[Snyk] Upgrade next from 9.3.2 to 9.3.3 #3
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade next from 9.3.2 to 9.3.3.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.Release notes
Package name: next
Patches
Credits
Huge thanks to @bgoerdt, @herrstucki, @MichelleLucero, @liulanz, @sdhani, @JazibJafri, @ElForastero, @moeyashi, @Andarist, @comxd, @chislee0708, and @PullJosh for helping!
Patches
Credits
Huge thanks to @bgoerdt, @herrstucki, @MichelleLucero, @liulanz, @sdhani, @JazibJafri, @ElForastero, @moeyashi, @Andarist, @comxd, @chislee0708, and @PullJosh for helping!
This upgrade is completely backwards compatible and recommended for all users on versions below 9.3.2. For future security related communications of our OSS projects, please join this mailing list.
Next.js has just been audited by one of the top security firms in the world.
They found that attackers could craft special requests to access files in the dist directory (
.next
).This does not affect files outside of the dist directory (
.next
).In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
How to Upgrade
npm install next@latest --save
Impact
serverless
targetnext export
next start
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If you think sensitive code or data could have been exposed, you can filter logs of affected sites by
../
with a 200 response.What is Being Done
As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Luca Carettoni from Doyensec for their investigation and discovery of the original bug and subsequent responsible disclosure.
We've landed a patch that ensures only known filesystem paths of
.next/static
are made available under/_next/static
.Regression tests for this attack were added to the security integration test suite.
Patches
remark
link in blog-starter's README: #11177isStaging
inwith-env
example: #11305Credits
Huge thanks to @chibicode, @ijjk, @timneutkens, @sebastianbenz, @zhe, @shaswatsaxena, @prateekbh, @vvo, @lfades, @bbortt, @aviaryan, @mgranados, @julianbenegas, @gregrickaby, @dulmandakh, @yosuke-furukawa, @tinymachine, @bgoerdt, @nicolasrouanne, @filipesmedeiros, @rishabhsaxena, and @queq1890 for helping!
Commit messages
Package name: next
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs