Update dependency next to v9.5.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	9.5.2 -> 9.5.4

GitHub Vulnerability Alerts

CVE-2020-15242

Impact

• Affected: Users of Next.js between 9.5.0 and 9.5.3
• Not affected: Deployments on Vercel (https://vercel.com) are not affected
• Not affected: Deployments using next export

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

Patches

https://github.com/vercel/next.js/releases/tag/v9.5.4

References

https://github.com/vercel/next.js/releases/tag/v9.5.4

---

Release Notes

vercel/next.js

v9.5.4

Compare Source

This upgrade is completely backwards compatible and recommended for all users on versions below 9.5.4. For future security related communications of our OSS projects, please join this mailing list.

A security team from one of our partners noticed an issue in Next.js that allowed for open redirects to occur.

Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site.

In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

How to Upgrade

• We have released patch versions for both the stable and canary channels of Next.js.
• To upgrade run npm install next@latest --save

Impact

• Affected: Users of Next.js between 9.5.0 and 9.5.3
• Not affected: Deployments on Vercel (https://vercel.com) are not affected
• Not affected: Deployments using next export

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

How to Assess Impact

If you think users could have been affected, you can filter logs of affected sites by %2F with a 308 response.

What is Being Done

As Next.js has grown in popularity, it has received the attention of security teams and auditors. We are thankful to those that reached out for their investigation and discovery of the original bug and subsequent responsible disclosure.

We've landed a patch that ensures encoding is handled properly for these types of redirects so the open redirect can no longer occur.

Regression tests for this attack were added to the security integration test suite.

• We have notified known Next.js users in advance of this publication.
• A public CVE was released.
• If you want to stay on top of our security related news impacting Next.js or other Vercel projects, please join this mailing list.
• We encourage responsible disclosure of future issues. Please email us at security@vercel.com. We are actively monitoring this mailbox.

---

Core Changes

• Make the image post-processor ignore SVG images: #​16732
• Only update lookups for dev overlay if mounted: #​16776
• Ensure interpolating dynamic href values works correctly: #​16774
• Add automatic reloading when editing GS(S)P methods: #​16744
• Update to show build indicator while re-fetching GS(S)P data in dev: #​16789
• make parseRelativeUrl return a UrlObject: #​16809
• Add tests for searchParams dev warning: #​16798
• Fix invalid config export errors: #​16834
• Correct client rewrite resolving with query: #​16860
• Fix href resolving with trailing slash enabled: #​16873
• Divide export build output into 4 segments instead of showing it one by one: #​16815
• Include additional query values when interpolating href: #​16878
• Correct page path for GS(S)P data refreshing: #​16939
• Fix align documentation with the code: #​16843
• Remove next-head-count: #​16758
• Add Support for CSS Module Value Imports: #​16973
• Fix resolving href with a rewrite: #​16975
• Correct query behavior for falsey values to pre 9.5.1 behavior: #​16608
• Importing CSS from Third Party React Components: #​16993
• Add error when href interpolation fails: #​16946
• Security upgrade node-fetch: #​17009
• Upgrade sass loader: #​16970
• Prefer builtin optional chaining and nullish coalescing: #​16780
• Upgrade cacache of terser-webpack-plugin: #​17022
• Upgrade web-vitals: #​17028
• Remove false positive in circular structure detection: #​16380
• Fix Webpack 5 configuration for v5.0.0-beta.30: #​17038
• Improve custom document error message: #​17048
• Use babel 7 jsx syntax: #​17043
• [Fix] webpack@5.0.0-beta.30: Invalid configuration: #​17045
• Normalize asPath for GS(S)P pages: #​17081
• Polyfill missing std lib fns for module browsers: #​17083
• Provide resolvedUrl to getServerSideProps: #​17082
• Fix API page check during SSG page collecting: #​17092
• Update webpack 5 resolving: #​17095
• Separate resolved asPath from resolved URL for GSSP: #​17121
• Fix export-cli progress label default value: #​17106
• Improve server performance by skipping decode/re-encode: #​17323
• Remove extra check in config loading: #​17336
• Expose dotenv loading under separate package: #​17152
• Fix empty title in head: #​17430
• Ensure optional-chaining/nullish coalescing is included: #​17429
• Remove left-over api-utils method: #​17595
• Add warning when exporting with custom routes: #​17538
• Normalize optional catch-all fallback: true page params: #​17551
• Update to use hasNextSupport for custom-routes in next export check: #​17630

Documentation Changes

• Add Fast Refresh Demo: #​16576
• Update dynamic-import docs: #​16803
• Update link docs to reflect changes on dynamic routing (#​16634)
• Add handling for redirects from getStaticProps/getServerSideProps (#​16642)
• Document CSS Grid Better: #​16996
• Improve Asset Prefix Docs: #​16998
• Update build time env variable link in the runtime config section: #​17017
• fix gtag syntax in measuring docs: #​16933
• docs(babelrc): precise usage without configuring plugins: #​16779
• Improve Document Component Error: #​17047
• Add missing comma in docs example: #​17129
• Adds note about public directory: #​17203
• Fix invalid href error message: #​17183
• Update trailingSlash parameter name: #​17228
• Update cdn-support-with-asset-prefix.md: #​17237
• Docs(api-middlewares): use typings for serialize options from @​types/cookie: #​17285
• Remove reference to now env example: #​17341
• Mention required version for global CSS imports in node_modules: #​17506
• Mention favicon.ico in static file serving docs.: #​17540
• Add note about priority to rewrites docs: #​17535
• [docs] Fix typo Next.js -> TypeScript: #​17561
• Add missing introductory exportPathMap purpose description: #​17444
• Add docs on how to migrate from Gatsby.: #​17491
• Update migrating from Gatsby docs.: #​17636
• change anonymous functions to named in docs examples: #​17510

Example Changes

• force persistor persist again after persistStore bootstrap done: #​16085
• Create _document.js to include current language in HTML tag: #​16360
• [Example] Fix relay network request: #​16525
• Minor spelling fix in zones example's readme: #​16822
• Update with-stitches example: #​16827
• Undo unrequired readme changes done to examples: #​16831
• chore(examples): fix missing document components error messages: #​16802
• Use useRouter over Router for with-google-analytics example: #​16846
• chore: update example names to match their folders: #​16268
• [EXAMPLE] with-cssed: #​16735
• update nextjs-auth0 versionfor auth0 example: #​16871
• Remove path specific switch statement from http2 example: #​16558
• Fix Three.js example's BoxesPage variable name: #​16900
• Fix extension name for example app (#​16916)
• Fix typo in Pet mongoose model: #​16943
• Ignore .next also in subfolders: #​16962
• Update with-slate example: #​16959
• Adding globalStyled with styled components: #​16783
• Updates "msw" package to version 0.21.0: #​17012
• Examples blogs: fix spelling: #​17049
• Include all files in Prettier: #​17050
• feat(examples/with-react-intl): add locale negotation to client side: #​16806
• Update PatternFly example to v4: #​17241
• Fix for missing babel dependencies in with-rebass example: #​16839
• [Example] With TS Eslint Jest - unnecessary package: #​17170
• [Example] with-react-intl: fix getInitialProps props ordering: #​17174
• [Example] with-react-intl: fix doubling messages: #​17175
• [Examples] Optimize with-docker: #​17116
• Add with-chakra-ui-typescript example: #​16561
• Delete vercel.json from "yarn workspaces" example: #​17263
• Add project name to examples/with-three-js create command: #​17256
• Example: with-next-auth updated to v3: #​17266
• fix(examples/with-redux-wrapper): wrong initial state (close #​17299): #​17335
• Update README.md: #​17347
• Fix a small typo in index.css: #​17399
• Fixed minor typo: #​17456
• with-google-analytics-amp needs in Document component: #​17462
• update README for vercel.app, stream.new: #​17539
• Improve formatting in examples: #​17571
• Fixes #​16431: #​17610
• fix typo: #​17653

Misc Changes

• Update to check for overlay in client nav tests: #​17002
• Update workflow to use latest webpack 5 beta
• fix(eslint-plugin-next): support src/pages folder in no-html-link-for-pages rule: #​16743
• Update no-document-viewport-meta.md
• Rename exportTrailingSlash to trailingSlash in docs: #​17268
• Remove duplicate should in test name: #​17303
• Remove Random Blank Line in create-next-app: #​17328
• Update release stats workflow: #​17533
• Update release stats workflow: #​17580
• test(create-next-app): increase coverage: #​17507
• Update release stats workflow step to restore cache: #​17656

Credits

Huge thanks to @​YichiZ, @​weichienhung, @​atcastle, @​ijjk, @​seosmmbusiness, @​HsuTing, @​gsimone, @​peduarte, @​Janpot, @​ztanner, @​lfades, @​neighborhood999, @​chibicode, @​merceyz, @​opudalo, @​lunchboxav, @​mohsen1, @​akd-io, @​justman00, @​helloworld, @​devknoll, @​borekb, @​HaNdTriX, @​ArthurMaverick, @​sakito21, @​TrySound, @​omBratteng, @​svenheden, @​hallaji, @​kettanaito, @​vvo, @​m-lautenbach, @​jensmeindertsma, @​Zeko369, @​Timer, @​longlho, @​stefanprobst, @​laugharn, @​sdornan, @​daneroo, @​mohd-akram, @​austingmhuang, @​sphilee, @​devinekadeni, @​Bacher, @​nghiepit, @​tomasdisk, @​leader22, @​paulogdm, @​284km, @​belgattitude, @​geritol, @​stigkj, @​sampoder, @​samrobbins85, @​Pitasi, @​digitalPlayer1125, @​timfee, @​plug-n-play, @​philihp, @​leerob, @​dylanjha, @​Kerumen, @​rdimaio, @​jorisw, @​zerbinidamata, @​jamesgeorge007, @​Jashnm, and @​futantan for helping!

v9.5.3

Compare Source

Core Changes

• Add codemod documentation: #​16067
• Remove tslint disables: #​16116
• Strongly type PageLoader: #​16132
• Strongly type Head Manager: #​16144
• Improve page loader types: #​16145
• Dedupe ComponentRes type: #​16148
• Remove unused router method: #​16149
• Add initial handling for dynamic route href resolving and rewrites on the client: #​15231
• Reduce router code: #​16159
• Convert performance relayer to TypeScript: #​16161
• Convert next/client to TypeScript: #​16167
• Remove unused dependency: #​16168
• Share NEXT_DATA type instead of recreating it: #​16174
• Modify low priority files in manifest: #​16181
• fix: add missing dependency caniuse-lite: #​16091
• Refactor files: #​16184
• Update rewrite params query appending: #​16189
• Update to Terser 5: #​16194
• Make css-minimizer compatible with webpack 5: #​16250
• Fix data URL with root-catchall and basePath: #​16263
• Handle cases where config is exported after its declaration: #​16211
• ci: add pnp test: #​16255
• Update stylesheets on page navigation: #​16126
• Fix forEach error in CSS commit in ie11: #​16282
• Allow React experimental version without warning: #​16140
• Add experimental webpack 5 cache option: #​16307
• Fix old TypeScript version compatibility: #​16288
• Replace broken prop-types-exact package: #​15953
• Force browser to recompute layout on page nav: #​16318
• Add <link> attributes in proper order: #​16319
• Add at attribute to image preload link: #​16328
• Fix IE11 CSS Compatibility: #​16336
• Make loadPage track success of script loading: #​16334
• Normalize request URL/asPath for fallback SSG pages: #​16352
• Reduce filesystem lookups during bootup: #​16354
• Fix basePath and public folder check ending routes early: #​16356
• Fix page checking failing with trailingSlash: #​16362
• Add serialization for mini-css-plugin webpack 5 caching: #​16379
• Correct comment on --help: #​16391
• Fix mini-css-plugin webpack 5 deprecation warnings: #​16390
• Add debug flag for extra build output: #​16399
• Warn on duplicate Sass deps: #​16398
• Ensure unknown static paths 404 for data request: #​16401
• AMP compatibility for Font optimization: #​16208
• Solve last mini-css-plugin webpack 5 warning: #​16447
• Fix optional catch-all /index revalidate params: #​16451
• Do not alias Node modules for webpack 4: #​16452
• Fix un-transpiled client file with rewrites: #​16453
• Make sure to break rewrites chain when dynamic route matches: #​16455
• Fix render cancel behavior: #​16462
• Add webpack 5 caching for css optimizer: #​16467
• Correct shallow routing behavior through history: #​16477
• Correct initial fallback route param values: #​16485
• Add webpack 5 cache invalidation: #​16494
• Add error when document component isn't rendered: #​16459
• Update Fast Refresh warning: #​16496
• Store css file dependencies info for dynamic imports and apply it at SSR: #​12843
• Enable webpack 5 caching by default: #​16531
• Reuse existing <link rel=stylesheet> on nav: #​16537
• Replace client-side transitions with <style> tags: #​16581
• Do not rely on cssText: #​16611
• remove unneeded error: #​16636
• fix: Promise.prototype.finally is object: #​16620
• Auto enable React's new JSX transform on 17.x: #​16603
• fix: Promise.prototype.finally is object: #​16620
• Export return type for GetStaticPaths: #​16580
• [test] Update hydration marker for React 17: #​16756
• Revert #​14580: #​16757

Documentation Changes

• Fix link to create-next-app docs: #​16069
• Mention header overriding behavior: #​16089
• Correct a couple of small grammar errors.: #​16221
• how to bundle-analyzer with next-compose-plugins: #​15370
• Update docs for server-side code in GS(S)P props: #​16198
• Fix typo in fast-refresh.md: #​16292
• Update build CLI docs with new flag: #​16419
• Add version note to path aliases docs: #​16479
• Document req and res: #​16432
• Documentation updates: #​16503
• Update fast-refresh.md to fix 404 link: #​16505
• Add Kontent example: #​16034
• Fix github docs links: #​16540
• Include yarn instructions: #​16565
• Add activeClassName to Link examples: #​16658
• Clarify sending to Google Analytics in reportWebVitals: #​16664
• Update preview mode docs to include API Routes: #​16705

Example Changes

• Fix: with-firebase-authentication event listener: #​16057
• update with-filbert-js: #​15968
• Add stripPrefix of webpack://_N_E/: #​15955
• Add with-reactstrap example: #​15474
• removed renderToHTML definition from with-flow example: #​16137
• removed renderToHTML from ssr-caching and custom-server-hapi in examples: #​16138
• examples: Add with-supabase-auth-realtime-db example.: #​16016
• Add MSW usage example: #​13731
• Update Storybook examples to v6.0: #​16139
• Added next-sitemap example: #​15997
• [Examples] Remove horizontal scroll in CMS examples : #​16295
• Add example: Unsplash integration: #​16142
• Remove experimental example: #​16497
• basePath should also append in urlPrefix: #​16376
• Update environment variables example: #​16536
• examples/with-styled-components: Fix missing peerDependency: #​16532
• feat: upgrade react-intl workflow in example: #​16215
• Update with-tailwindcss example: #​16370
• Add with-mdx-remote example: #​16613
• Update README.mb: #​16676
• Update with-typescript-graphql: #​16101
• Upgrade typescript to 4.0: #​16673
• [Example] fix with-firebase-hosting: #​16577
• Simplify example usage instructions: #​16678
• Ensure all examples are MIT licensed: #​16691
• Update _app.js to use a function component.: #​16683
• Add cross-env to ensure examples work on Windows 10: #​16694
• fix: fix hashing algo and locale value hydration: #​16692
• [EXAMPLE] with-framer-motion: fix broken images: #​16714

Misc Changes

• Add test case for preloading buildManifest: #​16183
• Test basic css module prefetching without compose: #​16134
• Fix module not found test
• CNA: Add warning about permission: #​14889
• Eslint preload: #​16199
• Update next-google-analytics to work with .env files: #​16529
• Increase font test timeout for Windows: #​16527
• Add tests for preview mode caching: #​16579
• Add missing gitignore files

Credits

Huge thanks to @​francisrod01, @​kuldeepkeshwar, @​tm1000, @​ijjk, @​khasty720, @​Timer, @​madiknox, @​thorwebdev, @​merceyz, @​kettanaito, @​rafaelalmeidatk, @​tuan-m-ng, @​cargallo, @​chicoxyzzy, @​kevva, @​iamvishnusankar, @​agarwalrounak, @​jamesmosier, @​louisjuliendo, @​timneutkens, @​todortotev, @​atcastle, @​matamatanot, @​sclm, @​prateekbh, @​janicklas-ralph, @​crashncrow, @​sharils, @​lfades, @​weichienhung, @​khades, @​christianpv, @​Simply007, @​simnalamburt, @​jaredpalmer, @​longlho, @​needcaffeine, @​rparet, @​Janpot, @​samrobbins85, @​daneden, @​NorbertLuszkiewicz, @​piglovesyou, @​awareness481, @​sakito21, @​balazsorban44, @​tengmaoqing, @​pkrawc, @​arthurjdam, and @​joris for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.