chore(nextjs): Update dependency next [SECURITY] #3418

renovate · 2024-05-22T09:06:04Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	`^13.5.4` -> `^14.0.0`
next (source)	`^13.5` -> `^14.0.0`
next (source)	`14.1.0` -> `14.1.1`

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

Next.js (<14.1.1) is running in a self-hosted* manner.
The Next.js application makes use of Server Actions.
The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

Release Notes

vercel/next.js (next)

Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary

Core Changes

Should not warn metadataBase missing if only absolute urls are present: https://github.com/vercel/next.js/pull/61898
Fix trailing slash for canonical url: https://github.com/vercel/next.js/pull/62109
Fix metadata json manifest convention: https://github.com/vercel/next.js/pull/62615
Improve the Server Actions SWC transform: https://github.com/vercel/next.js/pull/61001
Fix Server Reference being double registered: https://github.com/vercel/next.js/pull/61244
Improve the Server Actions SWC transform (part 2): https://github.com/vercel/next.js/pull/62052
Fix module-level Server Action creation with closure-closed values: https://github.com/vercel/next.js/pull/62437
Fix draft mode invariant: https://github.com/vercel/next.js/pull/62121
fix: babel usage with next/image: https://github.com/vercel/next.js/pull/61835
Fix next/server api alias for ESM pkg: https://github.com/vercel/next.js/pull/61721
Replace image optimizer IPC call with request handler: https://github.com/vercel/next.js/pull/61471
chore: refactor image optimization to separate external/internal urls: https://github.com/vercel/next.js/pull/61172
fix(image): warn when animated image is missing unoptimized prop: https://github.com/vercel/next.js/pull/61045
fix(build-output): show stack during CSR bailout warning: https://github.com/vercel/next.js/pull/62594
Fix extra swc optimizer applied to node_modules in browser layer: https://github.com/vercel/next.js/pull/62051
fix(next-swc): Detect exports.foo from cjs_finder: https://github.com/vercel/next.js/pull/61795
Fix attempted import error for react: https://github.com/vercel/next.js/pull/61791
Add stack trace to client rendering bailout error: https://github.com/vercel/next.js/pull/61200
fix router crash on revalidate + popstate: https://github.com/vercel/next.js/pull/62383
fix loading issue when navigating to page with async metadata: https://github.com/vercel/next.js/pull/61687
revert changes to process default routes at build: https://github.com/vercel/next.js/pull/61241
fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: https://github.com/vercel/next.js/pull/60776
Improve redirection handling: https://github.com/vercel/next.js/pull/62561
Simplify node/edge server chunking some: https://github.com/vercel/next.js/pull/62424

Credits

Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!

`v14.1.0`

Compare Source

`v14.0.4`

Compare Source

`v14.0.3`

Compare Source

`v14.0.2`

Compare Source

`v14.0.1`

Compare Source

Core Changes

Add Next.js 14 codemods to CLI output.: #57552
OpenTelemetry: propagate a configured context(s) to root requests: #57084
debug: Add tags to next build traces to track build configuration in the .next/trace file: #56965
[Traces] Await the flush of the trace write stream to make sure trace file is written: #57641
Add node-pty to externals list: #57640
fix: move logging config validation out of experimental: #57530
Update font data: #57728
Support viewport export via TS Plugin: #57554
Fix: Build compilation warning when using middleware: #57685
chore: Update flight-client-entry-plugin.ts typo: #57734
Improve error for missing default export in dynamic metadata routes: #57711
fix gsp tracing issue: #57766
fix(turbopack): don't match empty route groups: #57647
Update React from 8c8ee9e to 0c63487 and types: #57772

Documentation Changes

Add missing dot in codemod command: #57536
docs(fix): example text unescaped entities: #57255
doc: Clarify built-in support for sass after installation: #57279
Update docs with a Good to know box about using redirect in client components: #56966
docs: fix 02-dynamic-routes.mdx: #57029
Fix incorrect link in GTM docs: #57547
Fix typos: #57592
Add apostrophe 07-error-handling.mdx: #57626
Fix: codemods.mdx Incorrect heading structure of next-og-import, meta…: #57605
Typo fix, version "13" to "14": #57723
Fix Google Tag Manager URL in Third Party Libraries documentation: #57731

Example Changes

Fix: Call cookies function from route to flag as dynamic: #57494
(Examples) Add with-youtube-embed example: #57367
(Examples) Add with-google-maps-embed example: #57365
update @types/react version in examples: #57259
docs: fix broken link to demo: #57229
(example update) Update example with-Clerk: #57050
active-class-name example style js has not taken effect: #56136
add inngest next.js example: #56049
fix inngest example for 3.x sdk: #57712

Misc Changes

update manifest: #57523
update next/third-parties to use Next 14 or 13 as a peer dependency, instead of just 13: #57515
Modify tailwindcss related dependency of create-next-app: #57262
Remove extra CI step and lock Node.js version: #57769

Credits

Huge thanks to @dijonmusters, @sokra, @philwolstenholme, @IgorKowalczyk, @housseindjirdeh, @Zoe-Bot, @HanCiHu, @JackHowa, @goncy, @hirotomoyamada, @pveyes, @yeskunall, @vinaykulk621, @ChendayUP, @leerob, @dvoytenko, @mknichel, @ijjk, @hmaesta, @ajz003, @its-kunal, @joelhooks, @blurrah, @tariknh, @Vinlock, @Nayeem-XTREME, @aziyatali, @aspehler, @huozhi, @ztanner, @ForsakenHarmony, @moka-ayumu, and @gnoff for helping!

`v14.0.0`

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone GMT, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

changeset-bot · 2024-05-22T09:06:08Z

⚠️ No Changeset found

Latest commit: 1bd760a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

…3418)" This reverts commit e9b6901.

renovate bot added the dependencies Pull requests that update a dependency file label May 22, 2024

clerk-cookie added nextjs integration labels May 22, 2024

renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6fdd1b9 to b9b8dae Compare May 22, 2024 10:57