Skip to content

fix(deps): update dependency next to v14 [security]#34

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-next-vulnerability
Open

fix(deps): update dependency next to v14 [security]#34
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-next-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 10, 2024
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
next (source) ^13.4.4^14.0.0 age confidence

XSS in Image Optimization API for Next.js

CVE-2021-39178 / GHSA-9gr3-7897-pp7m

More information

Details

Impact
  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 11.1.0
    • The next.config.js file has images.domains array assigned
    • The image host assigned in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default
  • Not affected: Deployments on Vercel are not affected
Patches

Next.js v11.1.1

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Unexpected server crash in Next.js.

CVE-2021-43803 / GHSA-25mp-g6fv-mqxx

More information

Details

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Open Redirect in Next.js

CVE-2021-37699 / GHSA-vxf5-wxwp-m7g9

More information

Details

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Impact
  • Affected: Users of Next.js between 10.0.5 and 10.2.0
  • Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
  • Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
  • Not affected: Deployments on Vercel (vercel.com) are not affected
  • Not affected: Deployments with pages/404.js
  • Note that versions prior to 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js missing cache-control header may lead to CDN caching empty reply

CVE-2023-46298 / GHSA-c59h-r6p8-q9wc

More information

Details

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

Severity

Low

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js Server-Side Request Forgery in Server Actions

CVE-2024-34351 / GHSA-fr5h-rqp8-mj6g

More information

Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites
  • Next.js (<14.1.1) is running in a self-hosted* manner.
  • The Next.js application makes use of Server Actions.
  • The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #​62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js Cache Poisoning

CVE-2024-46982 / GHSA-gp8f-8m3g-qvj9

More information

Details

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

  • Next.js between 13.5.1 and 14.2.9
  • Using pages router
  • Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

  • Deployments using only app router
  • Deployments on Vercel are not affected
Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits
  • Allam Rachid (zhero_)
  • Henry Chen

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Denial of Service condition in Next.js image optimization

CVE-2024-47831 / GHSA-g77x-44xx-532m

More information

Details

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

  • The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
  • The Next.js application is hosted on Vercel.
Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js authorization bypass vulnerability

CVE-2024-51479 / GHSA-7gfc-8cq8-jh5f

More information

Details

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js Allows a Denial of Service (DoS) with Server Actions

CVE-2024-56332 / GHSA-7m27-7ghc-44w9

More information

Details

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

vercel/next.js (next)

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing cache-control on SSR app route (#​70265)
  • feat: add polyfill of URL.canParse for browser compatibility (#​70228)
  • Fix vercel og package memory leak (#​70214)
  • Fix startTime error on Android 9 with Chrome 74 (#​67391)
Credits

Huge thanks to @​raeyoung-kim, @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • update prefetching jsdoc & documentation (#​68047)
  • Ensure we chunk revalidate tag requests (#​70189)
  • (backport) fix(eslint): allow typescript-eslint v8 (#​70090)
  • [ppr] Don't mark RSC requests as /_next/data requests (backport of #​66249) (#​70083)
Credits

Huge thanks to @​alvarlagerlof, @​wyattjoh, @​delbaoliveira, and @​ijjk for helping!

v14.2.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: correct metadata url suffix (#​69959)
  • fix: setting assetPrefix to URL format breaks HMR (#​70040)
  • Update revalidateTag to batch tags in one request (#​65296)
Credits

Huge thanks to @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.10

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Remove invalid fallback revalidate value (#​69990)
  • Revert server action optimization (#​69925)
  • Add ability to customize Cache-Control (#​69802)
Credits

Huge thanks to @​huozhi and @​ijjk for helping!

v14.2.9

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "Fix esm property def in flight loader (#​66990)" (#​69749)
  • Disable experimental.optimizeServer by default to fix failed server action (#​69788)
  • Fix middleware fallback: false case (#​69799)
  • Fix status code for /_not-found route (#​64058) (#​69808)
  • Fix metadata prop merging (#​69807)
  • create-next-app: fix font file corruption when using import alias (#​69806)
Credits

Huge thanks to @​huozhi, @​ztanner, @​ijjk, and @​lubieowoce for helping!

v14.2.8

Compare Source

What's Changed

[!NOTE]
This release is backporting bug fixes and minor improvements. It does not include all pending features/changes on canary.

Support esmExternals in app directory
Reading cookies set in middleware in components and actions
  • initialize ALS with cookies in middleware (#​65008)
  • fix middleware cookie initialization (#​65820)
  • ensure cookies set in middleware can be read in a server action (#​67924)
  • fix: merged middleware cookies should preserve options (#​67956)
Metadata and icons
  • support facebook-specific metadata (fb:app_id, fb:admins) in generateMetaData (#​65713)
  • Always collect static icons for all segments (#​68712)
  • Fix favicon merging with customized icons (#​67982)
  • Warn metadataBase missing in standalone mode or non vercel deployment (#​66296)
Parallel routes fixes
  • fix missing stylesheets when parallel routes are present (#​69507)
Draft mode and edge improvements
next/image fixes
  • Allow external image urls with _next/image pathname to be rendered via Image component (#​69586)
Server actions improvements
  • optimize server actions (#​66523)
  • Apply optimization for unused actions (#​69178)
  • Improve SWC transform ID generation (#​69183)
Other changes
  • Ensure we match comment minify behavior between terser and swc (#​68372)
  • send initialCanonicalUrl in array format to prevent crawler confusion (#​69509)
Create-next-app updates

Full Changelog: vercel/next.js@v14.2.7...v14.2.8

Huge thanks to everyone who contributed to this release:
@​abhi12299, @​delbaoliveira, @​eps1lon, @​ForsakenHarmony, @​huozhi, @​ijjk, @​JoshuaKGoldberg, @​leerob, @​lubieowoce, @​Netail, @​ronanru, @​samcx, @​shuding, @​sokra, @​stylessh, @​timfuhrmann, @​wbinnssmith, @​wyattjoh, @​ypessoa, @​ztanner

v14.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "chore: externalize undici for bundling" (#​65727)
  • Refactor internal routing headers to use request meta (#​66987)
  • fix(next): add cross origin in react dom preload (#​67423)
  • build: upgrade edge-runtime (#​67565)
  • GTM dataLayer parameter should take an object, not an array of strings (#​66339)
  • fix: properly patch lockfile against swc bindings (#​66515)
  • Add deployment id header for rsc payload if present (#​67255)
  • Update font data (#​68639)
  • fix i18n data pathname resolving (#​68947)
  • pages router: ensure x-middleware-cache is respected (#​67734)
  • Fix bad modRequest in flight entry manifest #​68888
  • Reject next image urls in image optimizer #​68628
  • Fix hmr assetPrefix escaping and reuse logic from other files #​67983
Credits

Huge thanks to @​kjugi, @​huozhi, @​ztanner, @​SukkaW, @​marlier, @​Kikobeats, @​syi0808, @​ijjk, and @​samcx for helping!

v14.2.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Ensure fetch cache TTL is updated properly (#​69164)

v14.2.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • avoid merging global css in a way that leaks into other chunk groups (#​67373)
  • Fix server action edge redirect with middleware rewrite (#​67148)
  • fix(next): reject protocol-relative URLs in image optimization (#​65752)
  • fix(next-swc): correct path interop to filepath for wasm (#​65633)
  • Use addDependency to track metadata route file changes (#​66714)
  • Fix noindex is missing on static not-found page (#​67135)
  • perf: improve retrieving versionInfo on Turbo HMR (#​67309)
  • fix(next/image): handle invalid url (#​67465)
  • fix(next): initial prefetch cache not set properly with different search params (#​65977)
  • fix: Backport class properties fix (#​67377)
  • Upgrade acorn (#​67592)
Misc
  • Log stdio for pull-turbo-cache script (#​66759)
  • Ensure turbo is setup when building in docker (#​66804)
Credits

Huge thanks to @​devjiwonchoi, @​ijjk, @​emmerich, @​huozhi, @​kdy1, @​kwonoj, @​styfle, and @​sokra for helping!

v14.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: ensure route handlers properly track dynamic access (#​66446)
  • fix NextRequest proxy in edge runtime (#​66551)
  • Fix next/dynamic with babel and src dir (#​65177)
  • Use vercel deployment url for metadataBase fallbacks (#​65089)
  • fix(next/image): detect react@​19 for fetchPriority prop (#​65235)
  • Fix loading navigation with metadata and prefetch (#​66447)
  • prevent duplicate RSC fetch when action redirects (#​66620)
  • ensure router cache updates reference the latest cache values (#​66681)
  • Prevent append of trailing slash in cases where path ends with a file extension (#​66636)
  • Fix inconsistency with 404 getStaticProps cache-control (#​66674)
  • Use addDependency to track metadata route file changes (#​66714)
  • Add timeout/retry handling for fetch cache (#​66652)
  • fix: app-router prefetch crash when an invalid URL is passed to Link (#​66755)
Credits

Huge thanks to @​ztanner, @​ijjk, @​wbinnssmith, @​huozhi, and @​lubieowoce for helping!

v14.2.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: resolve mixed re-exports module as cjs (#​64681)
  • fix: mixing namespace import and named import client components (#​64809)
  • Fix mixed exports in server component with barrel optimization (#​64894)
  • Fix next/image usage in mdx(#​64875)
  • fix(fetch-cache): fix additional typo, add type & data validation (#​64799)
  • prevent erroneous route interception during lazy fetch (#​64692)
  • fix root page revalidation when redirecting in a server action (#​64730)
  • fix: remove traceparent from cachekey should not remove traceparent from original object (#​64727)
  • Clean-up fetch metrics tracking (#​64746)
Credits

Huge thanks to @​huozhi, @​samcx, @​ztanner, @​Jeffrey-Zutt, and @​ijjk for helping!

v14.2.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix Server Action error logs for unhandled POST requests (#​64315)
  • Improve rendering performance (#​64408)
  • Fix the method prop case in Server Actions transform (#​64398)
  • fix(next-lint): update option --report-unused-disable-directives to --report-unused-disable-directives-severity (#​64405)
  • tweak test for Azure (#​64424)
  • router restore should take priority over pending actions (#​64449)
  • Fix client boundary inheritance for barrel optimization (#​64467)
  • improve turborepo caching (#​64493)
  • feat: strip traceparent header from cachekey (#​64499)
  • Fix more Turbopack build tests
  • Update lockfile for compatibility with turbo (#​64360)
  • Fix typo in dynamic-rendering.ts (#​64365)
  • Fix DynamicServerError not being thrown in fetch (#​64511)
  • fix(next): Metadata.openGraph values not resolving basic values when type is set (#​63620)
  • disable production chunking in dev (#​64488)
  • Fix cjs client components tree-shaking (#​64558)
  • fix refresh behavior for discarded actions (#​64532)
  • fix: filter out middleware requests in logging (#​64549)
  • Turbopack: Allow client components to be imported in app routes (#​64520)
  • Fix ASL bundling for dynamic css (#​64451)
  • add pathname normalizer for actions (#​64592)
  • fix incorrect refresh request when basePath is set (#​64589)
  • test: skip turbopack build test (#​64356)
  • hotfix(turbopack): Update with patch for postcss.config.js path resolution on Windows (#​64677)
Credits

Huge thanks to @​shuding, @​coltonehrman, @​ztanner, @​huozhi, @​sokra, @​Jeffrey-Zutt, @​timneutkens, @​wbinnssmith, @​wiesson, @​ijjk, @​devjiwonchoi, and @​bgw for helping!

v14.2.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • use pathToFileUrl to make esm import()s work with absolute windows paths (#​64386) @​sokra
Credits

Huge thanks to @​sokra for helping!

v14.2.0

Compare Source

Learn more: https://nextjs.org/blog/next-14-2

Core Changes
  • Update build worker warning to use debug: #​60847
  • fix: added @​sentry/profiling-node to sep list to prevent build/bundle breakage: #​60855
  • Optimize build trace ignores: #​60859
  • Deprecation warning for config.analyticsId: #​60677
  • chore: indicate staleness more prominently in next info output: #​60376
  • Telemetry: createComponentTree span: #​60857
  • chore: replace micromatch w/ picomatch: #​60699
  • Report HMR latency as trace spans for Turbopack: #​60799
  • Turbopack: always log HMR rebuild times: #​60908
  • Error overlay refactors: #​60886
  • Use precompiled source-map in overlay middleware: #​60932
  • Use more precompiled deps in react-dev-overlay: #​60959
  • Fix next phase for next build: #​60969
  • chore: update turbopack: #​60980
  • refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc: #​59300
  • disable static generation on interception routes: #​61004
  • Docs: Address community feedback: #​60960
  • avoid output of webpack stats: #​61023
  • Revert "refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc": #​61021
  • fix useSelectedLayoutSegment's support for parallel routes: #​60912
  • Dynamic APIs: #​60645
  • Enable next.js version checker in turbopack: #​61034
  • chore: Update terser to v5.27.0: #​61068
  • Update swc_core to v0.87.28: #​60876
  • update turbopack: #​61015
  • Implement client_root for edge in Turbopack: #​61024
  • fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: #​60776
  • fix(image): warn when animated image is missing unoptimized prop: #​61045
  • Fix version checker not displaying when version newer than npm: #​61075
  • Fix sitemap generateSitemaps support for string id: #​61088
  • ppr: ensure the router state tree is provided for interception routes: #​61059
  • Improve the Server Actions SWC transform: #​61001
  • Fix instrument bundling as client components: #​60984
  • fix(turbopack): use correct layout for 404 page: #​61032
  • fix: emotion import source should be enabled in SSR contexts: #​61099
  • chore: update turbopack: #​61090
  • fix(turbopack): custom page extensions for _app: #​60789
  • Disable trace uploads with NEXT_TRACE_UPLOAD_DISABLE: #​61101
  • add optimizeServerReact to config-shared: #​61106
  • Fix filesystempublicroutes test for Turbopack: #​61132
  • chore: upgrade webpack to 5.90.0: #​61109
  • Add maxDuration to typescript plugin allowed exports: #​59193
  • Upgrade Turbopack: #​61190
  • build: remove sentry from the externals list: #​61194
  • exclude default routes from isPageStatic check: #​61173
  • Add stack trace to client rendering bailout error: #​61200
  • chore: refactor image optimization to separate external/internal urls: #​61172
  • parallel routes: support multi-slot layouts: #​61115
  • Refine revalidatePath warning message: #​61220
  • revert changes to process default routes at build: #​61241
  • Fix cookie merging in Server Action redirections: #​61113
  • Update swc_core to v0.89.x: #​61086
  • Fix Server Reference being double registered: #​61244
  • Fix Server Action redirection with absolute internal URL: #​60798
  • Fix indentation in source code of dev overlay: #​61216
  • Update swc_core to v0.89.4: #​61285
  • fix: Revert preset-env mode of styled-jsx in webpack mode: #​61306
  • DX: add route context to the dynamic errors: #​61332
  • Telemetry: add time-to-first-byte si

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from sullivanpj as a code owner May 10, 2024 11:52
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 10, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 6a4a003 to cc76038 Compare April 15, 2026 16:05
@renovate renovate Bot requested a review from a team April 15, 2026 16:05
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from cc76038 to f1ded5f Compare April 30, 2026 02:19
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 30, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​docusaurus/​preset-classic@​2.4.3991007099100
Added@​envelop/​filter-operation-type@​5.0.3921007092100
Added@​docusaurus/​core@​2.4.3971007599100
Added@​n1ru4l/​graphql-live-query-patch-jsondiffpatch@​0.8.07510010080100
Added@​envelop/​disable-introspection@​5.0.31001007592100
Added@​nxkit/​style-dictionary@​3.0.2801009777100
Added@​envelop/​validation-cache@​6.0.41001007895100
Added@​envelop/​parser-cache@​6.0.41001007995100
Added@​envelop/​graphql-modules@​5.0.389858298100
Added@​commitlint/​cz-commitlint@​17.7.21001008984100
Added@​graphql-hive/​client@​0.24.29310010090100
Added@​nx/​devkit@​16.7.0981009199100
Added@​asyncapi/​generator@​1.13.1971009794100
Added@​envelop/​sentry@​6.0.3971009596100
Added@​envelop/​extended-validation@​3.0.310010010095100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sullivanpj sullivanpj Awaiting requested review from sullivanpj sullivanpj is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants