Closed renovate[bot] closed 1 year ago
We've marked this issue as stale because there hasn't been any activity for 60 days. If there's no further activity on this issue in the next three days then we'll close it. You can keep the conversation going with just a short comment. Thanks for your contributions.
This PR contains the following updates:

| Package | Change |
|---|---|
| next | `10.1.3` -> `12.1.0` |
### GitHub Vulnerability Alerts

#### CVE-2021-39178

##### Impact

An instance is affected when both of the following hold:

- the `next.config.js` file has an `images.domains` array assigned, and
- the image host assigned in `images.domains` allows user-provided SVG.

If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected.

##### Patches

Next.js v11.1.1
#### CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a `loader` configuration other than the default.

##### Impact

- The `next.config.js` file has an `images.domains` array assigned.
- If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected.

##### Patches

Next.js 12.1.0

##### Workarounds

Change `next.config.js` to use a `loader` configuration other than the default. Or, if you want to use the `loader` prop on the component, you can use `custom`.
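The configuration shapes that CVE-2021-39178 and CVE-2022-23646 distinguish, side by side with a check that flags the affected combination before a deploy. This is an added example and is not code from the advisories or from the Next.js project; the hostnames, the choice of the `imgix` loader and its `path` value, and the query parameters produced by the custom loader are assumed for illustration.

```javascript
// Added example, not from the advisories or the Next.js project.
// Hostnames, the imgix `path` value and the custom loader's query
// parameters are assumed for illustration.

// Affected shape: images.domains is set and images.loader is left at its
// default, so the built-in /_next/image optimizer fetches from those hosts.
// Whether a host lets users upload SVG is a property of the host, not of
// this file, so the check below can only flag the combination.
const weakConfig = {
  images: {
    domains: ['user-uploads.example.com'],
  },
};

// Workaround from the advisory: a loader other than the default. 'imgix'
// is one of the non-default loaders Next.js 12 accepts; the path is assumed.
const imgixConfig = {
  images: {
    loader: 'imgix',
    path: 'https://example.imgix.net/',
    domains: ['user-uploads.example.com'],
  },
};

// Workaround using the `loader` prop on the component: loader 'custom'
// turns the built-in optimizer off and expects a loader function per image.
const customConfig = {
  images: {
    loader: 'custom',
  },
};

// Loader function for the 'custom' case, passed as the `loader` prop of
// next/image. Next.js calls it with { src, width, quality }; the CDN URL
// shape produced here is assumed.
function uploadsImageLoader({ src, width, quality }) {
  const url = new URL(src, 'https://user-uploads.example.com');
  url.searchParams.set('w', String(width));
  url.searchParams.set('q', String(quality || 75));
  return url.toString();
}

// True when a config matches the affected condition the advisories give:
// a non-empty images.domains array with images.loader absent or 'default'.
function usesDefaultLoaderWithDomains(config) {
  const images = (config && config.images) || {};
  const domains = Array.isArray(images.domains) ? images.domains : [];
  const loader = images.loader === undefined ? 'default' : images.loader;
  return domains.length > 0 && loader === 'default';
}

// Hosts the built-in optimizer would proxy, for a reviewer to confirm that
// none of them serves user-provided SVG. Empty once a non-default loader
// is configured, because the optimizer is then out of the path.
function optimizerProxiedHosts(config) {
  return usesDefaultLoaderWithDomains(config) ? [...config.images.domains] : [];
}
```

Run `usesDefaultLoaderWithDomains(require('./next.config.js'))` in a pre-deploy step; a `true` result on a version below 12.1.0 means every host in `optimizerProxiedHosts(...)` needs to be confirmed not to serve user-uploaded SVG, or the loader needs to be switched as in `imgixConfig` or `customConfig`.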
#### CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and `next start` or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior to version 0.9.9, the `next` npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
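A request pre-filter of the kind the advisory credits for protecting hosted deployments, to put in front of `next start` or a custom server. This is an added example, not code from the advisory or the Next.js project. The advisory does not say which inputs triggered the crash, so the filter rejects the two classes a front door can cheaply detect: a request-target that does not parse as a URL, and percent-encoding that is truncated or not valid UTF-8. The base origin used for parsing and the wiring to `app.getRequestHandler()` in a custom server are assumed; treat the filter as defence in depth, since the fix is upgrading to 12.0.5 or 11.1.3.

```javascript
// Added example, not from the advisory or the Next.js project: a request
// pre-filter for `next start` or a custom server. The advisory does not
// name the crashing inputs, so this rejects what a front door can cheaply
// detect: unparseable request-targets and bad percent-encoding.

// True when `rawUrl` (the request-target from the HTTP request line) parses
// and every percent-escape in its path and query decodes cleanly.
function isWellFormedRequestUrl(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0) return false;
  let parsed;
  try {
    // The base origin is assumed; it only makes relative targets parseable.
    parsed = new URL(rawUrl, 'http://localhost');
  } catch (err) {
    return false;
  }
  try {
    // decodeURIComponent throws URIError on "%", "%zz", "%c0" and similar.
    decodeURIComponent(parsed.pathname);
    decodeURIComponent(parsed.search);
  } catch (err) {
    if (err instanceof URIError) return false;
    throw err;
  }
  return true;
}

// Wraps a Node (req, res) handler, for example the one returned by
// app.getRequestHandler() in a custom Next.js server (assumed wiring), so a
// malformed request is answered with 400 and never reaches Next.js.
function withUrlFilter(handler) {
  return function filtered(req, res) {
    if (!isWellFormedRequestUrl(req.url)) {
      res.statusCode = 400;
      res.setHeader('Content-Type', 'text/plain; charset=utf-8');
      res.end('Bad Request');
      return undefined;
    }
    return handler(req, res);
  };
}
```

In a custom server this wires up as `http.createServer(withUrlFilter(app.getRequestHandler()))`; with plain `next start` the same check belongs in the reverse proxy in front of it, which is where the advisory says hosted environments already apply it.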
#### CVE-2021-37699

Next.js is an open source website development framework to be used with the React library. In affected versions, specially encoded paths could be used when `pages/_error.js` was statically generated, allowing an open redirect to an external site. In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

##### Impact

- Next.js between `10.0.5` and `10.2.0`, and `11.0.0` and `11.0.1`, using `pages/_error.js` without `getInitialProps`
- Next.js `11.0.0` and `11.0.1` using `pages/_error.js` and `next export`

`pages/404.js`

Note that prior to version 0.9.9, the `next` npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions. We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

##### Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0
### Release Notes

vercel/next.js

### [`v12.1.0`](https://togithub.com/vercel/next.js/releases/tag/v12.1.0)

[Compare Source](https://togithub.com/vercel/next.js/compare/v12.0.10...v12.1.0)

##### Core Changes

- Relay Support in Rust Compiler: [#33702](https://togithub.com/vercel/next.js/issues/33702)
- fix eslint link-passhref rule: [#33857](https://togithub.com/vercel/next.js/issues/33857)
- update webpack: [#33831](https://togithub.com/vercel/next.js/issues/33831)
- Flush buffered vitals metrics on page mount: [#33867](https://togithub.com/vercel/next.js/issues/33867)
- fix problem with HMR when middleware and page reference the same node_module: [#33873](https://togithub.com/vercel/next.js/issues/33873)
- Refactor page component getter in web server: [#33759](https://togithub.com/vercel/next.js/issues/33759)
- update NextResponse default redirect status to 307 to match docs: [#33505](https://togithub.com/vercel/next.js/issues/33505)
- Bug fix: dynamic page should not be interpreted as predefined page: [#33808](https://togithub.com/vercel/next.js/issues/33808)
- Group streaming experimental apis: [#33878](https://togithub.com/vercel/next.js/issues/33878)
- Encapsulate routing and initial hydration: [#33875](https://togithub.com/vercel/next.js/issues/33875)
- Optimize offline condition judgment: [#33238](https://togithub.com/vercel/next.js/issues/33238)
- Ensure external beforeFiles rewrites are handled with next/link: [#33888](https://togithub.com/vercel/next.js/issues/33888)
- Fix parsing params for i18n optional route in minimal mode: [#33896](https://togithub.com/vercel/next.js/issues/33896)
- Ensure browserslist extends works properly: [#33890](https://togithub.com/vercel/next.js/issues/33890)
- Fix image cache race condition: [#33883](https://togithub.com/vercel/next.js/issues/33883)
- Add support for Relay projects without `artifactDirectory`: [#33918](https://togithub.com/vercel/next.js/issues/33918)
- fix: handle jsxspreadattribute in inline-script-id eslint rule: [#32421](https://togithub.com/vercel/next.js/issues/32421)
- feat(next-swc): Update swc: [#33724](https://togithub.com/vercel/next.js/issues/33724)
- Update to latest version of amphtml-validator: [#33967](https://togithub.com/vercel/next.js/issues/33967)
- Warn in dev mode when script tags are added with next/head: [#33968](https://togithub.com/vercel/next.js/issues/33968)
- Ensure optional chaining in swc matches babel: [#33995](https://togithub.com/vercel/next.js/issues/33995)
- Use `react-dom/server.browser` in Node.js: [#33950](https://togithub.com/vercel/next.js/issues/33950)
- Ensure external middleware rewrite is handled correctly: [#33962](https://togithub.com/vercel/next.js/issues/33962)
- Update Terser to v5.10.0, fix minification issues: [#33045](https://togithub.com/vercel/next.js/issues/33045)
- Warn in dev mode when stylesheets are added using next/head: [#34004](https://togithub.com/vercel/next.js/issues/34004)
- Use `ReadableStream` in `RenderResult`: [#34005](https://togithub.com/vercel/next.js/issues/34005)
- Fix suffix ordering while streaming: [#34011](https://togithub.com/vercel/next.js/issues/34011)
- Don't use yarn if a package-lock.json file is found: [#31926](https://togithub.com/vercel/next.js/issues/31926)
- Do not warn when application/ld+json scripts are used with next/head: [#34021](https://togithub.com/vercel/next.js/issues/34021)
- Babel & next-swc: Fix exporting page config with AsExpression: [#32702](https://togithub.com/vercel/next.js/issues/32702)
- Detect per page runtime config for functions manifest: [#33945](https://togithub.com/vercel/next.js/issues/33945)
- Add JSDoc to config options: [#32915](https://togithub.com/vercel/next.js/issues/32915)
- Update font-stylesheet-gathering-plugin.ts: [#30709](https://togithub.com/vercel/next.js/issues/30709)
- Add decoratorMetadata flag if enabled by tsconfig: [#32914](https://togithub.com/vercel/next.js/issues/32914)
- fix: data url handling in css-loader: [#34034](https://togithub.com/vercel/next.js/issues/34034)
- Place 'charset' element at the top of `<head>`: [#28119](https://togithub.com/vercel/next.js/issues/28119)
- Fix detection of anchor click events inside svg: [#23272](https://togithub.com/vercel/next.js/issues/23272)
- Allow passing nothing as custom jest config: [#32328](https://togithub.com/vercel/next.js/issues/32328)
- Fixes [#31240](https://togithub.com/vercel/next.js/issues/31240): Adding a recursive addPackagePath function in webpack-config: [#31264](https://togithub.com/vercel/next.js/issues/31264)
- Require component rendered as child of `Link` to pass event to `onClick` handler: [#27723](https://togithub.com/vercel/next.js/issues/27723)
- Allow scroll prevention on hash change: [#31921](https://togithub.com/vercel/next.js/issues/31921)
- Add support for async fn / promise in next.config.js/.mjs: [#33662](https://togithub.com/vercel/next.js/issues/33662)
- Fix `lazyRoot` functionality for `next/image`: [#33933](https://togithub.com/vercel/next.js/issues/33933)
- Change SWC minify from beta to release candidate: [#34056](https://togithub.com/vercel/next.js/issues/34056)
- Make `Router` state immutable: [#33925](https://togithub.com/vercel/next.js/issues/33925)
- Stop exposing internal `render` and `renderError` methods from `next/client`: [#34069](https://togithub.com/vercel/next.js/issues/34069)
- Add api-utils helper for testing: [#34078](https://togithub.com/vercel/next.js/issues/34078)
- feat(next-swc): Update swc: [#34045](https://togithub.com/vercel/next.js/issues/34045)
- Deprecate `concurrentFeatures` with `runtime`: [#34068](https://togithub.com/vercel/next.js/issues/34068)
- Add check for resolveWeak to next/dynamic: [#33908](https://togithub.com/vercel/next.js/issues/33908)
- remove unneeded and broken plugin: [#34087](https://togithub.com/vercel/next.js/issues/34087)
- Remove experimental warning from next/jest: [#34096](https://togithub.com/vercel/next.js/issues/34096)
- fix: arrow function export in rsc client component: [#34105](https://togithub.com/vercel/next.js/issues/34105)
- Use `renderToStream` with React 18: [#34106](https://togithub.com/vercel/next.js/issues/34106)
- Fix static result being piped: [#34111](https://togithub.com/vercel/next.js/issues/34111)
- Polyfill pipeTo and pipeThrough: [#34112](https://togithub.com/vercel/next.js/issues/34112)
- Update to leverage response-cache for image-optimizer: [#34075](https://togithub.com/vercel/next.js/issues/34075)
- fix: `next/image` usage from `node_modules`: [#33559](https://togithub.com/vercel/next.js/issues/33559)
- Fix included flight manifest on node runtime: [#34113](https://togithub.com/vercel/next.js/issues/34113)
- Fix: Use `react-dom/server.browser` when `reactRoot: true`: [#34116](https://togithub.com/vercel/next.js/issues/34116)
- Fix image-optimizer requires in next-server: [#34141](https://togithub.com/vercel/next.js/issues/34141)
- Fix required files matching in rsc: [#34137](https://togithub.com/vercel/next.js/issues/34137)
- Throw error when ts file contains css.resolve: [#34149](https://togithub.com/vercel/next.js/issues/34149)
- Chore/stable swc compiler options: [#34074](https://togithub.com/vercel/next.js/issues/34074)
- Fix bug with "Circular Structure" error: [#23905](https://togithub.com/vercel/next.js/issues/23905)
- Add \_document and \_app pre-import: [#23261](https://togithub.com/vercel/next.js/issues/23261)
- Ensure standalone server handles SIGTERM: [#34151](https://togithub.com/vercel/next.js/issues/34151)
- Bump nft to 0.17.5: [#34190](https://togithub.com/vercel/next.js/issues/34190)
- feat: copy `.env` file in standalone mode: [#34143](https://togithub.com/vercel/next.js/issues/34143)
- Fix reuse of inline flight response and 404 for RSC in node runtime: [#34202](https://togithub.com/vercel/next.js/issues/34202)
- Use updated recursive rm fs method for image-optimizer: [#34210](https://togithub.com/vercel/next.js/issues/34210)
- Fix link for "Delete Query Params in Middleware" error message in `next-server.ts`: [#34230](https://togithub.com/vercel/next.js/issues/34230)
- Enable dynamic HTML in minimal mode: [#34222](https://togithub.com/vercel/next.js/issues/34222)
- Fix uncaught error in getInitialProps when `runtime` is set to `nodejs`: [#34228](https://togithub.com/vercel/next.js/issues/34228)
- Optimize the web server size: [#34242](https://togithub.com/vercel/next.js/issues/34242)
- feat: allow `node-sass@7` as peer dependency: [#34107](https://togithub.com/vercel/next.js/issues/34107)
- Adding step to build the app with docker in existing projects: [#34083](https://togithub.com/vercel/next.js/issues/34083)
- Changed all occurrences of etc to match: [#34280](https://togithub.com/vercel/next.js/issues/34280)
- Align reactRoot config between server and webpack config: [#34328](https://togithub.com/vercel/next.js/issues/34328)
- Fix `Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.