-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update dependency next [security] #5538
base: next
Are you sure you want to change the base?
Conversation
✅ Deploy Preview for dev-web-novu canceled.
|
✅ Deploy Preview for novu-design canceled.
|
d73e6e0
to
f802390
Compare
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Your PR title is: Details: Unknown scope "deps" found in pull request title "fix(deps): update dependency next [security]". Scope must match one of: root, api, dashboard, inbound-mail, web, webhook, widget, worker, ws, ee-auth, ee-billing, ee-dal, ee-shared-services, ee-translation, application-generic, automation, dal, design-system, embed, novui, testing, novu, client, framework, headless, js, nest, node, notification-center, providers, react, shared, stateless, nextjs. |
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Your PR title is: Details:
|
f802390
to
a4d3d18
Compare
a4d3d18
to
57da0f1
Compare
57da0f1
to
87957af
Compare
87957af
to
ff4ca94
Compare
dc6f1aa
to
403e637
Compare
403e637
to
440e72f
Compare
440e72f
to
504b1c1
Compare
7c2bba1
to
24f36bb
Compare
24f36bb
to
a5004f2
Compare
a5004f2
to
0fd4709
Compare
0fd4709
to
18874c6
Compare
18874c6
to
04c8a60
Compare
04c8a60
to
f430ed6
Compare
f430ed6
to
fade8b7
Compare
This PR contains the following updates:
14.2.4
->14.2.10
^13.5.4
->^14.0.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-34351
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the
Host
header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.Prerequisites
<14.1.1
) is running in a self-hosted* manner./
.* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js
14.1.1
.Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js
14.1.1
.Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote
Shubham Shah - Assetnote
CVE-2024-46982
Impact
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a
Cache-Control: s-maxage=1, stale-while-revalidate
header which some upstream CDNs may cache as well.To be potentially affected all of the following must apply:
pages/dashboard.tsx
notpages/blog/[slug].tsx
The below configurations are unaffected:
Patches
This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.
Workarounds
There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.
Credits
Release Notes
vercel/next.js (next)
v14.2.10
Compare Source
v14.2.9
Compare Source
v14.2.8
Compare Source
v14.2.7
Compare Source
v14.2.6
Compare Source
v14.2.5
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.