Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade: react, react-dom, next #902

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

blakegreendev
Copy link
Owner

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

react
from 16.13.1 to 16.14.0 | 1 version ahead of your current version | 4 years ago
on 2020-10-14
react-dom
from 16.13.1 to 16.14.0 | 1 version ahead of your current version | 4 years ago
on 2020-10-14
next
from 9.5.2 to 9.5.5 | 59 versions ahead of your current version | 4 years ago
on 2020-10-10

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-ANSIREGEX-1583908
696 Proof of Concept
critical severity Incomplete List of Disallowed Inputs
SNYK-JS-BABELTRAVERSE-5962462
696 Proof of Concept
medium severity Open Redirect
SNYK-JS-NEXT-1063481
696 No Known Exploit
low severity Regular Expression Denial of Service (ReDoS)
npm:debug:20170905
696 Proof of Concept
Release notes
Package name: react from react GitHub release notes
Package name: react-dom from react-dom GitHub release notes
Package name: next
  • 9.5.5 - 2020-10-10

    Core Changes

    • Update to have default locale matched on root: #17669
    • Handle css-loader file resolving change: #17724

    Example Changes

    • Fix with-apollo example : #17686
    • Fix with-msw example: #17695

    Credits

    Huge thanks to @ HaNdTriX, and @ jensmeindertsma for helping!

  • 9.5.5-canary.1 - 2020-10-09

    Core Changes

    • Update to generate auto static pages with all locales: #17730
  • 9.5.5-canary.0 - 2020-10-08

    Core Changes

    • Add initial changes for i18n support: #17370
    • Update to have default locale matched on root: #17669
    • Handle css-loader file resolving change: #17724

    Example Changes

    • Fix with-apollo example : #17686
    • Fix with-msw example: #17695

    Credits

    Huge thanks to @ HaNdTriX and @ jensmeindertsma for helping!

  • 9.5.4 - 2020-10-07

    This upgrade is completely backwards compatible and recommended for all users on versions below 9.5.4. For future security related communications of our OSS projects, please join this mailing list.

    A security team from one of our partners noticed an issue in Next.js that allowed for open redirects to occur.

    Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site.

    In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.

    We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

    How to Upgrade

    • We have released patch versions for both the stable and canary channels of Next.js.
    • To upgrade run npm install next@latest --save

    Impact

    • Affected: Users of Next.js between 9.5.0 and 9.5.3
    • Not affected: Deployments on Vercel (https://vercel.com) are not affected
    • Not affected: Deployments using next export

    We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

    How to Assess Impact

    If you think users could have been affected, you can filter logs of affected sites by %2F with a 308 response.

    What is Being Done

    As Next.js has grown in popularity, it has received the attention of security teams and auditors. We are thankful to those that reached out for their investigation and discovery of the original bug and subsequent responsible disclosure.

    We've landed a patch that ensures encoding is handled properly for these types of redirects so the open redirect can no longer occur.

    Regression tests for this attack were added to the security integration test suite.

    • We have notified known Next.js users in advance of this publication.
    • A public CVE was released.
    • If you want to stay on top of our security related news impacting Next.js or other Vercel projects, please join this mailing list.
    • We encourage responsible disclosure of future issues. Please email us at [email protected]. We are actively monitoring this mailbox.

    Core Changes

    • Make the image post-processor ignore SVG images: #16732
    • Only update lookups for dev overlay if mounted: #16776
    • Ensure interpolating dynamic href values works correctly: #16774
    • Add automatic reloading when editing GS(S)P methods: #16744
    • Update to show build indicator while re-fetching GS(S)P data in dev: #16789
    • make parseRelativeUrl return a UrlObject: #16809
    • Add tests for searchParams dev warning: #16798
    • Fix invalid config export errors: #16834
    • Correct client rewrite resolving with query: #16860
    • Fix href resolving with trailing slash enabled: #16873
    • Divide export build output into 4 segments instead of showing it one by one: #16815
    • Include additional query values when interpolating href: #16878
    • Correct page path for GS(S)P data refreshing: #16939
    • Fix align documentation with the code: #16843
    • Remove next-head-count: #16758
    • Add Support for CSS Module Value Imports: #16973
    • Fix resolving href with a rewrite: #16975
    • Correct query behavior for falsey values to pre 9.5.1 behavior: #16608
    • Importing CSS from Third Party React Components: #16993
    • Add error when href interpolation fails: #16946
    • Security upgrade node-fetch: #17009
    • Upgrade sass loader: #16970
    • Prefer builtin optional chaining and nullish coalescing: #16780
    • Upgrade cacache of terser-webpack-plugin: #17022
    • Upgrade web-vitals: #17028
    • Remove false positive in circular structure detection: #16380
    • Fix Webpack 5 configuration for v5.0.0-beta.30: #17038
    • Improve custom document error message: #17048
    • Use babel 7 jsx syntax: #17043
    • [Fix] [email protected]: Invalid configuration: #17045
    • Normalize asPath for GS(S)P pages: #17081
    • Polyfill missing std lib fns for module browsers: #17083
    • Provide resolvedUrl to getServerSideProps: #17082
    • Fix API page check during SSG page collecting: #17092
    • Update webpack 5 resolving: #17095
    • Separate resolved asPath from resolved URL for GSSP: #17121
    • Fix export-cli progress label default value: #17106
    • Improve server performance by skipping decode/re-encode: #17323
    • Remove extra check in config loading: #17336
    • Expose dotenv loading under separate package: #17152
    • Fix empty title in head: #17430
    • Ensure optional-chaining/nullish coalescing is included: #17429
    • Remove left-over api-utils method: #17595
    • Add warning when exporting with custom routes: #17538
    • Normalize optional catch-all fallback: true page params: #17551
    • Update to use hasNextSupport for custom-routes in next export check: #17630

    Documentation Changes

    • Add Fast Refresh Demo: #16576
    • Update dynamic-import docs: #16803
    • Update link docs to reflect changes on dynamic routing (#16634)
    • Add handling for redirects from getStaticProps/getServerSideProps (#16642)
    • Document CSS Grid Better: #16996
    • Improve Asset Prefix Docs: #16998
    • Update build time env variable link in the runtime config section: #17017
    • fix gtag syntax in measuring docs: #16933
    • docs(babelrc): precise usage without configuring plugins: #16779
    • Improve Document Component Error: #17047
    • Add missing comma in docs example: #17129
    • Adds note about public directory: #17203
    • Fix invalid href error message: #17183
    • Update trailingSlash parameter name: #17228
    • Update cdn-support-with-asset-prefix.md: #17237
    • Docs(api-middlewares): use typings for serialize options from @ types/cookie: #17285
    • Remove reference to now env example: #17341
    • Mention required version for global CSS imports in node_modules: #17506
    • Mention favicon.ico in static file serving docs.: #17540
    • Add note about priority to rewrites docs: #17535
    • [docs] Fix typo Next.js -> TypeScript: #17561
    • Add missing introductory exportPathMap purpose description: #17444
    • Add docs on how to migrate from Gatsby.: #17491
    • Update migrating from Gatsby docs.: #17636
    • change anonymous functions to named in docs examples: #17510

    Example Changes

    • force persistor persist again after persistStore bootstrap done: #16085
    • Create _document.js to include current language in HTML tag: #16360
    • [Example] Fix relay network request: #16525
    • Minor spelling fix in zones example's readme: #16822
    • Update with-stitches example: #16827
    • Undo unrequired readme changes done to examples: #16831
    • chore(examples): fix missing document components error messages: #16802
    • Use useRouter over Router for with-google-analytics example: #16846
    • chore: update example names to match their folders: #16268
    • [EXAMPLE] with-cssed: #16735
    • update nextjs-auth0 versionfor auth0 example: #16871
    • Remove path specific switch statement from http2 example: #16558
    • Fix Three.js example's BoxesPage variable name: #16900
    • Fix extension name for example app (#16916)
    • Fix typo in Pet mongoose model: #16943
    • Ignore .next also in subfolders: #16962
    • Update with-slate example: #16959
    • Adding globalStyled with styled components: #16783
    • Updates "msw" package to version 0.21.0: #17012
    • Examples blogs: fix spelling: #17049
    • Include all files in Prettier: #17050
    • feat(examples/with-react-intl): add locale negotation to client side: #16806
    • Update PatternFly example to v4: #17241
    • Fix for missing babel dependencies in with-rebass example: #16839
    • [Example] With TS Eslint Jest - unnecessary package: #17170
    • [Example] with-react-intl: fix getInitialProps props ordering: #17174
    • [Example] with-react-intl: fix doubling messages: #17175
    • [Examples] Optimize with-docker: #17116
    • Add with-chakra-ui-typescript example: #16561
    • Delete vercel.json from "yarn workspaces" example: #17263
    • Add project name to examples/with-three-js create command: #17256
    • Example: with-next-auth updated to v3: #17266
    • fix(examples/with-redux-wrapper): wrong initial state (close #17299): #17335
    • Update README.md: #17347
    • Fix a small typo in index.css: #17399
    • Fixed minor typo: #17456
    • with-google-analytics-amp needs in Document component: #17462
    • update README for vercel.app, stream.new: #17539
    • Improve formatting in examples: #17571
    • Fixes #16431: #17610
    • fix typo: #17653

    Misc Changes

    • Update to check for overlay in client nav tests: #17002
    • Update workflow to use latest webpack 5 beta
    • fix(eslint-plugin-next): support src/pages folder in no-html-link-for-pages rule: #16743
    • Update no-document-viewport-meta.md
    • Rename exportTrailingSlash to trailingSlash in docs: #17268
    • Remove duplicate should in test name: #17303
    • Remove Random Blank Line in create-next-app: #17328
    • Update release stats workflow: #17533
    • Update release stats workflow: #17580
    • test(create-next-app): increase coverage: #17507
    • Update release stats workflow step to restore cache: #17656

    Credits

    Huge ...

Snyk has created this PR to upgrade:
  - react from 16.13.1 to 16.14.0.
    See this package in npm: https://www.npmjs.com/package/react
  - react-dom from 16.13.1 to 16.14.0.
    See this package in npm: https://www.npmjs.com/package/react-dom
  - next from 9.5.2 to 9.5.5.
    See this package in npm: https://www.npmjs.com/package/next

See this project in Snyk:
https://app.snyk.io/org/bgreengo/project/c67b0416-6731-48fc-a0d4-d334e8c257d3?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

vercel bot commented Sep 11, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
nextjs-and-tailwindcss-app ✅ Ready (Inspect) Visit Preview 💬 Add feedback Sep 11, 2024 3:08am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

with-redux-wrapper example bug with-storybook doesn't work without React import
2 participants