From 51fabdfd99c61aef7e1c9e00130e1ab16ea07e89 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 16 Jan 2025 21:35:35 +0800
Subject: [PATCH] bump(deps): update dependency next to v14.2.21 [security] (#336)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | [`14.2.10` -> `14.2.21`](https://renovatebot.com/diffs/npm/next/14.2.10/14.2.21) | [![age](https://developer.mend.io/api/mc/badges/age/npm/next/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/next/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/next/14.2.10/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/14.2.10/14.2.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-51479](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f)

### Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

### Patches

This issue was patched in Next.js `14.2.15` and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

### Workarounds

There are no official workarounds for this vulnerability.

#### Credits

We'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
#### [CVE-2024-56332](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9)

### Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution.

_Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time._

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

### Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

### Workarounds

There are no official workarounds for this vulnerability.

### Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

---

### Release Notes
vercel/next.js (next)

### [`v14.2.21`](https://redirect.github.com/vercel/next.js/compare/v14.2.20...v14.2.21)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.20...v14.2.21)

### [`v14.2.20`](https://redirect.github.com/vercel/next.js/compare/v14.2.19...ed78a4aa673034719d5664536a80d326eebac7e1)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.19...v14.2.20)

### [`v14.2.19`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.19)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.18...v14.2.19)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all pending features/changes on canary.

##### Core Changes

- ensure worker exits bubble to parent process ([#73433](https://redirect.github.com/vercel/next.js/issues/73433))
- Increase max cache tags to 128 ([#73125](https://redirect.github.com/vercel/next.js/issues/73125))

##### Misc Changes

- Update max tag items limit in docs ([#73445](https://redirect.github.com/vercel/next.js/issues/73445))

##### Credits

Huge thanks to [@ztanner](https://redirect.github.com/ztanner) and [@ijjk](https://redirect.github.com/ijjk) for helping!

### [`v14.2.18`](https://redirect.github.com/vercel/next.js/compare/v14.2.17...v14.2.18)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.17...v14.2.18)

### [`v14.2.17`](https://redirect.github.com/vercel/next.js/compare/v14.2.16...v14.2.17)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.16...v14.2.17)

### [`v14.2.16`](https://redirect.github.com/vercel/next.js/compare/v14.2.15...v14.2.16)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.15...v14.2.16)

### [`v14.2.15`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.15)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.14...v14.2.15)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all pending features/changes on canary.

##### Core Changes

- support breadcrumb style catch-all parallel routes [#65063](https://redirect.github.com/vercel/next.js/issues/65063)
- Provide non-dynamic segments to catch-all parallel routes [#65233](https://redirect.github.com/vercel/next.js/issues/65233)
- Fix client reference access causing metadata missing [#70732](https://redirect.github.com/vercel/next.js/issues/70732)
- feat(next/image): add support for decoding prop [#70298](https://redirect.github.com/vercel/next.js/issues/70298)
- feat(next/image): add images.localPatterns config [#70529](https://redirect.github.com/vercel/next.js/issues/70529)
- fix(next/image): handle undefined images.localPatterns config in images-manifest.json
- fix: Do not omit alt on getImgProps return type, ImgProps [#70608](https://redirect.github.com/vercel/next.js/issues/70608)
- \[i18n] Routing fix [#70761](https://redirect.github.com/vercel/next.js/issues/70761)

##### Credits

Huge thanks to [@ztanner](https://redirect.github.com/ztanner), [@agadzik](https://redirect.github.com/agadzik), [@huozhi](https://redirect.github.com/huozhi), [@styfle](https://redirect.github.com/styfle), [@icyJoseph](https://redirect.github.com/icyJoseph) and [@wyattjoh](https://redirect.github.com/wyattjoh) for helping!

### [`v14.2.14`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.14)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.13...v14.2.14)

> \[!NOTE]\
> This release is backporting bug fixes. It does **not** include all pending features/changes on canary.

##### Core Changes

- Fix: clone response in first handler to prevent race ([#70082](https://redirect.github.com/vercel/next.js/issues/70082)) ([#70649](https://redirect.github.com/vercel/next.js/issues/70649))
- Respect reexports from metadata API routes ([#70508](https://redirect.github.com/vercel/next.js/issues/70508)) ([#70647](https://redirect.github.com/vercel/next.js/issues/70647))
- Externalize node binary modules for app router ([#70646](https://redirect.github.com/vercel/next.js/issues/70646))
- Fix revalidateTag() behaviour when invoked in server components ([#70446](https://redirect.github.com/vercel/next.js/issues/70446)) ([#70642](https://redirect.github.com/vercel/next.js/issues/70642))
- Fix prefetch bailout detection for nested loading segments ([#70618](https://redirect.github.com/vercel/next.js/issues/70618))
- Add missing node modules to externals ([#70382](https://redirect.github.com/vercel/next.js/issues/70382))
- Feature: next/image: add support for images.remotePatterns.search ([#70302](https://redirect.github.com/vercel/next.js/issues/70302))

##### Credits

Huge thanks to [@styfle](https://redirect.github.com/styfle), [@ztanner](https://redirect.github.com/ztanner), [@ijjk](https://redirect.github.com/ijjk), [@huozhi](https://redirect.github.com/huozhi) and [@wyattjoh](https://redirect.github.com/wyattjoh) for helping!

### [`v14.2.13`](https://redirect.github.com/vercel/next.js/compare/v14.2.12...f550237aa564bd59bfef7462350ac6c502f0206d)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.12...v14.2.13)

### [`v14.2.12`](https://redirect.github.com/vercel/next.js/compare/v14.2.11...v14.2.12)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.11...v14.2.12)

### [`v14.2.11`](https://redirect.github.com/vercel/next.js/compare/v14.2.10...bfbc92aab5c727444ed21e0b84bd55cda2e22067)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.10...v14.2.11)
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/fuxingloh/cryptomatter). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- pnpm-lock.yaml | 74 ++++++++++++++++++++++---------------------- website/package.json | 2 +- 2 files changed, 38 insertions(+), 38 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index abd3e5d7a..b2d8c03fa 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -368,7 +368,7 @@ importers: version: 2.1.4(react@18.3.1) '@vercel/analytics': specifier: ^1.3.1 - version: 1.3.1(next@14.2.10)(react@18.3.1) + version: 1.3.1(next@14.2.21)(react@18.3.1) clsx: specifier: ^2.1.1 version: 2.1.1 @@ -385,8 +385,8 @@ importers: specifier: ^1.7.0 version: 1.7.0(react@18.3.1) next: - specifier: 14.2.10 - version: 14.2.10(@babel/core@7.23.6)(react-dom@18.3.1)(react@18.3.1) + specifier: 14.2.21 + version: 14.2.21(@babel/core@7.23.6)(react-dom@18.3.1)(react@18.3.1) react: specifier: 18.3.1 version: 18.3.1 @@ -1438,8 +1438,8 @@ packages: resolution: {integrity: sha512-n5JEf16Wr4mdkRMZ8wMP/wN9/sHmTjRPbouXjJH371mZ2LEGDl72t8tEsMRNFerQN/QJtivOxqK1frdGa4QK5Q==} engines: {node: '>=10'} - /@next/env@14.2.10: - resolution: {integrity: sha512-dZIu93Bf5LUtluBXIv4woQw2cZVZ2DJTjax5/5DOs3lzEOeKLy7GxRSr4caK9/SCPdaW6bCgpye6+n4Dh9oJPw==} + /@next/env@14.2.21: + resolution: {integrity: sha512-lXcwcJd5oR01tggjWJ6SrNNYFGuOOMB9c251wUNkjCpkoXOPkDeF/15c3mnVlBqrW4JJXb2kVxDFhC4GduJt2A==} dev: false /@next/eslint-plugin-next@14.2.3: 
@@ -1448,8 +1448,8 @@ packages: glob: 10.3.10 dev: false - /@next/swc-darwin-arm64@14.2.10: - resolution: {integrity: sha512-V3z10NV+cvMAfxQUMhKgfQnPbjw+Ew3cnr64b0lr8MDiBJs3eLnM6RpGC46nhfMZsiXgQngCJKWGTC/yDcgrDQ==} + /@next/swc-darwin-arm64@14.2.21: + resolution: {integrity: sha512-HwEjcKsXtvszXz5q5Z7wCtrHeTTDSTgAbocz45PHMUjU3fBYInfvhR+ZhavDRUYLonm53aHZbB09QtJVJj8T7g==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] @@ -1457,8 +1457,8 @@ packages: dev: false optional: true - /@next/swc-darwin-x64@14.2.10: - resolution: {integrity: sha512-Y0TC+FXbFUQ2MQgimJ/7Ina2mXIKhE7F+GUe1SgnzRmwFY3hX2z8nyVCxE82I2RicspdkZnSWMn4oTjIKz4uzA==} + /@next/swc-darwin-x64@14.2.21: + resolution: {integrity: sha512-TSAA2ROgNzm4FhKbTbyJOBrsREOMVdDIltZ6aZiKvCi/v0UwFmwigBGeqXDA97TFMpR3LNNpw52CbVelkoQBxA==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] @@ -1466,8 +1466,8 @@ packages: dev: false optional: true - /@next/swc-linux-arm64-gnu@14.2.10: - resolution: {integrity: sha512-ZfQ7yOy5zyskSj9rFpa0Yd7gkrBnJTkYVSya95hX3zeBG9E55Z6OTNPn1j2BTFWvOVVj65C3T+qsjOyVI9DQpA==} + /@next/swc-linux-arm64-gnu@14.2.21: + resolution: {integrity: sha512-0Dqjn0pEUz3JG+AImpnMMW/m8hRtl1GQCNbO66V1yp6RswSTiKmnHf3pTX6xMdJYSemf3O4Q9ykiL0jymu0TuA==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] @@ -1475,8 +1475,8 @@ packages: dev: false optional: true - /@next/swc-linux-arm64-musl@14.2.10: - resolution: {integrity: sha512-n2i5o3y2jpBfXFRxDREr342BGIQCJbdAUi/K4q6Env3aSx8erM9VuKXHw5KNROK9ejFSPf0LhoSkU/ZiNdacpQ==} + /@next/swc-linux-arm64-musl@14.2.21: + resolution: {integrity: sha512-Ggfw5qnMXldscVntwnjfaQs5GbBbjioV4B4loP+bjqNEb42fzZlAaK+ldL0jm2CTJga9LynBMhekNfV8W4+HBw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] 
@@ -1484,8 +1484,8 @@ packages: dev: false optional: true - /@next/swc-linux-x64-gnu@14.2.10: - resolution: {integrity: sha512-GXvajAWh2woTT0GKEDlkVhFNxhJS/XdDmrVHrPOA83pLzlGPQnixqxD8u3bBB9oATBKB//5e4vpACnx5Vaxdqg==} + /@next/swc-linux-x64-gnu@14.2.21: + resolution: {integrity: sha512-uokj0lubN1WoSa5KKdThVPRffGyiWlm/vCc/cMkWOQHw69Qt0X1o3b2PyLLx8ANqlefILZh1EdfLRz9gVpG6tg==} engines: {node: '>= 10'} cpu: [x64] os: [linux] @@ -1493,8 +1493,8 @@ packages: dev: false optional: true - /@next/swc-linux-x64-musl@14.2.10: - resolution: {integrity: sha512-opFFN5B0SnO+HTz4Wq4HaylXGFV+iHrVxd3YvREUX9K+xfc4ePbRrxqOuPOFjtSuiVouwe6uLeDtabjEIbkmDA==} + /@next/swc-linux-x64-musl@14.2.21: + resolution: {integrity: sha512-iAEBPzWNbciah4+0yI4s7Pce6BIoxTQ0AGCkxn/UBuzJFkYyJt71MadYQkjPqCQCJAFQ26sYh7MOKdU+VQFgPg==} engines: {node: '>= 10'} cpu: [x64] os: [linux] @@ -1502,8 +1502,8 @@ packages: dev: false optional: true - /@next/swc-win32-arm64-msvc@14.2.10: - resolution: {integrity: sha512-9NUzZuR8WiXTvv+EiU/MXdcQ1XUvFixbLIMNQiVHuzs7ZIFrJDLJDaOF1KaqttoTujpcxljM/RNAOmw1GhPPQQ==} + /@next/swc-win32-arm64-msvc@14.2.21: + resolution: {integrity: sha512-plykgB3vL2hB4Z32W3ktsfqyuyGAPxqwiyrAi2Mr8LlEUhNn9VgkiAl5hODSBpzIfWweX3er1f5uNpGDygfQVQ==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] @@ -1511,8 +1511,8 @@ packages: dev: false optional: true - /@next/swc-win32-ia32-msvc@14.2.10: - resolution: {integrity: sha512-fr3aEbSd1GeW3YUMBkWAu4hcdjZ6g4NBl1uku4gAn661tcxd1bHs1THWYzdsbTRLcCKLjrDZlNp6j2HTfrw+Bg==} + /@next/swc-win32-ia32-msvc@14.2.21: + resolution: {integrity: sha512-w5bacz4Vxqrh06BjWgua3Yf7EMDb8iMcVhNrNx8KnJXt8t+Uu0Zg4JHLDL/T7DkTCEEfKXO/Er1fcfWxn2xfPA==} engines: {node: '>= 10'} cpu: [ia32] os: [win32] 
@@ -1520,8 +1520,8 @@ packages: dev: false optional: true - /@next/swc-win32-x64-msvc@14.2.10: - resolution: {integrity: sha512-UjeVoRGKNL2zfbcQ6fscmgjBAS/inHBh63mjIlfPg/NG8Yn2ztqylXt5qilYb6hoHIwaU2ogHknHWWmahJjgZQ==} + /@next/swc-win32-x64-msvc@14.2.21: + resolution: {integrity: sha512-sT6+llIkzpsexGYZq8cjjthRyRGe5cJVhqh12FmlbxHqna6zsDDK8UNaV7g41T6atFHCJUPeLb3uyAwrBwy0NA==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -2130,7 +2130,7 @@ packages: /@ungap/structured-clone@1.2.0: resolution: {integrity: sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==} - /@vercel/analytics@1.3.1(next@14.2.10)(react@18.3.1): + /@vercel/analytics@1.3.1(next@14.2.21)(react@18.3.1): resolution: {integrity: sha512-xhSlYgAuJ6Q4WQGkzYTLmXwhYl39sWjoMA3nHxfkvG+WdBT25c563a7QhwwKivEOZtPJXifYHR1m2ihoisbWyA==} peerDependencies: next: '>= 13' @@ -2141,7 +2141,7 @@ packages: react: optional: true dependencies: - next: 14.2.10(@babel/core@7.23.6)(react-dom@18.3.1)(react@18.3.1) + next: 14.2.21(@babel/core@7.23.6)(react-dom@18.3.1)(react@18.3.1) react: 18.3.1 server-only: 0.0.1 dev: false @@ -5405,8 +5405,8 @@ packages: /natural-compare@1.4.0: resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==} - /next@14.2.10(@babel/core@7.23.6)(react-dom@18.3.1)(react@18.3.1): - resolution: {integrity: sha512-sDDExXnh33cY3RkS9JuFEKaS4HmlWmDKP1VJioucCG6z5KuA008DPsDZOzi8UfqEk3Ii+2NCQSJrfbEWtZZfww==} + /next@14.2.21(@babel/core@7.23.6)(react-dom@18.3.1)(react@18.3.1): + resolution: {integrity: sha512-rZmLwucLHr3/zfDMYbJXbw0ZeoBpirxkXuvsJbk7UPorvPYZhP7vq7aHbKnU7dQNCYIimRrbB2pp3xmf+wsYUg==} engines: {node: '>=18.17.0'} hasBin: true peerDependencies: @@ -5423,7 +5423,7 @@ packages: sass: optional: true dependencies: - '@next/env': 14.2.10 + '@next/env': 14.2.21 '@swc/helpers': 0.5.5 busboy: 1.6.0 caniuse-lite: 1.0.30001599 
@@ -5433,15 +5433,15 @@ packages: react-dom: 18.3.1(react@18.3.1) styled-jsx: 5.1.1(@babel/core@7.23.6)(react@18.3.1) optionalDependencies: - '@next/swc-darwin-arm64': 14.2.10 - '@next/swc-darwin-x64': 14.2.10 - '@next/swc-linux-arm64-gnu': 14.2.10 - '@next/swc-linux-arm64-musl': 14.2.10 - '@next/swc-linux-x64-gnu': 14.2.10 - '@next/swc-linux-x64-musl': 14.2.10 - '@next/swc-win32-arm64-msvc': 14.2.10 - '@next/swc-win32-ia32-msvc': 14.2.10 - '@next/swc-win32-x64-msvc': 14.2.10 + '@next/swc-darwin-arm64': 14.2.21 + '@next/swc-darwin-x64': 14.2.21 + '@next/swc-linux-arm64-gnu': 14.2.21 + '@next/swc-linux-arm64-musl': 14.2.21 + '@next/swc-linux-x64-gnu': 14.2.21 + '@next/swc-linux-x64-musl': 14.2.21 + '@next/swc-win32-arm64-msvc': 14.2.21 + '@next/swc-win32-ia32-msvc': 14.2.21 + '@next/swc-win32-x64-msvc': 14.2.21 transitivePeerDependencies: - '@babel/core' - babel-plugin-macros diff --git a/website/package.json b/website/package.json index 4a26e6fbf..5bf83306b 100644 --- a/website/package.json +++ b/website/package.json @@ -47,7 +47,7 @@ "dayjs": "^1.11.11", "framer-motion": "11.2.10", "html-to-react": "^1.7.0", - "next": "14.2.10", + "next": "14.2.21", "react": "18.3.1", "react-dom": "18.3.1", "sharp": "^0.33.4",
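
Review bot: in pnpm-lock.yaml, the unchanged context line `/@next/eslint-plugin-next@14.2.3:` directly after the updated `@next/env` entry shows the lint plugin staying at 14.2.3 while `next`, `@next/env` and all nine `@next/swc-*` optional packages move to 14.2.21. The version skew between the framework and its lint rules existed before this change and now widens from 14.2.10 to 14.2.21. Suggest either bumping the ESLint config package in a follow-up so the Next.js family resolves to one patch level, or stating in the PR that the skew is intentional.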
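
Review bot: the website/package.json hunk keeps `"next": "14.2.21"` as an exact pin and crosses eleven patch releases in one step, yet the patch touches only the manifest and the lockfile, with nothing recording that the site was rebuilt against the new version. The message lists behavioural backports in 14.2.14 and 14.2.15 (`images.localPatterns`, the i18n routing fix, the `revalidateTag()` change), so a green `next build` of `website` should be confirmed before the manual merge the message asks for. It would also help to note in the PR whether `website` performs pathname-based authorization in middleware or uses Server Actions, since those are the two conditions the quoted advisories name and they decide how urgent this bump is for this repository.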