fix(deps): update dependency next to v12.0.9 [security] #2772

Merged
merged 1 commit into from
Jan 29, 2022

renovate[bot]
Contributor

@renovate renovate bot commented Jan 29, 2022

WhiteSource Renovate

This PR contains the following updates:

Package: next (source)
Change: 12.0.7 -> 12.0.9

GitHub Vulnerability Alerts

CVE-2022-21721

Impact

Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.

  • Affected: All of the following must be true to be affected by this CVE
    • Next.js versions above v12.0.0
    • Using next start or a custom server
    • Using the built-in i18n support
  • Not affected:
    • Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

Patches

A patch has been released, next@12.0.9, that mitigates this issue. We recommend all affected users upgrade as soon as possible.

Workarounds

We recommend upgrading whether you can reproduce or not, although you can ensure /${locale}/_next/ is blocked from reaching the Next.js instance until you upgrade.

For more information

If you have any questions or comments about this advisory:


Release Notes

vercel/next.js

v12.0.9


This upgrade is completely backward-compatible and recommended for all users on versions below 12.0.9.

Vulnerable code could allow a bad actor to trigger a denial of service attack via the /${locale}/_next/ route for anyone running a Next.js app at version >= 12.0.0, and using built-in i18n routing functionality.

How to Upgrade

  • We have released patch versions for both the stable and canary channels of Next.js.
  • To upgrade run npm install next@latest --save

Impact

  • Affected: All of the following must be true to be affected by this CVE
    • Next.js versions between v12.0.0 and v12.0.9
    • Using next start or a custom server
    • Using the built-in i18n support
  • Not affected:
    • Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

We recommend that everyone upgrade, regardless of whether you can reproduce the issue or not.

How to Assess Impact

If your server has seen requests to any route under the prefix /${locale}/_next/ that have triggered a heap overflow error, this was caused by the patched issue.

What is Being Done

As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to our users for their investigation and responsible disclosure of the original bug.

We've landed a patch that ensures this is handled properly so the requested route no longer crashes and triggers a heap overflow.

Regression tests for this attack were added to the i18n integration test suite.

  • A public CVE was released.
  • We encourage responsible disclosure of future reports. Please email us at security@vercel.com. We are actively monitoring this mailbox.
Core Changes
  • middlewares: limit process.env to inferred usage: #​33186
  • update webpack: #​33207
  • Abstract out native filesystem usage from the base server: #​33226
  • use text data url instead of base64 for shorter encoding: #​33218
  • chore(deps): upgrade postcss: #​33142
  • Fix global process testing for the process polyfill: #​33220
  • Update swc: #​33201
  • improve full refresh overlay: #​33301
  • Custom app for server components: #​33149
  • Update yarn PnP tests and disable swc file reading for PnP: #​33236
  • Base Http for BaseServer: #​32999
  • Update swc: #​33342
  • Update check for fallback pages during export: #​33323
  • Pre-compile more dependencies: #​32742
  • Remove node fetch polyfill from base server: #​33395
  • Replace regexp to plain string for optimization render HTML: #​33306
  • Fix broken html on streaming render for error page: #​33399
  • Disable cache for rsc pages: #​33438
  • Fix pre-compiled check from copying react-refresh-utils: #​33442
  • fix(next-swc): Update swc: #​33427
  • Move middleware handling to node server: #​33448
  • Enforce absolute URLs in Edge Functions runtime: #​33410
  • feat(next-swc): Update swc: #​33461
  • Update main field for nccd jest-worker: #​33465
  • chore(deps): upgrade node-fetch: #​33466
  • Move static serving to next server: #​33475
  • feat(next-swc): Update swc: #​33485
  • Fix multiple calls to image onLoadingComplete(): #​33474
  • Refactor base server to remove native dependencies: #​33499
  • Update swc: #​33514
  • Implement abstract methods to get manifest files in the base server: #​33537
  • Simplify getMiddlewareInfo calls: #​33542
  • Fix static file check with i18n: #​33503
  • Bump styled-jsx: #​33546
  • Ensure optional value normalizing is correct for index: #​33547
  • Bump nft to 0.17.4: #​33548
  • Add next-multilingual example: #​29386
  • Removed the s from NextConfig: #​33560
  • feat(next-swc): Update swc: #​33595
  • Fix rsc export component name detection: #​33608
  • upgrade webpack: #​33549
  • Ensure fetch polyfill is loaded in next-server: #​33616
  • feat(next-swc): Update swc: #​33628
  • Add lazyRoot optional property to next/image component : #​33290
  • feat(next-swc): Update swc: #​33675
  • Implement web server as the request handler for edge SSR: #​33635
  • Relay Support in Rust Compiler: #​33240
  • Revert "Relay Support in Rust Compiler": #​33699
Documentation Changes
  • Fixed broken link related to the recently merged Data fetching docs refactor: #​33209
  • Removed backticks on data fetching api titles: #​33216
  • Added links to data fetching api refs, fixed title: #​33221
  • Remove outdated & possibly confusing statement about redirects: #​33224
  • [examples] Add a statically generated blog example using Next.js and Builder.io: #​22094
  • Typo Fix: #​33252
  • Update font-optimization.md: #​33266
  • Fixed broken links in data fetching docs: #​33250
  • docs: Mention middleware for getStaticProps: #​33273
  • Add sections for Remove React Properties and Remove Console to compiler docs: #​33311
  • Update links in next export + next/image error message: #​33317
  • Add onLoad gottcha note to next/script docs: #​33097
  • Update security-headers.md: fix path does not match homepage: #​33137
  • fix minor typo in SWR: #​33378
  • ReferenceError in authentication.md example fixed: #​33411
  • docs: fix url: #​33409
  • fix(docs): Fix typo in Custom Build Id docs: #​33515
  • [docs] Update authentication docs to fix iron-session link.: #​33483
  • docs(authentication): fix iron-session example link: #​33502
  • Update middleware documentation for custom server: #​33535
  • Removed unrequired path in docs' manifest: #​33579
  • Update next/server documentation for geo: #​33609
  • Clarify next/image usage with next export based on feedback.: #​33555
  • Clarify headers config option description: #​33484
  • fix(errors/no-cache): netlify-plugin-cache-nextjs has been deprecated: #​33629
  • Updated docs for getServerSideProps and getStaticProps return values: #​33577
  • Use relative path for example: #​33565
  • chore(docs): update security headers specification: #​33673
  • REMOVE: duplicate key in docs/testing.md: #​33681
Example Changes
  • [examples] Update remark dependency for blog-starter: #​33313
  • Update package.json for examples/with-supabase-auth-realtime-db: #​33321
  • Working example for building forms with Next.js: #​32669
  • Updates dependency version of frontend SDK in with-supertokens example: #​33393
  • docs: add skynexui to examples: #​33326
  • Update with-linaria dependency: #​33487
  • Update Supabase example README.: #​33610
  • [examples] Add new Tailwind CSS Prettier plugin to example: #​33614
Misc Changes
  • Update license year
  • fix(docs): master branch renaming: #​33312
  • Add link to security email directly.: #​33358
  • Fix getServerSideProps hanging in dev on early end: #​33366
  • [docs] Fix 404 link for testing example.: #​33407
  • Update to latest version of turbo: #​33613
  • Update other instances of node-fetch: #​33617
Credits

Huge thanks to @​molebox, @​Schniz, @​sokra, @​kachkaev, @​shuding, @​teleaziz, @​OgbeniHMMD, @​goncy, @​balazsorban44, @​MaedahBatool, @​bennettdams, @​kdy1, @​huozhi, @​hsynlms, @​styfle, @​ijjk, @​callumgare, @​jonrosner, @​karaggeorge, @​rpie3, @​MartijnHols, @​leerob, @​bashunaimiroy, @​NOCELL, @​rishabhpoddar, @​omariosouto, @​hanneslund, @​theMosaad, @​javivelasco, @​pierrenel, @​lobsterkatie, @​tharakabimal, @​vvo, @​saevarb, @​lfades, @​nbouvrette, @​paulnbrd, @​ecklf, @​11koukou, @​renbaoshuo, @​chozzz, @​tbezman, @​karlhorky, @​j-mendez, and @​ffan0811 for helping!

v12.0.8


Core Changes
  • Fix no-server-import-in-page eslint rule for subfolder middleware: #​32139
  • Create Base Server: #​32154
  • Revert support for render prop in <Main />: #​32184
  • Refactor FS references in the Base Server: #​32179
  • telemetry: collect feature usage for linting during build: #​32022
  • Chore/load bindings improvements: #​32191
  • fix(NODE_ENV): Warn when launching start or build on development: #​14033
  • Fix crash in no-page-custom-font eslint rule when default export is unnamed.: #​32251
  • Add docs for leveraging outputStandalone config: #​32255
  • Replace raw-body with get-stream and bytes: #​21915
  • Update to latest ncc and ensure caniuse-lite data is external : #​32064
  • Update swc: #​32210
  • Simplify custom Writable: #​32247
  • Add shake exports transform to next-swc: #​32253
  • Revert "Replace raw-body with get-stream and bytes": #​32305
  • Re-open chore(deps): upgrade browserslist: #​32300
  • Fix RSC link navigation: #​32303
  • Compile escape-string-regexp: #​32310
  • Add unstable_useRefreshRoot: #​32342
  • Upate swc: #​32365
  • fix unstable_useRefreshRoot typing: #​32364
  • fix(next-swc/styled-jsx): Fix nth: #​32358
  • Rename experimental vital hook: #​32343
  • Inline server data response with partial hydration: #​32330
  • Update jsx transform of swc: #​32383
  • Fix running server with Polyfilled fetch: #​32368
  • Fix dynamic routes with pages under index folder: #​32440
  • Fixes #​32338 missing Document components trigger an error for production builds: #​32345
  • Fixes for inline embedding data in the web runtime: #​32471
  • Add vitals and rsc to npm files: #​32472
  • fixes to allow lazy compilation for import(): #​32441
  • upgrade webpack and watchpack: #​32173
  • Update to filter loader specific files from traces: #​32267
  • Fix server data cache key: #​32506
  • [middleware] Fix hydration for rewrites to dynamic pages: #​32534
  • Ensure image-optimizer is traced for standalone mode: #​32522
  • Remove unused classnames dependency from react-dev-overlay: #​32487
  • next-swc: Emit errors and add tests to next-ssg: #​32254
  • Include message body in redirect responses: #​31886
  • Prevent NEXT_PHASE env change in workers: #​28941
  • Check stack property for page export exceptions: #​32289
  • fix(next-swc/styled-jsx): Fix interpolation in media query: #​32490
  • Update swc: #​32566
  • Add turbo / improve Rust build caching in GitHub Actions: #​31464
  • Fix ReadableStream.pipeTo() being unimplemented in the web runtime: #​32602
  • Ensure AMP optimizer is only excluded from trace when not used: #​32577
  • Upgraded next-env dependencies: #​32613
  • Feat/14701 full reload notification: #​28866
  • Move fs API for inc cache to node server: #​32604
  • Add options to defaultGetInitialProps and upgrade styled-jsx-with-csp example: #​32594
  • Fix style.filter on image with placeholder=blur: #​32623
  • Fix writing strings to the writable stream writer: #​32637
  • fix(next/jest): do not watch .next folder: #​32659
  • chore: Update swc: #​32664
  • Pre-compile more dependencies: #​32627
  • Upgrade react 18 to rc, drop prerelease warning: #​32619
  • next-swc: styled-jsx error checking and reporting updated (invalid-styled-jsx-children.md): #​31940
  • Fix style reset on image with placeholder=blur: #​32680
  • Pre-compile more dependencies continued: #​32679
  • web runtime: add AbortController & AbortSignal: #​32089
  • Don't swallow test failures caused by POSIX signals: #​32688
  • Escape from next head in rsc _error page: #​32624
  • fix popstate detection for safari when basepath is present: #​32687
  • Bust cache for RSC in each render: #​32710
  • Update web runtime externals: #​32717
  • Reduce styled-jsx size in client bundle: #​32730
  • Bump nft to version 0.17.1: #​32737
  • Remove anonymous default export rule from Babel: #​32763
  • feat(eslint): allow a for internal url when target="blank" present: #​32780
  • fix(eslint-plugin-next): Broken links in eslint output: #​32837
  • [ESLint] Adds lint rule to flag usage of <head>: #​32897
  • ignore .d.ts files inside pages folder: #​30728
  • Fix next/image noscript tag to only render when lazy: #​32918
  • Simplify trace span id generation: #​32946
  • Move resolve-url-loader into Next.js: #​32932
  • fix(router): scroll to top when href="/" and hash already present: #​32954
  • Remove un-needed test dependency: #​32616
  • Fix issue with escape-string-regexp in IE11: #​32708
  • Allow to opt-out from preflight cache: #​32767
  • Ensure setImmediate and punycode are polyfilled: #​32768
  • Fixes issue with makeStylesheetInert: #​32027
  • Reduce install size for linux glibc/musl: #​32850
  • Ensure middleware is output in standalone mode: #​32967
  • Revert "Reduce install size for linux glibc/musl": #​32973
  • feat(cli): introduce next info CLI command: #​32972
  • Ensure NODE_ENV is not inlined for next/jest: #​33032
  • converted the old tailwind css example to typescript : #​32808
  • fix: ensure revalidation error is logged from response-cache: #​32657
  • Bump @vercel/nft to 0.17.2: #​33048
  • Add util for generating new tests/error documents: #​33001
  • Fix middleware at root in standalone mode: #​33053
  • Update swc: #​33063
  • use a separate webpack runtime for middleware: #​33134
  • Allow dependencies to use environment variables in middlewares: #​33141
  • next-swc: fix ssg code elimination when used in render: #​32709
  • drop dynamic import with ssr: false on server-side: #​32606
  • Fix broken yarn pnp: #​32867
  • Add util for normalizing errors: #​33159
Documentation Changes
  • Fixed Yarn and NPM dev swapped arguments: #​32135
  • Removed misleading id's from headings: #​32163
  • Details about starting dev server Next.js docs.: #​32002
  • Add Umbraco Heartcore blog example: #​21409
  • Fix error page doc for no server import in page: #​32164
  • Document staticPageGenerationTimeout config: #​32306
  • Change using-preact example dependencies and docs: #​30394
  • Updated link to Local Images: #​32427
  • docs: remove empty example link: #​32439
  • Update react version to rc in react-18 doc: #​32473
  • doc: update remark import: #​32481
  • Include mention of the onError Prop for next/script: #​31945
  • Document basePath redirect field for getStaticProps/getServerSideProps: #​32550
  • Fix typo in documentation: #​32581
  • Add moduleDirectories for TS Jest Config: #​32574
  • Added section about router methods returning a promise: #​31341
  • Added example for setting cookie before redirect in middleware: #​32542
  • chore: convert Jest examples to TypeScript: #​32705
  • Update note about .next/static in standalone mode: #​32771
  • Fixed syntax error in the example of React Hydration Error: #​32773
  • fix: typo: #​32820
  • Update the React 18 documentation: #​32896
  • doc: add quotes to api: #​32898
  • Update lint-staged example to use node.js path: #​30510
  • Update scrolling example using query param instead of hash: #​31473
  • Updated wrong link to example of gtag init in measuring-performance.md: #​32974
  • Update deployment documentation.: #​32006
  • Fix link for Next.js Analytics in docs: #​33049
  • docs: fix typo in MDX docs: #​33077
  • docs: minor text-copy cleanup: #​33120
  • No info on environment variables in the src folder (#​33110): #​33136
  • Add Caveats section to custom error page: #​33160
  • Fixes #​33153: Updating cross-references from master to main + canary: #​33198
  • Docs: correct ignorance pattern for .env.local: #​32647
  • Refactor data fetching API docs: #​30615
Example Changes
  • fix cms-sanity example: #​32182
  • Fix issue in auth0 example: #​32293
  • Update Next.js version in api rate limits example: #​32326
  • Update example for Tailwind v3: #​32339
  • chore: remove duplicate example: #​32391
  • Updated to working example: #​32256
  • Update Dockerfile: #​32299
  • Update docker image to leverage output traces: #​32258
  • chore(blog-starter): update tailwindcss to v3: #​32398
  • fix: setup prismic image host: #​31589
  • fix: add .web.jsx extension support in react-native-web example: #​32076
  • Update 14-alpine to 16-alpine: #​31777
  • chore(blog-starter-typescript): update tailwindcss to v3: #​32579
  • Typo fix in comments: #​32609
  • This example does not show how to use Jest with TypeScript: #​32633
  • Updates with-supertokens example: Fixes init race condition: #​32706
  • Add authentication example using Stytch: #​32194
  • Update Sentry example readme to mention Next.js 12 support: #​32724
  • fix(examples): Update nextjs-graphql-with-prisma-simple example API endpoint: #​32759
  • chore(examples): remove duplicate examples: #​32779
  • fix(examples): bring with-semantic-ui example up-to-date: #​32805
  • fix(examples): update link URL in cms-kontent example: #​32806
  • Add id to inline Segment script: #​32878
  • Remove un-necessary second yarn install from example Dockerfile: #​32934
  • fix(examples): add missing dependencies: #​32977
  • Rename api in with-redis example: #​33016
  • fix(examples/cms-contentful): add correct Content-Type + missing closing tag for html: #​30321
  • Avoid page double render with emotion vanilla: #​30541
  • fix: typescript example supporting strict w/ version >= 4.4: #​33042
  • [chore] Update deta version in examples: #​30204
  • (examples/with-next-translate) Removed Redundancies in Strings: #​29501
  • Remove extra config from tailwind example: #​33062
  • Adding Asset Component for Rich Text Renderer: #​32503
Misc Changes
  • chore: auto close inactive issues without reproduction: #​32214
  • Ensure wasm dev artifact uploads even on cache hit: #​32248
  • Ensure test wasm does not fail for docs only change: #​32259
  • chore: lock version on stale action: #​32262
  • Fix styled-jsx tests from swc bump: #​32297
  • Update AMP validation tests: #​32327
  • Update only fetch all tags for publish commits: #​32337
  • Fix flakey next/link react streaming test: #​32351
  • test: add wait timeout between clicks for rsc link: #​32376
  • test: add timeout for dev entries to avoid hard navigation: #​32476
  • chore: lock stale & closed issues sooner
  • Added docs issue template: #​32488
  • Ensure experimental SWC options invalidate the cache: #​32540
  • Edited contribution docs: #​32583
  • Update contributing guidelines for examples: #​32584
  • Remove unused turbo env vars: #​32588
  • Move some img tests out of serverless mode: #​32620
  • Disable turbo for build-native temporarily: #​32621
  • Add test case for middleware rewrite to fallback: true page: #​32626
  • Ensure device IP is used for safari browserstack test: #​32712
  • fix: run prettier on with-jest and with-jest-babel examples
  • Update readme.md of next-mdx to allow typescript file extensions for pages: #​32830
  • chore: decrease stale time before closing issues with no reproduction: #​32955
  • Re-enable turbo caching for swc build jobs: #​32617
  • fix(ci): Remove unused turbo remote cache env vars: #​33030
  • Update next.config.js: #​33091
Credits

Huge thanks to @​arthurfiorette, @​thibautsabot, @​shuding, @​chimit, @​joperron, @​devknoll, @​MaedahBatool, @​kyliau, @​padmaia, @​moh12594, @​rasmusjp, @​balazsorban44, @​molebox, @​bryanrsmith, @​TrySound, @​josharsh, @​kdy1, @​styfle, @​huozhi, @​delbaoliveira, @​PizzaPete, @​thecrypticace, @​arturparkhisenko, @​segheysens, @​thevinter, @​AryanBeezadhur, @​xiaohp, @​tknickman, @​javivelasco, @​oriolcp, @​sokra, @​smakosh, @​ijjk, @​jorrit, @​timneutkens, @​hanneslund, @​mix3d, @​Clecio013, @​michielvangendt, @​intergalacticspacehighway, @​jbraithwaite, @​marcelocarmona, @​benmerckx, @​haykerman, @​steven-tey, @​jaredpalmer, @​pi-guy-in-the-sky, @​JuanM04, @​apollisa, @​D-Pagey, @​jameshfisher, @​rishabhpoddar, @​Kikobeats, @​ramosbugs, @​dan-weaver, @​chris-stytch, @​MikevPeeren, @​janpio, @​emw3, @​nubpro, @​cmdcolin, @​joostdecock, @​sgallese, @​housseindjirdeh, @​minervabot, @​cjboco, @​Ryuurock, @​dm430, @​mkarkachov, @​nvh95, @​gfortaine, @​kumard3, @​zifeo, @​vicente-s, @​Rohithgilla12, @​brookton, @​leerob, @​skirsten, @​davidfateh, @​DavidBabel, @​mannybecerra, @​Schniz, @​glenngijsberts, @​pveyes, @​kaykdm, and @​xhiroga for helping!


Configuration

📅 Schedule: "" in timezone America/Toronto.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.
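The advisory quoted above gives two defensive steps for CVE-2022-21721: the "Workarounds" section says to keep /${locale}/_next/ requests from reaching an unpatched Next.js instance (for those running next start or a custom server), and "How to Assess Impact" says to look for requests under that prefix that coincided with a heap overflow error. The following is an added example that is not part of this PR, of Renovate, or of the Next.js project. It assumes a locale list (`LOCALES`), a simple constructed log line format, a placeholder `handler` standing in for whatever normally serves requests, and a 404 response for rejected paths; none of these come from the page.

```javascript
// Added example (not from the PR or Next.js): a request guard that rejects
// /${locale}/_next/ paths before they reach Next.js, and a log check that
// finds such requests that coincided with a heap error, as the advisory
// describes. Locale list, log format and log lines are constructed here.

const LOCALES = ["en", "fr", "de"]; // assumed i18n locale configuration

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Matcher for the /${locale}/_next/ prefix named in the advisory.
// Case-insensitive, so "/FR/_next/" is caught as well as "/fr/_next/".
function buildLocaleNextMatcher(locales) {
  const alternatives = locales.map(escapeRegExp).join("|");
  return new RegExp(`^/(?:${alternatives})/_next/`, "i");
}

// Classify a request path as "locale-next" (matches the vulnerable prefix),
// "malformed" (percent-encoding that cannot be decoded) or "other".
// Matching is done on the decoded path so encoded variants of the prefix
// (e.g. %5Fnext for _next) are treated like the plain form. That is a choice
// made in this example, not a statement about how Next.js itself routes.
function classifyPath(pathname, locales = LOCALES) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (e) {
    return "malformed";
  }
  return buildLocaleNextMatcher(locales).test(decoded) ? "locale-next" : "other";
}

// Guard for a custom server: decide before the request is handed on.
// `handler` stands for the normal request handler (for a Next.js custom
// server that would be the function returned by app.getRequestHandler()).
// Rejected requests get a plain 404 here; the status code is this example's choice.
function createGuard(locales, handler) {
  return function guard(req, res) {
    const pathname = new URL(req.url, "http://localhost").pathname;
    const kind = classifyPath(pathname, locales);
    if (kind !== "other") {
      res.statusCode = 404;
      res.setHeader("Content-Type", "text/plain");
      res.end("Not Found");
      return "blocked";
    }
    handler(req, res);
    return "passed";
  };
}

// Constructed log lines in a simple "<time> <method> <path> <status> [\"<error>\"]"
// format. Real servers log differently; adapt parseLogLine to your format.
const SAMPLE_LOG = [
  "2022-01-20T10:00:01Z GET /_next/static/chunks/main.js 200",
  "2022-01-20T10:00:02Z GET /fr/about 200",
  '2022-01-20T10:00:03Z GET /fr/_next/static/chunks/main.js 500 "FATAL ERROR: JavaScript heap out of memory"',
  "2022-01-20T10:00:04Z GET /en/_next/data/build/index.json 200",
  '2022-01-20T10:00:05Z GET /de/%5Fnext/ 500 "FATAL ERROR: JavaScript heap out of memory"',
];

function parseLogLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\d{3})(?: "(.*)")?$/);
  if (!m) return null;
  return { time: m[1], method: m[2], path: m[3], status: Number(m[4]), error: m[5] || "" };
}

// Return every logged request under the vulnerable prefix. Entries flagged
// heapError are the ones the advisory says indicate the patched issue.
function assessImpact(lines, locales = LOCALES) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const pathOnly = entry.path.split("?")[0];
    if (classifyPath(pathOnly, locales) !== "locale-next") continue;
    hits.push({ ...entry, heapError: /heap/i.test(entry.error) });
  }
  return hits;
}

console.log(assessImpact(SAMPLE_LOG));
```

Plugging `createGuard` in front of the real handler is enough to apply the workaround on a custom server; `assessImpact` is meant to be run over your own access or error logs once `parseLogLine` matches their format.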

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 29, 2022
@menghif menghif merged commit 7924935 into master Jan 29, 2022
@menghif menghif deleted the renovate/npm-next-vulnerability branch January 29, 2022 02:02