search

celo-org / rainbowkit-celo

rainbowkit-with-celo.vercel.app
Apache License 2.0
12 stars 11 forks source link

fix(deps): update dependency next to v14 [security] #129

Open renovate[bot] opened 2 months ago

renovate[bot] commented 2 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 13.5.6 -> 14.1.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #​62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote Shubham Shah - Assetnote

Next.js Server-Side Request Forgery in Server Actions

CVE-2024-34351 / GHSA-fr5h-rqp8-mj6g

More information #### Details ##### Impact A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. ##### Prerequisites * Next.js (`<14.1.1`) is running in a self-hosted* manner. * The Next.js application makes use of Server Actions. * The Server Action performs a redirect to a relative path which starts with a `/`. \* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner. ##### Patches This vulnerability was patched in [#​62561](https://togithub.com/vercel/next.js/pull/62561) and fixed in Next.js `14.1.1`. ##### Workarounds There are no official workarounds for this vulnerability. We recommend upgrading to Next.js `14.1.1`. ##### Credit Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to: Adam Kues - Assetnote Shubham Shah - Assetnote #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` #### References - [https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g](https://togithub.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g) - [https://nvd.nist.gov/vuln/detail/CVE-2024-34351](https://nvd.nist.gov/vuln/detail/CVE-2024-34351) - [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561) - [https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085](https://togithub.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085) - [https://github.com/vercel/next.js](https://togithub.com/vercel/next.js) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-fr5h-rqp8-mj6g) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

vercel/next.js (next) ### [`v14.1.1`](https://togithub.com/vercel/next.js/releases/tag/v14.1.1) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.1.0...v14.1.1) *Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary* ##### Core Changes - Should not warn metadataBase missing if only absolute urls are present: [https://github.com/vercel/next.js/pull/61898](https://togithub.com/vercel/next.js/pull/61898) - Fix trailing slash for canonical url: [https://github.com/vercel/next.js/pull/62109](https://togithub.com/vercel/next.js/pull/62109) - Fix metadata json manifest convention: [https://github.com/vercel/next.js/pull/62615](https://togithub.com/vercel/next.js/pull/62615) - Improve the Server Actions SWC transform: [https://github.com/vercel/next.js/pull/61001](https://togithub.com/vercel/next.js/pull/61001) - Fix Server Reference being double registered: [https://github.com/vercel/next.js/pull/61244](https://togithub.com/vercel/next.js/pull/61244) - Improve the Server Actions SWC transform (part 2): [https://github.com/vercel/next.js/pull/62052](https://togithub.com/vercel/next.js/pull/62052) - Fix module-level Server Action creation with closure-closed values: [https://github.com/vercel/next.js/pull/62437](https://togithub.com/vercel/next.js/pull/62437) - Fix draft mode invariant: [https://github.com/vercel/next.js/pull/62121](https://togithub.com/vercel/next.js/pull/62121) - fix: babel usage with next/image: [https://github.com/vercel/next.js/pull/61835](https://togithub.com/vercel/next.js/pull/61835) - Fix next/server api alias for ESM pkg: [https://github.com/vercel/next.js/pull/61721](https://togithub.com/vercel/next.js/pull/61721) - Replace image optimizer IPC call with request handler: [https://github.com/vercel/next.js/pull/61471](https://togithub.com/vercel/next.js/pull/61471) - chore: refactor image optimization to separate external/internal urls: [https://github.com/vercel/next.js/pull/61172](https://togithub.com/vercel/next.js/pull/61172) - fix(image): warn when animated image is missing unoptimized prop: [https://github.com/vercel/next.js/pull/61045](https://togithub.com/vercel/next.js/pull/61045) - fix(build-output): show stack during CSR bailout warning: [https://github.com/vercel/next.js/pull/62594](https://togithub.com/vercel/next.js/pull/62594) - Fix extra swc optimizer applied to node_modules in browser layer: [https://github.com/vercel/next.js/pull/62051](https://togithub.com/vercel/next.js/pull/62051) - fix(next-swc): Detect exports.foo from cjs_finder: [https://github.com/vercel/next.js/pull/61795](https://togithub.com/vercel/next.js/pull/61795) - Fix attempted import error for react: [https://github.com/vercel/next.js/pull/61791](https://togithub.com/vercel/next.js/pull/61791) - Add stack trace to client rendering bailout error: [https://github.com/vercel/next.js/pull/61200](https://togithub.com/vercel/next.js/pull/61200) - fix router crash on revalidate + popstate: [https://github.com/vercel/next.js/pull/62383](https://togithub.com/vercel/next.js/pull/62383) - fix loading issue when navigating to page with async metadata: [https://github.com/vercel/next.js/pull/61687](https://togithub.com/vercel/next.js/pull/61687) - revert changes to process default routes at build: [https://github.com/vercel/next.js/pull/61241](https://togithub.com/vercel/next.js/pull/61241) - fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: [https://github.com/vercel/next.js/pull/60776](https://togithub.com/vercel/next.js/pull/60776) - Improve redirection handling: [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561) - Simplify node/edge server chunking some: [https://github.com/vercel/next.js/pull/62424](https://togithub.com/vercel/next.js/pull/62424) ##### Credits Huge thanks to [@​huozhi](https://togithub.com/huozhi), [@​shuding](https://togithub.com/shuding), [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood), [@​styfle](https://togithub.com/styfle), [@​ijjk](https://togithub.com/ijjk), [@​ztanner](https://togithub.com/ztanner), [@​balazsorban44](https://togithub.com/balazsorban44), [@​kdy1](https://togithub.com/kdy1), and [@​williamli](https://togithub.com/williamli) for helping! ### [`v14.1.0`](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0) ### [`v14.0.4`](https://togithub.com/vercel/next.js/compare/v14.0.3...v14.0.4) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.3...v14.0.4) ### [`v14.0.3`](https://togithub.com/vercel/next.js/compare/v14.0.2...v14.0.3) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.2...v14.0.3) ### [`v14.0.2`](https://togithub.com/vercel/next.js/compare/v14.0.1...v14.0.2) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.1...v14.0.2) ### [`v14.0.1`](https://togithub.com/vercel/next.js/releases/tag/v14.0.1) [Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.0...v14.0.1) ##### Core Changes - Add Next.js 14 codemods to CLI output.: [#​57552](https://togithub.com/vercel/next.js/issues/57552) - OpenTelemetry: propagate a configured context(s) to root requests: [#​57084](https://togithub.com/vercel/next.js/issues/57084) - debug: Add tags to next build traces to track build configuration in the .next/trace file: [#​56965](https://togithub.com/vercel/next.js/issues/56965) - \[Traces] Await the flush of the trace write stream to make sure trace file is written: [#​57641](https://togithub.com/vercel/next.js/issues/57641) - Add node-pty to externals list: [#​57640](https://togithub.com/vercel/next.js/issues/57640) - fix: move logging config validation out of experimental: [#​57530](https://togithub.com/vercel/next.js/issues/57530) - Update font data: [#​57728](https://togithub.com/vercel/next.js/issues/57728) - Support viewport export via TS Plugin: [#​57554](https://togithub.com/vercel/next.js/issues/57554) - Fix: Build compilation warning when using middleware: [#​57685](https://togithub.com/vercel/next.js/issues/57685) - chore: Update flight-client-entry-plugin.ts typo: [#​57734](https://togithub.com/vercel/next.js/issues/57734) - Improve error for missing default export in dynamic metadata routes: [#​57711](https://togithub.com/vercel/next.js/issues/57711) - fix gsp tracing issue: [#​57766](https://togithub.com/vercel/next.js/issues/57766) - fix(turbopack): don't match empty route groups: [#​57647](https://togithub.com/vercel/next.js/issues/57647) - Update React from [`8c8ee9e`](https://togithub.com/vercel/next.js/commit/8c8ee9ee6) to [`0c63487`](https://togithub.com/vercel/next.js/commit/0c6348758) and types: [#​57772](https://togithub.com/vercel/next.js/issues/57772) ##### Documentation Changes - Add missing dot in codemod command: [#​57536](https://togithub.com/vercel/next.js/issues/57536) - docs(fix): example text unescaped entities: [#​57255](https://togithub.com/vercel/next.js/issues/57255) - doc: Clarify built-in support for sass after installation: [#​57279](https://togithub.com/vercel/next.js/issues/57279) - Update docs with a Good to know box about using redirect in client components: [#​56966](https://togithub.com/vercel/next.js/issues/56966) - docs: fix 02-dynamic-routes.mdx: [#​57029](https://togithub.com/vercel/next.js/issues/57029) - Fix incorrect link in GTM docs: [#​57547](https://togithub.com/vercel/next.js/issues/57547) - Fix typos: [#​57592](https://togithub.com/vercel/next.js/issues/57592) - Add apostrophe 07-error-handling.mdx: [#​57626](https://togithub.com/vercel/next.js/issues/57626) - Fix: codemods.mdx Incorrect heading structure of next-og-import, meta…: [#​57605](https://togithub.com/vercel/next.js/issues/57605) - Typo fix, version "13" to "14": [#​57723](https://togithub.com/vercel/next.js/issues/57723) - Fix Google Tag Manager URL in Third Party Libraries documentation: [#​57731](https://togithub.com/vercel/next.js/issues/57731) ##### Example Changes - Fix: Call cookies function from route to flag as dynamic: [#​57494](https://togithub.com/vercel/next.js/issues/57494) - (Examples) Add `with-youtube-embed` example: [#​57367](https://togithub.com/vercel/next.js/issues/57367) - (Examples) Add `with-google-maps-embed` example: [#​57365](https://togithub.com/vercel/next.js/issues/57365) - update [@​types/react](https://togithub.com/types/react) version in examples: [#​57259](https://togithub.com/vercel/next.js/issues/57259) - docs: fix broken link to demo: [#​57229](https://togithub.com/vercel/next.js/issues/57229) - (example update) Update example with-Clerk: [#​57050](https://togithub.com/vercel/next.js/issues/57050) - active-class-name example style js has not taken effect: [#​56136](https://togithub.com/vercel/next.js/issues/56136) - add inngest next.js example: [#​56049](https://togithub.com/vercel/next.js/issues/56049) - fix inngest example for 3.x sdk: [#​57712](https://togithub.com/vercel/next.js/issues/57712) ##### Misc Changes - update manifest: [#​57523](https://togithub.com/vercel/next.js/issues/57523) - update next/third-parties to use Next 14 or 13 as a peer dependency, instead of just 13: [#​57515](https://togithub.com/vercel/next.js/issues/57515) - Modify tailwindcss related dependency of `create-next-app`: [#​57262](https://togithub.com/vercel/next.js/issues/57262) - Remove extra CI step and lock Node.js version: [#​57769](https://togithub.com/vercel/next.js/issues/57769) ##### Credits Huge thanks to [@​dijonmusters](https://togithub.com/dijonmusters), [@​sokra](https://togithub.com/sokra), [@​philwolstenholme](https://togithub.com/philwolstenholme), [@​IgorKowalczyk](https://togithub.com/IgorKowalczyk), [@​housseindjirdeh](https://togithub.com/housseindjirdeh), [@​Zoe-Bot](https://togithub.com/Zoe-Bot), [@​HanCiHu](https://togithub.com/HanCiHu), [@​JackHowa](https://togithub.com/JackHowa), [@​goncy](https://togithub.com/goncy), [@​hirotomoyamada](https://togithub.com/hirotomoyamada), [@​pveyes](https://togithub.com/pveyes), [@​yeskunall](https://togithub.com/yeskunall), [@​vinaykulk621](https://togithub.com/vinaykulk621), [@​ChendayUP](https://togithub.com/ChendayUP), [@​leerob](https://togithub.com/leerob), [@​dvoytenko](https://togithub.com/dvoytenko), [@​mknichel](https://togithub.com/mknichel), [@​ijjk](https://togithub.com/ijjk), [@​hmaesta](https://togithub.com/hmaesta), [@​ajz003](https://togithub.com/ajz003), [@​its-kunal](https://togithub.com/its-kunal), [@​joelhooks](https://togithub.com/joelhooks), [@​blurrah](https://togithub.com/blurrah), [@​tariknh](https://togithub.com/tariknh), [@​Vinlock](https://togithub.com/Vinlock), [@​Nayeem-XTREME](https://togithub.com/Nayeem-XTREME), [@​aziyatali](https://togithub.com/aziyatali), [@​aspehler](https://togithub.com/aspehler), [@​huozhi](https://togithub.com/huozhi), [@​ztanner](https://togithub.com/ztanner), [@​ForsakenHarmony](https://togithub.com/ForsakenHarmony), [@​moka-ayumu](https://togithub.com/moka-ayumu), and [@​gnoff](https://togithub.com/gnoff) for helping! ### [`v14.0.0`](https://togithub.com/vercel/next.js/compare/v13.5.6...v14.0.0) [Compare Source](https://togithub.com/vercel/next.js/compare/v13.5.6...v14.0.0)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

vercel[bot] commented 2 months ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
rainbowkit-with-celo ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 10, 2024 4:32am
changeset-bot[bot] commented 2 months ago

⚠️ No Changeset found

Latest commit: e044215cb1ecd7a6e990de3227d8b21364aff7f2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

socket-security[bot] commented 2 months ago

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@next/env@14.1.1 environment, filesystem 0 11.7 kB vercel-release-bot
npm/@next/swc-darwin-arm64@14.1.1 None 0 106 MB vercel-release-bot
npm/@next/swc-darwin-x64@14.1.1 None 0 105 MB vercel-release-bot
npm/@next/swc-linux-arm64-gnu@14.1.1 None 0 108 MB vercel-release-bot
npm/@next/swc-linux-arm64-musl@14.1.1 None 0 131 MB vercel-release-bot
npm/@next/swc-linux-x64-gnu@14.1.1 None 0 120 MB vercel-release-bot
npm/@next/swc-linux-x64-musl@14.1.1 None 0 144 MB vercel-release-bot
npm/@next/swc-win32-arm64-msvc@14.1.1 None 0 95.3 MB vercel-release-bot
npm/@next/swc-win32-ia32-msvc@14.1.1 None 0 87.1 MB vercel-release-bot
npm/@next/swc-win32-x64-msvc@14.1.1 None 0 123 MB vercel-release-bot
npm/next@14.1.1 environment, filesystem, network, shell, unsafe 0 86.4 MB vercel-release-bot

🚮 Removed packages: npm/@next/env@13.5.6, npm/@next/swc-darwin-arm64@13.5.6, npm/@next/swc-darwin-x64@13.5.6, npm/@next/swc-linux-arm64-gnu@13.5.6, npm/@next/swc-linux-arm64-musl@13.5.6, npm/@next/swc-linux-x64-gnu@13.5.6, npm/@next/swc-linux-x64-musl@13.5.6, npm/@next/swc-win32-arm64-msvc@13.5.6, npm/@next/swc-win32-ia32-msvc@13.5.6, npm/@next/swc-win32-x64-msvc@13.5.6, npm/glob-to-regexp@0.4.1, npm/next@13.5.6, npm/watchpack@2.4.0

View full report↗︎