Open renovate[bot] opened 1 week ago
The latest updates on your projects. Learn more about Vercel for Git ↗︎
Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
react-celo | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Jun 18, 2024 8:59pm |
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@next/env@12.3.4, npm/@next/swc-android-arm-eabi@12.3.4, npm/@next/swc-android-arm64@12.3.4, npm/@next/swc-darwin-arm64@12.3.4, npm/@next/swc-darwin-x64@12.3.4, npm/@next/swc-freebsd-x64@12.3.4, npm/@next/swc-linux-arm-gnueabihf@12.3.4, npm/@next/swc-linux-arm64-gnu@12.3.4, npm/@next/swc-linux-arm64-musl@12.3.4, npm/@next/swc-linux-x64-gnu@12.3.4, npm/@next/swc-linux-x64-musl@12.3.4, npm/@next/swc-win32-arm64-msvc@12.3.4, npm/@next/swc-win32-ia32-msvc@12.3.4, npm/@next/swc-win32-x64-msvc@12.3.4, npm/@swc/helpers@0.4.11, npm/next@12.3.4
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
Alert | Package | Note | Source | CI |
---|---|---|---|---|
AI warning | npm/next@13.5.6 | | | 🚫 |
AI has identified unusual behaviors that may pose a security risk.
An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with `@SocketSecurity ignore` followed by a space separated list of `ecosystem/package-name@version` specifiers, e.g. `@SocketSecurity ignore npm/foo@1.0.0`, or ignore all packages with `@SocketSecurity ignore-all`.
@SocketSecurity ignore npm/next@13.5.6
This PR contains the following updates:
^12.1.6 -> ^13.0.0
GitHub Vulnerability Alerts
CVE-2023-46298
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
Next.js missing cache-control header may lead to CDN caching empty reply
CVE-2023-46298 / GHSA-c59h-r6p8-q9wc
More information
#### Details

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

#### Severity

Low

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2023-46298](https://nvd.nist.gov/vuln/detail/CVE-2023-46298)
- [https://github.com/vercel/next.js/issues/45301](https://togithub.com/vercel/next.js/issues/45301)
- [https://github.com/vercel/next.js/pull/54732](https://togithub.com/vercel/next.js/pull/54732)
- [https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648](https://togithub.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648)
- [https://github.com/vercel/next.js](https://togithub.com/vercel/next.js)
- [https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13](https://togithub.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-c59h-r6p8-q9wc) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes
vercel/next.js (next)
### [`v13.5.0`](https://togithub.com/vercel/next.js/compare/v13.4.19...v13.5.0)

[Compare Source](https://togithub.com/vercel/next.js/compare/v13.4.19...v13.5.0)

### [`v13.4.19`](https://togithub.com/vercel/next.js/releases/tag/v13.4.19)

[Compare Source](https://togithub.com/vercel/next.js/compare/v13.4.18...v13.4.19)

##### Core Changes

- fix: invalid module transform for `@headlessui/react`: [#54206](https://togithub.com/vercel/next.js/issues/54206)
- chore: remove unnecessary type cast in dev-build-watcher: [#54221](https://togithub.com/vercel/next.js/issues/54221)
- fix process.env not being available in standalone mode: [#54203](https://togithub.com/vercel/next.js/issues/54203)
- Fix missing `devPageFiles` collection: [#54224](https://togithub.com/vercel/next.js/issues/54224)
- Add `Route` and `LinkProps` stub generics: [#54226](https://togithub.com/vercel/next.js/issues/54226)
- Use `createClientModuleProxy` from Flight Server: [#54232](https://togithub.com/vercel/next.js/issues/54232)
- Add default not found to loader tree of group routes root layer: [#54228](https://togithub.com/vercel/next.js/issues/54228)
- feat(image): add support for custom `loaderFile` when `loader: default`: [#53417](https://togithub.com/vercel/next.js/issues/53417)
- Fix renamed export of Server Actions: [#54241](https://togithub.com/vercel/next.js/issues/54241)
- Ensures App Router Link respects scroll-behavior: smooth when only hash is changed.: [#54243](https://togithub.com/vercel/next.js/issues/54243)

##### Misc Changes

- Update dd-trace used for internal tools: [#54214](https://togithub.com/vercel/next.js/issues/54214)
- (Fix)Broken `upgrading.mdx` link : [#54234](https://togithub.com/vercel/next.js/issues/54234)
- chore: skip CI run on forks: [#54219](https://togithub.com/vercel/next.js/issues/54219)
- chore(ci): bump `cancel-workflow-action@0.11.0`: [#54246](https://togithub.com/vercel/next.js/issues/54246)

##### Credits

Huge thanks to [@opnay](https://togithub.com/opnay), [@styfle](https://togithub.com/styfle), [@timneutkens](https://togithub.com/timneutkens), [@ztanner](https://togithub.com/ztanner), [@shuding](https://togithub.com/shuding), [@huozhi](https://togithub.com/huozhi), [@vinaykulk621](https://togithub.com/vinaykulk621), [@balazsorban44](https://togithub.com/balazsorban44), [@goguda](https://togithub.com/goguda), and [@coreyleelarson](https://togithub.com/coreyleelarson) for helping!

### [`v13.4.18`](https://togithub.com/vercel/next.js/releases/tag/v13.4.18)

[Compare Source](https://togithub.com/vercel/next.js/compare/v13.4.17...v13.4.18)

##### Core Changes

- refactor: remove edge condition for module proxy path: [#54167](https://togithub.com/vercel/next.js/issues/54167)
- Remove unused variables: [#54149](https://togithub.com/vercel/next.js/issues/54149)
- chore: improve ts types for `position` in `dev-build-watcher`: [#54124](https://togithub.com/vercel/next.js/issues/54124)
- Turbopack: Strip relative path prefix when generating PageLoaderAsset: [#54040](https://togithub.com/vercel/next.js/issues/54040)
- Add `size` property to `ReadonlySearchParams`: [#53144](https://togithub.com/vercel/next.js/issues/53144)
- Assign default not-found boundary if custom not-found is not present for root layer only: [#54185](https://togithub.com/vercel/next.js/issues/54185)
- Allow range version for eslint config: [#53751](https://togithub.com/vercel/next.js/issues/53751)
- Automatically modularizeImports for the popular [@headlessui/react](https://togithub.com/headlessui/react) library: [#54188](https://togithub.com/vercel/next.js/issues/54188)
- fix bfcache restoration behavior: [#54198](https://togithub.com/vercel/next.js/issues/54198)

##### Misc Changes

- Update rust toolchain: [#54130](https://togithub.com/vercel/next.js/issues/54130)

##### Credits

Huge thanks to [@huozhi](https://togithub.com/huozhi), [@shuding](https://togithub.com/shuding), [@styfle](https://togithub.com/styfle), [@jridgewell](https://togithub.com/jridgewell), [@bencmbrook](https://togithub.com/bencmbrook), [@cramforce](https://togithub.com/cramforce), and [@ztanner](https://togithub.com/ztanner) for helping!

### [`v13.4.17`](https://togithub.com/vercel/next.js/releases/tag/v13.4.17)

[Compare Source](https://togithub.com/vercel/next.js/compare/v13.4.16...v13.4.17)

##### Core Changes

- fix(next/image): empty blur image when animated [#54028](https://togithub.com/vercel/next.js/issues/54028)
- Do not output pages 404 in tree view if app not-found is used: [#54051](https://togithub.com/vercel/next.js/issues/54051)
- Fix scroll bailout logic when targeting fixed/sticky elements: [#53873](https://togithub.com/vercel/next.js/issues/53873)
- Debug tracing: add updated modules and page to HMR span: [#53698](https://togithub.com/vercel/next.js/issues/53698)
- fix(next-swc): coerce mdxrs default options: [#54068](https://togithub.com/vercel/next.js/issues/54068)
- fix: don't add forceConsistentCasingInFileNames to tsconfig when ts version >= 5.0: [#51564](https://togithub.com/vercel/next.js/issues/51564)
- fix(47299): allow testing pages with metadata in jsdom test environment: [#53578](https://togithub.com/vercel/next.js/issues/53578)
- upgrade edge-runtime dependency: [#54117](https://togithub.com/vercel/next.js/issues/54117)
- Fix root not-found page tree loader structure: [#54080](https://togithub.com/vercel/next.js/issues/54080)
- chore: remove `as any` type cast: [#54074](https://togithub.com/vercel/next.js/issues/54074)
- chore: refactor to use `fs.promises.rm()`: [#54076](https://togithub.com/vercel/next.js/issues/54076)
- Refactor layout router creation in app-render: [#54126](https://togithub.com/vercel/next.js/issues/54126)
- chore(image): remove apple silicon workaround for versions older than `node@16.5.0`: [#54125](https://togithub.com/vercel/next.js/issues/54125)
- fix routing bug when bfcache is hit following an mpa navigation: [#54081](https://togithub.com/vercel/next.js/issues/54081)
- Tracing: add opt-in flag to send a subset of development traces to url: [#53880](https://togithub.com/vercel/next.js/issues/53880)
- fix(edge): override init when cloning with `NextRequest`: [#54108](https://togithub.com/vercel/next.js/issues/54108)
- OpenTel: remove the internal (ipc) fetched from traces in a non-verbose mode: [#54083](https://togithub.com/vercel/next.js/issues/54083)
- cleanup: remove unnecessary effect dep: [#54134](https://togithub.com/vercel/next.js/issues/54134)
- Next build: use exported `handle_issues` from turbopack: [#52972](https://togithub.com/vercel/next.js/issues/52972)
- node-web-streams: remove tee shim, use ReadableStream.tee: [#54079](https://togithub.com/vercel/next.js/issues/54079)
- fix: `cookies().has()` breaks in app-route: [#54112](https://togithub.com/vercel/next.js/issues/54112)
- Revert "fix(47299): allow testing pages with metadata in jsdom test environment": [#54160](https://togithub.com/vercel/next.js/issues/54160)

##### Documentation Changes

- fix missing `'` in data-fetching/fetching-caching-and-revalidating: [#54058](https://togithub.com/vercel/next.js/issues/54058)

##### Example Changes

- Update Docker example to remove HOSTNAME: [#54102](https://togithub.com/vercel/next.js/issues/54102)

##### Misc Changes

- chore: hide "same on new version" without link: [#54048](https://togithub.com/vercel/next.js/issues/54048)
- chore(ci): small notes for the build steps: [#54073](https://togithub.com/vercel/next.js/issues/54073)
- chore: update lock bot wording: [#54099](https://togithub.com/vercel/next.js/issues/54099)
- Update `swc_core` to `v0.79.59`: [#54082](https://togithub.com/vercel/next.js/issues/54082)
- install-native.mjs: include `packageManager` field: [#54132](https://togithub.com/vercel/next.js/issues/54132)

##### Credits

Huge thanks to [@balazsorban44](https://togithub.com/balazsorban44), [@huozhi](https://togithub.com/huozhi), [@ztanner](https://togithub.com/ztanner), [@williamli](https://togithub.com/williamli), [@wbinnssmith](https://togithub.com/wbinnssmith), [@kwonoj](https://togithub.com/kwonoj), [@stefanprobst](https://togithub.com/stefanprobst), [@feugy](https://togithub.com/feugy), [@timneutkens](https://togithub.com/timneutkens), [@kdy1](https://togithub.com/kdy1), [@Kikobeats](https://togithub.com/Kikobeats), [@styfle](https://togithub.com/styfle), [@dvoytenko](https://togithub.com/dvoytenko), [@MaxLeiter](https://togithub.com/MaxLeiter), and [@devjiwonchoi](https://togithub.com/devjiwonchoi) for helping!

### [`v13.4.16`](https://togithub.com/vercel/next.js/releases/tag/v13.4.16)

[Compare Source](https://togithub.com/vercel/next.js/compare/v13.4.15...v13.4.16)

##### Core Changes

- Concept: test mode for Playwright and similar integration tools: [#52520](https://togithub.com/vercel/next.js/issues/52520)
- Turbopack: fix hiding node_modules warnings in error overlay.: [#54022](https://togithub.com/vercel/next.js/issues/54022)
- ci(next-swc): print glibc version when build: [#54026](https://togithub.com/vercel/next.js/issues/54026)
- Adjust internal action proxy export: [#54004](https://togithub.com/vercel/next.js/issues/54004)

##### Documentation Changes

- Update 05-client-side-rendering.mdx with latest tanstack query version: [#54009](https://togithub.com/vercel/next.js/issues/54009)
- Open Graph Image font declaration moved to correct place: [#53998](https://togithub.com/vercel/next.js/issues/53998)
- Update opengraph-image.mdx: Fix typo: [#54020](https://togithub.com/vercel/next.js/issues/54020)

##### Misc Changes

- Remove extra label from runner: [#54002](https://togithub.com/vercel/next.js/issues/54002)
- add standalone testcase for ipv6 hostnames: [#53999](https://togithub.com/vercel/next.js/issues/53999)
- release: add release log generation script: [#54006](https://togithub.com/vercel/next.js/issues/54006)
- test(ci): refine test suite name unique: [#54013](https://togithub.com/vercel/next.js/issues/54013)
- Leverage previous swc build images: [#54027](https://togithub.com/vercel/next.js/issues/54027)
- chore: mark build folder indexable: [#54029](https://togithub.com/vercel/next.js/issues/54029)
- Move turbo outside of build for docker swc builds: [#54035](https://togithub.com/vercel/next.js/issues/54035)

##### Credits

Huge thanks to [@ijjk](https://togithub.com/ijjk), [@ztanner](https://togithub.com/ztanner), [@huozhi](https://togithub.com/huozhi), [@lacymorrow](https://togithub.com/lacymorrow), [@dvoytenko](https://togithub.com/dvoytenko), [@kylemcd](https://togithub.com/kylemcd), [@kwonoj](https://togithub.com/kwonoj), [@tibi1220](https://togithub.com/tibi1220), [@wbinnssmith](https://togithub.com/wbinnssmith), and [@shuding](https://togithub.com/shuding) for helping!

### [`v13.4.15`](https://togithub.com/vercel/next.js/releases/tag/v13.4.15)

[Compare Source](https://togithub.com/vercel/next.js/compare/v13.4.13...v13.4.15)

##### Core Changes

- Fix action failures due to state tree encoding: [#53655](https://togithub.com/vercel/next.js/issues/53655)
- Initial HMR Nexturbo API implementation: [#52950](https://togithub.com/vercel/next.js/issues/52950)
- Turbopack: add edge app routes : [#53387](https://togithub.com/vercel/next.js/issues/53387)
- Turbopack: Hide Turbo Engine internals: [#53007](https://togithub.com/vercel/next.js/issues/53007)
- add unit test case for next.rs api: [#53679](https://togithub.com/vercel/next.js/issues/53679)
- Fix not-found rendering in production with edge: [#53687](https://togithub.com/vercel/next.js/issues/53687)
- fix(next/image): don't call ReactDOM.preload if missing, such as jest: [#53443](https://togithub.com/vercel/next.js/issues/53443)
- Add docs page for uncaught DynamicServerErrors: [#53402](https://togithub.com/vercel/next.js/issues/53402)
- Consolidate Server and Routing process into one process: [#53523](https://togithub.com/vercel/next.js/issues/53523)
- fix: Update outdated transform imports lucide-react: [#53697](https://togithub.com/vercel/next.js/issues/53697)
- Update font data: [#53759](https://togithub.com/vercel/next.js/issues/53759)
- Add warnings for static generation bail outs: [#53761](https://togithub.com/vercel/next.js/issues/53761)
- Sort root entries per pageExtensions config for consistency: [#53769](https://togithub.com/vercel/next.js/issues/53769)
- improve error message for conflicting parallel segments: [#53803](https://togithub.com/vercel/next.js/issues/53803)
- Add `changeFrequency` and `priority` attributes to sitemaps: [#48484](https://togithub.com/vercel/next.js/issues/48484)
- Ensure we set cache-control: no-cache for actions: [#53824](https://togithub.com/vercel/next.js/issues/53824)
- Reuse RenderWorker type: [#53782](https://togithub.com/vercel/next.js/issues/53782)
- fix: normalize backslash in `getStaticPaths()` for windows: [#53876](https://togithub.com/vercel/next.js/issues/53876)
- Delete errorneous empty content length header: [#53843](https://togithub.com/vercel/next.js/issues/53843)
- Turbopack: more tests and bugfixes for next.rs api: [#53809](https://togithub.com/vercel/next.js/issues/53809)
- Add `@heroicons/react` to `modularizeImports`: [#53902](https://togithub.com/vercel/next.js/issues/53902)
- Turbopack: Fix debugging in napi for next-api: [#53889](https://togithub.com/vercel/next.js/issues/53889)
- Fix/match resource: [#53796](https://togithub.com/vercel/next.js/issues/53796)
- Use summary_large_image as twitter card if images present by default: [#53919](https://togithub.com/vercel/next.js/issues/53919)
- Turbopack: Emit whether server or client assets changed: [#53879](https://togithub.com/vercel/next.js/issues/53879)
- Limit sharp's concurrency: [#53385](https://togithub.com/vercel/next.js/issues/53385)
- enable [@vercel/og](https://togithub.com/vercel/og) support for turbopack: [#53917](https://togithub.com/vercel/next.js/issues/53917)
- feat(image): DataURL placeholder support for

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.