Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency next to v14.2.15 [security] #670

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 18, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 14.2.10 -> 14.2.15 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.


Release Notes

vercel/next.js (next)

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

v14.2.12

Compare Source

v14.2.11

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link

vercel bot commented Dec 18, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
fairdataihub-website ❌ Failed (Inspect) Dec 18, 2024 6:42pm

Copy link

sourcery-ai bot commented Dec 18, 2024

Reviewer's Guide by Sourcery

This PR updates the Next.js dependency from version 14.2.10 to 14.2.15 to address a security vulnerability (CVE-2024-51479) related to middleware authorization bypass. The update also includes several bug fixes and feature improvements from versions 14.2.11 through 14.2.15.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change Details Files
Security vulnerability fix for middleware authorization bypass
  • Patches CVE-2024-51479 which could allow bypassing authorization in middleware for root-level pages
  • Affects only direct root-level pages (e.g., /foo) but not nested pages or root
package.json
yarn.lock
Core Next.js improvements and bug fixes
  • Added support for breadcrumb style catch-all parallel routes
  • Fixed client reference access causing metadata missing
  • Added support for decoding prop in next/image
  • Added images.localPatterns configuration
  • Fixed i18n routing issues
  • Fixed revalidateTag() behavior in server components
  • Improved prefetch bailout detection for nested loading segments
package.json
yarn.lock

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time. You can also use
    this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

Copy link
Contributor

github-actions bot commented Dec 18, 2024

Running Lighthouse audit...

Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants