Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a loader configuration other than the default.
Impact
- **Affected:** All of the following must be true to be affected
  - Next.js between version 10.0.0 and 12.0.10
  - The next.config.js file has images.domains array assigned
  - The image host assigned in images.domains allows user-provided SVG
- **Not affected:** The next.config.js file has images.loader assigned to something other than default
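The conditions above can be turned into a triage check. The following is an added example, not code from Next.js or from the advisory; the function names, the `svgUploadHosts` parameter and the sample configurations are assumptions made for illustration. Whether a host accepts user-provided SVG cannot be read from the configuration, so hosts of unknown status are returned for manual review.

```javascript
// Added example: triage helper for the next/image SVG advisory.
// All function and field names below are illustrative, not Next.js APIs.

// Parse "12.0.10", "v12.0.10" or "12.1.0-canary.3" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns -1, 0 or 1. Assumption: a pre-release (e.g. a 12.1.0 canary) sorts
// before its release, so it is treated as still unpatched.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  return x.pre ? -1 : 1;
}

// svgUploadHosts: hosts the operator knows accept user-provided SVG. The
// config cannot reveal this, so unknown hosts come back for manual review.
function assessImageAdvisory(nextVersion, nextConfig, svgUploadHosts = []) {
  const images = (nextConfig && nextConfig.images) || {};
  const result = (status, reason, reviewHosts = []) => ({ status, reason, reviewHosts });

  const inRange =
    compareVersions(nextVersion, '10.0.0') >= 0 &&
    compareVersions(nextVersion, '12.1.0') < 0;
  if (!inRange) return result('not-affected', 'version outside 10.0.0 to <12.1.0');

  // An unset loader means the default loader is in use.
  const loader = images.loader === undefined ? 'default' : images.loader;
  if (loader !== 'default') return result('not-affected', `images.loader is "${loader}"`);

  // An empty or missing list names no image host, so the SVG condition cannot hold.
  const domains = Array.isArray(images.domains) ? images.domains : [];
  if (domains.length === 0) return result('not-affected', 'images.domains lists no hosts');

  const known = new Set(svgUploadHosts.map((h) => h.toLowerCase()));
  const risky = domains.filter((d) => known.has(String(d).toLowerCase()));
  if (risky.length > 0) {
    return result('affected', 'allowed image host accepts user-provided SVG', risky);
  }
  return result('needs-review', 'confirm whether these hosts accept user SVG', domains);
}

// Constructed sample inputs (hosts and versions are examples only).
const SAMPLES = [
  ['12.0.10', { images: { domains: ['uploads.example.com'] } }, ['uploads.example.com']],
  ['12.0.7', { images: { domains: ['assets.example.org'] } }, []],
  ['11.1.2', { images: { loader: 'imgix', domains: ['uploads.example.com'] } }, ['uploads.example.com']],
  ['12.1.0', { images: { domains: ['uploads.example.com'] } }, ['uploads.example.com']],
];
for (const [version, config, hosts] of SAMPLES) {
  const r = assessImageAdvisory(version, config, hosts);
  console.log(`${version}: ${r.status} (${r.reason})`);
}
```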
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior to version 0.9.9, the npm package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.
Impact
- **Affected:** Users of Next.js between 10.0.5 and 10.2.0
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
- **Not affected:** Deployments on Vercel (vercel.com) are not affected
- **Not affected:** Deployments with pages/404.js

Note that prior to version 0.9.9, the npm package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
vercel/next.js
### [`v12.1.0`](https://togithub.com/vercel/next.js/releases/tag/v12.1.0)
[Compare Source](https://togithub.com/vercel/next.js/compare/v12.0.10...v12.1.0)
##### Core Changes
- Relay Support in Rust Compiler: [#33702](https://togithub.com/vercel/next.js/issues/33702)
- fix eslint link-passhref rule: [#33857](https://togithub.com/vercel/next.js/issues/33857)
- update webpack: [#33831](https://togithub.com/vercel/next.js/issues/33831)
- Flush buffered vitals metrics on page mount: [#33867](https://togithub.com/vercel/next.js/issues/33867)
- fix problem with HMR when middleware and page reference the same node_module: [#33873](https://togithub.com/vercel/next.js/issues/33873)
- Refactor page component getter in web server: [#33759](https://togithub.com/vercel/next.js/issues/33759)
- update NextResponse default redirect status to 307 to match docs: [#33505](https://togithub.com/vercel/next.js/issues/33505)
- Bug fix: dynamic page should not be interpreted as predefined page: [#33808](https://togithub.com/vercel/next.js/issues/33808)
- Group streaming experimental apis: [#33878](https://togithub.com/vercel/next.js/issues/33878)
- Encapsulate routing and initial hydration: [#33875](https://togithub.com/vercel/next.js/issues/33875)
- Optimize offline condition judgment: [#33238](https://togithub.com/vercel/next.js/issues/33238)
- Ensure external beforeFiles rewrites are handled with next/link: [#33888](https://togithub.com/vercel/next.js/issues/33888)
- Fix parsing params for i18n optional route in minimal mode: [#33896](https://togithub.com/vercel/next.js/issues/33896)
- Ensure browserslist extends works properly: [#33890](https://togithub.com/vercel/next.js/issues/33890)
- Fix image cache race condition: [#33883](https://togithub.com/vercel/next.js/issues/33883)
- Add support for Relay projects without `artifactDirectory`: [#33918](https://togithub.com/vercel/next.js/issues/33918)
- fix: handle jsxspreadattribute in inline-script-id eslint rule: [#32421](https://togithub.com/vercel/next.js/issues/32421)
- feat(next-swc): Update swc: [#33724](https://togithub.com/vercel/next.js/issues/33724)
- Update to latest version of amphtml-validator: [#33967](https://togithub.com/vercel/next.js/issues/33967)
- Warn in dev mode when script tags are added with next/head: [#33968](https://togithub.com/vercel/next.js/issues/33968)
- Ensure optional chaining in swc matches babel: [#33995](https://togithub.com/vercel/next.js/issues/33995)
- Use `react-dom/server.browser` in Node.js: [#33950](https://togithub.com/vercel/next.js/issues/33950)
- Ensure external middleware rewrite is handled correctly: [#33962](https://togithub.com/vercel/next.js/issues/33962)
- Update Terser to v5.10.0, fix minification issues: [#33045](https://togithub.com/vercel/next.js/issues/33045)
- Warn in dev mode when stylesheets are added using next/head: [#34004](https://togithub.com/vercel/next.js/issues/34004)
- Use `ReadableStream` in `RenderResult`: [#34005](https://togithub.com/vercel/next.js/issues/34005)
- Fix suffix ordering while streaming: [#34011](https://togithub.com/vercel/next.js/issues/34011)
- Don't use yarn if a package-lock.json file is found: [#31926](https://togithub.com/vercel/next.js/issues/31926)
- Do not warn when application/ld+json scripts are used with next/head: [#34021](https://togithub.com/vercel/next.js/issues/34021)
- Babel & next-swc: Fix exporting page config with AsExpression: [#32702](https://togithub.com/vercel/next.js/issues/32702)
- Detect per page runtime config for functions manifest: [#33945](https://togithub.com/vercel/next.js/issues/33945)
- Add JSDoc to config options: [#32915](https://togithub.com/vercel/next.js/issues/32915)
- Update font-stylesheet-gathering-plugin.ts: [#30709](https://togithub.com/vercel/next.js/issues/30709)
- Add decoratorMetadata flag if enabled by tsconfig: [#32914](https://togithub.com/vercel/next.js/issues/32914)
- fix: data url handling in css-loader: [#34034](https://togithub.com/vercel/next.js/issues/34034)
- Place 'charset' element at the top of `<head>`: [#28119](https://togithub.com/vercel/next.js/issues/28119)
- Fix detection of anchor click events inside svg: [#23272](https://togithub.com/vercel/next.js/issues/23272)
- Allow passing nothing as custom jest config: [#32328](https://togithub.com/vercel/next.js/issues/32328)
- Fixes [#31240](https://togithub.com/vercel/next.js/issues/31240): Adding a recursive addPackagePath function in webpack-config: [#31264](https://togithub.com/vercel/next.js/issues/31264)
- Require component rendered as child of `Link` to pass event to `onClick` handler: [#27723](https://togithub.com/vercel/next.js/issues/27723)
- Allow scroll prevention on hash change: [#31921](https://togithub.com/vercel/next.js/issues/31921)
- Add support for async fn / promise in next.config.js/.mjs: [#33662](https://togithub.com/vercel/next.js/issues/33662)
- Fix `lazyRoot` functionality for `next/image`: [#33933](https://togithub.com/vercel/next.js/issues/33933)
- Change SWC minify from beta to release candidate: [#34056](https://togithub.com/vercel/next.js/issues/34056)
- Make `Router` state immutable: [#33925](https://togithub.com/vercel/next.js/issues/33925)
- Stop exposing internal `render` and `renderError` methods from `next/client`: [#34069](https://togithub.com/vercel/next.js/issues/34069)
- Add api-utils helper for testing: [#34078](https://togithub.com/vercel/next.js/issues/34078)
- feat(next-swc): Update swc: [#34045](https://togithub.com/vercel/next.js/issues/34045)
- Deprecate `concurrentFeatures` with `runtime`: [#34068](https://togithub.com/vercel/next.js/issues/34068)
- Add check for resolveWeak to next/dynamic: [#33908](https://togithub.com/vercel/next.js/issues/33908)
- remove unneeded and broken plugin: [#34087](https://togithub.com/vercel/next.js/issues/34087)
- Remove experimental warning from next/jest: [#34096](https://togithub.com/vercel/next.js/issues/34096)
- fix: arrow function export in rsc client component: [#34105](https://togithub.com/vercel/next.js/issues/34105)
- Use `renderToStream` with React 18: [#34106](https://togithub.com/vercel/next.js/issues/34106)
- Fix static result being piped: [#34111](https://togithub.com/vercel/next.js/issues/34111)
- Polyfill pipeTo and pipeThrough: [#34112](https://togithub.com/vercel/next.js/issues/34112)
- Update to leverage response-cache for image-optimizer: [#34075](https://togithub.com/vercel/next.js/issues/34075)
- fix: `next/image` usage from `node_modules`: [#33559](https://togithub.com/vercel/next.js/issues/33559)
- Fix included flight manifest on node runtime: [#34113](https://togithub.com/vercel/next.js/issues/34113)
- Fix: Use `react-dom/server.browser` when `reactRoot: true`: [#34116](https://togithub.com/vercel/next.js/issues/34116)
- Fix image-optimizer requires in next-server: [#34141](https://togithub.com/vercel/next.js/issues/34141)
- Fix required files matching in rsc: [#34137](https://togithub.com/vercel/next.js/issues/34137)
- Throw error when ts file contains css.resolve: [#34149](https://togithub.com/vercel/next.js/issues/34149)
- Chore/stable swc compiler options: [#34074](https://togithub.com/vercel/next.js/issues/34074)
- Fix bug with "Circular Structure" error: [#23905](https://togithub.com/vercel/next.js/issues/23905)
- Add \_document and \_app pre-import: [#23261](https://togithub.com/vercel/next.js/issues/23261)
- Ensure standalone server handles SIGTERM: [#34151](https://togithub.com/vercel/next.js/issues/34151)
- Bump nft to 0.17.5: [#34190](https://togithub.com/vercel/next.js/issues/34190)
- feat: copy `.env` file in standalone mode: [#34143](https://togithub.com/vercel/next.js/issues/34143)
- Fix reuse of inline flight response and 404 for RSC in node runtime: [#34202](https://togithub.com/vercel/next.js/issues/34202)
- Use updated recursive rm fs method for image-optimizer: [#34210](https://togithub.com/vercel/next.js/issues/34210)
- Fix link for "Delete Query Params in Middleware" error message in `next-server.ts`: [#34230](https://togithub.com/vercel/next.js/issues/34230)
- Enable dynamic HTML in minimal mode: [#34222](https://togithub.com/vercel/next.js/issues/34222)
- Fix uncaught error in getInitialProps when `runtime` is set to `nodejs`: [#34228](https://togithub.com/vercel/next.js/issues/34228)
- Optimize the web server size: [#34242](https://togithub.com/vercel/next.js/issues/34242)
- feat: allow `node-sass@7` as peer dependency: [#34107](https://togithub.com/vercel/next.js/issues/34107)
- Adding step to build the app with docker in existing projects: [#34083](https://togithub.com/vercel/next.js/issues/34083)
- Changed all occurrences of etc to match: [#34280](https://togithub.com/vercel/next.js/issues/34280)
- Align reactRoot config between server and webpack config: [#34328](https://togithub.com/vercel/next.js/issues/34328)
- Fix `` shouldn't announce initial path under strict mode and React 18: [#34338](https://togithub.com/vercel/next.js/issues/34338)
- Fix flight root failed to hydrate in strict mode: [#34333](https://togithub.com/vercel/next.js/issues/34333)
- Allow dismissing full refresh warning for session: [#33868](https://togithub.com/vercel/next.js/issues/33868)
- Remove experimental image optimization feature: [#34349](https://togithub.com/vercel/next.js/issues/34349)
- Add support for "type": "module" in package.json: [#33637](https://togithub.com/vercel/next.js/issues/33637)
- feat(next-swc): Update swc: [#34355](https://togithub.com/vercel/next.js/issues/34355)
- Ensure invalid request to static page is handled correctly: [#34346](https://togithub.com/vercel/next.js/issues/34346)
- Add Error Handing section for ISR: [#34360](https://togithub.com/vercel/next.js/issues/34360)
- feat(next-swc): Update swc: [#34408](https://togithub.com/vercel/next.js/issues/34408)
- feat: improve opening a new issue flow: [#34434](https://togithub.com/vercel/next.js/issues/34434)
- Ensure we don't poll page in development when notFound: true is returned: [#34352](https://togithub.com/vercel/next.js/issues/34352)
- Add image config for `dangerouslyAllowSVG` and `contentSecurityPolicy`: [#34431](https://togithub.com/vercel/next.js/issues/34431)
- Revert swc css bump temporarily: [#34440](https://togithub.com/vercel/next.js/issues/34440)
- update webpack: [#34444](https://togithub.com/vercel/next.js/issues/34444)
- Update server-only changes HMR handling: [#34298](https://togithub.com/vercel/next.js/issues/34298)
- Fix `.svg` image optimization with a `loader` prop: [#34452](https://togithub.com/vercel/next.js/issues/34452)
- Allow reading request bodies in middlewares: [#34294](https://togithub.com/vercel/next.js/issues/34294)
- Revert "Allow reading request bodies in middlewares": [#34479](https://togithub.com/vercel/next.js/issues/34479)
- update webpack: [#34477](https://togithub.com/vercel/next.js/issues/34477)
- Fix chunk buffering for server components: [#34474](https://togithub.com/vercel/next.js/issues/34474)
- Remove deprecation for relative URL usage in middlewares: [#34461](https://togithub.com/vercel/next.js/issues/34461)
##### Documentation Changes
- Building web forms with Next.js and Vercel: [#32525](https://togithub.com/vercel/next.js/issues/32525)
- Add Clarity About Downloading and Self-Hosting a Font File: [#33760](https://togithub.com/vercel/next.js/issues/33760)
- Correct pluralization in newly added Relay documentation: [#33880](https://togithub.com/vercel/next.js/issues/33880)
- Update MDX document: [#33916](https://togithub.com/vercel/next.js/issues/33916)
- Update info on how to process webhooks by disabling bodyParser: [#33909](https://togithub.com/vercel/next.js/issues/33909)
- Update deployment docs to fix oversized image.: [#33934](https://togithub.com/vercel/next.js/issues/33934)
- docs: recommend `.end` instead of `.send` when no body is being sent: [#33611](https://togithub.com/vercel/next.js/issues/33611)
- Update custom document docs to prepare for React 18.: [#33814](https://togithub.com/vercel/next.js/issues/33814)
- Fix typo in new experimental Relay support docs: [#33963](https://togithub.com/vercel/next.js/issues/33963)
- docs(isr): add missing key prop in jsx loop: [#33984](https://togithub.com/vercel/next.js/issues/33984)
- docs: use function for components in general: [#33990](https://togithub.com/vercel/next.js/issues/33990)
- Updated going-to-production with loading performance: [#33179](https://togithub.com/vercel/next.js/issues/33179)
- docs: fix variable name from `profileData` to `data` in CSR page: [#34018](https://togithub.com/vercel/next.js/issues/34018)
- Improve Form Guide Contents: [#33913](https://togithub.com/vercel/next.js/issues/33913)
- Add `async` to middleware docs.: [#31356](https://togithub.com/vercel/next.js/issues/31356)
- (docs): update i18n-routing.md: [#33123](https://togithub.com/vercel/next.js/issues/33123)
- Fix redirect url for prefixing the default locale: [#33762](https://togithub.com/vercel/next.js/issues/33762)
- Add note about dns-prefetch as fallback: [#30385](https://togithub.com/vercel/next.js/issues/30385)
- Update custom server docs for async methods: [#30521](https://togithub.com/vercel/next.js/issues/30521)
- Update multiple docs pages to follow Docs Content style guide: [#33855](https://togithub.com/vercel/next.js/issues/33855)
- fix: Change `url` to `nextUrl` inside delete-query-params-in-middlewa…: [#33796](https://togithub.com/vercel/next.js/issues/33796)
- Changing GitHub Actions cache documentation: [#28228](https://togithub.com/vercel/next.js/issues/28228)
- \[docs] Add env var load order: [#32350](https://togithub.com/vercel/next.js/issues/32350)
- docs: add Ory vercel example to auth page: [#33029](https://togithub.com/vercel/next.js/issues/33029)
- Add note about crawlers and `fallback: true`: [#34114](https://togithub.com/vercel/next.js/issues/34114)
- docs(api-routes): fix node docs links: [#34125](https://togithub.com/vercel/next.js/issues/34125)
- add note to clarify use of Link when clearing preview cookies (issue [#34129](https://togithub.com/vercel/next.js/issues/34129)): [#34142](https://togithub.com/vercel/next.js/issues/34142)
- Re-render details if rewrites are used: [#34049](https://togithub.com/vercel/next.js/issues/34049)
- Add heading to `invalid-api-status-body` error: [#34150](https://togithub.com/vercel/next.js/issues/34150)
- Ensure /index route is redirected correctly for docs: [#34206](https://togithub.com/vercel/next.js/issues/34206)
- Update docs for image `lazyRoot` prop: [#34241](https://togithub.com/vercel/next.js/issues/34241)
- Update link for includeFiles glob reference: [#34269](https://togithub.com/vercel/next.js/issues/34269)
- Update Preview Mode docs.: [#34278](https://togithub.com/vercel/next.js/issues/34278)
- Update frequently asked questions in documentation: [#34252](https://togithub.com/vercel/next.js/issues/34252)
- Alphabetize auth docs providers.: [#34281](https://togithub.com/vercel/next.js/issues/34281)
- Replace babel with SWC & minor changes in `getting started`: [#34282](https://togithub.com/vercel/next.js/issues/34282)
- Update Middleware docs to add version history.: [#34302](https://togithub.com/vercel/next.js/issues/34302)
- Fix typo on `getInitialProps`: [#34309](https://togithub.com/vercel/next.js/issues/34309)
- Update missing curly brace in image.md: [#34307](https://togithub.com/vercel/next.js/issues/34307)
- docs: Add link to pageExtensions config in page-without-valid-component.md: [#34285](https://togithub.com/vercel/next.js/issues/34285)
- Add an example to Write server-side code directly section: [#34319](https://togithub.com/vercel/next.js/issues/34319)
- Few touch-ups to the docs on web forms in Next: [#34286](https://togithub.com/vercel/next.js/issues/34286)
- Update MDX Custom Elements setup: [#34175](https://togithub.com/vercel/next.js/issues/34175)
- Update image.md: [#34374](https://togithub.com/vercel/next.js/issues/34374)
- Updated failed to load error page to include info about node versions: [#34362](https://togithub.com/vercel/next.js/issues/34362)
- docs: react 18, streaming SSR, rsc with new apis: [#33986](https://togithub.com/vercel/next.js/issues/33986)
- Update MDX Guide config example: [#34405](https://togithub.com/vercel/next.js/issues/34405)
- Remove hello world RSC example.: [#34456](https://togithub.com/vercel/next.js/issues/34456)
- Fix typo: [#34480](https://togithub.com/vercel/next.js/issues/34480)
##### Example Changes
- Update npm comment in Docker example: [#33881](https://togithub.com/vercel/next.js/issues/33881)
- Update Contentful example to add validations to solve graphql complexity errors.: [#33958](https://togithub.com/vercel/next.js/issues/33958)
- Update all CMS examples dependencies.: [#33580](https://togithub.com/vercel/next.js/issues/33580)
- Fix warning unknown prettier option when running `yarn lint`.: [#34019](https://togithub.com/vercel/next.js/issues/34019)
- \[New Example] with docker - multiple deployment environments: [#34015](https://togithub.com/vercel/next.js/issues/34015)
- Fix ambiguous flags in Dockerfile example: [#33417](https://togithub.com/vercel/next.js/issues/33417)
- fix(examples/with-docker): update env comments: [#29972](https://togithub.com/vercel/next.js/issues/29972)
- Remove unused "start" script from with-docker/package.json: [#31053](https://togithub.com/vercel/next.js/issues/31053)
- Update remark in blog-starter-typescript: [#31393](https://togithub.com/vercel/next.js/issues/31393)
- Update \_document.js: [#29930](https://togithub.com/vercel/next.js/issues/29930)
- Docs: use the nextv12 example from the storybook-addon-next repo as the with-storybook example: [#33891](https://togithub.com/vercel/next.js/issues/33891)
- examples, update with new URL: [#34035](https://togithub.com/vercel/next.js/issues/34035)
- \[with-typescript-graphql] fixes breaking changes in graphql-let v0.18.0: [#32681](https://togithub.com/vercel/next.js/issues/32681)
- fix(example): with-typescript-graphql graphql-let package migrate: [#29996](https://togithub.com/vercel/next.js/issues/29996)
- feat: update firebase in with-firebase: [#29581](https://togithub.com/vercel/next.js/issues/29581)
- progressive web app example converted to typescript : [#33100](https://togithub.com/vercel/next.js/issues/33100)
- Make adjustment to cache config of with-apollo example: [#32733](https://togithub.com/vercel/next.js/issues/32733)
- Fix error thrown by `next/image` in the Sanity example: [#34203](https://togithub.com/vercel/next.js/issues/34203)
- Update examples/active-class-name: [#34205](https://togithub.com/vercel/next.js/issues/34205)
- chore(example): update preact links in examples: [#34233](https://togithub.com/vercel/next.js/issues/34233)
- fix: don't wrap `profile` in firebase example: [#34457](https://togithub.com/vercel/next.js/issues/34457)
##### Misc Changes
- Fix flakey image-optimizer test: [#33957](https://togithub.com/vercel/next.js/issues/33957)
- Update azure config: [#33999](https://togithub.com/vercel/next.js/issues/33999)
- Add types to nextConfig in default template : [#34029](https://togithub.com/vercel/next.js/issues/34029)
- docs(contributing): Search GitHub for an open or closed PR that relates to your submission: [#22533](https://togithub.com/vercel/next.js/issues/22533)
- fix(create-next-app): add default version: [#33006](https://togithub.com/vercel/next.js/issues/33006)
- chore: do not run lock/stale actions on forks: [#34053](https://togithub.com/vercel/next.js/issues/34053)
- Fix functions manifest test: [#34092](https://togithub.com/vercel/next.js/issues/34092)
- add pnpm debug file in gitignore templates: [#34091](https://togithub.com/vercel/next.js/issues/34091)
- Update failing tests from upstream resource: [#34110](https://togithub.com/vercel/next.js/issues/34110)
- Update version number in next.config.js API reference
- chore: log lock bot output: [#34168](https://togithub.com/vercel/next.js/issues/34168)
- chore: decrease lock action runs [#34180](https://togithub.com/vercel/next.js/issues/34180)
- Allow listening for page requests in tests: [#34204](https://togithub.com/vercel/next.js/issues/34204)
- Update code of conduct from v1.4 to v2.1: [#34208](https://togithub.com/vercel/next.js/issues/34208)
- Update contributing.md to link to walkthrough video.: [#34299](https://togithub.com/vercel/next.js/issues/34299)
- fix: typo in gitignore in typescript template: [#34372](https://togithub.com/vercel/next.js/issues/34372)
- test: add inline flight response reuse test: [#34364](https://togithub.com/vercel/next.js/issues/34364)
- Update 2.example_bug_report.yml
- Update 1.bug_report.yml
- Update 2.example_bug_report.yml
- Update font-optimization test snapshot: [#34478](https://togithub.com/vercel/next.js/issues/34478)
##### Credits
Huge thanks to [@MaedahBatool](https://togithub.com/MaedahBatool), [@mutebg](https://togithub.com/mutebg), [@sokra](https://togithub.com/sokra), [@huozhi](https://togithub.com/huozhi), [@hanford](https://togithub.com/hanford), [@shuding](https://togithub.com/shuding), [@sean6bucks](https://togithub.com/sean6bucks), [@jameshfisher](https://togithub.com/jameshfisher), [@devknoll](https://togithub.com/devknoll), [@yuta-ike](https://togithub.com/yuta-ike), [@zh-lx](https://togithub.com/zh-lx), [@amandeepmittal](https://togithub.com/amandeepmittal), [@alunyov](https://togithub.com/alunyov), [@stefanprobst](https://togithub.com/stefanprobst), [@leerob](https://togithub.com/leerob), [@balazsorban44](https://togithub.com/balazsorban44), [@kdy1](https://togithub.com/kdy1), [@brittanyrw](https://togithub.com/brittanyrw), [@jord1e](https://togithub.com/jord1e), [@kara](https://togithub.com/kara), [@vvo](https://togithub.com/vvo), [@ismaelrumzan](https://togithub.com/ismaelrumzan), [@dlindenkreuz](https://togithub.com/dlindenkreuz), [@MohammadxAli](https://togithub.com/MohammadxAli), [@nguyenyou](https://togithub.com/nguyenyou), [@thibautsabot](https://togithub.com/thibautsabot), [@hanneslund](https://togithub.com/hanneslund), [@vertti](https://togithub.com/vertti), [@KateKate](https://togithub.com/KateKate), [@stefee](https://togithub.com/stefee), [@mikinovation](https://togithub.com/mikinovation), [@Leticijak](https://togithub.com/Leticijak), [@mohsen1](https://togithub.com/mohsen1), [@ncphillips](https://togithub.com/ncphillips), [@ehowey](https://togithub.com/ehowey), [@lancechentw](https://togithub.com/lancechentw), [@krychaxp](https://togithub.com/krychaxp), [@fmacherey](https://togithub.com/fmacherey), [@pklawansky](https://togithub.com/pklawansky), [@RyanClementsHax](https://togithub.com/RyanClementsHax), [@lakbychance](https://togithub.com/lakbychance), [@sannajammeh](https://togithub.com/sannajammeh), [@oliviertassinari](https://togithub.com/oliviertassinari), 
[@alexander-akait](https://togithub.com/alexander-akait), [@u-yas](https://togithub.com/u-yas), [@Cheprer](https://togithub.com/Cheprer), [@msp5382](https://togithub.com/msp5382), [@chrispat](https://togithub.com/chrispat), [@getspooky](https://togithub.com/getspooky), [@Ryz0nd](https://togithub.com/Ryz0nd), [@klaasman](https://togithub.com/klaasman), [@midgleyc](https://togithub.com/midgleyc), [@kumard3](https://togithub.com/kumard3), [@jesstelford](https://togithub.com/jesstelford), [@neeraj3029](https://togithub.com/neeraj3029), [@glenngijsberts](https://togithub.com/glenngijsberts), [@pie6k](https://togithub.com/pie6k), [@wouterraateland](https://togithub.com/wouterraateland), [@timneutkens](https://togithub.com/timneutkens), [@11koukou](https://togithub.com/11koukou), [@thesyedbasim](https://togithub.com/thesyedbasim), [@aeneasr](https://togithub.com/aeneasr), [@ijjk](https://togithub.com/ijjk), [@lfades](https://togithub.com/lfades), [@JuniorTour](https://togithub.com/JuniorTour), [@xavhan](https://togithub.com/xavhan), [@mattyocode](https://togithub.com/mattyocode), [@padmaia](https://togithub.com/padmaia), [@Skn0tt](https://togithub.com/Skn0tt), [@gwer](https://togithub.com/gwer), [@Nutlope](https://togithub.com/Nutlope), [@styfle](https://togithub.com/styfle), [@stipsan](https://togithub.com/stipsan), [@xhoantran](https://togithub.com/xhoantran), [@eolme](https://togithub.com/eolme), [@sespinosa](https://togithub.com/sespinosa), [@zenorocha](https://togithub.com/zenorocha), [@hjaber](https://togithub.com/hjaber), [@benmvp](https://togithub.com/benmvp), [@T-O-R-U-S](https://togithub.com/T-O-R-U-S), [@dburrows](https://togithub.com/dburrows), [@atcastle](https://togithub.com/atcastle), [@kiriny](https://togithub.com/kiriny), [@molebox](https://togithub.com/molebox), [@kitayoshi](https://togithub.com/kitayoshi), and [@Schniz](https://togithub.com/Schniz) for helping!
### [`v12.0.10`](https://togithub.com/vercel/next.js/releases/tag/v12.0.10)
[Compare Source](https://togithub.com/vercel/next.js/compare/v12.0.9...v12.0.10)
##### Core Changes
- fix: image optimizer hangs when invalid image is requested: [#33719](https://togithub.com/vercel/next.js/issues/33719)
- feat: make `compress` configurable in standalone mode: [#33717](https://togithub.com/vercel/next.js/issues/33717)
- fix: allow certain variable names in development: [#33638](https://togithub.com/vercel/next.js/issues/33638)
- Use swc parse for flight server and client loaders: [#33713](https://togithub.com/vercel/next.js/issues/33713)
- Properly support custom 500 page in the web server: [#33729](https://togithub.com/vercel/next.js/issues/33729)
- chore: deprecate process.browser: [#32862](https://togithub.com/vercel/next.js/issues/32862)
- Improve tests for streaming and server components: [#33740](https://togithub.com/vercel/next.js/issues/33740)
- fix: fixes [#33314](https://togithub.com/vercel/next.js/issues/33314) move is-plain-object for es5 compilation: [#33690](https://togithub.com/vercel/next.js/issues/33690)
- Add `stale-while-revalidate` pattern to Image Optimization API: [#33735](https://togithub.com/vercel/next.js/issues/33735)
- Allow to delete URL search params in middleware rewrites: [#33725](https://togithub.com/vercel/next.js/issues/33725)
- Ensure all CSS files are included for experimental critical CSS: [#33752](https://togithub.com/vercel/next.js/issues/33752)
- Ensure non-error thrown in getStaticPaths shows correctly: [#33753](https://togithub.com/vercel/next.js/issues/33753)
- Fix encoding error with location and refresh headers: [#33763](https://togithub.com/vercel/next.js/issues/33763)
- Fix duplicate image src causing canceled request: [#33776](https://togithub.com/vercel/next.js/issues/33776)
- Generate functions manifest: [#33770](https://togithub.com/vercel/next.js/issues/33770)
- Enable jest hoist transform when using next/jest: [#33731](https://togithub.com/vercel/next.js/issues/33731)
- fix typo: [#33840](https://togithub.com/vercel/next.js/issues/33840)
- fix(next/image): render valid html according to W3C: [#33825](https://togithub.com/vercel/next.js/issues/33825)
##### Documentation Changes
- Update Time to First Byte (TTFB) link: [#33715](https://togithub.com/vercel/next.js/issues/33715)
- Changed data fetching file name to overview to fix meta data title: [#33232](https://togithub.com/vercel/next.js/issues/33232)
- Correct misspelling in testing documentation [#33754](https://togithub.com/vercel/next.js/issues/33754): [#33755](https://togithub.com/vercel/next.js/issues/33755)
- Move custom server note from middleware doc: [#33744](https://togithub.com/vercel/next.js/issues/33744)
- Fixed duplicate data fetching overview page + links: [#33774](https://togithub.com/vercel/next.js/issues/33774)
- \[docs] Mention SWC in TypeScript documentation.: [#33801](https://togithub.com/vercel/next.js/issues/33801)
- Testing docs: Comment out optional config that points to a file: [#33827](https://togithub.com/vercel/next.js/issues/33827)
- Update Content-Security-Policy header usage explanation: [#33833](https://togithub.com/vercel/next.js/issues/33833)
##### Example Changes
- Fix `with-docker` example dockerfile: [#33695](https://togithub.com/vercel/next.js/issues/33695)
- Added next.config.js with datocms-assets domain in allow list: [#33647](https://togithub.com/vercel/next.js/issues/33647)
- Fix: broken npm install: [#33767](https://togithub.com/vercel/next.js/issues/33767)
- \[example] Upgrade the with-stripe-typescript example app: [#33761](https://togithub.com/vercel/next.js/issues/33761)
- Upgrade to [@stitches/react](https://togithub.com/stitches/react) 1.2.6: [#33817](https://togithub.com/vercel/next.js/issues/33817)
- Doc: fix broken link to api routes doc: [#33836](https://togithub.com/vercel/next.js/issues/33836)
##### Misc Changes
- run stale 20 minutes earlier
- fix: use github action instead of bot: [#33718](https://togithub.com/vercel/next.js/issues/33718)
- fix syntax error in `lock.yml`
- fix rsc test suite runner: [#33745](https://togithub.com/vercel/next.js/issues/33745)
##### Credits
Huge thanks to [@Vienio99](https://togithub.com/Vienio99), [@balazsorban44](https://togithub.com/balazsorban44), [@kyliau](https://togithub.com/kyliau), [@molebox](https://togithub.com/molebox), [@huozhi](https://togithub.com/huozhi), [@shuding](https://togithub.com/shuding), [@PepijnSenders](https://togithub.com/PepijnSenders), [@krystofex](https://togithub.com/krystofex), [@PizzaPete](https://togithub.com/PizzaPete), [@souljuse](https://togithub.com/souljuse), [@styfle](https://togithub.com/styfle), [@Schniz](https://togithub.com/Schniz), [@Nelsonfrank](https://togithub.com/Nelsonfrank), [@ijjk](https://togithub.com/ijjk), [@Mhmdrza](https://togithub.com/Mhmdrza), [@timneutkens](https://togithub.com/timneutkens), [@hideokamoto-stripe](https://togithub.com/hideokamoto-stripe), [@Emrin](https://togithub.com/Emrin), [@gr-qft](https://togithub.com/gr-qft), [@delbaoliveira](https://togithub.com/delbaoliveira), [@redbar0n](https://togithub.com/redbar0n), [@amandeepmittal](https://togithub.com/amandeepmittal), [@lxy-yz](https://togithub.com/lxy-yz), and [@Divlo](https://togithub.com/Divlo) for helping!
### [`v12.0.9`](https://togithub.com/vercel/next.js/releases/tag/v12.0.9)
[Compare Source](https://togithub.com/vercel/next.js/compare/v12.0.8...v12.0.9)
**This upgrade is completely backward-compatible and recommended for all users on versions below 12.0.9**
Vulnerable code could allow a bad actor to trigger a denial of service attack via the `/${locale}/_next/` route for anyone running a Next.js app at version >= 12.0.0, and using built-in [i18n routing](https://nextjs.org/docs/advanced-features/i18n-routing) functionality.
#### How to Upgrade
- We have released patch versions for both the stable and canary channels of Next.js.
- To upgrade run `npm install next@latest --save`
#### Impact
- **Affected:** All of the following must be true to be affected by this CVE
  - Next.js versions between `v12.0.0` and `v12.0.9`
  - Using `next start` or a custom server
  - Using the built-in i18n support
- **Not affected:**
  - Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
##### How to Assess Impact
If your server has seen requests to any route under the prefix `/${locale}/_next/` that have triggered a heap overflow error, this was caused by the patched issue.
#### What is Being Done
As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to our users for their investigation and responsible disclosure of the original bug.
We've landed a patch that ensures this is handled properly so the requested route no longer crashes and triggers a heap overflow.
Regression tests for this attack were added to the [i18n integration test suite](https://togithub.com/vercel/next.js/pull/33503/files#diff-ed73e662e3c049828f92017b8104734e08b868acf10d4d621c44266a72825df6)
- A public CVE was released.
- We encourage responsible disclosure of future reports. Please email us at `security@vercel.com`. We are actively monitoring this mailbox.
##### Core Changes
- middlewares: limit `process.env` to inferred usage: [#33186](https://togithub.com/vercel/next.js/issues/33186)
- update webpack: [#33207](https://togithub.com/vercel/next.js/issues/33207)
- Abstract out native filesystem usage from the base server: [#33226](https://togithub.com/vercel/next.js/issues/33226)
- use text data url instead of base64 for shorter encoding: [#33218](https://togithub.com/vercel/next.js/issues/33218)
- chore(deps): upgrade `postcss`: [#33142](https://togithub.com/vercel/next.js/issues/33142)
- Fix global process testing for the process polyfill: [#33220](https://togithub.com/vercel/next.js/issues/33220)
- Update swc: [#33201](https://togithub.com/vercel/next.js/issues/33201)
- improve full refresh overlay: [#33301](https://togithub.com/vercel/next.js/issues/33301)
- Custom app for server components: [#33149](https://togithub.com/vercel/next.js/issues/33149)
- Update yarn PnP tests and disable swc file reading for PnP: [#33236](https://togithub.com/vercel/next.js/issues/33236)
- Base Http for BaseServer: [#32999](https://togithub.com/vercel/next.js/issues/32999)
- Update swc: [#33342](https://togithub.com/vercel/next.js/issues/33342)
- Update check for fallback pages during export: [#33323](https://togithub.com/vercel/next.js/issues/33323)
- Pre-compile more dependencies: [#32742](https://togithub.com/vercel/next.js/issues/32742)
- Remove node fetch polyfill from base server: [#33395](https://togithub.com/vercel/next.js/issues/33395)
- Replace regexp to plain string for optimization render HTML: [#33306](https://togithub.com/vercel/next.js/issues/33306)
- Fix broken html on streaming render for error page: [#33399](https://togithub.com/vercel/next.js/issues/33399)
- Disable cache for rsc pages: [#33438](https://togithub.com/vercel/next.js/issues/33438)
- Fix pre-compiled check from copying react-refresh-utils: [#33442](https://togithub.com/vercel/next.js/issues/33442)
- fix(next-swc): Update swc: [#33427](https://togithub.com/vercel/next.js/issues/33427)
- Move middleware handling to node server: [#33448](https://togithub.com/vercel/next.js/issues/33448)
- Enforce absolute URLs in Edge Functions runtime: [#33410](https://togithub.com/vercel/next.js/issues/33410)
- feat(next-swc): Update swc: [#33461](https://togithub.com/vercel/next.js/issues/33461)
- Update main field for nccd jest-worker: [#33465](https://togithub.com/vercel/next.js/issues/33465)
- chore(deps): upgrade `node-fetch`: [#33466](https://togithub.com/vercel/next.js/issues/33466)
- Move static serving to next server: [#33475](https://togithub.com/vercel/next.js/issues/33475)
- feat(next-swc): Update swc: [#33485](https://togithub.com/vercel/next.js/issues/33485)
- Fix multiple calls to image `onLoadingComplete()`: [#33474](https://togithub.com/vercel/next.js/issues/33474)
- Refactor base server to remove native dependencies: [#33499](https://togithub.com/vercel/next.js/issues/33499)
- Update swc: [#33514](https://togithub.com/vercel/next.js/issues/33514)
- Implement abstract methods to get manifest files in the base server: [#33537](https://togithub.com/vercel/next.js/issues/33537)
- Simplify getMiddlewareInfo calls: [#33542](https://togithub.com/vercel/next.js/issues/33542)
- Fix static file check with i18n: [#33503](https://togithub.com/vercel/next.js/issues/33503)
- Bump styled-jsx: [#33546](https://togithub.com/vercel/next.js/issues/33546)
- Ensure optional value normalizing is correct for index: [#33547](https://togithub.com/vercel/next.js/issues/33547)
- Bump nft to 0.17.4: [#33548](https://togithub.com/vercel/next.js/issues/33548)
- Add `next-multilingual` example: [#29386](https://togithub.com/vercel/next.js/issues/29386)
- Removed the s from NextConfig: [#33560](https://togithub.com/vercel/next.js/issues/33560)
- feat(next-swc): Update swc: [#33595](https://togithub.com/vercel/next.js/issues/33595)
- Fix rsc export component name detection: [#33608](https://togithub.com/vercel/next.js/issues/33608)
- upgrade webpack: [#33549](https://togithub.com/vercel/next.js/issues/33549)
- Ensure fetch polyfill is loaded in next-server: [#33616](https://togithub.com/vercel/next.js/issues/33616)
- feat(next-swc): Update swc: [#33628](https://togithub.com/vercel/next.js/issues/33628)
- Add `lazyRoot` optional property to `next/image` component: [#33290](https://togithub.com/vercel/next.js/issues/33290)
- feat(next-swc): Update swc: [#33675](https://togithub.com/vercel/next.js/issues/33675)
- Implement web server as the request handler for edge SSR: [#33635](https://togithub.com/vercel/next.js/issues/33635)
- Relay Support in Rust Compiler: [#33240](https://togithub.com/vercel/next.js/issues/33240)
- Revert "Relay Support in Rust Compiler": [#33699](https://togithub.com/vercel/next.js/issues/33699)
##### Documentation Changes
- Fixed broken link related to the recently merged Data fetching docs refactor: [#33209](https://togithub.com/vercel/next.js/issues/33209)
- Removed backticks on data fetching api titles: [#33216](https://togithub.com/vercel/next.js/issues/33216)
- Added links to data fetching api refs, fixed title: [#33221](https://togithub.com/vercel/next.js/issues/33221)
- Remove outdated & possibly confusing statement about redirects: [#33224](https://togithub.com/vercel/next.js/issues/33224)
- \[examples] Add a statically generated blog example using Next.js and Builder.io: [#22094](https://togithub.com/vercel/next.js/issues/22094)
- Typo Fix: [#33252](https://togithub.com/vercel/next.js/issues/33252)
- Update font-optimization.md: [#33266](https://togithub.com/vercel/next.js/issues/33266)
- Fixed broken links in data fetching docs: [#33250](https://togithub.com/vercel/next.js/issues/33250)
- docs: Mention middleware for getStaticProps: [#33273](https://togithub.com/vercel/next.js/issues/33273)
- Add sections for Remove React Properties and Remove Console to compiler docs: [#33311](https://togithub.com/vercel/next.js/issues/33311)
- Update links in `next export` + `next/image` error message: [#33317](https://togithub.com/vercel/next.js/issues/33317)
- Add `onLoad` gotcha note to `next/script` docs: [#33097](https://togithub.com/vercel/next.js/issues/33097)
- Update security-headers.md: fix path does not match homepage: [#33137](https://togithub.com/vercel/next.js/issues/33137)
- fix minor typo in SWR: [#33378](https://togithub.com/vercel/next.js/issues/33378)
- ReferenceError in authentication.md example fixed: [#33411](https://togithub.com/vercel/next.js/issues/33411)
- docs: fix url: [#33409](https://togithub.com/vercel/next.js/issues/33409)
- fix(docs): Fix typo in Custom Build Id docs: [#33515](https://togithub.com/vercel/next.js/issues/33515)
- \[docs] Update authentication docs to fix iron-session link.: [#33483](https://togithub.com/vercel/next.js/issues/33483)
- docs(authentication): fix iron-session example link: [#33502](https://togithub.com/vercel/next.js/issues/33502)
- Update middleware documentation for custom server: [#33535](https://togithub.com/vercel/next.js/issues/33535)
- Removed unrequired path in docs' manifest: [#33579](https://togithub.com/vercel/next.js/issues/33579)
- Update `next/server` documentation for `geo`: [#33609](https://togithub.com/vercel/next.js/issues/33609)
- Clarify `next/image` usage with `next export` based on feedback.: [#33555](https://togithub.com/vercel/next.js/issues/33555)
- Clarify `headers` config option description: [#33484](https://togithub.com/vercel/next.js/issues/33484)
- fix(errors/no-cache): `netlify-plugin-cache-nextjs` has been deprecated: [#33629](https://togithub.com/vercel/next.js/issues/33629)
- Updated docs for getServerSideProps and getStaticProps return values: [#33577](https://togithub.com/vercel/next.js/issues/33577)
- Use relative path for example: [#33565](https://togithub.com/vercel/next.js/issues/33565)
- chore(docs): update security headers specification: [#33673](https://togithub.com/vercel/next.js/issues/33673)
- REMOVE: duplicate key in docs/testing.md: [#33681](https://togithub.com/vercel/next.js/issues/33681)
##### Example Changes
- \[examples] Update remark dependency for blog-starter: [#33313](https://togithub.com/vercel/next.js/issues/33313)
- Update package.json for examples/with-supabase-auth-realtime-db: [#33321](https://togithub.com/vercel/next.js/issues/33321)
- Working example for building forms with Next.js: [#32669](https://togithub.com/vercel/next.js/issues/32669)
- Updates dependency version of frontend SDK in with-supertokens example: [#33393](https://togithub.com/vercel/next.js/issues/33393)
- docs: add skynexui to examples: [#33326](https://togithub.com/vercel/next.js/issues/33326)
- Update with-linaria dependency: [#33487](https://togithub.com/vercel/next.js/issues/33487)
- Update Supabase example README.: [#33610](https://togithub.com/vercel/next.js/issues/33610)
- \[examples] Add new Tailwind CSS Prettier plugin to example: [#33614](https://togithub.com/vercel/next.js/issues/33614)
##### Misc Changes
- Update license year
- fix(docs): master branch renaming: [#33312](https://togithub.com/vercel/next.js/issues/33312)
- Add link to security email directly.: [#33358](https://togithub.com/vercel/next.js/issues/33358)
- Fix getServerSideProps hanging in dev on early end: [#33366](https://togithub.com/vercel/next.js/issues/33366)
- \[docs] Fix 404 link for testing example.: [#33407](https://togithub.com/vercel/next.js/issues/33407)
- Update to latest version of turbo: [#33613](https://togithub.com/vercel/next.js/issues/33613)
- Update other instances of node-fetch: [#33617](https://togithub.com/vercel/next.js/issues/33617)
##### Credits
Huge thanks to [@molebox](https://togithub.com/molebox), [@Schniz](https://togithub.com/Schniz), [@sokra](https://togithub.com/sokra), [@kachkaev](https://togithub.com/kachkaev), [@shuding](https://togithub.com/shuding), [@teleaziz](https://togithub.com/teleaziz), [@OgbeniHMMD](https://togithub.com/OgbeniHMMD), [@goncy](https://togithub.com/goncy), [@balazsorban44](https://togithub.com/balazsorban44), [@MaedahBatool](https://togithub.com/MaedahBatool), [@bennettdams](https://togithub.com/bennettdams), [@kdy1](https://togithub.com/kdy1), [@huozhi](https://togithub.com/huozhi), [@hsynlms](https://togithub.com/hsynlms), [@styfle](https://togithub.com/styfle), [@ijjk](https://togithub.com/ijjk), [@callumgare](https://togithub.com/callumgare), [@jonrosner](https://togithub.com/jonrosner), [@karaggeorge](https://togithub.com/karaggeorge), [@rpie3](https://togithub.com/rpie3), [@MartijnHols](https://togithub.com/MartijnHols), [@leerob](https://togithub.com/leerob), [@bashunaimiroy](https://togithub.com/bashunaimiroy), [@NOCELL](https://togithub.com/NOCELL), [@rishabhpoddar](https://togithub.com/rishabhpoddar), [@omariosouto](https://togithub.com/omariosouto), [@hanneslund](https://togithub.com/hanneslund), [@theMosaad](https://togithub.com/theMosaad), [@javivelasco](https://togithub.com/javivelasco), [@pierrenel](https://togithub.com/pierrenel), [@lobsterkatie](https://togithub.com/lobsterkatie), [@tharakabimal](https://togithub.com/tharakabimal), [@vvo](https://togithub.com/vvo), [@saevarb](https://togithub.com/saevarb), [@lfades](https://togithub.com/lfades), [@nbouvrette](https://togithub.com/nbouvrette), [@paulnbrd](https://togithub.com/paulnbrd), [@ecklf](https://togithub.com/ecklf), [@11koukou](https://togithub.com/11koukou), [@renbaoshuo](https://togithub.com/renbaoshuo), [@chozzz](https://togithub.com/chozzz), [@tbezman](https://togithub.com/tbezman), [@karlhorky](https://togithub.com/karlhorky), [@j-mendez](https://togithub.com/j-mendez), and 
[@ffan0811](https://togithub.com/ffan0811) for helping!
### [`v12.0.8`](https://togithub.com/vercel/next.js/releases/tag/v12.0.8)
[Compare Source](https://togithub.com/vercel/next.js/compare/v12.0.7...v12.0.8)
##### Core Changes
- Fix no-server-import-in-page eslint rule for subfolder middleware: [#32139](https://togithub.com/vercel/next.js/issues/32139)
- Create Base Server: [#32154](https://togithub.com/vercel/next.js/issues/32154)
- Revert support for render prop in ``: [#32184](https://togithub.com/vercel/next.js/issues/32184)
- Refactor FS references in the Base Server: [#32179](https://togithub.com/vercel/next.js/issues/32179)
- telemetry: collect feature usage for linting during build: [#32022](https://togithub.com/vercel/next.js/issues/32022)
- Chore/load bindings improvements: [#32191](https://togithub.com/vercel/next.js/issues/32191)
- fix(NODE_ENV): Warn when launching start or build on development: [#14033](https://togithub.com/vercel/next.js/issues/14033)
- Fix crash in no-page-custom-font eslint rule when default export is unnamed.: [#32251](https://togithub.com/vercel/next.js/issues/32251)
- Add docs for leveraging outputStandalone config: [#32255](https://togithub.com/vercel/next.js/issues/32255)
- Replace raw-body with get-stream and bytes: [#21915](https://togithub.com/vercel/next.js/issues/21915)
- Update to latest ncc and ensure caniuse-lite data is external: [#32064](https://togithub.com/vercel/next.js/issues/32064)
- Update swc: [#32210](https://togithub.com/vercel/next.js/issues/32210)
- Simplify custom `Writable`: [#32247](https://togithub.com/vercel/next.js/issues/32247)
- Add shake exports transform to next-swc: [#32253](https://togithub.com/vercel/next.js/issues/32253)
- Revert "Replace raw-body with get-stream and bytes": [#32305](https://togithub.com/vercel/next.js/issues/32305)
- Re-open chore(deps): upgrade browserslist: [#32300](https://togithub.com/vercel/next.js/issues/32300)
- Fix RSC link navigation: [#32303](https://togithub.com/vercel/next.js/issues/32303)
- Compile escape-string-regexp: [#32310](https://togithub.com/vercel/next.js/issues/32310)
- Add unstable_useRefreshRoot: [#32342](https://togithub.com/vercel/next.js/issues/32342)
- Update swc: [#32365](https://togithub.com/vercel/next.js/issues/32365)
- fix unstable_useRefreshRoot typing: [#32364](https://togithub.com/vercel/next.js/issues/32364)
- fix(next-swc/styled-jsx): Fix `nth`: [#32358](https://togithub.com/vercel/next.js/issues/32358)
- Rename experimental vital hook: [#32343](https://togithub.com/vercel/next.js/issues/32343)
- Inline server data response with partial hydration: [#32330](https://togithub.com/vercel/next.js/issues/32330)
- Update `jsx` transform of swc: [#32383](https://togithub.com/vercel/next.js/issues/32383)
- Fix running server with Polyfilled fetch: [#32368](https://togithub.com/vercel/next.js/issues/32368)
- Fix dynamic routes with pages under index folder: [#32440](https://togithub.com/vercel/next.js/issues/32440)
- Fixes [#32338](https://togithub.com/vercel/next.js/issues/32338) missing Document components trigger an error for production builds: [#32345](https://togithub.com/vercel/next.js/issues/32345)
- Fixes for inline embedding data in the web runtime: [#32471](https://togithub.com/vercel/next.js/issues/32471)
- Add vitals and rsc to npm files: [#32472](https://togithub.com/vercel/next.js/issues/32472)
- fixes to allow lazy compilation for import(): [#32441](https://togithub.com/vercel/next.js/issues/32441)
- upgrade webpack and watchpack: [#32173](https://togithub.com/vercel/next.js/issues/32173)
- Update to filter loader specific files from traces: [#32267](https://togithub.com/vercel/next.js/issues/32267)
- Fix server data cache key: [#32506](https://togithub.com/vercel/next.js/issues/32506)
- \[middleware] Fix hydration for rewrites to dynamic pages: [#32534](https://togithub.com/vercel/next.js/issues/32534)
- Ensure image-optimizer is traced for standalone mode: [#32522](https://togithub.com/vercel/next.js/issues/32522)
- Remove unused classnames dependency from react-dev-overlay: [#32487](https://togithub.com/vercel/next.js/issues/32487)
- next-swc: Emit errors and add tests to next-ssg: [#32254](https://togithub.com/vercel/next.js/issues/32254)
- Include message body in redirect responses: [#31886](https://togithub.com/vercel/next.js/issues/31886)
- Prevent NEXT_PHASE env change in workers: [#28941](https://togithub.com/vercel/next.js/issues/28941)
- Check stack property for page export exceptions: [#32289](https://togithub.com/vercel/next.js/issues/32289)
- fix(next-swc/styled-jsx): Fix interpolation in media query: [#32490](https://togithub.com/vercel/next.js/issues/32490)
- Update swc: [#32566](https://togithub.com/vercel/next.js/issues/32566)
- Add turbo / improve Rust build caching in GitHub Actions: [#31464](https://togithub.com/vercel/next.js/issues/31464)
- Fix ReadableStream.pipeTo() being unimplemented in the web runtime: [#32602](https://togithub.com/vercel/next.js/issues/32602)
- Ensure AMP optimizer is only excluded from trace when not used: [#32577](https://togithub.com/vercel/next.js/issues/32577)
- Upgraded next-env dependencies: [#32613](https://togithub.com/vercel/next.js/issues/32613)
- Feat/14701 full reload notification: [#28866](h
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
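The v12.0.9 advisory above tells operators to look for requests under the `/${locale}/_next/` prefix when assessing impact. The scanner below is an added example, not code from Next.js, Vercel or Renovate; the locale list, the combined log format and the log lines are constructed assumptions, and it normalises case, percent-encoding and repeated slashes before matching.

```javascript
// Added example: flag access-log requests under /<locale>/_next/ for review.
// LOCALES and SAMPLE_LOG are constructed; adapt LINE_RE to your log format.

// Assumption: the values of `i18n.locales` in next.config.js.
const LOCALES = ['en', 'fr', 'nl-NL'];

// Constructed lines in common log format (documentation IP ranges).
const SAMPLE_LOG = [
  '198.51.100.4 - - [27/Jan/2022:10:00:01 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 5120',
  '203.0.113.7 - - [27/Jan/2022:10:00:05 +0000] "GET /fr/_next/static/chunks/main.js HTTP/1.1" 502 0',
  '203.0.113.7 - - [27/Jan/2022:10:00:06 +0000] "GET /FR/%5Fnext/x?y=1 HTTP/1.1" 502 0',
  '198.51.100.4 - - [27/Jan/2022:10:00:09 +0000] "GET /fr/about HTTP/1.1" 200 2048',
  '192.0.2.9 - - [27/Jan/2022:10:00:11 +0000] "GET /nl-NL//_next/ HTTP/1.1" 404 0',
  'not a log line',
];

// Captures: client IP, timestamp, method, request target, status code.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})(?: |$)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not fatal
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Split the request target into decoded path segments. The query string is
// dropped, empty segments (//) are collapsed, and malformed escapes are kept
// raw so the scanner itself never throws on odd input.
function pathSegments(target) {
  const rawPath = target.split(/[?#]/, 1)[0];
  return rawPath.split('/').filter(Boolean).map((segment) => {
    try {
      return decodeURIComponent(segment);
    } catch (err) {
      return segment;
    }
  });
}

// True when the first segment is a configured locale and the second is _next.
// Locales are compared case-insensitively so variants are not missed.
function isLocaleNextRequest(target, locales) {
  const [first, second] = pathSegments(target);
  if (first === undefined || second === undefined) return false;
  const wanted = new Set(locales.map((l) => l.toLowerCase()));
  return wanted.has(first.toLowerCase()) && second === '_next';
}

// Returns every matching request plus a per-client summary.
// Assumption: a crashed or restarting upstream shows up as a 5xx at the proxy.
function scan(lines, locales) {
  const hits = [];
  const byIp = {};
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !isLocaleNextRequest(rec.target, locales)) continue;
    const hit = { ...rec, serverError: rec.status >= 500 };
    hits.push(hit);
    if (!byIp[hit.ip]) byIp[hit.ip] = { total: 0, serverErrors: 0 };
    byIp[hit.ip].total += 1;
    if (hit.serverError) byIp[hit.ip].serverErrors += 1;
  }
  return { hits, byIp };
}

console.log(JSON.stringify(scan(SAMPLE_LOG, LOCALES).byIp, null, 2));
```

Hits that coincide with 5xx responses or process restarts on an unpatched server are the ones to correlate with the crash the advisory describes.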
This PR contains the following updates: 10.2.3 -> 12.1.0

### GitHub Vulnerability Alerts

#### CVE-2021-39178

##### Impact

- `next.config.js` file has `images.domains` array assigned
- `images.domains` allows user-provided SVG
- `next.config.js` file has `images.loader` assigned to something other than default

##### Patches

Next.js v11.1.1

#### CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different loader configuration other than the default.

##### Impact

- `next.config.js` file has images.domains array assigned
- `next.config.js` file has images.loader assigned to something other than default

##### Patches

Next.js 12.1.0

##### Workarounds

Change `next.config.js` to use a different loader configuration other than the default, for example:

Or if you want to use the `loader` prop on the component, you can use `custom`:

#### CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package `next` hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

#### CVE-2021-37699

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when `pages/_error.js` was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

##### Impact

- `10.0.5` and `10.2.0`
- `11.0.0` and `11.0.1` using `pages/_error.js` without `getInitialProps`
- `11.0.0` and `11.0.1` using `pages/_error.js` and `next export`
- `pages/404.js`
- `next` npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

##### Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

### Release Notes

vercel/next.js
### [`v12.1.0`](https://togithub.com/vercel/next.js/releases/tag/v12.1.0)
[Compare Source](https://togithub.com/vercel/next.js/compare/v12.0.10...v12.1.0)
##### Core Changes
- Relay Support in Rust Compiler: [#33702](https://togithub.com/vercel/next.js/issues/33702)
- fix eslint link-passhref rule: [#33857](https://togithub.com/vercel/next.js/issues/33857)
- update webpack: [#33831](https://togithub.com/vercel/next.js/issues/33831)
- Flush buffered vitals metrics on page mount: [#33867](https://togithub.com/vercel/next.js/issues/33867)
- fix problem with HMR when middleware and page reference the same node_module: [#33873](https://togithub.com/vercel/next.js/issues/33873)
- Refactor page component getter in web server: [#33759](https://togithub.com/vercel/next.js/issues/33759)
- update NextResponse default redirect status to 307 to match docs: [#33505](https://togithub.com/vercel/next.js/issues/33505)
- Bug fix: dynamic page should not be interpreted as predefined page: [#33808](https://togithub.com/vercel/next.js/issues/33808)
- Group streaming experimental apis: [#33878](https://togithub.com/vercel/next.js/issues/33878)
- Encapsulate routing and initial hydration: [#33875](https://togithub.com/vercel/next.js/issues/33875)
- Optimize offline condition judgment: [#33238](https://togithub.com/vercel/next.js/issues/33238)
- Ensure external beforeFiles rewrites are handled with next/link: [#33888](https://togithub.com/vercel/next.js/issues/33888)
- Fix parsing params for i18n optional route in minimal mode: [#33896](https://togithub.com/vercel/next.js/issues/33896)
- Ensure browserslist extends works properly: [#33890](https://togithub.com/vercel/next.js/issues/33890)
- Fix image cache race condition: [#33883](https://togithub.com/vercel/next.js/issues/33883)
- Add support for Relay projects without `artifactDirectory`: [#33918](https://togithub.com/vercel/next.js/issues/33918)
- fix: handle jsxspreadattribute in inline-script-id eslint rule: [#32421](https://togithub.com/vercel/next.js/issues/32421)
- feat(next-swc): Update swc: [#33724](https://togithub.com/vercel/next.js/issues/33724)
- Update to latest version of amphtml-validator: [#33967](https://togithub.com/vercel/next.js/issues/33967)
- Warn in dev mode when script tags are added with next/head: [#33968](https://togithub.com/vercel/next.js/issues/33968)
- Ensure optional chaining in swc matches babel: [#33995](https://togithub.com/vercel/next.js/issues/33995)
- Use `react-dom/server.browser` in Node.js: [#33950](https://togithub.com/vercel/next.js/issues/33950)
- Ensure external middleware rewrite is handled correctly: [#33962](https://togithub.com/vercel/next.js/issues/33962)
- Update Terser to v5.10.0, fix minification issues: [#33045](https://togithub.com/vercel/next.js/issues/33045)
- Warn in dev mode when stylesheets are added using next/head: [#34004](https://togithub.com/vercel/next.js/issues/34004)
- Use `ReadableStream` in `RenderResult`: [#34005](https://togithub.com/vercel/next.js/issues/34005)
- Fix suffix ordering while streaming: [#34011](https://togithub.com/vercel/next.js/issues/34011)
- Don't use yarn if a package-lock.json file is found: [#31926](https://togithub.com/vercel/next.js/issues/31926)
- Do not warn when application/ld+json scripts are used with next/head: [#34021](https://togithub.com/vercel/next.js/issues/34021)
- Babel & next-swc: Fix exporting page config with AsExpression: [#32702](https://togithub.com/vercel/next.js/issues/32702)
- Detect per page runtime config for functions manifest: [#33945](https://togithub.com/vercel/next.js/issues/33945)
- Add JSDoc to config options: [#32915](https://togithub.com/vercel/next.js/issues/32915)
- Update font-stylesheet-gathering-plugin.ts: [#30709](https://togithub.com/vercel/next.js/issues/30709)
- Add decoratorMetadata flag if enabled by tsconfig: [#32914](https://togithub.com/vercel/next.js/issues/32914)
- fix: data url handling in css-loader: [#34034](https://togithub.com/vercel/next.js/issues/34034)
- Place 'charset' element at the top of : [#28119](https://togithub.com/vercel/next.js/issues/28119)
- Fix detection of anchor click events inside svg: [#23272](https://togithub.com/vercel/next.js/issues/23272)
- Allow passing nothing as custom jest config: [#32328](https://togithub.com/vercel/next.js/issues/32328)
- Fixes [#31240](https://togithub.com/vercel/next.js/issues/31240): Adding a recursive addPackagePath function in webpack-config: [#31264](https://togithub.com/vercel/next.js/issues/31264)
- Require component rendered as child of `Link` to pass event to `onClick` handler: [#27723](https://togithub.com/vercel/next.js/issues/27723)
- Allow scroll prevention on hash change: [#31921](https://togithub.com/vercel/next.js/issues/31921)
- Add support for async fn / promise in next.config.js/.mjs: [#33662](https://togithub.com/vercel/next.js/issues/33662)
- Fix `lazyRoot` functionality for `next/image`: [#33933](https://togithub.com/vercel/next.js/issues/33933)
- Change SWC minify from beta to release candidate: [#34056](https://togithub.com/vercel/next.js/issues/34056)
- Make `Router` state immutable: [#33925](https://togithub.com/vercel/next.js/issues/33925)
- Stop exposing internal `render` and `renderError` methods from `next/client`: [#34069](https://togithub.com/vercel/next.js/issues/34069)
- Add api-utils helper for testing: [#34078](https://togithub.com/vercel/next.js/issues/34078)
- feat(next-swc): Update swc: [#34045](https://togithub.com/vercel/next.js/issues/34045)
- Deprecate `concurrentFeatures` with `runtime`: [#34068](https://togithub.com/vercel/next.js/issues/34068)
- Add check for resolveWeak to next/dynamic: [#33908](https://togithub.com/vercel/next.js/issues/33908)
- remove unneeded and broken plugin: [#34087](https://togithub.com/vercel/next.js/issues/34087)
- Remove experimental warning from next/jest: [#34096](https://togithub.com/vercel/next.js/issues/34096)
- fix: arrow function export in rsc client component: [#34105](https://togithub.com/vercel/next.js/issues/34105)
- Use `renderToStream` with React 18: [#34106](https://togithub.com/vercel/next.js/issues/34106)
- Fix static result being piped: [#34111](https://togithub.com/vercel/next.js/issues/34111)
- Polyfill pipeTo and pipeThrough: [#34112](https://togithub.com/vercel/next.js/issues/34112)
- Update to leverage response-cache for image-optimizer: [#34075](https://togithub.com/vercel/next.js/issues/34075)
- fix: `next/image` usage from `node_modules`: [#33559](https://togithub.com/vercel/next.js/issues/33559)
- Fix included flight manifest on node runtime: [#34113](https://togithub.com/vercel/next.js/issues/34113)
- Fix: Use `react-dom/server.browser` when `reactRoot: true`: [#34116](https://togithub.com/vercel/next.js/issues/34116)
- Fix image-optimizer requires in next-server: [#34141](https://togithub.com/vercel/next.js/issues/34141)
- Fix required files matching in rsc: [#34137](https://togithub.com/vercel/next.js/issues/34137)
- Throw error when ts file contains css.resolve: [#34149](https://togithub.com/vercel/next.js/issues/34149)
- Chore/stable swc compiler options: [#34074](https://togithub.com/vercel/next.js/issues/34074)
- Fix bug with "Circular Structure" error: [#23905](https://togithub.com/vercel/next.js/issues/23905)
- Add \_document and \_app pre-import: [#23261](https://togithub.com/vercel/next.js/issues/23261)
- Ensure standalone server handles SIGTERM: [#34151](https://togithub.com/vercel/next.js/issues/34151)
- Bump nft to 0.17.5: [#34190](https://togithub.com/vercel/next.js/issues/34190)
- feat: copy `.env` file in standalone mode: [#34143](https://togithub.com/vercel/next.js/issues/34143)
- Fix reuse of inline flight response and 404 for RSC in node runtime: [#34202](https://togithub.com/vercel/next.js/issues/34202)
- Use updated recursive rm fs method for image-optimizer: [#34210](https://togithub.com/vercel/next.js/issues/34210)
- Fix link for "Delete Query Params in Middleware" error message in `next-server.ts`: [#34230](https://togithub.com/vercel/next.js/issues/34230)
- Enable dynamic HTML in minimal mode: [#34222](https://togithub.com/vercel/next.js/issues/34222)
- Fix uncaught error in getInitialProps when `runtime` is set to `nodejs`: [#34228](https://togithub.com/vercel/next.js/issues/34228)
- Optimize the web server size: [#34242](https://togithub.com/vercel/next.js/issues/34242)
- feat: allow `node-sass@7` as peer dependency: [#34107](https://togithub.com/vercel/next.js/issues/34107)
- Adding step to build the app with docker in existing projects: [#34083](https://togithub.com/vercel/next.js/issues/34083)
- Changed all occurrences of etc to match: [#34280](https://togithub.com/vercel/next.js/issues/34280)
- Align reactRoot config between server and webpack config: [#34328](https://togithub.com/vercel/next.js/issues/34328)
- Fix `
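The affected conditions stated above for CVE-2022-23646 and for the v12.0.9 i18n issue can be checked against an installed version and a loaded `next.config.js` object. This is an added example, not code from Next.js or Renovate; the hostname `assets.example.com` and the finding label `v12.0.9-i18n-dos` are placeholders, and pre-release versions are deliberately ordered before their release so canary builds are flagged conservatively.

```javascript
// Added example: evaluate the "affected" conditions quoted in the advisories.
// Version ranges come from the page; configs and labels are constructed.

// Parse "12.0.8", "v12.0.8" or "12.1.0-canary.3" into comparable parts.
// The fourth element is 0 for a pre-release and 1 for a release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < x.length; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// min is inclusive; fixedIn is exclusive (the first patched release).
function inRange(version, min, fixedIn) {
  return compareVersions(version, min) >= 0 && compareVersions(version, fixedIn) < 0;
}

// Returns one finding per advisory whose config-visible conditions all hold.
// Each finding names the condition that still has to be confirmed by hand.
function assess(version, config) {
  const cfg = config || {};
  const images = cfg.images || {};
  const i18n = cfg.i18n || {};
  const findings = [];

  // CVE-2022-23646: >= 10.0.0 and < 12.1.0, images.domains assigned,
  // images.loader left at the default. An empty domains array allows no host.
  const domains = Array.isArray(images.domains) ? images.domains : [];
  const usesDefaultLoader = images.loader === undefined || images.loader === 'default';
  if (inRange(version, '10.0.0', '12.1.0') && domains.length > 0 && usesDefaultLoader) {
    findings.push({
      id: 'CVE-2022-23646',
      confirm: `do any of these hosts serve user-provided SVG? ${domains.join(', ')}`,
      remediation: 'upgrade to 12.1.0, or set images.loader to a non-default loader',
    });
  }

  // v12.0.9 advisory: >= 12.0.0 and < 12.0.9 with built-in i18n routing.
  const locales = Array.isArray(i18n.locales) ? i18n.locales : [];
  if (inRange(version, '12.0.0', '12.0.9') && locales.length > 0) {
    findings.push({
      id: 'v12.0.9-i18n-dos', // placeholder label; the page gives no CVE number
      confirm: 'is the app served by "next start" or a custom server?',
      remediation: 'upgrade to 12.0.9 or later',
    });
  }
  return findings;
}

// Constructed configs: the weak setting beside the workaround from the advisory.
const WEAK_CONFIG = { images: { domains: ['assets.example.com'] } };
const WORKAROUND_CONFIG = { images: { domains: ['assets.example.com'], loader: 'custom' } };
const I18N_CONFIG = { ...WEAK_CONFIG, i18n: { locales: ['en', 'fr'], defaultLocale: 'en' } };

for (const [label, version, config] of [
  ['10.2.3, default loader', '10.2.3', WEAK_CONFIG],
  ['10.2.3, custom loader', '10.2.3', WORKAROUND_CONFIG],
  ['12.0.8, i18n enabled', '12.0.8', I18N_CONFIG],
  ['12.1.0, i18n enabled', '12.1.0', I18N_CONFIG],
]) {
  console.log(label, JSON.stringify(assess(version, config).map((f) => f.id)));
}
```

The versions 10.2.3 and 12.1.0 in the sample run are the two ends of the update this PR proposes.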