fix(deps): update dependency next to ~14.1.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	~14.0.0 -> ~14.1.0

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

• Next.js (<14.1.1) is running in a self-hosted* manner.
• The Next.js application makes use of Server Actions.
• The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #​62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

---

Release Notes

vercel/next.js (next)

v14.1.1

Compare Source

Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary

Core Changes

• Should not warn metadataBase missing if only absolute urls are present: https://github.com/vercel/next.js/pull/61898
• Fix trailing slash for canonical url: https://github.com/vercel/next.js/pull/62109
• Fix metadata json manifest convention: https://github.com/vercel/next.js/pull/62615
• Improve the Server Actions SWC transform: https://github.com/vercel/next.js/pull/61001
• Fix Server Reference being double registered: https://github.com/vercel/next.js/pull/61244
• Improve the Server Actions SWC transform (part 2): https://github.com/vercel/next.js/pull/62052
• Fix module-level Server Action creation with closure-closed values: https://github.com/vercel/next.js/pull/62437
• Fix draft mode invariant: https://github.com/vercel/next.js/pull/62121
• fix: babel usage with next/image: https://github.com/vercel/next.js/pull/61835
• Fix next/server api alias for ESM pkg: https://github.com/vercel/next.js/pull/61721
• Replace image optimizer IPC call with request handler: https://github.com/vercel/next.js/pull/61471
• chore: refactor image optimization to separate external/internal urls: https://github.com/vercel/next.js/pull/61172
• fix(image): warn when animated image is missing unoptimized prop: https://github.com/vercel/next.js/pull/61045
• fix(build-output): show stack during CSR bailout warning: https://github.com/vercel/next.js/pull/62594
• Fix extra swc optimizer applied to node_modules in browser layer: https://github.com/vercel/next.js/pull/62051
• fix(next-swc): Detect exports.foo from cjs_finder: https://github.com/vercel/next.js/pull/61795
• Fix attempted import error for react: https://github.com/vercel/next.js/pull/61791
• Add stack trace to client rendering bailout error: https://github.com/vercel/next.js/pull/61200
• fix router crash on revalidate + popstate: https://github.com/vercel/next.js/pull/62383
• fix loading issue when navigating to page with async metadata: https://github.com/vercel/next.js/pull/61687
• revert changes to process default routes at build: https://github.com/vercel/next.js/pull/61241
• fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: https://github.com/vercel/next.js/pull/60776
• Improve redirection handling: https://github.com/vercel/next.js/pull/62561
• Simplify node/edge server chunking some: https://github.com/vercel/next.js/pull/62424

Credits

Huge thanks to @​huozhi, @​shuding, @​Ethan-Arrowood, @​styfle, @​ijjk, @​ztanner, @​balazsorban44, @​kdy1, and @​williamli for helping!

v14.1.0

Compare Source

v14.0.4

Compare Source

v14.0.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 14 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 30, reused 0, downloaded 0, added 0
Progress: resolved 40, reused 0, downloaded 0, added 0
Progress: resolved 53, reused 0, downloaded 0, added 0
Progress: resolved 55, reused 0, downloaded 0, added 0
Progress: resolved 76, reused 0, downloaded 0, added 0
Progress: resolved 166, reused 0, downloaded 0, added 0
Progress: resolved 250, reused 0, downloaded 0, added 0
Progress: resolved 339, reused 0, downloaded 0, added 0
Progress: resolved 363, reused 0, downloaded 0, added 0
Progress: resolved 409, reused 0, downloaded 0, added 0
Progress: resolved 444, reused 0, downloaded 0, added 0
Progress: resolved 517, reused 0, downloaded 0, added 0
Progress: resolved 591, reused 0, downloaded 0, added 0
Progress: resolved 652, reused 0, downloaded 0, added 0
Progress: resolved 765, reused 0, downloaded 0, added 0
Progress: resolved 892, reused 0, downloaded 0, added 0
Progress: resolved 951, reused 0, downloaded 0, added 0
Progress: resolved 1017, reused 0, downloaded 0, added 0
Progress: resolved 1059, reused 0, downloaded 0, added 0
Progress: resolved 1152, reused 0, downloaded 0, added 0
Progress: resolved 1193, reused 0, downloaded 0, added 0
Progress: resolved 1311, reused 0, downloaded 0, added 0
Progress: resolved 1414, reused 0, downloaded 0, added 0
Progress: resolved 1497, reused 0, downloaded 0, added 0
Progress: resolved 1574, reused 0, downloaded 0, added 0
Progress: resolved 1692, reused 0, downloaded 0, added 0
Progress: resolved 1777, reused 0, downloaded 0, added 0
Progress: resolved 1867, reused 0, downloaded 0, added 0
 WARN  18 deprecated subdependencies found: @babel/plugin-proposal-class-properties@7.18.6, @babel/plugin-proposal-nullish-coalescing-operator@7.18.6, @babel/plugin-proposal-numeric-separator@7.18.6, @babel/plugin-proposal-optional-chaining@7.21.0, @babel/plugin-proposal-private-methods@7.18.6, @babel/plugin-proposal-private-property-in-object@7.21.0, abab@2.0.5, core-js@3.20.3, domexception@2.0.1, eslint-plugin-import@2.27.0, querystring@0.2.1, rollup-plugin-terser@7.0.2, source-map-url@0.4.1, sourcemap-codec@1.4.8, stable@0.1.8, svgo@1.3.2, w3c-hr-time@1.0.2, workbox-google-analytics@6.4.2
Progress: resolved 1905, reused 0, downloaded 0, added 0
Progress: resolved 1905, reused 0, downloaded 0, added 0, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

apps/storybook
└─┬ webpack-dev-server 4.7.3
  └─┬ http-proxy-middleware 2.0.2
    └── ✕ missing peer @types/express@^4.17.13
Peer dependencies that should be installed:
  @types/express@^4.17.13

hint: If you want peer dependencies to be automatically installed, add "auto-install-peers=true" to an .npmrc file at the root of your project.
hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.