🚨 [security] Update next: 12.0.7 → 12.0.9 (patch)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next (12.0.7 → 12.0.9) · Repo

Security Advisories 🚨

🚨 DOS Vulnerability for self-hosted next.js apps using i18n

Impact

Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.

Affected: All of the following must be true to be affected by this CVE

Next.js versions above v12.0.0

Using next start or a custom server

Using the built-in i18n support

Not affected:

Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

Patches

A patch has been released, next@12.0.9, that mitigates this issue. We recommend all affected users upgrade as soon as possible.

Workarounds

We recommend upgrading whether you can reproduce or not although you can ensure /${locale}/_next/ is blocked from reaching the Next.js instance until you upgrade.

For more information

If you have any questions or comments about this advisory:

Open an issue in next

Email us at security@vercel.com

Release Notes

12.0.9

Core Changes

middlewares: limit process.env to inferred usage: #33186

update webpack: #33207

Abstract out native filesystem usage from the base server: #33226

use text data url instead of base64 for shorter encoding: #33218

chore(deps): upgrade postcss: #33142

Fix global process testing for the process polyfill: #33220

Update swc: #33201

improve full refresh overlay: #33301

Custom app for server components: #33149

Update yarn PnP tests and disable swc file reading for PnP: #33236

Base Http for BaseServer: #32999

Update swc: #33342

Update check for fallback pages during export: #33323

Pre-compile more dependencies: #32742

Remove node fetch polyfill from base server: #33395

Replace regexp to plain string for optimization render HTML: #33306

Fix broken html on streaming render for error page: #33399

Disable cache for rsc pages: #33438

Fix pre-compiled check from copying react-refresh-utils: #33442

fix(next-swc): Update swc: #33427

Move middleware handling to node server: #33448

Enforce absolute URLs in Edge Functions runtime: #33410

feat(next-swc): Update swc: #33461

Update main field for nccd jest-worker: #33465

chore(deps): upgrade node-fetch: #33466

Move static serving to next server: #33475

feat(next-swc): Update swc: #33485

Fix multiple calls to image onLoadingComplete(): #33474

Refactor base server to remove native dependencies: #33499

Update swc: #33514

Implement abstract methods to get manifest files in the base server: #33537

Simplify getMiddlewareInfo calls: #33542

Fix static file check with i18n: #33503

Bump styled-jsx: #33546

Ensure optional value normalizing is correct for index: #33547

Bump nft to 0.17.4: #33548

Add next-multilingual example: #29386

Removed the s from NextConfig: #33560

feat(next-swc): Update swc: #33595

Fix rsc export component name detection: #33608

upgrade webpack: #33549

Ensure fetch polyfill is loaded in next-server: #33616

feat(next-swc): Update swc: #33628

Add lazyRoot optional property to next/image component : #33290

feat(next-swc): Update swc: #33675

Implement web server as the request handler for edge SSR: #33635

Relay Support in Rust Compiler: #33240

Revert "Relay Support in Rust Compiler": #33699

Documentation Changes

Fixed broken link related to the recently merged Data fetching docs refactor: #33209

Removed backticks on data fetching api titles: #33216

Added links to data fetching api refs, fixed title: #33221

Remove outdated & possibly confusing statement about redirects: #33224

[examples] Add a statically generated blog example using Next.js and Builder.io: #22094

Typo Fix: #33252

Update font-optimization.md: #33266

Fixed broken links in data fetching docs: #33250

docs: Mention middleware for getStaticProps: #33273

Add sections for Remove React Properties and Remove Console to compiler docs: #33311

Update links in next export + next/image error message: #33317

Add onLoad gottcha note to next/script docs: #33097

Update security-headers.md: fix path does not match homepage: #33137

fix minor typo in SWR: #33378

ReferenceError in authentication.md example fixed: #33411

docs: fix url: #33409

fix(docs): Fix typo in Custom Build Id docs: #33515

[docs] Update authentication docs to fix iron-session link.: #33483

docs(authentication): fix iron-session example link: #33502

Update middleware documentation for custom server: #33535

Removed unrequired path in docs' manifest: #33579

Update next/server documentation for geo: #33609

Clarify next/image usage with next export based on feedback.: #33555

Clarify headers config option description: #33484

fix(errors/no-cache): netlify-plugin-cache-nextjs has been deprecated: #33629

Updated docs for getServerSideProps and getStaticProps return values: #33577

Use relative path for example: #33565

chore(docs): update security headers specification: #33673

REMOVE: duplicate key in docs/testing.md: #33681

Example Changes

[examples] Update remark dependency for blog-starter: #33313

Update package.json for examples/with-supabase-auth-realtime-db: #33321

Working example for building forms with Next.js: #32669

Updates dependency version of frontend SDK in with-supertokens example: #33393

docs: add skynexui to examples: #33326

Update with-linaria dependency: #33487

Update Supabase example README.: #33610

[examples] Add new Tailwind CSS Prettier plugin to example: #33614

Misc Changes

Update license year

fix(docs): master branch renaming: #33312

Add link to security email directly.: #33358

Fix getServerSideProps hanging in dev on early end: #33366

[docs] Fix 404 link for testing example.: #33407

Update to latest version of turbo: #33613

Update other instances of node-fetch: #33617

12.0.8

Core Changes

Fix no-server-import-in-page eslint rule for subfolder middleware: #32139

Create Base Server: #32154

Revert support for render prop in <Main />: #32184

Refactor FS references in the Base Server: #32179

telemetry: collect feature usage for linting during build: #32022

Chore/load bindings improvements: #32191

fix(NODE_ENV): Warn when launching start or build on development: #14033

Fix crash in no-page-custom-font eslint rule when default export is unnamed.: #32251

Add docs for leveraging outputStandalone config: #32255

Replace raw-body with get-stream and bytes: #21915

Update to latest ncc and ensure caniuse-lite data is external : #32064

Update swc: #32210

Simplify custom Writable: #32247

Add shake exports transform to next-swc: #32253

Revert "Replace raw-body with get-stream and bytes": #32305

Re-open chore(deps): upgrade browserslist: #32300

Fix RSC link navigation: #32303

Compile escape-string-regexp: #32310

Add unstable_useRefreshRoot: #32342

Upate swc: #32365

fix unstable_useRefreshRoot typing: #32364

fix(next-swc/styled-jsx): Fix nth: #32358

Rename experimental vital hook: #32343

Inline server data response with partial hydration: #32330

Update jsx transform of swc: #32383

Fix running server with Polyfilled fetch: #32368

Fix dynamic routes with pages under index folder: #32440

Fixes #32338 missing Document components trigger an error for production builds: #32345

Fixes for inline embedding data in the web runtime: #32471

Add vitals and rsc to npm files: #32472

fixes to allow lazy compilation for import(): #32441

upgrade webpack and watchpack: #32173

Update to filter loader specific files from traces: #32267

Fix server data cache key: #32506

[middleware] Fix hydration for rewrites to dynamic pages: #32534

Ensure image-optimizer is traced for standalone mode: #32522

Remove unused classnames dependency from react-dev-overlay: #32487

next-swc: Emit errors and add tests to next-ssg: #32254

Include message body in redirect responses: #31886

Prevent NEXT_PHASE env change in workers: #28941

Check stack property for page export exceptions: #32289

fix(next-swc/styled-jsx): Fix interpolation in media query: #32490

Update swc: #32566

Add turbo / improve Rust build caching in GitHub Actions: #31464

Fix ReadableStream.pipeTo() being unimplemented in the web runtime: #32602

Ensure AMP optimizer is only excluded from trace when not used: #32577

Upgraded next-env dependencies: #32613

Feat/14701 full reload notification: #28866

Move fs API for inc cache to node server: #32604

Add options to defaultGetInitialProps and upgrade styled-jsx-with-csp example: #32594

Fix style.filter on image with placeholder=blur: #32623

Fix writing strings to the writable stream writer: #32637

fix(next/jest): do not watch .next folder: #32659

chore: Update swc: #32664

Pre-compile more dependencies: #32627

Upgrade react 18 to rc, drop prerelease warning: #32619

next-swc: styled-jsx error checking and reporting updated (invalid-styled-jsx-children.md): #31940

Fix style reset on image with placeholder=blur: #32680

Pre-compile more dependencies continued: #32679

web runtime: add AbortController & AbortSignal: #32089

Don't swallow test failures caused by POSIX signals: #32688

Escape from next head in rsc _error page: #32624

fix popstate detection for safari when basepath is present: #32687

Bust cache for RSC in each render: #32710

Update web runtime externals: #32717

Reduce styled-jsx size in client bundle: #32730

Bump nft to version 0.17.1: #32737

Remove anonymous default export rule from Babel: #32763

feat(eslint): allow a for internal url when target="blank" present: #32780

fix(eslint-plugin-next): Broken links in eslint output: #32837

[ESLint] Adds lint rule to flag usage of <head>: #32897

ignore .d.ts files inside pages folder: #30728

Fix next/image noscript tag to only render when lazy: #32918

Simplify trace span id generation: #32946

Move resolve-url-loader into Next.js: #32932

fix(router): scroll to top when href="/" and hash already present: #32954

Remove un-needed test dependency: #32616

Fix issue with escape-string-regexp in IE11: #32708

Allow to opt-out from preflight cache: #32767

Ensure setImmediate and punycode are polyfilled: #32768

Fixes issue with makeStylesheetInert: #32027

Reduce install size for linux glibc/musl: #32850

Ensure middleware is output in standalone mode: #32967

Revert "Reduce install size for linux glibc/musl": #32973

feat(cli): introduce next info CLI command: #32972

Ensure NODE_ENV is not inlined for next/jest: #33032

converted the old tailwind css example to typescript : #32808

fix: ensure revalidation error is logged from response-cache: #32657

Bump @vercel/nft to 0.17.2: #33048

Add util for generating new tests/error documents: #33001

Fix middleware at root in standalone mode: #33053

Update swc: #33063

use a separate webpack runtime for middleware: #33134

Allow dependencies to use environment variables in middlewares: #33141

next-swc: fix ssg code elimination when used in render: #32709

drop dynamic import with ssr: false on server-side: #32606

Fix broken yarn pnp: #32867

Add util for normalizing errors: #33159

Documentation Changes

Fixed Yarn and NPM dev swapped arguments: #32135

Removed misleading id's from headings: #32163

Details about starting dev server Next.js docs.: #32002

Add Umbraco Heartcore blog example: #21409

Fix error page doc for no server import in page: #32164

Document staticPageGenerationTimeout config: #32306

Change using-preact example dependencies and docs: #30394

Updated link to Local Images: #32427

docs: remove empty example link: #32439

Update react version to rc in react-18 doc: #32473

doc: update remark import: #32481

Include mention of the onError Prop for next/script: #31945

Document basePath redirect field for getStaticProps/getServerSideProps: #32550

Fix typo in documentation: #32581

Add moduleDirectories for TS Jest Config: #32574

Added section about router methods returning a promise: #31341

Added example for setting cookie before redirect in middleware: #32542

chore: convert Jest examples to TypeScript: #32705

Update note about .next/static in standalone mode: #32771

Fixed syntax error in the example of React Hydration Error: #32773

fix: typo: #32820

Update the React 18 documentation: #32896

doc: add quotes to api: #32898

Update lint-staged example to use node.js path: #30510

Update scrolling example using query param instead of hash: #31473

Updated wrong link to example of gtag init in measuring-performance.md: #32974

Update deployment documentation.: #32006

Fix link for Next.js Analytics in docs: #33049

docs: fix typo in MDX docs: #33077

docs: minor text-copy cleanup: #33120

No info on environment variables in the src folder (#33110): #33136

Add Caveats section to custom error page: #33160

Fixes #33153: Updating cross-references from master to main + canary: #33198

Docs: correct ignorance pattern for .env.local: #32647

Refactor data fetching API docs: #30615

Example Changes

fix cms-sanity example: #32182

Fix issue in auth0 example: #32293

Update Next.js version in api rate limits example: #32326

Update example for Tailwind v3: #32339

chore: remove duplicate example: #32391

Updated to working example: #32256

Update Dockerfile: #32299

Update docker image to leverage output traces: #32258

chore(blog-starter): update tailwindcss to v3: #32398

fix: setup prismic image host: #31589

fix: add .web.jsx extension support in react-native-web example: #32076

Update 14-alpine to 16-alpine: #31777

chore(blog-starter-typescript): update tailwindcss to v3: #32579

Typo fix in comments: #32609

This example does not show how to use Jest with TypeScript: #32633

Updates with-supertokens example: Fixes init race condition: #32706

Add authentication example using Stytch: #32194

Update Sentry example readme to mention Next.js 12 support: #32724

fix(examples): Update nextjs-graphql-with-prisma-simple example API endpoint: #32759

chore(examples): remove duplicate examples: #32779

fix(examples): bring with-semantic-ui example up-to-date: #32805

fix(examples): update link URL in cms-kontent example: #32806

Add id to inline Segment script: #32878

Remove un-necessary second yarn install from example Dockerfile: #32934

fix(examples): add missing dependencies: #32977

Rename api in with-redis example: #33016

fix(examples/cms-contentful): add correct Content-Type + missing closing tag for html: #30321

Avoid page double render with emotion vanilla: #30541

fix: typescript example supporting strict w/ version >= 4.4: #33042

[chore] Update deta version in examples: #30204

(examples/with-next-translate) Removed Redundancies in Strings: #29501

Remove extra config from tailwind example: #33062

Adding Asset Component for Rich Text Renderer: #32503

Misc Changes

chore: auto close inactive issues without reproduction: #32214

Ensure wasm dev artifact uploads even on cache hit: #32248

Ensure test wasm does not fail for docs only change: #32259

chore: lock version on stale action: #32262

Fix styled-jsx tests from swc bump: #32297

Update AMP validation tests: #32327

Update only fetch all tags for publish commits: #32337

Fix flakey next/link react streaming test: #32351

test: add wait timeout between clicks for rsc link: #32376

test: add timeout for dev entries to avoid hard navigation: #32476

chore: lock stale & closed issues sooner

Added docs issue template: #32488

Ensure experimental SWC options invalidate the cache: #32540

Edited contribution docs: #32583

Update contributing guidelines for examples: #32584

Remove unused turbo env vars: #32588

Move some img tests out of serverless mode: #32620

Disable turbo for build-native temporarily: #32621

Add test case for middleware rewrite to fallback: true page: #32626

Ensure device IP is used for safari browserstack test: #32712

fix: run prettier on with-jest and with-jest-babel examples

Update readme.md of next-mdx to allow typescript file extensions for pages: #32830

chore: decrease stale time before closing issues with no reproduction: #32955

Re-enable turbo caching for swc build jobs: #32617

fix(ci): Remove unused turbo remote cache env vars: #33030

Update next.config.js: #33091

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase
Rebases against your default branch and redoes this update

@depfu recreate
Recreates this PR, overwriting any edits that you've made to it

@depfu merge
Merges this PR once your tests are passing and conflicts are resolved

@depfu close
Closes this PR and deletes the branch

@depfu reopen
Restores the branch and reopens this PR (if it's closed)

@depfu pause
Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)