[Snyk] Upgrade next from 9.5.2 to 9.5.5

[blakegreendev]

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade next from 9.5.2 to 9.5.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 59 versions ahead of your current version.

• The recommended version was released on 4 years ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	482	Proof of Concept
	Open Redirect SNYK-JS-NEXT-1063481	482	No Known Exploit

Release notes

Package name: next

• 9.5.5 - 2020-10-10
  

  Core Changes

  • Update to have default locale matched on root: #17669
  • Handle css-loader file resolving change: #17724

  Example Changes

  • Fix with-apollo example : #17686
  • Fix with-msw example: #17695

  Credits

  Huge thanks to @ HaNdTriX, and @ jensmeindertsma for helping!

• 9.5.5-canary.1 - 2020-10-09
  

  Core Changes

  • Update to generate auto static pages with all locales: #17730
• 9.5.5-canary.0 - 2020-10-08
  

  Core Changes

  • Add initial changes for i18n support: #17370
  • Update to have default locale matched on root: #17669
  • Handle css-loader file resolving change: #17724

  Example Changes

  • Fix with-apollo example : #17686
  • Fix with-msw example: #17695

  Credits

  Huge thanks to @ HaNdTriX and @ jensmeindertsma for helping!

• 9.5.4 - 2020-10-07
  

  This upgrade is completely backwards compatible and recommended for all users on versions below 9.5.4. For future security related communications of our OSS projects, please join this mailing list.

  A security team from one of our partners noticed an issue in Next.js that allowed for open redirects to occur.

  Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site.

  In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.

  We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

  How to Upgrade

  • We have released patch versions for both the stable and canary channels of Next.js.
  • To upgrade run npm install next@latest --save

  Impact

  • Affected: Users of Next.js between 9.5.0 and 9.5.3
  • Not affected: Deployments on Vercel (https://vercel.com) are not affected
  • Not affected: Deployments using next export

  We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

  How to Assess Impact

  If you think users could have been affected, you can filter logs of affected sites by %2F with a 308 response.

  What is Being Done

  As Next.js has grown in popularity, it has received the attention of security teams and auditors. We are thankful to those that reached out for their investigation and discovery of the original bug and subsequent responsible disclosure.

  We've landed a patch that ensures encoding is handled properly for these types of redirects so the open redirect can no longer occur.

  Regression tests for this attack were added to the security integration test suite.

  • We have notified known Next.js users in advance of this publication.
  • A public CVE was released.
  • If you want to stay on top of our security related news impacting Next.js or other Vercel projects, please join this mailing list.
  • We encourage responsible disclosure of future issues. Please email us at [email protected]. We are actively monitoring this mailbox.

  ---

  Core Changes

  • Make the image post-processor ignore SVG images: #16732
  • Only update lookups for dev overlay if mounted: #16776
  • Ensure interpolating dynamic href values works correctly: #16774
  • Add automatic reloading when editing GS(S)P methods: #16744
  • Update to show build indicator while re-fetching GS(S)P data in dev: #16789
  • make parseRelativeUrl return a UrlObject: #16809
  • Add tests for searchParams dev warning: #16798
  • Fix invalid config export errors: #16834
  • Correct client rewrite resolving with query: #16860
  • Fix href resolving with trailing slash enabled: #16873
  • Divide export build output into 4 segments instead of showing it one by one: #16815
  • Include additional query values when interpolating href: #16878
  • Correct page path for GS(S)P data refreshing: #16939
  • Fix align documentation with the code: #16843
  • Remove next-head-count: #16758
  • Add Support for CSS Module Value Imports: #16973
  • Fix resolving href with a rewrite: #16975
  • Correct query behavior for falsey values to pre 9.5.1 behavior: #16608
  • Importing CSS from Third Party React Components: #16993
  • Add error when href interpolation fails: #16946
  • Security upgrade node-fetch: #17009
  • Upgrade sass loader: #16970
  • Prefer builtin optional chaining and nullish coalescing: #16780
  • Upgrade cacache of terser-webpack-plugin: #17022
  • Upgrade web-vitals: #17028
  • Remove false positive in circular structure detection: #16380
  • Fix Webpack 5 configuration for v5.0.0-beta.30: #17038
  • Improve custom document error message: #17048
  • Use babel 7 jsx syntax: #17043
  • [Fix] [email protected]: Invalid configuration: #17045
  • Normalize asPath for GS(S)P pages: #17081
  • Polyfill missing std lib fns for module browsers: #17083
  • Provide resolvedUrl to getServerSideProps: #17082
  • Fix API page check during SSG page collecting: #17092
  • Update webpack 5 resolving: #17095
  • Separate resolved asPath from resolved URL for GSSP: #17121
  • Fix export-cli progress label default value: #17106
  • Improve server performance by skipping decode/re-encode: #17323
  • Remove extra check in config loading: #17336
  • Expose dotenv loading under separate package: #17152
  • Fix empty title in head: #17430
  • Ensure optional-chaining/nullish coalescing is included: #17429
  • Remove left-over api-utils method: #17595
  • Add warning when exporting with custom routes: #17538
  • Normalize optional catch-all fallback: true page params: #17551
  • Update to use hasNextSupport for custom-routes in next export check: #17630

  Documentation Changes

  • Add Fast Refresh Demo: #16576
  • Update dynamic-import docs: #16803
  • Update link docs to reflect changes on dynamic routing (#16634)
  • Add handling for redirects from getStaticProps/getServerSideProps (#16642)
  • Document CSS Grid Better: #16996
  • Improve Asset Prefix Docs: #16998
  • Update build time env variable link in the runtime config section: #17017
  • fix gtag syntax in measuring docs: #16933
  • docs(babelrc): precise usage without configuring plugins: #16779
  • Improve Document Component Error: #17047
  • Add missing comma in docs example: #17129
  • Adds note about public directory: #17203
  • Fix invalid href error message: #17183
  • Update trailingSlash parameter name: #17228
  • Update cdn-support-with-asset-prefix.md: #17237
  • Docs(api-middlewares): use typings for serialize options from @ types/cookie: #17285
  • Remove reference to now env example: #17341
  • Mention required version for global CSS imports in node_modules: #17506
  • Mention favicon.ico in static file serving docs.: #17540
  • Add note about priority to rewrites docs: #17535
  • [docs] Fix typo Next.js -> TypeScript: #17561
  • Add missing introductory exportPathMap purpose description: #17444
  • Add docs on how to migrate from Gatsby.: #17491
  • Update migrating from Gatsby docs.: #17636
  • change anonymous functions to named in docs examples: #17510

  Example Changes

  • force persistor persist again after persistStore bootstrap done: #16085
  • Create _document.js to include current language in HTML tag: #16360
  • [Example] Fix relay network request: #16525
  • Minor spelling fix in zones example's readme: #16822
  • Update with-stitches example: #16827
  • Undo unrequired readme changes done to examples: #16831
  • chore(examples): fix missing document components error messages: #16802
  • Use useRouter over Router for with-google-analytics example: #16846
  • chore: update example names to match their folders: #16268
  • [EXAMPLE] with-cssed: #16735
  • update nextjs-auth0 versionfor auth0 example: #16871
  • Remove path specific switch statement from http2 example: #16558
  • Fix Three.js example's BoxesPage variable name: #16900
  • Fix extension name for example app (#16916)
  • Fix typo in Pet mongoose model: #16943
  • Ignore .next also in subfolders: #16962
  • Update with-slate example: #16959
  • Adding globalStyled with styled components: #16783
  • Updates "msw" package to version 0.21.0: #17012
  • Examples blogs: fix spelling: #17049
  • Include all files in Prettier: #17050
  • feat(examples/with-react-intl): add locale negotation to client side: #16806
  • Update PatternFly example to v4: #17241
  • Fix for missing babel dependencies in with-rebass example: #16839
  • [Example] With TS Eslint Jest - unnecessary package: #17170
  • [Example] with-react-intl: fix getInitialProps props ordering: #17174
  • [Example] with-react-intl: fix doubling messages: #17175
  • [Examples] Optimize with-docker: #17116
  • Add with-chakra-ui-typescript example: #16561
  • Delete vercel.json from "yarn workspaces" example: #17263
  • Add project name to examples/with-three-js create command: #17256
  • Example: with-next-auth updated to v3: #17266
  • fix(examples/with-redux-wrapper): wrong initial state (close #17299): #17335
  • Update README.md: #17347
  • Fix a small typo in index.css: #17399
  • Fixed minor typo: #17456
  • with-google-analytics-amp needs in Document component: #17462
  • update README for vercel.app, stream.new: #17539
  • Improve formatting in examples: #17571
  • Fixes #16431: #17610
  • fix typo: #17653

  Misc Changes

  • Update to check for overlay in client nav tests: #17002
  • Update workflow to use latest webpack 5 beta
  • fix(eslint-plugin-next): support src/pages folder in no-html-link-for-pages rule: #16743
  • Update no-document-viewport-meta.md
  • Rename exportTrailingSlash to trailingSlash in docs: #17268
  • Remove duplicate should in test name: #17303
  • Remove Random Blank Line in create-next-app: #17328
  • Update release stats workflow: #17533
  • Update release stats workflow: #17580
  • test(create-next-app): increase coverage: #17507
  • Update release stats workflow step to restore cache: #17656

  Credits

  Huge thanks to @ YichiZ, @ weichienhung, @ atcastle, @ ijjk, @ seosmmbusiness, @ HsuTing, @ gsimone, @ peduarte, @ Janpot, @ ztanner, @ lfades, @ neighborhood999, @ chibicode, @ merceyz, @ opudalo, @ lunchboxav, @ mohsen1, @ akd-io, @ justman00, @ helloworld, @ devknoll, @ borekb, @ HaNdTriX, @ ArthurMaverick, @ sakito21,

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nextjs-and-tailwindcss-app	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 31, 2024 3:05am