-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update npm package next
to v14 [SECURITY]
#5037
Draft
hash-worker
wants to merge
1
commit into
main
Choose a base branch
from
deps/js/npm-next-vulnerability
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
+192
−64
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hashdotai
previously approved these changes
Sep 10, 2024
github-actions
bot
added
area/deps
Relates to third-party dependencies (area)
area/apps > hash*
Affects HASH (a `hash-*` app)
area/apps > hash.dev
Affects the `hash.dev` developer site (app)
area/libs
Relates to first-party libraries/crates/packages (area)
type/eng > frontend
Owned by the @frontend team
type/eng > backend
Owned by the @backend team
area/apps
labels
Sep 10, 2024
auto-merge was automatically disabled
September 10, 2024 07:33
Pull request was converted to draft
hash-worker
bot
force-pushed
the
deps/js/npm-next-vulnerability
branch
from
September 14, 2024 15:16
ca6e3ab
to
9efc988
Compare
hashdotai
previously approved these changes
Sep 14, 2024
hash-worker
bot
force-pushed
the
deps/js/npm-next-vulnerability
branch
from
September 28, 2024 06:44
9efc988
to
5af455f
Compare
hashdotai
previously approved these changes
Sep 28, 2024
hash-worker
bot
force-pushed
the
deps/js/npm-next-vulnerability
branch
from
September 29, 2024 21:16
5af455f
to
e8ce774
Compare
hashdotai
previously approved these changes
Oct 12, 2024
hash-worker
bot
force-pushed
the
deps/js/npm-next-vulnerability
branch
from
October 19, 2024 07:10
063f247
to
ab72805
Compare
hashdotai
previously approved these changes
Oct 19, 2024
hash-worker
bot
force-pushed
the
deps/js/npm-next-vulnerability
branch
from
October 30, 2024 23:39
ab72805
to
6a45069
Compare
hashdotai
previously approved these changes
Oct 30, 2024
hash-worker
bot
force-pushed
the
deps/js/npm-next-vulnerability
branch
from
November 28, 2024 14:09
6a45069
to
1ab30af
Compare
hashdotai
previously approved these changes
Nov 28, 2024
hash-worker
bot
force-pushed
the
deps/js/npm-next-vulnerability
branch
from
November 29, 2024 19:37
1ab30af
to
27a469e
Compare
hashdotai
approved these changes
Nov 29, 2024
Benchmark results
|
Function | Value | Mean | Flame graphs |
---|---|---|---|
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/block/v/1
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/playlist/v/1
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/organization/v/1
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/page/v/2
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/person/v/1
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/book/v/1
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/song/v/1
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/building/v/1
|
Flame Graph | |
entity_by_id | entity type ID: https://blockprotocol.org/@alice/types/entity-type/uk-address/v/1
|
Flame Graph |
representative_read_multiple_entities
Function | Value | Mean | Flame graphs |
---|---|---|---|
entity_by_property | depths: DT=255, PT=255, ET=255, E=255 | Flame Graph | |
entity_by_property | depths: DT=0, PT=0, ET=0, E=0 | Flame Graph | |
entity_by_property | depths: DT=2, PT=2, ET=2, E=2 | Flame Graph | |
entity_by_property | depths: DT=0, PT=0, ET=0, E=2 | Flame Graph | |
entity_by_property | depths: DT=0, PT=0, ET=2, E=2 | Flame Graph | |
entity_by_property | depths: DT=0, PT=2, ET=2, E=2 | Flame Graph | |
link_by_source_by_property | depths: DT=255, PT=255, ET=255, E=255 | Flame Graph | |
link_by_source_by_property | depths: DT=0, PT=0, ET=0, E=0 | Flame Graph | |
link_by_source_by_property | depths: DT=2, PT=2, ET=2, E=2 | Flame Graph | |
link_by_source_by_property | depths: DT=0, PT=0, ET=0, E=2 | Flame Graph | |
link_by_source_by_property | depths: DT=0, PT=0, ET=2, E=2 | Flame Graph | |
link_by_source_by_property | depths: DT=0, PT=2, ET=2, E=2 | Flame Graph |
representative_read_entity_type
Function | Value | Mean | Flame graphs |
---|---|---|---|
get_entity_type_by_id | Account ID: d4e16033-c281-4cde-aa35-9085bf2e7579
|
Flame Graph |
scaling_read_entity_complete_one_depth
Function | Value | Mean | Flame graphs |
---|---|---|---|
entity_by_id | 50 entities | Flame Graph | |
entity_by_id | 5 entities | Flame Graph | |
entity_by_id | 1 entities | Flame Graph | |
entity_by_id | 10 entities | Flame Graph | |
entity_by_id | 25 entities | Flame Graph |
scaling_read_entity_linkless
Function | Value | Mean | Flame graphs |
---|---|---|---|
entity_by_id | 1 entities | Flame Graph | |
entity_by_id | 100 entities | Flame Graph | |
entity_by_id | 10 entities | Flame Graph | |
entity_by_id | 1000 entities | Flame Graph | |
entity_by_id | 10000 entities | Flame Graph |
scaling_read_entity_complete_zero_depth
Function | Value | Mean | Flame graphs |
---|---|---|---|
entity_by_id | 50 entities | Flame Graph | |
entity_by_id | 5 entities | Flame Graph | |
entity_by_id | 1 entities | Flame Graph | |
entity_by_id | 10 entities | Flame Graph | |
entity_by_id | 25 entities | Flame Graph |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/apps > hash.dev
Affects the `hash.dev` developer site (app)
area/apps > hash*
Affects HASH (a `hash-*` app)
area/apps
area/deps
Relates to third-party dependencies (area)
area/libs
Relates to first-party libraries/crates/packages (area)
type/eng > backend
Owned by the @backend team
type/eng > frontend
Owned by the @frontend team
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
13.5.5
->14.1.1
13.5.5
->14.2.7
GitHub Vulnerability Alerts
CVE-2024-34351
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the
Host
header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.Prerequisites
<14.1.1
) is running in a self-hosted* manner./
.* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js
14.1.1
.Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js
14.1.1
.Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote
Shubham Shah - Assetnote
CVE-2024-46982
Impact
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a
Cache-Control: s-maxage=1, stale-while-revalidate
header which some upstream CDNs may cache as well.To be potentially affected all of the following must apply:
pages/dashboard.tsx
notpages/blog/[slug].tsx
The below configurations are unaffected:
Patches
This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.
Workarounds
There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.
Credits
CVE-2024-47831
Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
next.config.js
file is configured withimages.unoptimized
set totrue
orimages.loader
set to a non-default value.Patches
This issue was fully patched in Next.js
14.2.7
. We recommend that users upgrade to at least this version.Workarounds
Ensure that the
next.config.js
file has eitherimages.unoptimized
,images.loader
orimages.loaderFile
assigned.Credits
Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras
Release Notes
vercel/next.js (next)
v14.1.1
Compare Source
Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary
Core Changes
Credits
Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!
v14.1.0
Compare Source
Core Changes
swc_core
tov0.86.98
and turbopack: #59393optimize_server_react
transform: #59390default
handling in route groups that handle interception: #59752auto-cjs
pass: #60118@vercel/[email protected]
: #60172<Script>
withbeforeInteractive
strategy ignores additional attributes in App Router: #59779auto-cjs
pass: #60216generateStaticParams
withoutput:export
: #57053node-web-audio-api
to server-external-packages.json: #60243next dev --experimental-https
: #603570cdfef1
tof1039be
: #60368watchpack
to the precompile: #60309chalk
: #60317updatedModules
for App Router and Turbopack changes: #59785RootLayout
with parallel routes: #60401unstable_cache
implementation: #60403experimental.missingSuspenseWithCSRBailout
flag: #57642experimental.missingSuspenseWithCSRBailout
flag": #60508f1039be
to60a927d
: #60619experimental.missingSuspenseWithCSRBailout
flag" (#60508): #60751unstable_getImgProps()
=>getImageProps()
: #60739normalize-catchall-routes
test case: #60777next/headers
: #60817browserslist
andcaniuse-lite
: #60827generateStaticParams
withoutput:export
": #60831Documentation Changes
getServerSideProps
page: #59545generateSitemaps
: #59626@next/third-parties
documentation for Google Analytics: #59671typesafe-i18n
from thrid-party i18n options: #59624cwd
to VSCode debugging setup steps: #58689useFormState
: #60010redirect
with client components: #60056maxDuration
info: #60086⌘+Enter
for forms: #60090Optimizing: Third Party Libraries
: #60136revalidatePath
'spath
has dynamic segment path,type
must bepage
.: #59149Optimizing: Third Party Libraries
on tracking pageviews for Google Analytics: #60176revalidate
type annotation: #60230compression
docs: #60264useSearchParams
behavior: #60257compress
: #60268searchParams
is not passed to Layouts: #60277remotePatterns
to mention what happens when prop is omitted: #60387@next/third-parties
being experimental: #60372windowHistorySupport
flag, and addpushState
/replaceState
examples: #60374windowHistorySupport
title: #60503.svg
unoptimized behavior: #60735Example Changes
with-vitest
example. Unlocks the tests passing withserver-only
usage: #58902with-algolia-react-instantsearch
example to latest major version and use app router: #59961image-component
example to App Router: #60289cache-handler-redis
example dependencies: #59458useOptimistic
: #60596Misc Changes
swc_core
tov0.87.10
: #59834swc_core
tov0.87.16
: #60192create-next-app
even smaller and faster: #58030.git-blame-ignore-revs
: #60582Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.