blitz-js / babel-plugin-superjson-next

Automatically transform your Next.js Pages to use SuperJSON
MIT License

🚨 [security] Update next: 11.1.0 → 11.1.2 (patch) #92

Closed depfu[bot] closed 2 years ago

depfu[bot] commented 2 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next (11.1.0 → 11.1.2)

Security Advisories 🚨

🚨 XSS in Image Optimization API for Next.js

Impact

  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 11.1.0
    • The next.config.js file has images.domains array assigned
    • The image host assigned in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default
  • Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

Release Notes

11.1.2

Core Changes

  • chore: upgrade styled-jsx to 4.0.1: #28626
  • getServerSideProps should support props value as Promise: #28607
  • Ensure custom app regex is correct for Windows: #28631

11.1.1

Core Changes

  • Next.js swc publish flow: #27984
  • Ensure config file message is only shown once: #28017
  • Add missing fields to NextConfig type: #27974
  • use a shared worker pool for collecting page data and static page generation: #27924
  • Use @next scope for native packages: #28046
  • Fix generateBuildId type that can be async function: #28040
  • Fix image optimization encoding url: #28045
  • Clean up Document in preparation for streaming: #28032
  • Render as a concatenation of streams: #28082
  • Add support for dynamic HTML: #28085
  • Support suspense in next dynamic: #27611
  • Handle blob urls in image component: #27975
  • Bypass webpack compilation for precompiled @next/polyfills-nomodule: #27596
  • Update util to 0.12.4: #27939
  • Remove duplicate doctypes: #28089
  • Fix revalidate for initial notFound: true paths: #28097
  • Add proper error when failing to load next.config.js: #28099
  • Fix: wrong link error message: #28127
  • Add support for Jaeger trace target: #28129
  • Enable pure client suspense in blocking rendering: #28165
  • Add entrypoint tracing: #25538
  • Add module type to build-module trace: #28128
  • Update to latest babel versions: #28174
  • Improve jaeger traces: #28168
  • fix development mode bug with pages with "+" and other special characters: #28122
  • let loaders automatically infer source map setting: #28204
  • Avoid fs write next-env.d.ts on read-only filesystems: #28206
  • Document usage of suspense option of next/dynamic: #28210
  • Add warning when parent styles break next/image: #28221
  • Use zen-observable library: #28214
  • Fix HMR when custom _app or _document is removed: #28227
  • Add relationship between issuer and module to traces: #28192
  • Update generating next-server dependencies: #28223
  • Fix next/image blur placeholder when JS is disabled: #28269
  • Ensure adding _app/_document HMRs correctly: #28279
  • upgrade webpack to 5.51.1: #28291
  • [ESLint] Adds process.exit to next lint success output: #28299
  • Fix next env vars injection in dynamic: #28309
  • Add layout to data-nimg attribute: #28312
  • Add data attribute to script component: #28310
  • Ensure @babel/core is de-duped when nccing: #28384
  • Fix forked NODE_OPTIONS except for inspect: #28420
  • [ESLint] Enable caching by default: #28349
  • Update test config to leverage swc: #28400
  • Add missing typescript property to NextConfig: #28459
  • next/script fix duplicate scripts : #28428
  • Ensure error is shown correctly for empty headers field: #28430
  • Add default trace format that is exported automatically: #28461
  • Update i18n locales limit to warning: #28429
  • Fix handling for 204 status code with a body: #28479
  • Update warning when parent styles break next/image: #28517
  • Support for functional Document components: #28515
  • Ensure dev server side errors are correct: #28520
  • Add CSP to Image Optimization API: #28620

Documentation Changes

  • Fix incorrect error manifest path: #27970
  • Add testing docs: #27965
  • [DOCS] Update testing docs: #28064
  • [ESLint] Disallow <Script /> inside _document.js & <Script /> inside the next/head component: #27257
  • Docs: Mention 3rd option 'blocking' for fallback: #28077
  • Add a Styling Section to next/image component docs: #28055
  • Improve React Strict Mode documentation.: #28139
  • doc: fix typo: #28146
  • docs: corrected the link to the example: #28175
  • ESLint Plugin: Prefer next script component when using the inline script for Google Analytics.: #25147
  • Update testing.md: #28190
  • docs: Add link to Cypress GitHub Actions Guide to Testing docs: #28207
  • Add docs for ESLint plugin settings and rule options: #28059
  • Add eslint rule for id attribute on inline next/script: #27853
  • Update supported-browsers-features.md: #28326
  • fix link to global stylesheet in from-create-react-app.md: #28327
  • docs: update font-optimization.md: #28397
  • Improved next/image docs around layouts.: #28345
  • Minor docs edit: cors -> CORS: #28472
  • Update docs for sharp usage to mention Vercel: #28476
  • Use recommended pattern in testing example: #28404
  • Update with-jest packages and docs: #28209
  • Add docs for using pageExtensions to colocate other files with page components: #22740
  • Small grammar fixes: #28590

Example Changes

  • Make sure all example packages has private: true: #28008
  • next-env.d.ts note in templates: #27983
  • Add .gitignore to examples that lack them: #28003
  • Update Firebase hosting example to use Node.js 14.: #27988
  • Examples: Jotai: #27940
  • Remove licence from all example/package.json that has them: #28007
  • Add ci script to check examples: #28009
  • Replace CSS tag with JS import: #28143
  • Fixed typos that existed on some files: #28314
  • Add Temporal example: #28348
  • [examples] Added with-couchbase example: #27184
  • [examples] Add ElasticSearch example: #28043
  • Fix: changing import syntax slightly to ensure success with create-next-app: #28431
  • Add prop-types in package.json: #28481
  • Update to use the latest MongoDB best practices to limit connection pooling issues.: #28350
  • Add apiVersion to config: #28610

Misc Changes

  • Tests: Execute development-logs tests.: #27996
  • Fix publish native script: #28037
  • Authenticate npm before publishing native packages: #28041
  • publish flow fixes: #28050
  • USe await correctly: #28053
  • Refactor development-logs removing duplicated code.: #28049
  • Fix gh action workflow when docs changed: #28092
  • Skip native ci steps for docs only changes: #28101
  • Add setup for m1 build: #28138
  • fix(tests): fixes typo in basic integration test: #28158
  • Fix crash of lint rule no-document-import-in-page: #28148
  • docs: make contributing.md more contributor-friendly: #27913
  • Update polling env var for tests in CI: #28264
  • Ensure all packages are packed while tracing: #28263
  • Use temp repo copy while linking packages: #28301
  • feat: upgrade swc/core to 1.2.80: #28347
  • Move unit tests to one folder and migrate them to TypeScript: #28427
  • Tests: Adds test to data-nimg data attribute based on layout prop.: #28444
  • Remove unused imports
  • [ESLint Plugin] Handles edge case for no-import-document-in-page rule: #28261
  • Tests: Remove unnecessary await: #28594

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
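
The "Impact" list in the advisory above can be turned into a quick triage check before deciding how urgently to merge. This is an added example, not code from Next.js, Depfu or this repository; the function names and the sample hostname are hypothetical, and it assumes you pass the resolved `next` version and the object exported by `next.config.js`.

```javascript
'use strict';
// Added triage helper; not Next.js or Depfu code. Conditions follow the advisory's Impact list.

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// installedVersion: the resolved version from the lockfile, not a semver range.
// nextConfig: the object exported by next.config.js.
function assessImageXssExposure(installedVersion, nextConfig = {}, onVercel = false) {
  const images = nextConfig.images || {};
  // Assumption: an empty array counts as "not assigned".
  const domains = Array.isArray(images.domains) ? images.domains : [];
  const loader = images.loader || 'default';
  const cleared = [];

  if (compareVersions(installedVersion, '10.0.0') < 0 ||
      compareVersions(installedVersion, '11.1.0') > 0) {
    cleared.push('next version is outside 10.0.0 to 11.1.0');
  }
  if (domains.length === 0) cleared.push('images.domains is not assigned');
  if (loader !== 'default') cleared.push(`images.loader is "${loader}"`);
  if (onVercel) cleared.push('deployment is on Vercel');

  if (cleared.length > 0) return { status: 'not-affected', reasons: cleared, hostsToReview: [] };
  // The last condition cannot be read from config: each host must be checked by hand
  // for whether it serves user-provided SVG.
  return { status: 'review-hosts', reasons: [], hostsToReview: [...domains] };
}

// Constructed sample config; the hostname is a placeholder.
const sample = { images: { domains: ['uploads.example.com'] } };
console.log(assessImageXssExposure('11.1.0', sample));
```

A `review-hosts` result means every condition that can be read from the version and config holds, so the listed hosts still need a manual check for user-provided SVG.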