Skip to content
This repository has been archived by the owner on Apr 20, 2023. It is now read-only.

[Snyk] Upgrade next from 9.3.2 to 9.3.4 #46

Merged
merged 1 commit into from
Apr 13, 2020

Conversation

snyk-bot
Copy link
Contributor

Snyk has created this PR to upgrade next from 9.3.2 to 9.3.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 8 versions ahead of your current version.
  • The recommended version was released 11 days ago, on 2020-04-01.
Release notes
Package name: next
  • 9.3.4 - 2020-04-01

    Patches

    • Refactor and expand ncc optimization
    • Update to not add path segments to redirect query automatically: #11497
    • Use Lax Cookie for Preview Mode: #11495
    • Fix(performance-relayer): properly clean up event listeners: #11410
    • Drop url dependency: #11503
    • Update environment support: #11524
    • Update checking for existing dotenv usage: #11496
    • Update auth0 example with getServerSideProps: #11051
    • Added "with-route-as-modal" example: #11473
    • Generic Type for GetStaticPaths: #11430

    Credits

    Huge thanks to @ijjk, @shYkiSto, @guybedford, @timneutkens, @alfrejivi, @IAmMorrow, and @wongmjane for helping!

  • 9.3.4-canary.4 - 2020-04-01

    Patches

    • Add notes to styled-components example README: #11540
    • Update hello-world example React version & name for CodeSandbox: #11550

    Credits

    Huge thanks to @mattcarlotta and @jamesmosier for helping!

  • 9.3.4-canary.3 - 2020-04-01

    Patches

    • Remove passing of NODE_OPTIONS='--inspect' to subprocesses: #11041
    • Update to make sure AMP only bundles are always removed in pro…: #11527
    • Example/update unstated: #11534
    • Update build output with renamed column: #11401

    Credits

    Huge thanks to @vvo, @ijjk, and @lfades for helping!

  • 9.3.4-canary.2 - 2020-03-31

    Patches

    • Drop url dependency: #11503
    • Update environment support: #11524
    • Update checking for existing dotenv usage: #11496
    • Update auth0 example with getServerSideProps: #11051
    • Added "with-route-as-modal" example: #11473
    • Generic Type for GetStaticPaths: #11430

    Credits

    Huge thanks to @guybedford, @timneutkens, @alfrejivi, @IAmMorrow, and @wongmjane for helping!

  • 9.3.4-canary.1 - 2020-03-30

    Minor Changes

    • Refactor and expand ncc optimization
  • 9.3.4-canary.0 - 2020-03-30

    Patches

    • Update to not add path segments to redirect query automatically: #11497
    • Use Lax Cookie for Preview Mode: #11495
    • Fix(performance-relayer): properly clean up event listeners: #11410

    Credits

    Huge thanks to @ijjk and @shYkiSto for helping!

  • 9.3.3 - 2020-03-30

    Patches

    • Revert "Fix assignment of props in WithApollo.getInitialProps " (#11384): #11236
    • Add support for comments in tsconfig.json: e7ea276
    • Docs: Replace micro-cors with cors middleware: #11395
    • Add support for comments in tsconfig.json: #11392
    • Fixed typo: libraray -> library: #11435
    • Minor change in README.md: #11434
    • Fix with-aphrodite readme typo: #11436
    • Update api-rest-example to SSG: #11362
    • Change mdx options description: #11409
    • Update .gitignore: #11421
    • Update emotion dependencies in with-emotion-11: #11414
    • Fix #11396: #11397
    • Fix type ignore: #11479
    • Typos fixed: overriden --> overridden and innaccurate -->inacc…: #11454
    • Fix small punctuation issue: #11439

    Credits

    Huge thanks to @bgoerdt, @herrstucki, @MichelleLucero, @liulanz, @sdhani, @JazibJafri, @ElForastero, @moeyashi, @Andarist, @comxd, @chislee0708, and @PullJosh for helping!

  • 9.3.3-canary.0 - 2020-03-30

    Patches

    • Revert "Fix assignment of props in WithApollo.getInitialProps " (#11384): #11236
    • Add support for comments in tsconfig.json: e7ea276
    • Docs: Replace micro-cors with cors middleware: #11395
    • Add support for comments in tsconfig.json: #11392
    • Fixed typo: libraray -> library: #11435
    • Minor change in README.md: #11434
    • Fix with-aphrodite readme typo: #11436
    • Update api-rest-example to SSG: #11362
    • Change mdx options description: #11409
    • Update .gitignore: #11421
    • Update emotion dependencies in with-emotion-11: #11414
    • Fix #11396: #11397
    • Fix type ignore: #11479
    • Typos fixed: overriden --> overridden and innaccurate -->inacc…: #11454
    • Fix small punctuation issue: #11439
    • Merge branch 'canary' of github.com:zeit/next.js into canary: dd098ca

    Credits

    Huge thanks to @bgoerdt, @herrstucki, @MichelleLucero, @liulanz, @sdhani, @JazibJafri, @ElForastero, @moeyashi, @Andarist, @comxd, @chislee0708, and @PullJosh for helping!

  • 9.3.2 - 2020-03-26

    This upgrade is completely backwards compatible and recommended for all users on versions below 9.3.2. For future security related communications of our OSS projects, please join this mailing list.

    Next.js has just been audited by one of the top security firms in the world.

    They found that attackers could craft special requests to access files in the dist directory (.next).

    This does not affect files outside of the dist directory (.next).

    In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.

    We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

    How to Upgrade

    • We have released patch versions for both the stable and canary channels of Next.js.
    • To upgrade run npm install next@latest --save

    Impact

    • Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
    • Not affected: Deployments using the serverless target
    • Not affected: Deployments using next export
    • Affected: Users of Next.js below 9.3.2 that use next start

    We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

    How to Assess Impact

    If you think sensitive code or data could have been exposed, you can filter logs of affected sites by ../ with a 200 response.

    What is Being Done

    As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Luca Carettoni from Doyensec for their investigation and discovery of the original bug and subsequent responsible disclosure.

    We've landed a patch that ensures only known filesystem paths of .next/static are made available under /_next/static.
    Regression tests for this attack were added to the security integration test suite.

    • We have notified known Next.js users in advance of this publication.
    • A public CVE was issued.
    • If you want to stay on top of our security related news impacting Next.js or other ZEIT projects, please join this mailing list.
    • We encourage responsible disclosure of future issues. Please email us at [email protected]. We are actively monitoring this mailbox.

    Patches

    • Add Numeric Separator Support for TypeScript: #11308
    • Update CLI custom config documentation link: #11152
    • Add error when attempting to export GSSP page: #11154
    • Update blog-starter example: #11071
    • Add CSS file to build output: #11145
    • Update <dir> reference in help text: 5274535
    • Clean up examples directory: #11169
    • Remove react-ssr-prepass alias as it's not longer needed: #11170
    • Upgrade @ampproject/toolbox-optimizer to 2.0.1: #11168
    • Add section on reading files: #11084
    • [Examples] fix remark link in blog-starter's README: #11177
    • Updated with-typescript example to SSG: #11081
    • Add CMS example for Sanity: #10907
    • Group CSS files in shared build output separate from JS files: #11184
    • Updating min nodejs requirement: #11181
    • Docs(ssr): req is an IncomingMessage instance, not HttpRequest: #11194
    • Add support for baseUrl option in tsconfig and jsconfig: #11203
    • [Example] with-passport: #10529
    • CMS TakeShape Example: #11038
    • Ensure hybrid AMP works correctly with SSG: #11205
    • Update mocha example with yml configuration.: #11214
    • Fix with-firebase-cloud-messaging example setup code: #10686
    • Update wording of new data fetching methods recommendation: #11221
    • Updated Api Routes Middleware example to use getServerSideProps: #11128
    • With Firebase Client-Side example: #11053
    • Docs(example): Load basic-css example on codesandbox: #11227
    • Remove mkdirp, bump fs-extra to 9.0.0: #11251
    • Add support for paths in tsconfig.json and jsconfig.json: #11293
    • Add test for single alias: #11296
    • Update GIP docs: #11303
    • Add custom amp optimizer and skip validation mode: #10705
    • Update handling for ENOENT from GSSP methods: #11302
    • Docs: clarify how to customize next/babel presets: #11316
    • Fix assignment of props in WithApollo.getInitialProps: #11236
    • Fix: typo in isStaging in with-env example: #11305
    • Skip paths that are routed to a .d.ts file: #11322
    • Upgrade loader-utils: #11324
    • Fix warning for API routes with next export: #11330
    • Make sure to copy AMP SSG files during export: #11331
    • Just a small typo I think, right?: #11344
    • [docs] Mention our channels: #11336
    • Use records to init store: #11343
    • Update data-fetching.md: 074c60e
    • Fix preview-mode docs/examples typo: #11345
    • Update to prevent re-using workers for getStaticPaths in dev mode: #11347

    Credits

    Huge thanks to @chibicode, @ijjk, @timneutkens, @sebastianbenz, @zhe, @shaswatsaxena, @prateekbh, @vvo, @lfades, @bbortt, @aviaryan, @mgranados, @julianbenegas, @gregrickaby, @dulmandakh, @yosuke-furukawa, @tinymachine, @bgoerdt, @nicolasrouanne, @filipesmedeiros, @rishabhsaxena, and @queq1890 for helping!

from next GitHub release notes
Commit messages
Package name: next
  • 8c899ee v9.3.4
  • e000d84 v9.3.4-canary.4
  • 7b546a9 Update hello-world example React version & name for CodeSandbox (#11550)
  • a37ad0a Add notes to styled-components example README (#11540)
  • a992444 v9.3.4-canary.3
  • 3f6bd47 Update build output with renamed column (#11401)
  • 1992e2a Example/update unstated (#11534)
  • d61eced Update to make sure AMP only bundles are always removed in pro… (#11527)
  • fa5da6d Remove passing of NODE_OPTIONS='--inspect' to subprocesses (#11041)
  • f9cd7c5 v9.3.4-canary.2
  • c17ee73 Generic Type for GetStaticPaths (#11430)
  • 2263876 added "with-route-as-modal" example (#11473)
  • f2315ff update auth0 example with getServerSideProps (#11051)
  • b307ed9 Update checking for existing dotenv usage (#11496)
  • b8d075e Update environment support (#11524)
  • ce3f7d0 Drop url dependency (#11503)
  • 0bfc0b3 v9.3.4-canary.1
  • b88f20c Fix lockfile
  • d7f9a52 correct babel dev dependency
  • 755dc40 postcss loaders
  • a3ec26d ignore-loader
  • 8dad5ab file-loader
  • c855a38 babel-loader, cache-loader
  • 84a46df thread-loader

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@yowainwright yowainwright merged commit 266f1c7 into master Apr 13, 2020
@yowainwright yowainwright deleted the snyk-upgrade-05c2eeff3cc840f9dea7628859e537a8 branch April 13, 2020 06:58
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Cannot find module '../lib/load-env-config'.
2 participants