Update dependency next to v12.0.9 [SECURITY] #168
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
12.0.8
->12.0.9
GitHub Vulnerability Alerts
CVE-2022-21721
Impact
Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.
Patches
A patch has been released,
next@12.0.9
, that mitigates this issue. We recommend all affected users upgrade as soon as possible.Workarounds
We recommend upgrading whether you can reproduce or not although you can ensure
/${locale}/_next/
is blocked from reaching the Next.js instance until you upgrade.For more information
If you have any questions or comments about this advisory:
Release Notes
vercel/next.js
v12.0.9
Compare Source
This upgrade is completely backward-compatible and recommended for all users on versions below 12.0.9
Vulnerable code could allow a bad actor to trigger a denial of service attack via the
/${locale}/_next/
route for anyone running a Next.js app at version >= 12.0.0, and using built-in i18n routing functionality.How to Upgrade
npm install next@latest --save
Impact
v12.0.0
andv12.0.9
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If your server has seen requests to any route under the prefix
/${locale}/_next/
that have triggered a heap overflow error, this was caused by the patched issue.What is Being Done
As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to our users for their investigation and responsible disclosure of the original bug.
We've landed a patch that ensures this is handled properly so the requested route no longer crashes and triggers a heap overflow.
Regression tests for this attack were added to the i18n integration test suite
security@vercel.com
. We are actively monitoring this mailbox.Core Changes
process.env
to inferred usage: #33186postcss
: #33142node-fetch
: #33466onLoadingComplete()
: #33474next-multilingual
example: #29386lazyRoot
optional property tonext/image
component : #33290Documentation Changes
next export
+next/image
error message: #33317onLoad
gottcha note tonext/script
docs: #33097next/server
documentation forgeo
: #33609next/image
usage withnext export
based on feedback.: #33555headers
config option description: #33484netlify-plugin-cache-nextjs
has been deprecated: #33629Example Changes
Misc Changes
Credits
Huge thanks to @molebox, @Schniz, @sokra, @kachkaev, @shuding, @teleaziz, @OgbeniHMMD, @goncy, @balazsorban44, @MaedahBatool, @bennettdams, @kdy1, @huozhi, @hsynlms, @styfle, @ijjk, @callumgare, @jonrosner, @karaggeorge, @rpie3, @MartijnHols, @leerob, @bashunaimiroy, @NOCELL, @rishabhpoddar, @omariosouto, @hanneslund, @theMosaad, @javivelasco, @pierrenel, @lobsterkatie, @tharakabimal, @vvo, @saevarb, @lfades, @nbouvrette, @paulnbrd, @ecklf, @11koukou, @renbaoshuo, @chozzz, @tbezman, @karlhorky, @j-mendez, and @ffan0811 for helping!
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.