chore(deps): update dependency next to 12.1.0 [security] - abandoned #486
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
10.0.0
->12.1.0
GitHub Vulnerability Alerts
CVE-2021-39178
Impact
next.config.js
file hasimages.domains
array assignedimages.domains
allows user-provided SVGnext.config.js
file hasimages.loader
assigned to something other than defaultPatches
Next.js v11.1.1
CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the
next.config.js
file must have animages.domains
array assigned and the image host assigned inimages.domains
must allow user-provided SVG. If thenext.config.js
file hasimages.loader
assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, changenext.config.js
to use a differentloader configuration
other than the default.Impact
next.config.js
file has images.domains array assignednext.config.js
file has images.loader assigned to something other than defaultPatches
Next.js 12.1.0
Workarounds
Change
next.config.js
to use a different loader configuration other than the default, for example:Or if you want to use the
loader
prop on the component, you can usecustom
:CVE-2021-43803
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package
next
hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when
pages/_error.js
was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.Impact
10.0.5
and10.2.0
11.0.0
and11.0.1
usingpages/_error.js
withoutgetInitialProps
11.0.0
and11.0.1
usingpages/_error.js
andnext export
pages/404.js
next
npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
Patches
https://github.com/vercel/next.js/releases/tag/v11.1.0
Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.