This repository has been archived by the owner on Apr 7, 2022. It is now read-only.
Update next in /modules/frontend from 5.1.0 to 7.0.2 #309
Dependencies.io has updated next (an npm dependency in /modules/frontend) from "5.1.0" to "7.0.2".
7.0.2
Release Notes
This upgrade is completely backwards compatible and recommended for all users on version 7.0.0 and 7.0.1
For future security related communications of our OSS projects, please join this mailing list.
Next.js has just been audited by one of the top security firms in the world. They found an XSS vulnerability on /_error pages (404, 500), where an attacker could craft a request that executes client side code on these particular pages. As a reminder, websites that follow OWASP security guidelines should see minimized impact from this attack vector.
How to Upgrade
similar problems in the future
npm install next@latest --save
npm install next@canary --save
Impact
next export
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If you think sensitive code or data could have been exposed, please filter logs of affected sites by /' with a 404 response.
What is Being Done
As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Jessica Stokes from Buildkite, lvh and Jeremy Rauch from Latacora for their investigation and discovery of the original bug and subsequent responsible disclosure.
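The log check suggested under "How to Assess Impact" above, as an added example written for this page (it is not Next.js's or Dependencies.io's code): a small filter over access-log lines in the common "combined" format that keeps 404 responses whose request path contains a single quote. The sample log lines are constructed, and the choice to look only at the path (query string stripped, percent-decoded, since the quote is only dangerous when it lands in the pathname the error page embedded) is an assumption drawn from the wording of the notes. Expect false positives such as apostrophes in legitimate URLs; the output is a triage list, not a verdict.

```javascript
'use strict';

// Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
// Line 3 is a percent-encoded quote, line 5 a raw quote in the path, line 6 a quote
// that only appears in the query string and so is not what the error page embedded.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2018:12:00:01 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2018:12:00:02 +0000] "GET /missing-page HTTP/1.1" 404 1870 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2018:12:00:03 +0000] "GET /%27);alert(1);// HTTP/1.1" 404 1902 "-" "curl/7.58.0"',
  '198.51.100.7 - - [10/Oct/2018:12:00:04 +0000] "GET /docs/o\'reilly HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Oct/2018:12:00:05 +0000] "GET /a\'b?x=1 HTTP/1.1" 404 1870 "-" "python-requests/2.19"',
  '198.51.100.9 - - [10/Oct/2018:12:00:06 +0000] "GET /ok?q=it\'s HTTP/1.1" 404 1870 "-" "python-requests/2.19"',
].join('\n');

// client ip, ident, user, [timestamp], "METHOD target PROTOCOL", status, ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Parses one combined-format line into a record; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, timestamp, method, target, status] = m;
  let path = target.split('?')[0]; // the query string was never part of the embedded pathname
  try {
    path = decodeURIComponent(path); // %27 and a literal quote are the same request to the app
  } catch (_) {
    // malformed percent-escapes: keep the raw path rather than drop the line
  }
  return { ip, timestamp, method, rawTarget: target, path, status: Number(status) };
}

// Keeps 404 responses whose decoded request path contains a single quote.
function findSuspiciousHits(logText) {
  return logText
    .split('\n')
    .map(parseLine)
    .filter((r) => r !== null && r.status === 404 && r.path.includes("'"));
}

// Groups hits by client so a scanner hammering one site stands out from a stray apostrophe.
function summarizeByClient(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] || 0) + 1;
  return counts;
}

if (typeof require !== 'undefined' && require.main === module) {
  const hits = findSuspiciousHits(SAMPLE_LOG);
  for (const h of hits) console.log(`${h.timestamp} ${h.ip} ${h.method} ${h.rawTarget} -> ${h.path}`);
  console.log(summarizeByClient(hits));
}
```

Feed the real access logs in place of SAMPLE_LOG and review the hits by hand; a percent-encoded payload and a raw one decode to the same path, which is why the filter works on the decoded form.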
Next.js 7.0.0 included a bugfix for the inline script generation code; it previously had a condition that would always return false, causing the error page to not be initialized. The generated code passed the pathname through the htmlescape module to escape arbitrary HTML characters. However, this module does not escape single quotes ('), meaning that an attacker could break out of the code block by including extra single quotes in the pathname. In Next.js 7.0.2 we have completely removed the user-provided pathname value from the inline script tag. Regression tests for this attack were added to the security test suite.
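To make the break-out described above concrete, here is an added example written for this page; it is not Next.js's own code and the script template is a reconstruction of the shape the notes describe, not the 7.0.0 source. It uses a stand-in escaper with the one property that matters (HTML-significant characters escaped, the single quote left alone), pastes the request pathname into a single-quoted string literal the way the vulnerable bootstrap did, and shows both ways of closing the hole: drop the value from the inline script as 7.0.2 did, or let a JSON serializer own the quoting. `__NEXT_REGISTER_PAGE` is stubbed, `attackerSink` stands in for whatever an injected payload would call (alert, a fetch to an attacker host), and the payload pathname is constructed; all of these are assumptions of the example.

```javascript
'use strict';

// Stand-in for an escaper with the property the release notes describe for htmlescape:
// HTML-significant characters are escaped, the single quote is not. A model of that
// behaviour, not the module's code. Output uses \uXXXX so it stays valid inside a JS literal.
function htmlEscapeNoSingleQuote(s) {
  return String(s).replace(/[&<>"]/g, (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Serializer for data embedded in an inline <script>: JSON.stringify supplies the quotes
// and backslash escapes, then the characters that matter inside <script> (and the two
// JS line terminators) become \uXXXX escapes. The caller never writes its own quotes.
function jsLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Reconstruction (assumption) of the vulnerable shape: the pathname lands inside a
// single-quoted literal, so an unescaped ' in it terminates the string early.
function renderErrorScriptVulnerable(pathname) {
  return `
    __NEXT_REGISTER_PAGE('/_error', function () {
      var error = new Error('Page does not exist: ${htmlEscapeNoSingleQuote(pathname)}');
      error.statusCode = 404;
      return { error: error };
    });
  `;
}

// The 7.0.2 approach: the inline script carries no request-derived value at all.
function renderErrorScriptFixed() {
  return `
    __NEXT_REGISTER_PAGE('/_error', function () {
      var error = new Error('Page does not exist');
      error.statusCode = 404;
      return { error: error };
    });
  `;
}

// Alternative hardening when a value really must be embedded: serialize it as a
// complete JS literal instead of pasting it into a hand-written quoted string.
function renderErrorScriptSerialized(pathname) {
  return `
    __NEXT_REGISTER_PAGE('/_error', function () {
      var error = new Error('Page does not exist: ' + ${jsLiteral(pathname)});
      error.statusCode = 404;
      return { error: error };
    });
  `;
}

// Runs a generated inline script as a browser would, with stub globals: the register
// stub invokes the page function at once and records the error message it produces,
// attackerSink records whether injected code ran. A syntax error leaves parsed=false.
function runInlineScript(script) {
  const result = { parsed: false, attackerRan: false, errorMessage: null };
  try {
    const run = new Function('__NEXT_REGISTER_PAGE', 'attackerSink', script);
    run(
      (route, pageFn) => { result.errorMessage = pageFn().error.message; },
      () => { result.attackerRan = true; },
    );
    result.parsed = true;
  } catch (_) {
    // SyntaxError or a runtime error: the page simply fails to bootstrap
  }
  return result;
}

// Constructed attacker pathname: the quote closes the literal, ");" closes the call and
// statement, and "//" comments out the remainder of that line so the script still parses.
const PAYLOAD = "/'); attackerSink(); //";

function demo() {
  return {
    vulnerable: runInlineScript(renderErrorScriptVulnerable(PAYLOAD)),
    fixed: runInlineScript(renderErrorScriptFixed()),
    serialized: runInlineScript(renderErrorScriptSerialized(PAYLOAD)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The serialized variant also keeps a literal `</script>` out of the generated markup, which the single-quote fix on its own would not address; removing the value entirely, as 7.0.2 did, sidesteps both problems at once.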