devinit / datahub

Datahub v2
http://data.devinit.org
15 stars 4 forks source link

Update dependency next to v11 [SECURITY] #510

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) ^5.1.0 -> ^11.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-5284

Impact

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

Patches

https://github.com/zeit/next.js/releases/tag/v9.3.2

References

https://github.com/zeit/next.js/releases/tag/v9.3.2

CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

CVE-2021-37699

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Impact

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0


Release Notes

vercel/next.js (next) ### [`v11.1.3`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.3) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.2...v11.1.3) See https://github.com/vercel/next.js/releases/v12.0.5 for details about this patch. ### [`v11.1.2`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.2) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.1...v11.1.2) ##### Core Changes - chore: upgrade styled-jsx to 4.0.1: [#​28626](https://redirect.github.com/vercel/next.js/issues/28626) - getServerSideProps should support props value as Promise: [#​28607](https://redirect.github.com/vercel/next.js/issues/28607) - Ensure custom app regex is correct for Windows: [#​28631](https://redirect.github.com/vercel/next.js/issues/28631) ##### Credits Huge thanks to [@​huozhi](https://redirect.github.com/huozhi) and [@​kara](https://redirect.github.com/kara) for helping! ### [`v11.1.1`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.1) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.0...v11.1.1) ##### Core Changes - Next.js swc publish flow: [#​27984](https://redirect.github.com/vercel/next.js/issues/27984) - Ensure config file message is only shown once: [#​28017](https://redirect.github.com/vercel/next.js/issues/28017) - Add missing fields to `NextConfig` type: [#​27974](https://redirect.github.com/vercel/next.js/issues/27974) - use a shared worker pool for collecting page data and static page generation: [#​27924](https://redirect.github.com/vercel/next.js/issues/27924) - Use [@​next](https://redirect.github.com/next) scope for native packages: [#​28046](https://redirect.github.com/vercel/next.js/issues/28046) - Fix `generateBuildId` type that can be async function: [#​28040](https://redirect.github.com/vercel/next.js/issues/28040) - Fix image optimization encoding url: [#​28045](https://redirect.github.com/vercel/next.js/issues/28045) - Clean up `Document` in preparation for streaming: [#​28032](https://redirect.github.com/vercel/next.js/issues/28032) - Render as a concatenation of streams: [#​28082](https://redirect.github.com/vercel/next.js/issues/28082) - Add support for dynamic HTML: [#​28085](https://redirect.github.com/vercel/next.js/issues/28085) - Support suspense in next dynamic: [#​27611](https://redirect.github.com/vercel/next.js/issues/27611) - Handle blob urls in image component: [#​27975](https://redirect.github.com/vercel/next.js/issues/27975) - Bypass webpack compilation for precompiled [@​next/polyfills-nomodule](https://redirect.github.com/next/polyfills-nomodule): [#​27596](https://redirect.github.com/vercel/next.js/issues/27596) - Update `util` to 0.12.4: [#​27939](https://redirect.github.com/vercel/next.js/issues/27939) - Remove duplicate doctypes: [#​28089](https://redirect.github.com/vercel/next.js/issues/28089) - Fix revalidate for initial notFound: true paths: [#​28097](https://redirect.github.com/vercel/next.js/issues/28097) - Add proper error when failing to load next.config.js: [#​28099](https://redirect.github.com/vercel/next.js/issues/28099) - Fix: wrong link error message: [#​28127](https://redirect.github.com/vercel/next.js/issues/28127) - Add support for Jaeger trace target: [#​28129](https://redirect.github.com/vercel/next.js/issues/28129) - Enable pure client suspense in blocking rendering: [#​28165](https://redirect.github.com/vercel/next.js/issues/28165) - Add entrypoint tracing: [#​25538](https://redirect.github.com/vercel/next.js/issues/25538) - Add module type to build-module trace: [#​28128](https://redirect.github.com/vercel/next.js/issues/28128) - Update to latest babel versions: [#​28174](https://redirect.github.com/vercel/next.js/issues/28174) - Improve jaeger traces: [#​28168](https://redirect.github.com/vercel/next.js/issues/28168) - fix development mode bug with pages with "+" and other special characters: [#​28122](https://redirect.github.com/vercel/next.js/issues/28122) - let loaders automatically infer source map setting: [#​28204](https://redirect.github.com/vercel/next.js/issues/28204) - Avoid fs write `next-env.d.ts` on read-only filesystems: [#​28206](https://redirect.github.com/vercel/next.js/issues/28206) - Document usage of suspense option of next/dynamic: [#​28210](https://redirect.github.com/vercel/next.js/issues/28210) - Add warning when parent styles break `next/image`: [#​28221](https://redirect.github.com/vercel/next.js/issues/28221) - Use `zen-observable` library: [#​28214](https://redirect.github.com/vercel/next.js/issues/28214) - Fix HMR when custom \_app or \_document is removed: [#​28227](https://redirect.github.com/vercel/next.js/issues/28227) - Add relationship between issuer and module to traces: [#​28192](https://redirect.github.com/vercel/next.js/issues/28192) - Update generating next-server dependencies: [#​28223](https://redirect.github.com/vercel/next.js/issues/28223) - Fix `next/image` blur placeholder when JS is disabled: [#​28269](https://redirect.github.com/vercel/next.js/issues/28269) - Ensure adding \_app/\_document HMRs correctly: [#​28279](https://redirect.github.com/vercel/next.js/issues/28279) - upgrade webpack to 5.51.1: [#​28291](https://redirect.github.com/vercel/next.js/issues/28291) - \[ESLint] Adds `process.exit` to `next lint` success output: [#​28299](https://redirect.github.com/vercel/next.js/issues/28299) - Fix next env vars injection in dynamic: [#​28309](https://redirect.github.com/vercel/next.js/issues/28309) - Add layout to data-nimg attribute: [#​28312](https://redirect.github.com/vercel/next.js/issues/28312) - Add data attribute to script component: [#​28310](https://redirect.github.com/vercel/next.js/issues/28310) - Ensure [@​babel/core](https://redirect.github.com/babel/core) is de-duped when nccing: [#​28384](https://redirect.github.com/vercel/next.js/issues/28384) - Fix forked NODE_OPTIONS except for inspect: [#​28420](https://redirect.github.com/vercel/next.js/issues/28420) - \[ESLint] Enable caching by default: [#​28349](https://redirect.github.com/vercel/next.js/issues/28349) - Update test config to leverage swc: [#​28400](https://redirect.github.com/vercel/next.js/issues/28400) - Add missing `typescript` property to `NextConfig`: [#​28459](https://redirect.github.com/vercel/next.js/issues/28459) - next/script fix duplicate scripts : [#​28428](https://redirect.github.com/vercel/next.js/issues/28428) - Ensure error is shown correctly for empty headers field: [#​28430](https://redirect.github.com/vercel/next.js/issues/28430) - Add default trace format that is exported automatically: [#​28461](https://redirect.github.com/vercel/next.js/issues/28461) - Update i18n locales limit to warning: [#​28429](https://redirect.github.com/vercel/next.js/issues/28429) - Fix handling for 204 status code with a body: [#​28479](https://redirect.github.com/vercel/next.js/issues/28479) - Update warning when parent styles break `next/image`: [#​28517](https://redirect.github.com/vercel/next.js/issues/28517) - Support for functional Document components: [#​28515](https://redirect.github.com/vercel/next.js/issues/28515) - Ensure dev server side errors are correct: [#​28520](https://redirect.github.com/vercel/next.js/issues/28520) - Add CSP to Image Optimization API: [#​28620](https://redirect.github.com/vercel/next.js/issues/28620) ##### Documentation Changes - Fix incorrect error manifest path: [#​27970](https://redirect.github.com/vercel/next.js/issues/27970) - Add testing docs: [#​27965](https://redirect.github.com/vercel/next.js/issues/27965) - \[DOCS] Update testing docs: [#​28064](https://redirect.github.com/vercel/next.js/issues/28064) - \[ESLint] Disallow Githubissues.
  • Githubissues is a development platform for aggregating issues.