
fix(deps): update dependency next to v14.1.1 [security] #325

Merged: 1 commit, May 10, 2024

Conversation

renovate[bot] (Contributor) commented May 10, 2024

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| next (source) | 14.1.0 -> 14.1.1 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

  • Next.js (<14.1.1) is running in a self-hosted* manner.
  • The Next.js application makes use of Server Actions.
  • The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
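Added example, not code from this PR or from Next.js: for a self-hosted deployment that does not route on the Host header, a Host allowlist applied before a relative redirect target (a path starting with "/") is turned into an absolute URL. `ALLOWED_HOSTS`, the hostnames and the function names are assumptions made for the example.

```javascript
// Added example (not Next.js code): validate the Host header against an
// allowlist and only then resolve a relative redirect against it.
// Hostnames and paths below are constructed for the example.

const ALLOWED_HOSTS = new Set(['app.example.com', 'localhost:3000']);

// Normalise the Host header: trim, lower-case, drop default ports.
function normaliseHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const host = hostHeader.trim().toLowerCase();
  // A Host header carries only host[:port]; reject anything else.
  if (host === '' || /[\/@\s]/.test(host)) return null;
  return host.replace(/:(80|443)$/, '');
}

// True only when the request's Host header names a host we serve.
function isTrustedHost(hostHeader) {
  const host = normaliseHost(hostHeader);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Resolve a relative redirect (must start with "/") to an absolute URL
// against an allowlisted host rather than the raw header value.
// Returns null when the host is untrusted or the result leaves the allowlist.
function resolveRelativeRedirect(location, hostHeader, scheme = 'https') {
  if (typeof location !== 'string' || !location.startsWith('/')) return null;
  if (!isTrustedHost(hostHeader)) return null;
  const origin = `${scheme}://${normaliseHost(hostHeader)}`;
  const target = new URL(location, origin);
  // Re-check that the resolved target still sits on an allowed host.
  if (!ALLOWED_HOSTS.has(target.host.toLowerCase())) return null;
  return target.href;
}

// Stand-alone demonstration with constructed inputs.
console.log(resolveRelativeRedirect('/dashboard', 'app.example.com'));
console.log(resolveRelativeRedirect('/dashboard', 'untrusted.example'));
```

Requests whose Host header fails `isTrustedHost` should be rejected before any Server Action runs; the second call above returns null for that reason.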

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote


Release Notes

vercel/next.js (next)

v14.1.1

Compare Source

Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary

Core Changes
Credits

Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!


Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label May 10, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud


New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/@actions/core@1.10.0 | environment, filesystem Transitive: network | +1 | 144 kB | thboop |
| npm/@babel/core@7.21.4 | environment, filesystem, unsafe | +18 | 4.47 MB | nicolo-ribaudo |
| npm/@babel/generator@7.21.4 | None | +1 | 571 kB | nicolo-ribaudo |
| npm/@babel/helper-plugin-utils@7.20.2 | None | 0 | 11.9 kB | nicolo-ribaudo |
| npm/@babel/parser@7.21.4 | None | 0 | 1.87 MB | nicolo-ribaudo |
| npm/@babel/template@7.20.7 | None | 0 | 68.8 kB | nicolo-ribaudo |
| npm/@babel/traverse@7.21.4 | None | +4 | 620 kB | nicolo-ribaudo |
| npm/@babel/types@7.21.4 | environment | +1 | 2.51 MB | nicolo-ribaudo |
| npm/@jridgewell/set-array@1.1.2 | None | 0 | 15.5 kB | jridgewell |
| npm/@jridgewell/sourcemap-codec@1.4.14 | None | 0 | 40 kB | jridgewell |
| npm/@jridgewell/trace-mapping@0.3.17 | None | +1 | 219 kB | jridgewell |
| npm/@octokit/core@4.2.0 | Transitive: network | +9 | 5.26 MB | octokitbot |
| npm/@types/babel__traverse@7.18.3 | None | 0 | 65.2 kB | types |
| npm/@types/istanbul-lib-coverage@2.0.4 | None | 0 | 5.76 kB | types |
| npm/@types/jest@29.5.0 | None | 0 | 79.2 kB | types |
| npm/@types/node-fetch@2.6.3 | None | +2 | 236 kB | types |
| npm/@types/node@18.15.11 | None | 0 | 3.65 MB | types |
| npm/define-properties@1.2.0 | None | +1 | 21.8 kB | ljharb |
| npm/es-abstract@1.21.2 | None | +21 | 3.04 MB | ljharb |
| npm/eslint@8.37.0 | filesystem Transitive: unsafe | +26 | 6.63 MB | eslintbot |
| npm/espree@7.3.1 | None | +1 | 97 kB | eslintbot |
| npm/esprima@4.0.1 | None | 0 | 314 kB | ariya |
| npm/estraverse@5.2.0 | None | 0 | 36.9 kB | michaelficarra |
| npm/expect@29.5.0 | Transitive: environment, unsafe | +17 | 965 kB | simenb |
| npm/find-up@4.1.0 | Transitive: filesystem | +5 | 41.2 kB | sindresorhus |
| npm/get-intrinsic@1.1.1 | eval | +2 | 60.4 kB | ljharb |
| npm/get-intrinsic@1.2.0 | eval | 0 | 38.7 kB | ljharb |
| npm/glob@7.1.7 | filesystem Transitive: environment | +9 | 139 kB | isaacs |
| npm/globals@13.11.0 | None | +1 | 156 kB | sindresorhus |
| npm/graceful-fs@4.2.6 | environment, filesystem | 0 | 28.6 kB | isaacs |
| npm/has-symbols@1.0.2 | None | 0 | 18.1 kB | ljharb |
| npm/is-callable@1.2.3 | None | 0 | 21.1 kB | ljharb |
| npm/is-core-module@2.11.0 | None | 0 | 28.1 kB | ljharb |
| npm/is-symbol@1.0.3 | None | 0 | 22.2 kB | ljharb |
| npm/is-typed-array@1.1.10 | None | +4 | 64.2 kB | ljharb |
| npm/istanbul-lib-coverage@3.2.0 | None | 0 | 29.3 kB | oss-bot |
| npm/istanbul-lib-instrument@4.0.3 | None | +2 | 100 kB | coreyfarrell |
| npm/istanbul-lib-instrument@5.2.1 | None | 0 | 70.2 kB | oss-bot |
| npm/jest-diff@27.4.2 | eval | +2 | 142 kB | simenb |
| npm/jest@27.4.5 | Transitive: environment, eval, filesystem, network, shell, unsafe | +213 | 14 MB | simenb |
| npm/jest@29.5.0 | Transitive: environment, eval, filesystem, network, shell, unsafe | +81 | 3.3 MB | simenb |
| npm/lodash.omit@4.5.0 | None | 0 | 40.9 kB | jdalton |
| npm/lodash.pick@4.4.0 | None | 0 | 16.3 kB | jdalton |
| npm/minimist@1.2.5 | None | 0 | 32.4 kB | substack |
| npm/object-inspect@1.12.3 | None | 0 | 94.8 kB | ljharb |
| npm/picomatch@2.3.0 | None | 0 | 89 kB | jonschlinkert |
| npm/prettier@2.5.1 | environment, eval, filesystem, unsafe | 0 | 21 MB | sosukesuzuki |
| npm/prettier@2.8.7 | environment, filesystem, unsafe | 0 | 11.2 MB | prettier-bot |
| npm/pretty-format@27.4.2 | eval Transitive: environment | +7 | 203 kB | simenb |
| npm/pretty-format@29.5.0 | Transitive: environment | +3 | 452 kB | simenb |
| npm/regexpp@3.2.0 | None | 0 | 302 kB | mysticatea |
| npm/resolve@1.20.0 | filesystem | +4 | 173 kB | ljharb |
| npm/resolve@1.22.1 | environment, filesystem | +1 | 150 kB | ljharb |
| npm/semver@7.6.2 | None | 0 | 95.4 kB | npm-cli-ops |
| npm/signal-exit@3.0.4 | None | 0 | 9.21 kB | isaacs |
| npm/signal-exit@3.0.7 | None | 0 | 9.96 kB | isaacs |
| npm/string-width@4.2.2 | None | +2 | 58.4 kB | sindresorhus |
| npm/typescript@4.5.3 | None | 0 | 64 MB | typescript-bot |
| npm/whatwg-url@8.5.0 | None | +2 | 324 kB | domenic |
| npm/word-wrap@1.2.3 | None | 0 | 10.6 kB | jonschlinkert |

🚮 Removed packages: (list omitted)

View full report↗︎

@renovate renovate bot merged commit 8951cc3 into main May 10, 2024
7 checks passed
@renovate renovate bot deleted the renovate/npm-next-vulnerability branch May 10, 2024 09:03

🎉 This PR is included in version 1.39.14 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
