rolling-scopes / rsschool-app

An application for the RS School education process
https://app.rs.school
Mozilla Public License 2.0

chore(deps): update dependency next to v14.1.1 [security] #2477

Closed apalchys closed 2 weeks ago

apalchys commented 1 month ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| next (source) | dependencies | major | 13.4.3 -> 14.1.1 |

GitHub Vulnerability Alerts

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

CVE-2024-34350

Impact

Inconsistent interpretation of a crafted HTTP request meant that it was treated both as a single request and as two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

- Adam Kues - Assetnote
- Shubham Shah - Assetnote


Release Notes

vercel/next.js

### [`v14.1.1`](https://togithub.com/vercel/next.js/releases/tag/v14.1.1)

[Compare Source](https://togithub.com/vercel/next.js/compare/v14.1.0...v14.1.1)

*Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary*

##### Core Changes

- Should not warn metadataBase missing if only absolute urls are present: [https://github.com/vercel/next.js/pull/61898](https://togithub.com/vercel/next.js/pull/61898)
- Fix trailing slash for canonical url: [https://github.com/vercel/next.js/pull/62109](https://togithub.com/vercel/next.js/pull/62109)
- Fix metadata json manifest convention: [https://github.com/vercel/next.js/pull/62615](https://togithub.com/vercel/next.js/pull/62615)
- Improve the Server Actions SWC transform: [https://github.com/vercel/next.js/pull/61001](https://togithub.com/vercel/next.js/pull/61001)
- Fix Server Reference being double registered: [https://github.com/vercel/next.js/pull/61244](https://togithub.com/vercel/next.js/pull/61244)
- Improve the Server Actions SWC transform (part 2): [https://github.com/vercel/next.js/pull/62052](https://togithub.com/vercel/next.js/pull/62052)
- Fix module-level Server Action creation with closure-closed values: [https://github.com/vercel/next.js/pull/62437](https://togithub.com/vercel/next.js/pull/62437)
- Fix draft mode invariant: [https://github.com/vercel/next.js/pull/62121](https://togithub.com/vercel/next.js/pull/62121)
- fix: babel usage with next/image: [https://github.com/vercel/next.js/pull/61835](https://togithub.com/vercel/next.js/pull/61835)
- Fix next/server api alias for ESM pkg: [https://github.com/vercel/next.js/pull/61721](https://togithub.com/vercel/next.js/pull/61721)
- Replace image optimizer IPC call with request handler: [https://github.com/vercel/next.js/pull/61471](https://togithub.com/vercel/next.js/pull/61471)
- chore: refactor image optimization to separate external/internal urls: [https://github.com/vercel/next.js/pull/61172](https://togithub.com/vercel/next.js/pull/61172)
- fix(image): warn when animated image is missing unoptimized prop: [https://github.com/vercel/next.js/pull/61045](https://togithub.com/vercel/next.js/pull/61045)
- fix(build-output): show stack during CSR bailout warning: [https://github.com/vercel/next.js/pull/62594](https://togithub.com/vercel/next.js/pull/62594)
- Fix extra swc optimizer applied to node_modules in browser layer: [https://github.com/vercel/next.js/pull/62051](https://togithub.com/vercel/next.js/pull/62051)
- fix(next-swc): Detect exports.foo from cjs_finder: [https://github.com/vercel/next.js/pull/61795](https://togithub.com/vercel/next.js/pull/61795)
- Fix attempted import error for react: [https://github.com/vercel/next.js/pull/61791](https://togithub.com/vercel/next.js/pull/61791)
- Add stack trace to client rendering bailout error: [https://github.com/vercel/next.js/pull/61200](https://togithub.com/vercel/next.js/pull/61200)
- fix router crash on revalidate + popstate: [https://github.com/vercel/next.js/pull/62383](https://togithub.com/vercel/next.js/pull/62383)
- fix loading issue when navigating to page with async metadata: [https://github.com/vercel/next.js/pull/61687](https://togithub.com/vercel/next.js/pull/61687)
- revert changes to process default routes at build: [https://github.com/vercel/next.js/pull/61241](https://togithub.com/vercel/next.js/pull/61241)
- fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: [https://github.com/vercel/next.js/pull/60776](https://togithub.com/vercel/next.js/pull/60776)
- Improve redirection handling: [https://github.com/vercel/next.js/pull/62561](https://togithub.com/vercel/next.js/pull/62561)
- Simplify node/edge server chunking some: [https://github.com/vercel/next.js/pull/62424](https://togithub.com/vercel/next.js/pull/62424)

##### Credits

Huge thanks to [@huozhi](https://togithub.com/huozhi), [@shuding](https://togithub.com/shuding), [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood), [@styfle](https://togithub.com/styfle), [@ijjk](https://togithub.com/ijjk), [@ztanner](https://togithub.com/ztanner), [@balazsorban44](https://togithub.com/balazsorban44), [@kdy1](https://togithub.com/kdy1), and [@williamli](https://togithub.com/williamli) for helping!

### [`v14.1.0`](https://togithub.com/vercel/next.js/releases/tag/v14.1.0)

[Compare Source](https://togithub.com/vercel/next.js/compare/v14.0.4...v14.1.0)

##### Core Changes

- Turbopack: switch to a single client components entrypoint: [#59352](https://togithub.com/vercel/next.js/issues/59352)
- Update `swc_core` to `v0.86.98` and turbopack: [#59393](https://togithub.com/vercel/next.js/issues/59393)
- Fix cases for the `optimize_server_react` transform: [#59390](https://togithub.com/vercel/next.js/issues/59390)
- Use new JSX transform: [#56294](https://togithub.com/vercel/next.js/issues/56294)
- loading.tsx should have no effect on partial rendering when PPR is enabled: [#59196](https://togithub.com/vercel/next.js/issues/59196)
- Update font data: [#59426](https://togithub.com/vercel/next.js/issues/59426)
- Remove CacheNode.status field: [#59472](https://togithub.com/vercel/next.js/issues/59472)
- Rename CacheNode.data → .lazyData: [#59473](https://togithub.com/vercel/next.js/issues/59473)
- Generate Params Cleanup: [#59431](https://togithub.com/vercel/next.js/issues/59431)
- Fix webpack chunks handling in traces: [#59498](https://togithub.com/vercel/next.js/issues/59498)
- Rename CacheNode.subTreeData -> .rsc: [#59491](https://togithub.com/vercel/next.js/issues/59491)
- fix NODE_OPTIONS=inspect: [#59530](https://togithub.com/vercel/next.js/issues/59530)
- Add CacheNode.prefetchRsc field: [#59537](https://togithub.com/vercel/next.js/issues/59537)
- allow passing wildcard domains in serverActions.allowedDomains: [#59428](https://togithub.com/vercel/next.js/issues/59428)
- Page Info Cleanup: [#59430](https://togithub.com/vercel/next.js/issues/59430)
- Fix force-static and fetch no-store cases: [#59549](https://togithub.com/vercel/next.js/issues/59549)
- Should not show no index for client rendering bailout: [#59531](https://togithub.com/vercel/next.js/issues/59531)
- Enable build worker by default: [#59405](https://togithub.com/vercel/next.js/issues/59405)
- Fork navigateReducer into PPR and non-PPR versions: [#59538](https://togithub.com/vercel/next.js/issues/59538)
- cleanup magic segment strings: [#59552](https://togithub.com/vercel/next.js/issues/59552)
- chore: update Turbopack: [#59589](https://togithub.com/vercel/next.js/issues/59589)
- Fix another magic segment string constant: [#59591](https://togithub.com/vercel/next.js/issues/59591)
- Make CacheNodeSeedData match FlightRouterState more closely: [#59590](https://togithub.com/vercel/next.js/issues/59590)
- transpilePackages should override default settings for external packages: [#59385](https://togithub.com/vercel/next.js/issues/59385)
- move segment constants to separate file: [#59587](https://togithub.com/vercel/next.js/issues/59587)
- Revert "Page Info Cleanup ([#59430](https://togithub.com/vercel/next.js/issues/59430))": [#59592](https://togithub.com/vercel/next.js/issues/59592)
- Fix useOptimistic in server components bug. Add tests for invalid React server APIs: [#59621](https://togithub.com/vercel/next.js/issues/59621)
- Partial Pre Rendering Headers: [#59447](https://togithub.com/vercel/next.js/issues/59447)
- Add tests for invalid React server APIs: [#59622](https://togithub.com/vercel/next.js/issues/59622)
- Refactor setup-dev-bundler to make Turbopack/Webpack split clearer: [#59650](https://togithub.com/vercel/next.js/issues/59650)
- refactor and simplify app dynamic components: [#59658](https://togithub.com/vercel/next.js/issues/59658)
- Change manifestPath to pagesManifestPath: [#59657](https://togithub.com/vercel/next.js/issues/59657)
- Fix issue with outputFileTracingExcludes and pages/api edge runtime: [#59157](https://togithub.com/vercel/next.js/issues/59157)
- Update font data: [#59722](https://togithub.com/vercel/next.js/issues/59722)
- Remove path normalization logic when uploading .next/trace traces: [#59305](https://togithub.com/vercel/next.js/issues/59305)
- LayoutRouter: Support segment value of Promise to asynchronously bail out and trigger a server patch: [#59724](https://togithub.com/vercel/next.js/issues/59724)
- fix: Allow start turbopack dev server for a project using middleware: [#59759](https://togithub.com/vercel/next.js/issues/59759)
- fix: gracefully shutdown server: [#59551](https://togithub.com/vercel/next.js/issues/59551)
- Revert "fix: gracefully shutdown server ([#59551](https://togithub.com/vercel/next.js/issues/59551))": [#59792](https://togithub.com/vercel/next.js/issues/59792)
- Optionally bundle legacy react-dom/server APIs based on usage: [#59737](https://togithub.com/vercel/next.js/issues/59737)
- fix `default` handling in route groups that handle interception: [#59752](https://togithub.com/vercel/next.js/issues/59752)
- Transpile all code on app browser layer: [#59569](https://togithub.com/vercel/next.js/issues/59569)
- Initial implementation of PPR client navigations: [#59725](https://togithub.com/vercel/next.js/issues/59725)
- fix(turbopack): prevent edge entrypoint from becoming an async module: [#59818](https://togithub.com/vercel/next.js/issues/59818)
- Ensure we validate revalidate configs properly: [#59822](https://togithub.com/vercel/next.js/issues/59822)
- Update error check in validateRevalidate: [#59826](https://togithub.com/vercel/next.js/issues/59826)
- Rename confusing loaders: [#59827](https://togithub.com/vercel/next.js/issues/59827)
- Upgrade og dependencies: [#59541](https://togithub.com/vercel/next.js/issues/59541)
- \[PPR Navs] Bugfix: Dynamic data never streams in if prefetch entry is stale: [#59833](https://togithub.com/vercel/next.js/issues/59833)
- fix parallel catch-all route normalization: [#59791](https://togithub.com/vercel/next.js/issues/59791)
- fix router prefetch cache key to work with route interception: [#59861](https://togithub.com/vercel/next.js/issues/59861)
- Alias nextjs api entry to esm version for app router: [#59852](https://togithub.com/vercel/next.js/issues/59852)
- Remove duplicate standalone check: [#60085](https://togithub.com/vercel/next.js/issues/60085)
- Remove return on void function: [#60087](https://togithub.com/vercel/next.js/issues/60087)
- Ensure NextBuildContext is only used during build: [#60099](https://togithub.com/vercel/next.js/issues/60099)
- Add PageExtensions type: [#60108](https://togithub.com/vercel/next.js/issues/60108)
- Ensure instrumentation file does not affect middleware count: [#60102](https://togithub.com/vercel/next.js/issues/60102)
- Use WebpackError type instead of any: [#60105](https://togithub.com/vercel/next.js/issues/60105)
- Remove root parameter: [#60112](https://togithub.com/vercel/next.js/issues/60112)
- Remove extra duplicate pages warning: [#60113](https://togithub.com/vercel/next.js/issues/60113)
- Add MappedPages type: [#60106](https://togithub.com/vercel/next.js/issues/60106)
- Always call createPagesMapping for root paths: [#60107](https://togithub.com/vercel/next.js/issues/60107)
- Fix path issues on linux machines when build created on windows: [#60116](https://togithub.com/vercel/next.js/issues/60116)
- fix: Fix wrong cjs detection of `auto-cjs` pass: [#60118](https://togithub.com/vercel/next.js/issues/60118)
- chore: update Copyright time from 2023 to 2024: [#60071](https://togithub.com/vercel/next.js/issues/60071)
- Filter out duplicate paths in build output: [#59858](https://togithub.com/vercel/next.js/issues/59858)
- chore: align webpack config node version: [#59862](https://togithub.com/vercel/next.js/issues/59862)
- gracefully handle client router segment mismatches: [#60141](https://togithub.com/vercel/next.js/issues/60141)
- Fix start build log being overwritten by logs from page: [#60122](https://togithub.com/vercel/next.js/issues/60122)
- Allow using ESM pkg with custom incremental cache: [#59863](https://togithub.com/vercel/next.js/issues/59863)
- Fix emitting ESM swc helpers for 3rd parties CJS libs in bundle: [#60169](https://togithub.com/vercel/next.js/issues/60169)
- Move cacheDir logic to getCacheDir: [#60133](https://togithub.com/vercel/next.js/issues/60133)
- Refactor to unify writeFile, readFile, and add readManifest: [#60137](https://togithub.com/vercel/next.js/issues/60137)
- chore: bump `@vercel/nft@0.26.2`: [#60172](https://togithub.com/vercel/next.js/issues/60172)
- fix: `
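The response queue poisoning class behind CVE-2024-34350 arises when two components disagree on where one HTTP/1.1 request ends and the next begins. The advisory above does not describe the exact header shape that triggered the Next.js bug, so the following is a general example added here, not code from rsschool-app or Next.js: a strict framing decision for a request head that refuses everything two parsers could legitimately read differently (Content-Length together with Transfer-Encoding, conflicting Content-Length values, non-decimal lengths, whitespace before the colon, obsolete line folding, and a Transfer-Encoding where `chunked` is not the single final coding). The sample request heads are constructed, and the function names are this example's own.

```javascript
// Added example, not rsschool-app or Next.js code: strict HTTP/1.1 framing
// decision for a request head, refusing anything two parsers could read differently.
// Input is the header block only (request line removed), CRLF-separated.

class FramingError extends Error {}

// Parse "Name: value" lines. Throws on constructs RFC 9112 forbids or calls out
// as request smuggling vectors (folded lines, whitespace before the colon).
function parseHeaders(head) {
  const headers = [];
  for (const line of head.split('\r\n').filter((l) => l.length > 0)) {
    if (/^[ \t]/.test(line)) throw new FramingError('obsolete line folding');
    const idx = line.indexOf(':');
    if (idx <= 0) throw new FramingError(`malformed header line: ${line}`);
    const name = line.slice(0, idx);
    // tchar only: a trailing space in "Content-Length :" is a classic desync trick
    if (!/^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/.test(name)) throw new FramingError(`invalid field name: ${name}`);
    headers.push([name.toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return headers;
}

// Returns { kind: 'none' }, { kind: 'length', length } or { kind: 'chunked' }.
function decideFraming(head) {
  const headers = parseHeaders(head);
  const te = headers.filter(([n]) => n === 'transfer-encoding').map(([, v]) => v);
  const cl = headers.filter(([n]) => n === 'content-length').map(([, v]) => v);

  // RFC 9112 section 6.3: both fields present is the CL.TE / TE.CL smuggling shape. Reject.
  if (te.length && cl.length) throw new FramingError('both Transfer-Encoding and Content-Length');

  if (te.length) {
    // Repeated TE fields form one comma list; "chunked" must appear once and be last.
    const codings = te.join(',').split(',').map((c) => c.trim().toLowerCase()).filter(Boolean);
    const chunkedCount = codings.filter((c) => c === 'chunked').length;
    if (chunkedCount !== 1 || codings[codings.length - 1] !== 'chunked') {
      throw new FramingError(`unsupported Transfer-Encoding: ${te.join(', ')}`);
    }
    return { kind: 'chunked' };
  }

  if (cl.length) {
    // Several CL values are acceptable only when identical; each must be plain decimal digits.
    const values = cl.flatMap((v) => v.split(',').map((s) => s.trim()));
    if (!values.every((v) => /^[0-9]+$/.test(v))) throw new FramingError(`invalid Content-Length: ${cl.join(', ')}`);
    if (new Set(values).size !== 1) throw new FramingError('conflicting Content-Length values');
    return { kind: 'length', length: Number(values[0]) };
  }
  return { kind: 'none' };
}

// String verdict for logging or front-proxy decisions instead of an exception.
function framingVerdict(head) {
  try {
    const f = decideFraming(head);
    return f.kind === 'length' ? `length:${f.length}` : f.kind;
  } catch (e) {
    if (e instanceof FramingError) return `reject:${e.message}`;
    throw e;
  }
}

// Constructed sample heads (not captured traffic).
const SAMPLE_HEADS = {
  plain: 'Host: app.rs.school\r\nContent-Length: 13',
  chunked: 'Host: app.rs.school\r\nTransfer-Encoding: chunked',
  noBody: 'Host: app.rs.school',
  clte: 'Host: app.rs.school\r\nContent-Length: 4\r\nTransfer-Encoding: chunked',
  doubleCl: 'Host: app.rs.school\r\nContent-Length: 4\r\nContent-Length: 10',
  obfuscatedTe: 'Host: app.rs.school\r\nTransfer-Encoding: xchunked',
  spaceBeforeColon: 'Host: app.rs.school\r\nContent-Length : 4',
  folded: 'Host: app.rs.school\r\n Content-Length: 4',
};

for (const [name, head] of Object.entries(SAMPLE_HEADS)) console.log(name, '=>', framingVerdict(head));
```

A front component that applies this rule and closes the connection on `reject:` leaves nothing for a downstream parser to disagree about; the upgrade in this PR is still required, because the desync itself lived inside Next.js.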
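CVE-2024-34351 above describes the Host header steering server-side requests made on the application's behalf. As an added example that is not code from rsschool-app or Next.js, the block below contrasts the vulnerable pattern (building an absolute URL from the client-supplied Host and following it server-side) with a hardened resolver in which the Host header can never pick the destination: the host is checked against an allowlist, untrusted values fall back to a fixed canonical origin, scheme-relative targets such as `//evil.example/x` are refused, and the resolved URL is verified to still sit on the chosen origin. `TRUSTED_HOSTS`, `CANONICAL_ORIGIN` and the function names are assumptions of this example, not settings of the project or of Next.js.

```javascript
// Added example, not rsschool-app or Next.js code: resolving a relative redirect
// target for a server-side follow when the Host header is attacker-controlled.

const TRUSTED_HOSTS = new Set(['app.rs.school', 'localhost:3000']); // assumed allowlist
const CANONICAL_ORIGIN = 'https://app.rs.school';                   // assumed fallback origin

// Vulnerable pattern: the absolute target is built from whatever Host the client sent.
// A modified Host turns "/api/profile" into a request to the attacker's server, issued
// from the application server's own network position (SSRF).
function unsafeResolve(location, hostHeader) {
  return new URL(location, `https://${hostHeader}`).toString();
}

// Hardened: a relative redirect is only ever followed against a trusted origin.
// Returns the absolute URL to fetch, or null when the request must be refused.
function safeResolve(location, hostHeader, trusted = TRUSTED_HOSTS, fallback = CANONICAL_ORIGIN) {
  // Only a plain absolute path counts as a relative redirect. "//evil.example/x" and
  // "/\evil.example" are scheme-relative and would change the host after resolution.
  if (typeof location !== 'string' || !/^\/(?![\/\\])/.test(location)) return null;

  const host = (hostHeader || '').trim().toLowerCase();
  // The Host header selects nothing unless it is exactly an allowlisted, well-formed authority.
  const origin = trusted.has(host) && /^[a-z0-9.-]+(:\d{1,5})?$/.test(host)
    ? `https://${host}`
    : fallback;

  const url = new URL(location, origin);
  // Defence in depth: the resolved URL must still point at the origin we chose.
  if (url.origin !== new URL(origin).origin) return null;
  return url.toString();
}

// Constructed demonstration (not captured traffic).
const demo = [
  ['/api/profile', 'attacker.example'],
  ['/api/profile', 'App.RS.School'],
  ['//attacker.example/x', 'app.rs.school'],
  ['/dashboard', 'localhost:3000'],
];
for (const [location, host] of demo) {
  console.log(`Host: ${host} Location: ${location}`);
  console.log('  unsafe ->', unsafeResolve(location, host));
  console.log('  safe   ->', safeResolve(location, host));
}
```

Refusing the request outright instead of falling back to the canonical origin is an equally valid policy; what matters is that the client-controlled Host never chooses where the server connects. The check is defence in depth around the application, not a substitute for the 14.1.1 upgrade.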