[Snyk] Upgrade: , , , react, react-dom, , algoliasearch, isomorphic-unfetch, koa, koa-session, next, snyk, webpack #893
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯♂ The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
@babel/polyfill
from 7.4.4 to 7.12.1 | 9 versions ahead of your current version | 4 years ago
on 2020-10-15
@material-ui/core
from 4.3.1 to 4.12.4 | 48 versions ahead of your current version | 2 years ago
on 2022-04-03
@material-ui/icons
from 4.2.1 to 4.11.3 | 6 versions ahead of your current version | 2 years ago
on 2022-04-03
react
from 16.8.6 to 16.14.0 | 11 versions ahead of your current version | 4 years ago
on 2020-10-14
react-dom
from 16.8.6 to 16.14.0 | 11 versions ahead of your current version | 4 years ago
on 2020-10-14
@material-ui/styles
from 4.3.0 to 4.11.5 | 21 versions ahead of your current version | 2 years ago
on 2022-04-03
algoliasearch
from 3.33.0 to 3.35.1 | 3 versions ahead of your current version | 5 years ago
on 2019-10-08
isomorphic-unfetch
from 3.0.0 to 3.1.0 | 1 version ahead of your current version | 4 years ago
on 2020-09-29
koa
from 2.7.0 to 2.15.2 | 19 versions ahead of your current version | 6 months ago
on 2024-03-21
koa-session
from 5.12.2 to 5.13.1 | 3 versions ahead of your current version | 5 years ago
on 2020-02-01
next
from 9.2.1 to 9.5.5 | 284 versions ahead of your current version | 4 years ago
on 2020-10-10
snyk
from 1.278.0 to 1.1292.4 | 1174 versions ahead of your current version | a month ago
on 2024-08-12
webpack
from 4.39.1 to 4.47.0 | 22 versions ahead of your current version | a year ago
on 2023-09-06
Issues fixed by the recommended upgrade:
SNYK-JS-BABELTRAVERSE-5962462
SNYK-JS-SSRI-1246392
SNYK-JS-PARSEURL-2935944
SNYK-JS-PARSEURL-2935947
SNYK-JS-PARSEURL-2936249
SNYK-JS-LODASHTEMPLATE-1088054
SNYK-JS-ACORN-559469
SNYK-JS-ACORN-559469
SNYK-JS-AJV-584908
SNYK-JS-AJV-584908
SNYK-JS-BL-608877
SNYK-JS-AJV-584908
SNYK-JS-ANSIHTML-1296849
SNYK-JS-IP-6240864
SNYK-JS-PACRESOLVER-1564857
SNYK-JS-PARSEPATH-2936439
SNYK-JS-SERIALIZEJAVASCRIPT-536840
SNYK-JS-SERIALIZEJAVASCRIPT-570062
SNYK-JS-SERIALIZEJAVASCRIPT-6056521
SNYK-JS-NCONF-2395478
SNYK-JS-NETMASK-1089716
SNYK-JS-NETMASK-6056519
SNYK-JS-WEBPACKDEVMIDDLEWARE-6476555
SNYK-JS-LODASH-1040724
SNYK-JS-LODASH-567746
SNYK-JS-LODASH-608086
SNYK-JS-LODASH-6139239
SNYK-JS-LODASHSET-1320032
SNYK-JS-PARSEURL-2942134
SNYK-JS-PARSEURL-3023021
SNYK-JS-PARSEURL-3024398
SNYK-JS-SNYK-3038622
SNYK-JS-SNYK-3111871
SNYK-JS-SNYKDOCKERPLUGIN-3039679
SNYK-JS-SNYKGOPLUGIN-3037316
SNYK-JS-SNYKGRADLEPLUGIN-3038624
SNYK-JS-SNYKMVNPLUGIN-3038623
SNYK-JS-SNYKPYTHONPLUGIN-3039677
SNYK-JS-SNYKSBTPLUGIN-3038626
SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625
SNYK-JS-DOTPROP-543489
SNYK-JS-GOT-2932019
SNYK-JS-HOSTEDGITINFO-1088355
SNYK-JS-BABELTRAVERSE-5962462
SNYK-JS-NEXT-561584
SNYK-JS-IP-7148531
SNYK-JS-JSZIP-1251497
SNYK-JS-JSZIP-3188562
SNYK-JS-SNYK-3037342
SNYK-JS-PATHTOREGEXP-7925106
SNYK-JS-XML2JS-5414874
SNYK-JS-XML2JS-5414874
SNYK-JS-LODASH-1018905
SNYK-JS-SEND-7926862
Release notes
Package name: @babel/polyfill
Package name: @material-ui/core
Package name: @material-ui/icons
Package name: react
React
React DOM
componentWillReceiveProps
,shouldComponentUpdate
, and so on). (@ gaearon in #18330)Artifacts
React
React.createFactory()
(@ trueadm in #17878)React DOM
style
may cause an unexpected collision (@ sophiebits in #14181, #18002)unstable_createPortal
(@ trueadm in #17880)onMouseEnter
being fired on disabled buttons (@ AlfredoGJ in #17675)shouldComponentUpdate
twice when developing inStrictMode
(@ bvaughn in #17942)version
property to ReactDOM (@ ealush in #15780)toString()
ofdangerouslySetInnerHTML
(@ sebmarkbage in #17773)Concurrent Mode (Experimental)
ReactDOM.createRoot()
(@ trueadm in #17937)ReactDOM.createRoot()
callback params and added warnings on usage (@ bvaughn in #17916)SuspenseList
CPU bound heuristic (@ sebmarkbage in #17455)isPending
only being true when transitioning from inside an input event (@ acdlite in #17382)React.memo
components dropping updates when interrupted by a higher priority update (@ acdlite in #18091)Artifacts
React DOM
useEffect
) not being fired in a multi-root app. (@ acdlite in #17347)React Is
lazy
andmemo
types considered elements instead of components (@ bvaughn in #17278)Artifacts
• react: https://unpkg.com/[email protected]/umd/
• react-art: https://unpkg.com/[email protected]/umd/
• react-dom: https://unpkg.com/[email protected]/umd/
• react-is: https://unpkg.com/[email protected]/umd/
• react-test-renderer: https://unpkg.com/[email protected]/umd/
• scheduler: https://unpkg.com/[email protected]/umd/
Package name: react-dom
React
React DOM
componentWillReceiveProps
,shouldComponentUpdate
, and so on). (@ gaearon in #18330)Artifacts
React
React.createFactory()
(@ trueadm in #17878)React DOM
style
may cause an unexpected collision (@ sophiebits in #14181, #18002)unstable_createPortal
(@ trueadm in #17880)onMouseEnter
being fired on disabled buttons (@ AlfredoGJ in #17675)shouldComponentUpdate
twice when developing inStrictMode
(@ bvaughn in #17942)version
property to ReactDOM (@ ealush in #15780)toString()
ofdangerouslySetInnerHTML
(@ sebmarkbage in #17773)Concurrent Mode (Experimental)
ReactDOM.createRoot()
(@ trueadm in #17937)ReactDOM.createRoot()
callback params and added warnings on usage (@ bvaughn in #17916)SuspenseList
CPU bound heuristic (@ sebmarkbage in #17455)isPending
only being true when transitioning from inside an input event (@ acdlite in #17382)React.memo
components dropping updates when interrupted by a higher priority update (@ acdlite in #18091)Artifacts
React DOM
useEffect
) not being fired in a multi-root app. (@ acdlite in #17347)React Is
lazy
andmemo
types considered elements instead of components (@ bvaughn in #17278)Artifacts
• react: https://unpkg.com/[email protected]/umd/
• react-art: https://unpkg.com/[email protected]/umd/
• react-dom: https://unpkg.com/[email protected]/umd/
• react-is: https://unpkg.com/[email protected]/umd/
• react-test-renderer: https://unpkg.com/[email protected]/umd/
• scheduler: https://unpkg.com/[email protected]/umd/
Package name: @material-ui/styles
Package name: algoliasearch
Package name: isomorphic-unfetch
[email protected]
Package name: koa
Release 2.15.2
Release 2.15.1
Release 2.15.0
Release 2.14.2
Release 2.14.1
Release 2.14.0
Release 2.13.4
Package name: koa-session
Release 5.13.1
Release 5.13.0
Release 5.12.3
Release 5.12.2
Package name: next
Core Changes
Example Changes
Credits
Huge thanks to @ HaNdTriX, and @ jensmeindertsma for helping!
Core Changes
Core Changes
Example Changes
Credits
Huge thanks to @ HaNdTriX and @ jensmeindertsma for helping!
This upgrade is completely backwards compatible and recommended for all users on versions below 9.5.4. For future security related communications of our OSS projects, please join this mailing list.
A security team from one of our partners noticed an issue in Next.js that allowed for open redirects to occur.
Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site.
In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
How to Upgrade
npm install next@latest --save
Impact
next export
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
How to Assess Impact
If you think users could have been affected, you can filter logs of affected sites by
%2F
with a 308 response.What is Being Done
As Next.js has grown in popularity, it has received the attention of security teams and auditors. We are thankful to those that reached out for their investigation and discovery of the original bug and subsequent responsible disclosure.
We've landed a patch that ensures encoding is handled properly for these types of redirects so the open redirect can no longer occur.
Regression tests for this attack were added to the security integration test suite.
Core Changes
next-head-count
: #16758