Update dependency next to v12.1.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	12.0.9 -> 12.1.0

GitHub Vulnerability Alerts

CVE-2022-23646

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

---

Release Notes

vercel/next.js

v12.1.0

Compare Source

Core Changes

• Relay Support in Rust Compiler: #​33702
• fix eslint link-passhref rule: #​33857
• update webpack: #​33831
• Flush buffered vitals metrics on page mount: #​33867
• fix problem with HMR when middleware and page reference the same node_module: #​33873
• Refactor page component getter in web server: #​33759
• update NextResponse default redirect status to 307 to match docs: #​33505
• Bug fix: dynamic page should not be interpreted as predefined page: #​33808
• Group streaming experimental apis: #​33878
• Encapsulate routing and initial hydration: #​33875
• Optimize offline condition judgment: #​33238
• Ensure external beforeFiles rewrites are handled with next/link: #​33888
• Fix parsing params for i18n optional route in minimal mode: #​33896
• Ensure browserslist extends works properly: #​33890
• Fix image cache race condition: #​33883
• Add support for Relay projects without artifactDirectory: #​33918
• fix: handle jsxspreadattribute in inline-script-id eslint rule: #​32421
• feat(next-swc): Update swc: #​33724
• Update to latest version of amphtml-validator: #​33967
• Warn in dev mode when script tags are added with next/head: #​33968
• Ensure optional chaining in swc matches babel: #​33995
• Use react-dom/server.browser in Node.js: #​33950
• Ensure external middleware rewrite is handled correctly: #​33962
• Update Terser to v5.10.0, fix minification issues: #​33045
• Warn in dev mode when stylesheets are added using next/head: #​34004
• Use ReadableStream in RenderResult: #​34005
• Fix suffix ordering while streaming: #​34011
• Don't use yarn if a package-lock.json file is found: #​31926
• Do not warn when application/ld+json scripts are used with next/head: #​34021
• Babel & next-swc: Fix exporting page config with AsExpression: #​32702
• Detect per page runtime config for functions manifest: #​33945
• Add JSDoc to config options: #​32915
• Update font-stylesheet-gathering-plugin.ts: #​30709
• Add decoratorMetadata flag if enabled by tsconfig: #​32914
• fix: data url handling in css-loader: #​34034
• Place 'charset' element at the top of : #​28119
• Fix detection of anchor click events inside svg: #​23272
• Allow passing nothing as custom jest config: #​32328
• Fixes #​31240: Adding a recursive addPackagePath function in webpack-config: #​31264
• Require component rendered as child of Link to pass event to onClick handler: #​27723
• Allow scroll prevention on hash change: #​31921
• Add support for async fn / promise in next.config.js/.mjs: #​33662
• Fix lazyRoot functionality for next/image: #​33933
• Change SWC minify from beta to release candidate: #​34056
• Make Router state immutable: #​33925
• Stop exposing internal render and renderError methods from next/client: #​34069
• Add api-utils helper for testing: #​34078
• feat(next-swc): Update swc: #​34045
• Deprecate concurrentFeatures with runtime: #​34068
• Add check for resolveWeak to next/dynamic: #​33908
• remove unneeded and broken plugin: #​34087
• Remove experimental warning from next/jest: #​34096
• fix: arrow function export in rsc client component: #​34105
• Use renderToStream with React 18: #​34106
• Fix static result being piped: #​34111
• Polyfill pipeTo and pipeThrough: #​34112
• Update to leverage response-cache for image-optimizer: #​34075
• fix: next/image usage from node_modules: #​33559
• Fix included flight manifest on node runtime: #​34113
• Fix: Use react-dom/server.browser when reactRoot: true: #​34116
• Fix image-optimizer requires in next-server: #​34141
• Fix required files matching in rsc: #​34137
• Throw error when ts file contains css.resolve: #​34149
• Chore/stable swc compiler options: #​34074
• Fix bug with "Circular Structure" error: #​23905
• Add _document and _app pre-import: #​23261
• Ensure standalone server handles SIGTERM: #​34151
• Bump nft to 0.17.5: #​34190
• feat: copy .env file in standalone mode: #​34143
• Fix reuse of inline flight response and 404 for RSC in node runtime: #​34202
• Use updated recursive rm fs method for image-optimizer: #​34210
• Fix link for "Delete Query Params in Middleware" error message in next-server.ts: #​34230
• Enable dynamic HTML in minimal mode: #​34222
• Fix uncaught error in getInitialProps when runtime is set to nodejs: #​34228
• Optimize the web server size: #​34242
• feat: allow node-sass@7 as peer dependency: #​34107
• Adding step to build the app with docker in existing projects: #​34083
• Changed all occurrences of etc to match: #​34280
• Align reactRoot config between server and webpack config: #​34328
• Fix <RouteAnnouncer/> shouldn't announce initial path under strict mode and React 18: #​34338
• Fix flight root failed to hydrate in strict mode: #​34333
• Allow dismissing full refresh warning for session: #​33868
• Remove experimental image optimization feature: #​34349
• Add support for "type": "module" in package.json: #​33637
• feat(next-swc): Update swc: #​34355
• Ensure invalid request to static page is handled correctly: #​34346
• Add Error Handing section for ISR: #​34360
• feat(next-swc): Update swc: #​34408
• feat: improve opening a new issue flow: #​34434
• Ensure we don't poll page in development when notFound: true is returned: #​34352
• Add image config for dangerouslyAllowSVG and contentSecurityPolicy: #​34431
• Revert swc css bump temporarily: #​34440
• update webpack: #​34444
• Update server-only changes HMR handling: #​34298
• Fix .svg image optimization with a loader prop: #​34452
• Allow reading request bodies in middlewares: #​34294
• Revert "Allow reading request bodies in middlewares": #​34479
• update webpack: #​34477
• Fix chunk buffering for server components: #​34474
• Remove deprecation for relative URL usage in middlewares: #​34461

Documentation Changes

• Building web forms with Next.js and Vercel: #​32525
• Add Clarity About Downloading and Self-Hosting a Font File: #​33760
• Correct pluralization in newly added Relay documentation: #​33880
• Update MDX document: #​33916
• Update info on how to process webhooks by disabling bodyParser: #​33909
• Update deployment docs to fix oversized image.: #​33934
• docs: recommend .end instead of .send when no body is being sent: #​33611
• Update custom document docs to prepare for React 18.: #​33814
• Fix typo in new experimental Relay support docs: #​33963
• docs(isr): add missing key prop in jsx loop: #​33984
• docs: use function for components in general: #​33990
• Updated going-to-production with loading performance: #​33179
• docs: fix variable name from profileData to data in CSR page: #​34018
• Improve Form Guide Contents: #​33913
• Add async to middleware docs.: #​31356
• (docs): update i18n-routing.md: #​33123
• Fix redirect url for prefixing the default locale: #​33762
• Add note about dns-prefetch as fallback: #​30385
• Update custom server docs for async methods: #​30521
• Update multiple docs pages to follow Docs Content style guide: #​33855
• fix: Change url to nextUrl inside delete-query-params-in-middlewa…: #​33796
• Changing GitHub Actions cache documentation: #​28228
• [docs] Add env var load order: #​32350
• docs: add Ory vercel example to auth page: #​33029
• Add note about crawlers and fallback: true: #​34114
• docs(api-routes): fix node docs links: #​34125
• add note to clarify use of Link when clearing preview cookies (issue #​34129): #​34142
• Re-render details if rewrites are used: #​34049
• Add heading to invalid-api-status-body error: #​34150
• Ensure /index route is redirected correctly for docs: #​34206
• Update docs for image lazyRoot prop: #​34241
• Update link for includeFiles glob reference: #​34269
• Update Preview Mode docs.: #​34278
• Update frequently asked questions in documentation: #​34252
• Alphabetize auth docs providers.: #​34281
• Replace babel with SWC & minor changes in getting started: #​34282
• Update Middleware docs to add version history.: #​34302
• Fix typo on getInitialProps: #​34309
• Update missing curly brace in image.md: #​34307
• docs: Add link to pageExtensions config in page-without-valid-component.md: #​34285
• Add an example to Write server-side code directly section: #​34319
• Few touch-ups to the docs on web forms in Next: #​34286
• Update MDX Custom Elements setup: #​34175
• Update image.md: #​34374
• Updated failed to load error page to include info about node versions: #​34362
• docs: react 18, streaming SSR, rsc with new apis: #​33986
• Update MDX Guide config example: #​34405
• Remove hello world RSC example.: #​34456
• Fix typo: #​34480

Example Changes

• Update npm comment in Docker example: #​33881
• Update Contentful example to add validations to solve graphql complexity errors.: #​33958
• Update all CMS examples dependencies.: #​33580
• Fix warning unknown prettier option when running yarn lint.: #​34019
• [New Example] with docker - multiple deployment environments: #​34015
• Fix ambiguous flags in Dockerfile example: #​33417
• fix(examples/with-docker): update env comments: #​29972
• Remove unused "start" script from with-docker/package.json: #​31053
• Update remark in blog-starter-typescript: #​31393
• Update _document.js: #​29930
• Docs: use the nextv12 example from the storybook-addon-next repo as the with-storybook example: #​33891
• examples, update with new URL: #​34035
• [with-typescript-graphql] fixes breaking changes in graphql-let v0.18.0: #​32681
• fix(example): with-typescript-graphql graphql-let package migrate: #​29996
• feat: update firebase in with-firebase: #​29581
• progressive web app example converted to typescript : #​33100
• Make adjustment to cache config of with-apollo example: #​32733
• Fix error thrown by next/image in the Sanity example: #​34203
• Update examples/active-class-name: #​34205
• chore(example): update preact links in examples: #​34233
• fix: don't wrap profile in firebase example: #​34457

Misc Changes

• Fix flakey image-optimizer test: #​33957
• Update azure config: #​33999
• Add types to nextConfig in default template : #​34029
• docs(contributing): Search GitHub for an open or closed PR that relates to your submission: #​22533
• fix(create-next-app): add default version: #​33006
• chore: do not run lock/stale actions on forks: #​34053
• Fix functions manifest test: #​34092
• add pnpm debug file in gitignore templates: #​34091
• Update failing tests from upstream resource: #​34110
• Update version number in next.config.js API reference
• chore: log lock bot output: #​34168
• chore: decrease lock action runs #​34180
• Allow listening for page requests in tests: #​34204
• Update code of conduct from v1.4 to v2.1: #​34208
• Update contributing.md to link to walkthrough video.: #​34299
• fix: typo in gitignore in typescript template: #​34372
• test: add inline flight response reuse test: #​34364
• Update 2.example_bug_report.yml
• Update 1.bug_report.yml
• Update 2.example_bug_report.yml
• Update font-optimization test snapshot: #​34478

Credits

Huge thanks to @​MaedahBatool, @​mutebg, @​sokra, @​huozhi, @​hanford, @​shuding, @​sean6bucks, @​jameshfisher, @​devknoll, @​yuta-ike, @​zh-lx, @​amandeepmittal, @​alunyov, @​stefanprobst, @​leerob, @​balazsorban44, @​kdy1, @​brittanyrw, @​jord1e, @​kara, @​vvo, @​ismaelrumzan, @​dlindenkreuz, @​MohammadxAli, @​nguyenyou, @​thibautsabot, @​hanneslund, @​vertti, @​KateKate, @​stefee, @​mikinovation, @​Leticijak, @​mohsen1, @​ncphillips, @​ehowey, @​lancechentw, @​krychaxp, @​fmacherey, @​pklawansky, @​RyanClementsHax, @​lakbychance, @​sannajammeh, @​oliviertassinari, @​alexander-akait, @​u-yas, @​Cheprer, @​msp5382, @​chrispat, @​getspooky, @​Ryz0nd, @​klaasman, @​midgleyc, @​kumard3, @​jesstelford, @​neeraj3029, @​glenngijsberts, @​pie6k, @​wouterraateland, @​timneutkens, @​11koukou, @​thesyedbasim, @​aeneasr, @​ijjk, @​lfades, @​JuniorTour, @​xavhan, @​mattyocode, @​padmaia, @​Skn0tt, @​gwer, @​Nutlope, @​styfle, @​stipsan, @​xhoantran, @​eolme, @​sespinosa, @​zenorocha, @​hjaber, @​benmvp, @​T-O-R-U-S, @​dburrows, @​atcastle, @​kiriny, @​molebox, @​kitayoshi, and @​Schniz for helping!

v12.0.10

Compare Source

Core Changes

• fix: image optimizer hangs when invalid image is requested: #​33719
• feat: make compress configurable in standalone mode: #​33717
• fix: allow certain variable names in development: #​33638
• Use swc parse for flight server and client loaders: #​33713
• Properly support custom 500 page in the web server: #​33729
• chore: deprecate process.browser: #​32862
• Improve tests for streaming and server components: #​33740
• fix: fixes #​33314 move is-plain-object for es5 compilation: #​33690
• Add stale-while-revalidate pattern to Image Optimization API: #​33735
• Allow to delete URL search params in middleware rewrites: #​33725
• Ensure all CSS files are included for experimental critical CSS: #​33752
• Ensure non-error thrown in getStaticPaths shows correctly: #​33753
• Fix encoding error with location and refresh headers: #​33763
• Fix duplicate image src causing canceled request: #​33776
• Generate functions manifest: #​33770
• Enable jest hoist transform when using next/jest: #​33731
• fix typo: #​33840
• fix(next/image): render valid html according to W3C: #​33825

Documentation Changes

• Update Time to First Byte (TTFB) link: #​33715
• Changed data fetching file name to overview to fix meta data title: #​33232
• Correct misspelling in testing documentation #​33754: #​33755
• Move custom server note from middleware doc: #​33744
• Fixed duplicate data fetching overview page + links: #​33774
• [docs] Mention SWC in TypeScript documentation.: #​33801
• Testing docs: Comment out optional config that points to a file: #​33827
• Update Content-Security-Policy header usage explanation: #​33833

Example Changes

• Fix with-docker example dockerfile: #​33695
• Added next.config.js with datocms-assets domain in allow list: #​33647
• Fix: broken npm install: #​33767
• [example] Upgrade the with-stripe-typescript example app: #​33761
• Upgrade to @​stitches/react 1.2.6: #​33817
• Doc: fix broken link to api routes doc: #​33836

Misc Changes

• run stale 20 minutes earlier
• fix: use github action instead of bot: #​33718
• fix syntax error in lock.yml
• fix rsc test suite runner: #​33745

Credits

Huge thanks to @​Vienio99, @​balazsorban44, @​kyliau, @​molebox, @​huozhi, @​shuding, @​PepijnSenders, @​krystofex, @​PizzaPete, @​souljuse, @​styfle, @​Schniz, @​Nelsonfrank, @​ijjk, @​Mhmdrza, @​timneutkens, @​hideokamoto-stripe, @​Emrin, @​gr-qft, @​delbaoliveira, @​redbar0n, @​amandeepmittal, @​lxy-yz, and @​Divlo for helping!

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.