
Bump next from 6.1.2 to 7.0.2 #2508

Merged
merged 2 commits into from
Jan 3, 2019

Conversation

dependabot-preview[bot] (Contributor)

@dependabot-preview dependabot-preview bot commented Dec 11, 2018

Bumps next from 6.1.2 to 7.0.2.

Release notes

Sourced from next's releases.

7.0.2

Release Notes

This upgrade is completely backwards compatible and recommended for all users on version 7.0.0 and 7.0.1.
For future security related communications of our OSS projects, please join this mailing list.

Next.js has just been audited by one of the top security firms in the world. They found an XSS vulnerability on /_error pages (404, 500), where an attacker could craft a request that executes client-side code on these particular pages. As a reminder, websites that follow OWASP security guidelines should see minimized impact from this attack vector.

How to Upgrade

  • We have released patch versions for both the stable and canary channels of Next.js.
  • The following versions fix this bug and include precautions to avoid similar problems in the future.
  • Run npm install next@latest --save
  • When using the canary release channel use npm install next@canary --save

Impact

  • Affected: Users of Next.js using version 7.0.0 and 7.0.1
  • Not affected: Deployments on https://now.sh (like https://zeit.co) are mitigated.
  • Not affected: Static deployments via next export

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

How to Assess Impact

If you think sensitive code or data could have been exposed, please filter logs of affected sites by /' with a 404 response.

What is Being Done

As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Jessica Stokes from Buildkite, lvh and Jeremy Rauch from Latacora for their investigation and discovery of the original bug and subsequent responsible disclosure.

Next.js 7.0.0 included a bugfix for the inline script generation code; it previously had a condition that would always return false, causing the error page to not be initialized. The generated code passed the pathname through the htmlescape module to escape arbitrary HTML characters. However, this module does not escape single quotes ('), meaning that an attacker could break out of the code block by including extra single quotes in the pathname. In Next.js 7.0.2 we have completely removed the user-provided pathname value from the inline script tag. Regression tests for this attack were added to the security test suite.

  • We have notified known Next.js users in advance of this publication.
  • A public CVE was released.
  • If you want to stay on top of our security related news impacting Next.js or other ZEIT projects, please join this mailing list.
  • We encourage responsible disclosure of future issues. Please email us at security@zeit.co. We are actively monitoring this mailbox.

v7.0.2-canary.41

Patches

  • Add tsc type checking: #5826
  • Mark react/react-dom as external when in lambdas mode: #5828

v7.0.2-canary.40

Patches

  • Remove console.log after verifying the correct files are ignored: 1a5fc941ce53a3e192a388b0caa65922078e96e4
... (truncated)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
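The single-quote escaping gap described in the release notes, as an added example that is not Next.js's or this PR's own code: a hypothetical inline-script template that HTML-escapes a pathname with an htmlescape-style escaper (which leaves `'` alone) sits beside a serializer that encodes data for the script context, with two checks that make the difference measurable. The template, `window.__DATA__` and all function names are assumed stand-ins, since the real Next.js code is not on this page; 7.0.2's actual fix removed the pathname from the inline script entirely, so the hardened helper here is an alternative mitigation, not the project's.

```javascript
// Added example, not Next.js code: HTML escaping is the wrong escaping for a
// value that lands inside a JS string literal in an inline <script>.

// Escaper in the spirit of the htmlescape module: handles & < > " but not '.
function htmlEscapeNoSingleQuote(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Vulnerable (hypothetical) template: the escaped value is placed inside a
// single-quoted JS string, so a ' in the pathname ends the string early.
function vulnerableInlineScript(pathname) {
  return "<script>window.__DATA__ = { page: '" +
    htmlEscapeNoSingleQuote(pathname) + "' }</script>";
}

// Serializer for data embedded in an inline script: JSON.stringify escapes
// quotes and backslashes; < > & and the JS line terminators U+2028/U+2029 are
// replaced with \u escapes that both JSON.parse and the JS engine decode.
function serializeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function hardenedInlineScript(pathname) {
  return '<script>window.__DATA__ = ' +
    serializeForInlineScript({ page: pathname }) + '</script>';
}

// Check 1: the vulnerable template expects exactly two single quotes in the
// output; any other count means the pathname moved the string boundaries.
function singleQuoteCount(html) {
  return (html.match(/'/g) || []).length;
}

// Check 2: the hardened output closes the script tag exactly once, at the very
// end, and the embedded JSON decodes back to the original pathname.
function hardenedRoundTrip(pathname) {
  const html = hardenedInlineScript(pathname);
  const closesOnce = html.indexOf('</script>') === html.length - '</script>'.length;
  const json = html.slice('<script>window.__DATA__ = '.length, -'</script>'.length);
  return { closesOnce, page: JSON.parse(json).page };
}
```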

@dependabot-preview dependabot-preview bot added the dependencies Related to dependency updates label Dec 11, 2018
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from d60bd8d to bb7676f Compare December 11, 2018 15:45
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 11, 2018 15:45 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from bb7676f to f067e37 Compare December 11, 2018 20:57
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 11, 2018 20:57 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from f067e37 to 254c968 Compare December 11, 2018 21:04
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 11, 2018 21:05 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 254c968 to bea18f5 Compare December 11, 2018 21:38
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 11, 2018 21:38 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from bea18f5 to 86533ad Compare December 12, 2018 19:31
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 12, 2018 19:32 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 86533ad to 81beba2 Compare December 13, 2018 17:43
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 13, 2018 17:43 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 81beba2 to 235d6f9 Compare December 13, 2018 19:10
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 13, 2018 19:10 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 235d6f9 to 17e38e5 Compare December 13, 2018 19:16
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 13, 2018 19:17 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 17e38e5 to 4a26b99 Compare December 16, 2018 20:49
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 16, 2018 20:50 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 4a26b99 to 1f5326b Compare December 16, 2018 20:56
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 16, 2018 20:56 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 1f5326b to 47b17a8 Compare December 17, 2018 17:54
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 17, 2018 17:54 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 47b17a8 to f3162c5 Compare December 18, 2018 21:48
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 18, 2018 21:49 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from f3162c5 to 452e924 Compare December 19, 2018 17:32
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 19, 2018 17:33 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 452e924 to 018551d Compare December 19, 2018 22:51
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 19, 2018 22:51 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 018551d to 0574413 Compare December 20, 2018 20:23
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 20, 2018 20:23 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 0574413 to 45ce2aa Compare December 20, 2018 20:26
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 20, 2018 20:27 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 45ce2aa to c7f2355 Compare December 21, 2018 20:55
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 21, 2018 20:55 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from c7f2355 to be0998e Compare December 24, 2018 02:51
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 24, 2018 02:51 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from be0998e to 71cb1fe Compare December 24, 2018 03:10
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 24, 2018 03:10 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from 71cb1fe to ad28ac0 Compare December 26, 2018 22:05
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 26, 2018 22:05 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from ad28ac0 to c4875cb Compare December 26, 2018 22:20
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 26, 2018 22:20 Inactive
@dependabot-preview dependabot-preview bot force-pushed the dependabot/npm_and_yarn/next-7.0.2 branch from c4875cb to ff0d911 Compare December 30, 2018 21:50
@paulmelnikow paulmelnikow temporarily deployed to shields-staging-pr-2508 December 30, 2018 21:50 Inactive
Bumps [next](https://github.com/zeit/next.js) from 6.1.2 to 7.0.2.
- [Release notes](https://github.com/zeit/next.js/releases)
- [Commits](vercel/next.js@6.1.2...7.0.2)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@paulmelnikow paulmelnikow requested a deployment to shields-staging-pr-2508 January 3, 2019 14:50 Abandoned
@paulmelnikow paulmelnikow merged commit dfe2b1c into master Jan 3, 2019
@dependabot-preview dependabot-preview bot deleted the dependabot/npm_and_yarn/next-7.0.2 branch January 3, 2019 14:52
Labels
dependencies Related to dependency updates