Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency next to 12.1.0 [SECURITY] - abandoned #183

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency next to 12.1.0 [SECURITY] - abandoned #183

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 14, 2021
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change
next 10.2.3 -> 12.1.0

GitHub Vulnerability Alerts

CVE-2021-39178

Impact

  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 11.1.0
    • The next.config.js file has images.domains array assigned
    • The image host assigned in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default
  • Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 12.0.10
    • The next.config.js file has images.domains array assigned
    • The image host assigned in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Contributor Author

renovate bot commented Aug 14, 2021
edited
Loading

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
npm WARN using --force Recommended protections disabled.
npm notice 
npm notice New minor version of npm available! 8.3.1 -> 8.5.3
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v8.5.3>
npm notice Run `npm install -g [email protected]` to update!
npm notice 
npm WARN using --force Recommended protections disabled.
chmod: cannot access '/home/ubuntu/.npm': No such file or directory
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/react
npm ERR!   react@"17.0.1" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^17.0.2 || ^18.0.0-0" from [email protected]
npm ERR! node_modules/next
npm ERR!   next@"12.1.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate-cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2022-03-07T14_05_16_904Z-debug-0.log

@vercel
Copy link

vercel bot commented Aug 14, 2021
edited
Loading

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/d2p/skyfall/DWrZr31MvsevjsZHXBnFoRPdzMbn
✅ Preview: Failed

[Deployment for 046691c failed]

@renovate renovate bot changed the title Update dependency next to v11 [SECURITY] Update dependency next to v11 [SECURITY] - autoclosed Sep 1, 2021
@renovate renovate bot closed this Sep 1, 2021
@renovate renovate bot deleted the renovate/npm-next-vulnerability branch September 1, 2021 15:12
@renovate renovate bot changed the title Update dependency next to v11 [SECURITY] - autoclosed Update dependency next to v11 [SECURITY] Sep 1, 2021
@renovate renovate bot restored the renovate/npm-next-vulnerability branch September 1, 2021 16:38
@renovate renovate bot reopened this Sep 1, 2021
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 900ee93 to 897daff Compare September 1, 2021 16:38
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 897daff to 0f752b3 Compare September 4, 2021 02:31
@renovate renovate bot changed the title Update dependency next to v11 [SECURITY] Update dependency next to 11.1.1 [SECURITY] Nov 13, 2021
@renovate renovate bot changed the title Update dependency next to 11.1.1 [SECURITY] Update dependency next to 11.1.3 [SECURITY] Dec 9, 2021
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 0f752b3 to 046691c Compare March 7, 2022 14:05
@renovate renovate bot changed the title Update dependency next to 11.1.3 [SECURITY] Update dependency next to 12.1.0 [SECURITY] Mar 7, 2022
@renovate
Copy link
Contributor Author

renovate bot commented Mar 23, 2023
edited
Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title Update dependency next to 12.1.0 [SECURITY] Update dependency next to 12.1.0 [SECURITY] - abandoned Aug 6, 2024
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Aug 6, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot