Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Bump next from 8.1.0 to 10.0.0 #29

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot-preview[bot]
Copy link

@dependabot-preview dependabot-preview bot commented Nov 2, 2020

Bumps next from 8.1.0 to 10.0.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects next

Impact

  • Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
  • Not affected: Deployments using the serverless target
  • Not affected: Deployments using next export
  • Affected: Users of Next.js below 9.3.2

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

Patches

https://github.com/zeit/next.js/releases/tag/v9.3.2

References

https://github.com/zeit/next.js/releases/tag/v9.3.2

Affected versions: < 9.3.2

Release notes

Sourced from next's releases.

v10.0.0

Core Changes

  • Add handling for domain to locale mapping: #17771
  • Make sure locale detecting is case-insensitive: #17757
  • Fix a couple i18n cases: #17805
  • Font optimization for webpack 5: #17450
  • Allow pages to be async modules to enable top-level-await: #17590
  • Update redirect handling for locale domains: #17856
  • Image component foundation: #17343
  • chore(collect-plugins.ts): removes duplicated entries: #17441
  • Resolve to real path before checking for path inequality: #17279
  • Handle preferring default locale over accept-lang preferred locale: #17883
  • Add locale prop for transitioning locales client side: #17898
  • Make sure that params are properly passed to hybrid amp pages: #17461
  • Add i18n items to routes manifest: #17893
  • Add support for returning 404 from getStaticProps: #17755
  • Ensure i18n support with AMP: #17923
  • Call Web Vitals reporting at correct time: #17933
  • Fix initialRevalidateSeconds manifest field with i18n: #17926
  • Add support for Image Optimizer: #17749
  • Add missing next/image package file: #17940
  • Only load plugins with @next prefix: #17945
  • Update default configuration to match image optimization: #17943
  • Fix width param name for Image Optimizer: #17952
  • Unify config.image.breakpoints to config.image.sizes: #17953
  • Improve types for Image Component: #17954
  • Add perf data experiment: #17956
  • Make sure w parameter is only included when a width is provided.: #17971
  • Image component lazy loading: #17916
  • Make sure animated assets aren't de-animated by optimizer: #17974
  • Fix types for lazy image component: #17984
  • Update to postcss-loader 4.0.2.: #17458
  • Update handling for relative files in image-optimizer: #17998
  • Ensure correct default locale is detected for domain locale: #18046
  • Remove multi-host support for image component and support quality pass-through: #18038
  • Add width and height props to Image component: #18031
  • Ensure root index GSP page's revalidate is recorded: #18053
  • Update resolve-url-loader to fix vulnerability: #18064
  • Pass locales to getStaticPaths for i18n: #18077
  • Add unsized property to Image component: #18059
  • Fix css dependency in /_error: #17301
  • Move sharp to optionalDependencies: #18068
  • Update to PostCSS 8.: #17415
  • Update peerdependency to account for React 17: #18089
  • Upgrade to Chokidar 3.: #17558
  • Upgrade @ampproject/toolbox-optimizer: #18087
  • Fix precompiled code: #18093
  • Image Component: Support for Akamai image CDN: #18100
  • Fix Image component defaults & remove autoOptimize: #18101
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [next](https://github.com/vercel/next.js) from 8.1.0 to 10.0.0. **This update includes a security fix.**
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v8.1.0...v10.0.0)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@dependabot-preview
Copy link
Author

The following labels could not be found: dependencies, worktree.

@dependabot-preview dependabot-preview bot added the security Pull requests that address a security vulnerability label Nov 2, 2020
@dependabot-preview
Copy link
Author

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants