This PR contains the following updates (current version -> new version):
12.18.3 -> 18.17.1
14.14.28 -> 20.5.1
17.0.2 -> 18.2.20
5.0.0 -> 5.0.4
5.1.7 -> 5.1.26
0.21.1 -> 0.21.2
1.12.0 -> 2.1.4
12.18.3 -> 17.2.0
7.20.0 -> 8.47.0
18.2.1 -> 19.0.4
7.2.0 -> 9.0.0
2.22.1 -> 2.28.1
24.1.3 -> 27.2.3
6.4.1 -> 6.7.1
3.3.1 -> 5.0.0
7.22.0 -> 7.33.2
26.6.3 -> 29.6.2
10.0.6 -> 12.1.0
12.20.1 -> 18.17.1
2.2.1 -> 3.0.2
2.2.1 -> 3.0.2
15.7.2 -> 15.8.1
17.0.1 -> 18.2.0
5.0.3 -> 5.1.0
17.0.1 -> 18.2.0
11.3.1 -> 14.2.3
1.3.2 -> 3.0.2
5.2.1 -> 6.0.7
4.1.5 -> 5.1.6
GitHub Vulnerability Alerts
CVE-2021-3749
axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.
CVE-2021-39178
Impact
Affected when all of the following hold:
- the next.config.js file has an images.domains array assigned
- a host assigned in images.domains allows user-provided SVG
Not affected when the next.config.js file has images.loader assigned to something other than default.
Patches
Next.js v11.1.1
CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.
Impact
Affected when the next.config.js file has an images.domains array assigned.
Not affected when the next.config.js file has images.loader assigned to something other than default.
Patches
Next.js 12.1.0
Workarounds
Change next.config.js to use a different loader configuration other than the default, for example:
Or if you want to use the loader prop on the component, you can use custom:
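As an added example that is not part of the advisory or of the Next.js project, the following script (JavaScript, assumed to run under Node.js) checks a next.config.js images block against the version range and configuration conditions stated above for CVE-2022-23646 and shows the workaround shape with images.loader set to a non-default value such as custom. The function names and the two sample config objects are constructed for this example; whether a listed host really serves user-provided SVG cannot be read from the config, so a match is a prompt to review, not proof of exposure.

```javascript
// Added example (not from the Next.js advisory or the Next.js project): a small audit
// helper that checks a next.config.js `images` block against the conditions the
// CVE-2022-23646 advisory states, and shows the workaround shape (a non-default
// `images.loader`). The config objects at the bottom are constructed samples.

// Parse "MAJOR.MINOR.PATCH" into numbers; anything after the patch number (e.g. a
// "-canary.3" suffix) is ignored for this comparison.
function parseVersion(version) {
  const parts = String(version).split('.').slice(0, 3).map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [am, an, ap] = parseVersion(a);
  const [bm, bn, bp] = parseVersion(b);
  return (am - bm) || (an - bn) || (ap - bp);
}

// The advisory's range: starting with 10.0.0 and prior to 12.1.0 (12.1.0 carries the patch).
function versionInAffectedRange(version) {
  return compareVersions(version, '10.0.0') >= 0 && compareVersions(version, '12.1.0') < 0;
}

// The advisory's configuration conditions: an images.domains array with at least one host
// is assigned and images.loader is left at the default. An empty domains array means no
// remote host is allowed, so it is treated as not matching.
function imagesConfigMatchesAdvisory(config) {
  const images = (config && config.images) || {};
  const hasDomains = Array.isArray(images.domains) && images.domains.length > 0;
  const loader = images.loader || 'default';
  return hasDomains && loader === 'default';
}

// Combine the version and configuration checks into a single verdict string.
function assessNextImagesConfig(version, config) {
  if (!versionInAffectedRange(version)) {
    return 'not-affected: version outside 10.0.0 <= v < 12.1.0';
  }
  if (!imagesConfigMatchesAdvisory(config)) {
    return 'not-affected: no images.domains hosts, or images.loader is not default';
  }
  return 'review: affected version with images.domains and the default loader; ' +
    'upgrade to 12.1.0 or set a non-default images.loader';
}

// Constructed sample: a remote host is allowed and the loader is left at the default.
const affectedConfig = { images: { domains: ['cdn.example.com'] } };

// Constructed sample of the workaround: any non-default loader. 'custom' is the value the
// advisory names for the case where the <Image> component supplies its own loader prop.
const mitigatedConfig = { images: { domains: ['cdn.example.com'], loader: 'custom' } };

console.log(assessNextImagesConfig('11.1.2', affectedConfig));   // review: ...
console.log(assessNextImagesConfig('11.1.2', mitigatedConfig));  // not-affected: ...
console.log(assessNextImagesConfig('12.1.0', affectedConfig));   // not-affected: ...
```

The version check only implements the range this advisory gives; the earlier CVE-2021-39178 entry above shares the same configuration conditions but is patched in a different release, so its range would need to be checked separately.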
CVE-2021-43803
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior to version 0.9.9 the next package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.
Impact
The advisory lists the following version and configuration conditions:
- Next.js between 10.0.5 and 10.2.0
- Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
- Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
- pages/404.js
Note that the next npm package previously hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions. We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
Patches
https://github.com/vercel/next.js/releases/tag/v11.1.0
Release Notes
nodejs/node (node)
v18.17.1: 2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @RafaelGSS (Compare Source)
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
More detailed information on each of the vulnerabilities can be found in the August 2023 Security Releases blog post.
Commits
[fe3abdf82e] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036
[2c5a522d9c] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036
[15bced0bde] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417
[d4570fae35] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#460
v18.17.0: 2023-07-18, Version 18.17.0 'Hydrogen' (LTS), @danielleadams (Compare Source)
Notable Changes
Ada 2.0
Node.js v18.17.0 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements
to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.
Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the
improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4,
while also eliminating the need for the ICU requirement for URL hostname parsing.
Contributed by Yagiz Nizipli and Daniel Lemire in #47339
Web Crypto API
Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations.
This further improves interoperability with other implementations of Web Crypto API.
Contributed by Filip Skokan in #46067
test (Chemi Atlow) #47909
Commits
[2ba08ac002] - benchmark: use cluster.isPrimary instead of cluster.isMaster (Deokjin Kim) #48002
[60ca69d96c] - benchmark: add eventtarget creation bench (Rafael Gonzaga) #47774
[d8233d96bb] - benchmark: add a benchmark for defaultResolve (Antoine du Hamel) #47543
[a1aabb6912] - benchmark: fix invalid requirementsURL (Deokjin Kim) #47378
[394c61caf9] - bootstrap: support namespaced builtins in snapshot scripts (Joyee Cheung) #47467
[0165a765a0] - bootstrap: do not expand process.argv[1] for snapshot entry points (Joyee Cheung) #47466
[cca557cdd9] - buffer: combine checking range of sourceStart in buf.copy (Deokjin Kim) #47758
[4c69be467c] - buffer: use private properties for brand checks in File (Matthew Aitken) #47154
[d002f9b6e2] - build: revert unkonwn ruff selector (Moshe Atlow) #48753
[93f77cb762] - build: set v8_enable_webassembly=false when lite mode is enabled (Cheng Shao) #48248
[1662e894f3] - build: add action to close stale PRs (Michael Dawson) #48051
[5ca437b288] - build: use pathlib for paths (Mohammed Keyvanzadeh) #47581
[72443bc54b] - build: refactor configure.py (Mohammed Keyvanzadeh) #47667
[d4eecb5be9] - build: add devcontainer configuration (Tierney Cyren) #40825
[803ed41144] - build: bump ossf/scorecard-action from 2.1.2 to 2.1.3 (dependabot[bot]) #47367
[48468c4413] - build: replace Python linter flake8 with ruff (Christian Clauss) #47519
[3ceb2c4387] - build: add node-core-utils to setup (Jiawen Geng) #47442
[fdc59b8e14] - build: bump github/codeql-action from 2.2.6 to 2.2.9 (dependabot[bot]) #47366
[3924893023] - build: update stale action from v7 to v8 (Rich Trott) #47357
[753185c5b0] - build: remove Python pip --no-user option (Christian Clauss) #47372
[67af0a6a2b] - build: avoid usage of pipes library (Mohammed Keyvanzadeh) #47271
[db910dd6b2] - build, deps, tools: avoid excessive LTO (Konstantin Demin) #47313
[35d1def891] - child_process: use signal.reason in child process abort (Debadree Chatterjee) #47817
[7692d2e7b9] - cluster: use ObjectPrototypeHasOwnProperty (Daeyeon Jeong) #48141
[7617772762] - crypto: use openssl's own memory BIOs in crypto_context.cc (GauriSpears) #47160
[8cabfe7c6e] - crypto: fix setEngine() when OPENSSL_NO_ENGINE set (Tobias Nießen) #47977
[de1338da05] - crypto: fix webcrypto private/secret import with empty usages (Filip Skokan) #47877
[27a696fda9] - crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #47659
[e2292f936e] - crypto: remove INT_MAX restriction in randomBytes (Tobias Nießen) #47559
[a5f214c00c] - crypto: replace THROW with CHECK for scrypt keylen (Tobias Nießen) #47407
[dd42214fd4] - crypto: unify validation of checkPrime checks (Tobias Nießen) #47165
[76e4d12fb3] - crypto: re-add padding for AES-KW wrapped JWKs (Filip Skokan) #46563
[9d894c17dd] - crypto: use WebIDL converters in WebCryptoAPI (Filip Skokan) #46067
[6f3a8b45a5] - deps: update ada to 2.5.0 (Node.js GitHub Bot) #48223
[075b6db919] - deps: update ada to 2.4.2 (Node.js GitHub Bot) #48092
[a4ee1f652c] - deps: update ada to 2.4.1 (Node.js GitHub Bot) #48036
[81b514d3f0] - deps: update ada to 2.4.0 (Node.js GitHub Bot) #47922
[575ddf694f] - deps: update ada to 2.3.1 (Node.js GitHub Bot) #47893
[2d03d5f458] - deps: update ada to 2.3.0 (Node.js GitHub Bot) #47737
[42e690f2d5] - deps: update ada to 2.2.0 (Node.js GitHub Bot) #47678
[08dd271521] - deps: update ada to 2.1.0 (Node.js GitHub Bot) #47598
[96c50ba71f] - deps: update ada to 2.0.0 (Node.js GitHub Bot) #47339
[4d1c38b758] - deps: update zlib to 337322d (Node.js GitHub Bot) #48218
[74206b2549] - deps: update histogram 0.11.8 (Marco Ippolito) #47742
[fbb4b3775d] - deps: update histogram to 0.11.7 (Marco Ippolito) #47742
[e88c079022] - deps: update simdutf to 3.2.12 (Node.js GitHub Bot) #48118
[48bd1248b9] - deps: update minimatch to 9.0.1 (Node.js GitHub Bot) #48094
[d4572d31fa] - deps: update corepack to 0.18.0 (Node.js GitHub Bot) #48091
[8090d29dc4] - deps: update uvwasi to 0.0.18 (Node.js GitHub Bot) #47866
[169c8eea2e] - deps: update uvwasi to 0.0.17 (Node.js GitHub Bot) #47866
[6acbb23380] - deps: upgrade npm to 9.6.7 (npm team) #48062
[e8f2c0a58b] - deps: update undici to 5.22.1 (Node.js GitHub Bot) #47994
[9309fd3120] - deps: update simdutf to 3.2.9 (Node.js GitHub Bot) #47983
[b796d3560a] - deps: upgrade npm to 9.6.6 (npm team) #47862
[cce372e14e] - deps: V8: cherry-pick c5ab3e4 (Richard Lau) #47736
[7283486adb] - deps: update undici to 5.22.0 (Node.js GitHub Bot) #47679
[2ea6e03003] - deps: add minimatch as a dependency (Moshe Atlow) #47499
[261e1d23d1] - deps: update ICU to 73.1 release (Steven R. Loomis) #47456
[f532f9df5f] - deps: update undici to 5.21.2 (Node.js GitHub Bot) #47508
[dcb8c038b9] - deps: update simdutf to 3.2.8 (Node.js GitHub Bot) #47507
[6c8456d61f] - deps: update undici to 5.21.1 (Node.js GitHub Bot) #47488
[d3b2e8a438] - deps: update simdutf to 3.2.7 (Node.js GitHub Bot) #47473
[64a5fe0499] - deps: update corepack to 0.17.2 (Node.js GitHub Bot) #47474
[6f0f61a7d3] - deps: upgrade npm to 9.6.4 (npm team) #47432
[443a72e207] - deps: update zlib to upstream 5edb52d (Luigi Pinca) #47151
[dc3bc46914] - deps: update simdutf to 3.2.3 (Node.js GitHub Bot) #47331
[b2f2bebbc2] - deps: update timezone to 2023c (Node.js GitHub Bot) #47302
[c10729ffa7] - deps: upgrade npm to 9.6.3 (npm team) #47325
[420deac1de] - deps: update corepack to 0.17.1 (Node.js GitHub Bot) #47156
[966ba28491] - deps: V8: cherry-pick 3e4952c (Richard Lau) #47236
[fc6ab26824] - deps: update timezone to 2023b (Node.js GitHub Bot) #47256
[2700e70215] - deps: upgrade npm to 9.6.2 (npm team) #47108
[29ba98a0a5] - deps: V8: cherry-pick 975ff4d (Debadree Chatterjee) #47209
[be34777be8] - deps: cherry-pick win/arm64/clang fixes (Cheng Zhao) #47011
[b52aacb614] - deps: update uvwasi to v0.0.16 (Michael Dawson) #46434
[27a76cf5e0] - deps,test: update postject to 1.0.0-alpha.6 (Node.js GitHub Bot) #48072
[b171c1a3a4] - dgram: convert macro to template (Tobias Nießen) #47891
[709bf1c758] - (SEMVER-MINOR) dns: expose getDefaultResultOrder (btea) #46973
[2f202c93e7] - doc: clarify array args to Buffer.from() (Bryan English) #48274
[27f195f8d8] - doc: document watch option for node:test run() (Moshe Atlow) #48256
[7558ef350a] - doc: update documentation for FIPS support (Richard Lau) #48194
[f2bb1919e5] - doc: improve the documentation of the stdio option (Kumar Arnav) #48110
[a2aa52ba92] - doc: update Buffer.allocUnsafe description (sinkhaha) #48183
[19ad471d52] - doc: update codeowners with website team (Claudio Wunder) #48197
[67b2c2a98f] - doc: fix broken link to new folder doc/contributing/maintaining (Andrea Fassina) #48205
[795ca70815] - doc: add atlowChemi to triagers (Chemi Atlow) #48104
[e437a0aff1] - doc: fix typo in readline completer function section (Vadym) #48188
[92e0ea496d] - doc: remove broken link for keygen (Rich Trott) #48176
[fe15dae8e6] - doc: add auto intrinsic height to prevent jitter/flicker (Daniel Holbert) #48195
[230335e21f] - doc: add version info on the SEA docs (Antoine du Hamel) #48173
[e6f37d1b80] - doc: add Ruy to list of TSC members (Michael Dawson) #48172
[69205a250c] - doc: update socket.remote* properties documentation (Saba Kharanauli) #48139
[e4a5d6298c] - doc: update outdated section on TLSv1.3-PSK (Tobias Nießen) #48123
[d14018ed99] - doc: improve HMAC key recommendations (Tobias Nießen) #48121
[e9d4baf770] - doc: clarify mkdir() recursive behavior (Stephen Odogwu) #48109
[3e4a469139] - doc: fix typo in crypto legacy streams API section (Tobias Nießen) #48122
[bdf366ab88] - doc: update SEA source link (Rich Trott) #48080
[2a4f79a75f] - doc: clarify tty.isRaw (Roberto Vidal) #48055
[98c6e4be03] - doc: use secure key length for HMAC generateKey (Tobias Nießen) #48052
[8ae5c8cf9d] - doc: update broken EVP_BytesToKey link (Rich Trott) #48064
[3c713e7caa] - doc: update broken spkac link (Rich Trott) #48063
[c22f739e94] - doc: document node-api version process (Chengzhong Wu) #47972
[ce859f9f9f] - doc: fix typo in binding functions (Deokjin Kim) #48003
[070c3457b7] - doc: mark Node.js 14 as End-of-Life (Richard Lau) #48023
[3611027d8e] - doc: clarify CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED (Tobias Nießen) #47976
[dbffad958c] - doc: add missing deprecated blocks to cluster (Tobias Nießen) #47981
[035356f711] - doc: update description of global (Tobias Nießen) #47969
[081a6ffaea] - doc: update measure memory rejection information (Yash Ladha) #41639
[3460cf9c23] - doc: fix broken link to TC39 import attributes proposal (Rich Trott) #47954
[3b018c8aa9] - doc: fix broken link (Rich Trott) #47953
[244db960a9] -
Configuration
Schedule: Branch creation - "before 5am on monday" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Never, or you tick the rebase/retry checkbox.
Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate. View repository job log here.