This repository has been archived by the owner on May 7, 2020. It is now read-only.
[Snyk] Upgrade next from 9.3.1 to 9.3.2 #35
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Snyk has created this PR to upgrade next from 9.3.1 to 9.3.2. See this package in NPM: https://www.npmjs.com/package/next See this project in Snyk: https://app.snyk.io/org/cds-snc/project/d09e85f4-d6ff-4544-9d6b-c543735be38c?utm_source=github&utm_medium=upgrade-pr
|
Closed since bb700df |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade next from 9.3.1 to 9.3.2.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.The recommended version fixes:
SNYK-JS-NEXT-561584
Release notes
Package name: next
-
9.3.2 - 2020-03-26
- We have released patch versions for both the stable and canary channels of Next.js.
- To upgrade run
- Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
- Not affected: Deployments using the
- Not affected: Deployments using
- Affected: Users of Next.js below 9.3.2 that use
- We have notified known Next.js users in advance of this publication.
- A public CVE was issued.
- If you want to stay on top of our security related news impacting Next.js or other ZEIT projects, please join this mailing list.
- We encourage responsible disclosure of future issues. Please email us at security@zeit.co. We are actively monitoring this mailbox.
- Add Numeric Separator Support for TypeScript: #11308
- Update CLI custom config documentation link: #11152
- Add error when attempting to export GSSP page: #11154
- Update blog-starter example: #11071
- Add CSS file to build output: #11145
- Update <dir> reference in help text: 5274535
- Clean up examples directory: #11169
- Remove react-ssr-prepass alias as it's not longer needed: #11170
- Upgrade @ampproject/toolbox-optimizer to 2.0.1: #11168
- Add section on reading files: #11084
- [Examples] fix
- Updated with-typescript example to SSG: #11081
- Add CMS example for Sanity: #10907
- Group CSS files in shared build output separate from JS files: #11184
- Updating min nodejs requirement: #11181
- Docs(ssr): req is an IncomingMessage instance, not HttpRequest: #11194
- Add support for baseUrl option in tsconfig and jsconfig: #11203
- [Example] with-passport: #10529
- CMS TakeShape Example: #11038
- Ensure hybrid AMP works correctly with SSG: #11205
- Update mocha example with yml configuration.: #11214
- Fix with-firebase-cloud-messaging example setup code: #10686
- Update wording of new data fetching methods recommendation: #11221
- Updated Api Routes Middleware example to use getServerSideProps: #11128
- With Firebase Client-Side example: #11053
- Docs(example): Load basic-css example on codesandbox: #11227
- Remove mkdirp, bump fs-extra to 9.0.0: #11251
- Add support for paths in tsconfig.json and jsconfig.json: #11293
- Add test for single alias: #11296
- Update GIP docs: #11303
- Add custom amp optimizer and skip validation mode: #10705
- Update handling for ENOENT from GSSP methods: #11302
- Docs: clarify how to customize next/babel presets: #11316
- Fix assignment of props in WithApollo.getInitialProps: #11236
- Fix: typo in
- Skip paths that are routed to a .d.ts file: #11322
- Upgrade loader-utils: #11324
- Fix warning for API routes with next export: #11330
- Make sure to copy AMP SSG files during export: #11331
- Just a small typo I think, right?: #11344
- [docs] Mention our channels: #11336
- Use records to init store: #11343
- Update data-fetching.md: 074c60e
- Fix preview-mode docs/examples typo: #11345
- Update to prevent re-using workers for getStaticPaths in dev mode: #11347
-
9.3.2-canary.9 - 2020-03-26
- [Example] Use .jpg for images in blog-starter: #11176
- Add with-redux-toolkit example: #11358
-
9.3.2-canary.8 - 2020-03-26
- Fix
-
9.3.2-canary.7 - 2020-03-26
- Update AMP docs: #11353
- Add docs for multi zones: #11348
- Add initial support for new env handling: #10525
-
9.3.2-canary.6 - 2020-03-25
- Make sure to copy AMP SSG files during export: #11331
- Just a small typo I think, right?: #11344
- [docs] Mention our channels: #11336
- Use records to init store: #11343
- Update data-fetching.md: 074c60e
- Fix preview-mode docs/examples typo: #11345
- Update to prevent re-using workers for getStaticPaths in dev mode: #11347
-
9.3.2-canary.5 - 2020-03-25
- Upgrade loader-utils: #11324
- Fix warning for API routes with next export: #11330
-
9.3.2-canary.4 - 2020-03-24
- Update GIP docs: #11303
- Add custom amp optimizer and skip validation mode: #10705
- Update handling for ENOENT from GSSP methods: #11302
- Docs: clarify how to customize next/babel presets: #11316
- Fix assignment of props in WithApollo.getInitialProps: #11236
- Fix: typo in
- Skip paths that are routed to a .d.ts file: #11322
-
9.3.2-canary.3 - 2020-03-23
- Add Numeric Separator Support for TypeScript: #11308
- Add test for single alias: #11296
-
9.3.2-canary.2 - 2020-03-23
- Updated Api Routes Middleware example to use getServerSideProps: #11128
- With Firebase Client-Side example: #11053
- Docs(example): Load basic-css example on codesandbox: #11227
- Remove mkdirp, bump fs-extra to 9.0.0: #11251
- Add support for paths in tsconfig.json and jsconfig.json: #11293
-
9.3.2-canary.1 - 2020-03-20
- Updated with-typescript example to SSG: #11081
- Add CMS example for Sanity: #10907
- Group CSS files in shared build output separate from JS files: #11184
- Updating min nodejs requirement: #11181
- Docs(ssr): req is an IncomingMessage instance, not HttpRequest: #11194
- Add support for baseUrl option in tsconfig and jsconfig: #11203
- [Example] with-passport: #10529
- CMS TakeShape Example: #11038
- Ensure hybrid AMP works correctly with SSG: #11205
- Update mocha example with yml configuration.: #11214
- Fix with-firebase-cloud-messaging example setup code: #10686
- Update wording of new data fetching methods recommendation: #11221
-
9.3.2-canary.0 - 2020-03-18
-
9.3.1 - 2020-03-17
from next GitHub release notesThis upgrade is completely backwards compatible and recommended for all users on versions below 9.3.2. For future security related communications of our OSS projects, please join this mailing list.
Next.js has just been audited by one of the top security firms in the world.
They found that attackers could craft special requests to access files in the dist directory (
.next).This does not affect files outside of the dist directory (
.next).In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
How to Upgrade
npm install next@latest --saveImpact
serverlesstargetnext exportnext startWe recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If you think sensitive code or data could have been exposed, you can filter logs of affected sites by
../with a 200 response.What is Being Done
As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Luca Carettoni from Doyensec for their investigation and discovery of the original bug and subsequent responsible disclosure.
We've landed a patch that ensures only known filesystem paths of
.next/staticare made available under/_next/static.Regression tests for this attack were added to the security integration test suite.
Patches
remarklink in blog-starter's README: #11177isStaginginwith-envexample: #11305Credits
Huge thanks to @chibicode, @ijjk, @timneutkens, @sebastianbenz, @zhe, @shaswatsaxena, @prateekbh, @vvo, @lfades, @bbortt, @aviaryan, @mgranados, @julianbenegas, @gregrickaby, @dulmandakh, @yosuke-furukawa, @tinymachine, @bgoerdt, @nicolasrouanne, @filipesmedeiros, @rishabhsaxena, and @queq1890 for helping!
Patches
Credits
Huge thanks to @lfades and @JazibJafri for helping!
Patches
static/file name encoding: #11373Patches
Credits
Huge thanks to @lfades and @ijjk for helping!
Patches
Credits
Huge thanks to @ijjk, @filipesmedeiros, @lfades, @rishabhsaxena, and @queq1890 for helping!
Patches
Credits
Huge thanks to @timneutkens and @ijjk for helping!
Patches
isStaginginwith-envexample: #11305Credits
Huge thanks to @lfades, @yosuke-furukawa, @ijjk, @tinymachine, @bgoerdt, and @nicolasrouanne for helping!
Minor Changes
Patches
Credits
Huge thanks to @timneutkens for helping!
Patches
Credits
Huge thanks to @mgranados, @julianbenegas, @gregrickaby, @dulmandakh, and @timneutkens for helping!
Patches
Credits
Huge thanks to @shaswatsaxena, @ijjk, @prateekbh, @vvo, @lfades, @chibicode, @bbortt, and @aviaryan for helping!
Commit messages
Package name: next
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs