CNA build target in tsconfig: #25780
  • Replace CLIEngine with ESLint: #25801
  • Ensure correct browser env is used: #26014
  • Update preload test for safari: #26020
  • Update safari preload test: #26086
  • Fix react@next and react@experimental tests: #26088

10.2.3

Core Changes

  • lazy load postcss plugins: #25317
  • Add missing i18n types in gip context: #25363
  • Ensure externals are correct for mini-css-extract-plugin: #25340
  • Update beforeFiles rewrites to continue: #25418

Documentation Changes

  • Update docs to show how to typecheck next.config.js: #25240
  • docs: typo in rewrites page: #25377

Example Changes

  • Fix PatternFly 4 example: #25356
  • Update package.json blog-starter-typescript: #25361
  • New kontent UI screenshots: #25387

Misc Changes

10.2.2

Core Changes

  • server doesn't need to be contenthashing at all: #25251
  • Update postcss-loader to 4.3.0: #25197
  • restore webpack defaults for managed/immutablePaths: #25250
  • react-loadable-plugin. Handle undefined opts.caller: #25264

Documentation Changes

  • doc(typescript.md) Mention incremental type checking: #25268

Misc Changes

  • Ensure CNA install succeeds with npm and example flags: #25267
  • Update output size test to handle version change: #25275
  • Update the text for eslint/no-page-custom-font rule: #25117

10.2.1

Core Changes

  • Remove unnecessary optimizeFonts key from type: #24563
  • Fix Image compatibility issue when using sizes: #24569
  • Replace regex lexer with minimal regex for named groups: #24604
  • Remove un-used lib files: #24625
  • Adds ESLint with default rule-set: #23702
  • Don't swallow MODULE_NOT_FOUND error: #24577
  • Fix/link router 24075 take asPath instead of pathName in router: #24199
  • Add experimental blurry placeholder to image component: #24153
  • update webpack to 5.36.2, use dependOn: #24656
  • Add type checking events: #24595
  • fix memory leak in require.cache: #24282
  • Don't throw 500 error when Content-type is invalid: #24818
  • Land - Font optimizations - Adobe Fonts / Typekit support : #24834
  • updated zustand example : #24884
  • feat(build): Log whether type checking is actually performed: #24440
  • webpack 5 externals fixes: #24603
  • Remove experimental babel flag: #24776
  • cache typechecking with incremental compilation: #24559
  • Ensure next/dynamic transpiles for tests: #24751
  • fix: handle compression for custom-server render calls (#16378): #18891
  • Refactor experimental-script component : #24940
  • Fix: Non-writable pages/_app breaks build : #24849
  • I18n context initial props: #21930
  • update webpack to 5.37.0: #24954
  • Ensure webpack cache is invalidated for alias change: #24956

Documentation Changes

  • Add documentation on Font Optimization.: #24572
  • Clarify whether router.pathname includes basePath: #24675
  • Update font optimization docs to mention opting out.: #24756
  • Bumps version of supertokens dependencies and updates its README: #24571
  • docs(response-helpers): Update res.json definition: #24782
  • docs(next/router): Update router.push api: #24833
  • docs(config intro): Fix github link hash: #24838
  • Add version note for has property: #24836
  • Remove old docs sections: #24853
  • Add additional reason for the Prerender Error when running next export: #24828
  • feat(create-next-app): add --ts, --typescript support: #24655
  • ESLint Plugin: Disallow <title> in Head from next/document: #24868
  • Clarify rewrites and other docs cleanup.: #24890
  • ESLint Plugin: Google Font rules: #24766
  • ESLint Plugin: passHref is not assigned: #24670
  • ESLint Plugin: Custom Font at page-level rule: #24789
  • ESLint Plugin: Prevent bad imports of next/document and next/head: #24832

Example Changes

  • Fix: with-passport example dependency issue: #24567
  • demo serving storybook static build with serve: #24812
  • Update signin/signup form samples: #24524
  • react-hook-form example: #21245
  • Update example with-sentry: #24819
  • Update custom server examples: #24814
  • Remove outdated/deprecated/unmainted examples: #24945
  • Fix build in blog-starter-typescript example: #24695
  • Update with-three-js example: #24857
  • Update with-mdx-remote example: #24973

Misc Changes

  • fix(next-storybook): make rules an array in webpack config: #22125
  • Fix rewrite shape in Storybook: #24827
  • Match last PR mention in commit message for release notes
  • Add label for chrome automatically to PR

Does any of this look wrong? Please let us know.

Commits

See the full diff on GitHub. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)