Update dependency next to v9 [SECURITY] #166
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^8.0.0
->^9.3.2
GitHub Vulnerability Alerts
CVE-2020-5284
Impact
serverless
targetnext export
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
Patches
https://github.com/zeit/next.js/releases/tag/v9.3.2
References
https://github.com/zeit/next.js/releases/tag/v9.3.2
Release Notes
vercel/next.js (next)
v9.3.2
Compare Source
This upgrade is completely backwards compatible and recommended for all users on versions below 9.3.2. For future security related communications of our OSS projects, please join this mailing list.
Next.js has just been audited by one of the top security firms in the world.
They found that attackers could craft special requests to access files in the dist directory (
.next
).This does not affect files outside of the dist directory (
.next
).In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
How to Upgrade
npm install next@latest --save
Impact
serverless
targetnext export
next start
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If you think sensitive code or data could have been exposed, you can filter logs of affected sites by
../
with a 200 response.What is Being Done
As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Luca Carettoni from Doyensec for their investigation and discovery of the original bug and subsequent responsible disclosure.
We've landed a patch that ensures only known filesystem paths of
.next/static
are made available under/_next/static
.Regression tests for this attack were added to the security integration test suite.
Patches
5274535
remark
link in blog-starter's README: #11177isStaging
inwith-env
example: #11305074c60e
Credits
Huge thanks to @chibicode, @ijjk, @timneutkens, @sebastianbenz, @zhe, @shaswatsaxena, @prateekbh, @vvo, @lfades, @bbortt, @aviaryan, @mgranados, @julianbenegas, @gregrickaby, @dulmandakh, @yosuke-furukawa, @tinymachine, @bgoerdt, @nicolasrouanne, @filipesmedeiros, @rishabhsaxena, and @queq1890 for helping!
v9.3.1
Compare Source
Patches
39ed664
c135830
a231315
Credits
Huge thanks to @ijjk, @chibicode, @5alidz, @watanabeyu, @messa, @timneutkens, @followbl, @herrstucki, @danlutz, @Spy-Seth, @asotoglez, @josiahwiebe, @ragingwind, @ruisaraiva19, @SarKurd, @bobaaaaa, @akhila-ariyachandra, @lfades, @matamatanot, @JazibJafri, @tomdohnal, @carlospavanetti, @giuseppeg, @lifeiscontent, @7ma7X, @PaulHale, @john015, and @petamoriken for helping!
v9.3.0
Compare Source
Minor Changes
Patches
80bdf73
b331338
cedd6fa
fc9f18d
c0f4283
663f5c4
unstable_
prefix from new methods: #10723dangerousAsPath
fromRenderOpts
: #10773next-server
: #10776getStaticProps
,getServerSideProps
: #10800getServerSideProps
Requests: #10826a61dfb2
69ba793
getServerSideProps
Test Case: #1086283b4fd1
Credits
Huge thanks to @arcanis, @lgordey, @ijjk, @martpie, @jaywink, @fabianishere, @dijs, @TheRusskiy, @quinnturner, @timneutkens, @lfades, @vvo, @adithwip, @rafaelalmeidatk, @bmathews, @Spy-Seth, @EvgeniyKumachev, @chibicode, @piglovesyou, @HaNdTriX, @Timer, @janicklas-ralph, @devknoll, @prateekbh, @ethanryan, @MoOx, @rifaidev, @msweeneydev, @motiko, and @balazsorban44 for helping!
v9.2.2
Compare Source
Patches
c71694e
c71694e
with-next-seo
sample issues: #10335builds
from examples: #10417native-url
: #10419native-url
Again: #10526isFallback
Router Property: #10539Credits
Huge thanks to @borisowsky, @piglovesyou, @dannytatom, @msweeneydev, @bartdeslagmulder, @stigkj, @jamesmosier, @chibicode, @lfades, @Timer, @RobinCsl, @apollonian, @alejalapeno, @dmitrika, @micahalcorn, @ijjk, @pacocoursey, @zhe, @ivan-kleshnin, @stryder03, @38elements, @msnider, @TheDSCPL, @vasco3, @lachlanjc, @AndyBitz, @atcastle, @pex, @Janpot, @HaNdTriX, @afsanefda, @Nainterceptor, @areai51, @thorsten-stripe, @vvo, @markhaslam, @devknoll, and @sebastianbenz for helping!
v9.2.1
Compare Source
Minor Changes
href
andas
when manually provided: #9837Patches
defer
toasync
: #10143native-url
: #10176public/
folder when page routes are disabled: #10169with-stencil
example: #10125pageExtensions
: #10178592a2c2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.