bump(deps): update dependency next to v14.2.21 [security] (#336)
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | [`14.2.10` -> `14.2.21`](https://renovatebot.com/diffs/npm/next/14.2.10/14.2.21) | [![age](https://developer.mend.io/api/mc/badges/age/npm/next/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/next/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/next/14.2.10/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/14.2.10/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-51479](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f)

### Impact
If a Next.js application is performing authorization in middleware based
on pathname, it was possible for this authorization to be bypassed.

### Patches
This issue was patched in Next.js `14.2.15` and later.

If your Next.js application is hosted on Vercel, this vulnerability has
been automatically mitigated, regardless of Next.js version.

### Workarounds
There are no official workarounds for this vulnerability.

#### Credits
We'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity
by IERAE) for responsible disclosure of this issue.

#### [CVE-2024-56332](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9)

### Impact
A Denial of Service (DoS) attack allows attackers to construct requests
that leave requests to Server Actions hanging until the hosting
provider cancels the function execution.

_Note: Next.js server is idle during that time and only keeps the
connection open. CPU and memory footprint are low during that time._

Deployments without any protection against long running Server Action
invocations are especially vulnerable. Hosting providers like Vercel or
Netlify set a default maximum duration on function execution to reduce
the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid
`Content-Length` header or never closes. If the host has no other
mitigations to those, then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server
Actions.

### Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8.
We recommend that users upgrade to a safe version.

### Workarounds

There are no official workarounds for this vulnerability.

### Credits

Thanks to the PackDraw team for responsibly disclosing this
vulnerability.

---

### Release Notes

<details>
<summary>vercel/next.js (next)</summary>

### [`v14.2.21`](https://redirect.github.com/vercel/next.js/compare/v14.2.20...v14.2.21)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.20...v14.2.21)

### [`v14.2.20`](https://redirect.github.com/vercel/next.js/compare/v14.2.19...ed78a4aa673034719d5664536a80d326eebac7e1)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.19...v14.2.20)

### [`v14.2.19`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.19)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.18...v14.2.19)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all
> pending features/changes on canary.

##### Core Changes

- ensure worker exits bubble to parent process ([#&#8203;73433](https://redirect.github.com/vercel/next.js/issues/73433))
- Increase max cache tags to 128 ([#&#8203;73125](https://redirect.github.com/vercel/next.js/issues/73125))

##### Misc Changes

- Update max tag items limit in docs ([#&#8203;73445](https://redirect.github.com/vercel/next.js/issues/73445))

##### Credits

Huge thanks to [@&#8203;ztanner](https://redirect.github.com/ztanner)
and [@&#8203;ijjk](https://redirect.github.com/ijjk) for helping!

### [`v14.2.18`](https://redirect.github.com/vercel/next.js/compare/v14.2.17...v14.2.18)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.17...v14.2.18)

### [`v14.2.17`](https://redirect.github.com/vercel/next.js/compare/v14.2.16...v14.2.17)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.16...v14.2.17)

### [`v14.2.16`](https://redirect.github.com/vercel/next.js/compare/v14.2.15...v14.2.16)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.15...v14.2.16)

### [`v14.2.15`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.15)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.14...v14.2.15)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all
> pending features/changes on canary.

##### Core Changes

- support breadcrumb style catch-all parallel routes [#&#8203;65063](https://redirect.github.com/vercel/next.js/issues/65063)
- Provide non-dynamic segments to catch-all parallel routes [#&#8203;65233](https://redirect.github.com/vercel/next.js/issues/65233)
- Fix client reference access causing metadata missing [#&#8203;70732](https://redirect.github.com/vercel/next.js/issues/70732)
- feat(next/image): add support for decoding prop [#&#8203;70298](https://redirect.github.com/vercel/next.js/issues/70298)
- feat(next/image): add images.localPatterns config [#&#8203;70529](https://redirect.github.com/vercel/next.js/issues/70529)
- fix(next/image): handle undefined images.localPatterns config in images-manifest.json
- fix: Do not omit alt on getImgProps return type, ImgProps [#&#8203;70608](https://redirect.github.com/vercel/next.js/issues/70608)
- \[i18n] Routing fix [#&#8203;70761](https://redirect.github.com/vercel/next.js/issues/70761)

##### Credits

Huge thanks to [@&#8203;ztanner](https://redirect.github.com/ztanner),
[@&#8203;agadzik](https://redirect.github.com/agadzik),
[@&#8203;huozhi](https://redirect.github.com/huozhi),
[@&#8203;styfle](https://redirect.github.com/styfle),
[@&#8203;icyJoseph](https://redirect.github.com/icyJoseph) and
[@&#8203;wyattjoh](https://redirect.github.com/wyattjoh) for helping!

### [`v14.2.14`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.14)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.13...v14.2.14)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all
> pending features/changes on canary.

##### Core Changes

- Fix: clone response in first handler to prevent race ([#&#8203;70082](https://redirect.github.com/vercel/next.js/issues/70082)) ([#&#8203;70649](https://redirect.github.com/vercel/next.js/issues/70649))
- Respect reexports from metadata API routes ([#&#8203;70508](https://redirect.github.com/vercel/next.js/issues/70508)) ([#&#8203;70647](https://redirect.github.com/vercel/next.js/issues/70647))
- Externalize node binary modules for app router ([#&#8203;70646](https://redirect.github.com/vercel/next.js/issues/70646))
- Fix revalidateTag() behaviour when invoked in server components ([#&#8203;70446](https://redirect.github.com/vercel/next.js/issues/70446)) ([#&#8203;70642](https://redirect.github.com/vercel/next.js/issues/70642))
- Fix prefetch bailout detection for nested loading segments ([#&#8203;70618](https://redirect.github.com/vercel/next.js/issues/70618))
- Add missing node modules to externals ([#&#8203;70382](https://redirect.github.com/vercel/next.js/issues/70382))
- Feature: next/image: add support for images.remotePatterns.search ([#&#8203;70302](https://redirect.github.com/vercel/next.js/issues/70302))

##### Credits

Huge thanks to [@&#8203;styfle](https://redirect.github.com/styfle),
[@&#8203;ztanner](https://redirect.github.com/ztanner),
[@&#8203;ijjk](https://redirect.github.com/ijjk),
[@&#8203;huozhi](https://redirect.github.com/huozhi) and
[@&#8203;wyattjoh](https://redirect.github.com/wyattjoh) for helping!

### [`v14.2.13`](https://redirect.github.com/vercel/next.js/compare/v14.2.12...f550237aa564bd59bfef7462350ac6c502f0206d)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.12...v14.2.13)

### [`v14.2.12`](https://redirect.github.com/vercel/next.js/compare/v14.2.11...v14.2.12)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.11...v14.2.12)

### [`v14.2.11`](https://redirect.github.com/vercel/next.js/compare/v14.2.10...bfbc92aab5c727444ed21e0b84bd55cda2e22067)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.10...v14.2.11)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job log](https://developer.mend.io/github/fuxingloh/cryptomatter).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] authored Jan 16, 2025
1 parent e265612 commit 51fabdf
Showing 2 changed files with 38 additions and 38 deletions.
74 changes: 37 additions & 37 deletions pnpm-lock.yaml

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion website/package.json
Expand Up @@ -47,7 +47,7 @@
"dayjs": "^1.11.11",
"framer-motion": "11.2.10",
"html-to-react": "^1.7.0",
"next": "14.2.10",
"next": "14.2.21",
"react": "18.3.1",
"react-dom": "18.3.1",
"sharp": "^0.33.4",
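Review bot: the pin is kept exact (`"14.2.21"`, not `"^14.2.21"`), consistent with the exact pins on `react` and `react-dom` around it, but the companion pnpm-lock.yaml change (37 additions, 37 deletions) is not rendered on this page, so confirm before merging that the lockfile's resolved `next` entry is actually 14.2.21 and that the other 36 changed lockfile lines are only its transitive dependencies. The advisory fix for CVE-2024-56332 is stated to land in 14.2.21 specifically, so a package.json bump without a matching lockfile resolution would leave the deployed build unpatched.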

0 comments on commit 51fabdf
