🚨 [security] Update all of nextjs 14.2.7 → 14.2.12 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint-config-next (14.2.6 → 14.2.12)

Sorry, we couldn't find anything useful about this release.

✳️ next (14.2.7 → 14.2.12) · Repo

Security Advisories 🚨

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

Release Notes

14.2.11

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: correct metadata url suffix (#69959)
• fix: setting assetPrefix to URL format breaks HMR (#70040)
• Update revalidateTag to batch tags in one request (#65296)

Credits

Huge thanks to @huozhi, @devjiwonchoi, and @ijjk for helping!

14.2.10

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Remove invalid fallback revalidate value (#69990)
• Revert server action optimization (#69925)
• Add ability to customize Cache-Control (#69802)

Credits

Huge thanks to @huozhi and @ijjk for helping!

14.2.9

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Revert "Fix esm property def in flight loader (#66990)" (#69749)
• Disable experimental.optimizeServer by default to fix failed server action (#69788)
• Fix middleware fallback: false case (#69799)
• Fix status code for /_not-found route (#64058) (#69808)
• Fix metadata prop merging (#69807)
• create-next-app: fix font file corruption when using import alias (#69806)

Credits

Huge thanks to @huozhi, @ztanner, @ijjk, and @lubieowoce for helping!

14.2.8

What's Changed

Note

This release is backporting bug fixes and minor improvements. It does not include all pending features/changes on canary.

Support esmExternals in app directory

• Support esm externals in app router (#65041)
• Turbopack: Allow client components from foreign code in app routes (#64751)
• Turbopack: add support for esm externals in app dir (#64918)
• other related PRs: #66990 #66727 #66286 #65519

Reading cookies set in middleware in components and actions

• initialize ALS with cookies in middleware (#65008)
• fix middleware cookie initialization (#65820)
• ensure cookies set in middleware can be read in a server action (#67924)
• fix: merged middleware cookies should preserve options (#67956)

Metadata and icons

• support facebook-specific metadata (fb:app_id, fb:admins) in generateMetaData (#65713)
• Always collect static icons for all segments (#68712)
• Fix favicon merging with customized icons (#67982)
• Warn metadataBase missing in standalone mode or non vercel deployment (#66296)

Parallel routes fixes

• fix missing stylesheets when parallel routes are present (#69507)

Draft mode and edge improvements

• fix: unstable_cache should not cache new result in draft mode (#67772)
• Add draft mode flag for multi-zone (#68997)
• Fix edge preview props are not matched with cookie (#67779)
• other related PRs: #65426, #67787, #64946, #64313, #64370

next/image fixes

• Allow external image urls with _next/image pathname to be rendered via Image component (#69586)

Server actions improvements

• optimize server actions (#66523)
• Apply optimization for unused actions (#69178)
• Improve SWC transform ID generation (#69183)

Other changes

• Ensure we match comment minify behavior between terser and swc (#68372)
• send initialCanonicalUrl in array format to prevent crawler confusion (#69509)

Create-next-app updates

• enable @typescript-eslint/recommended in create-next-app --typescript (#52845)
• Update create-next-app template CSS (#66233)
• Update create-next-app template CSS (#66043)
• Update create-next-app template (#65803)
• add font antialiasing to templates (#67425)
• Move create-next-app public/ assets from local folder→ remote URL (#66931)
• Use classnames to set font family in Tailwind create-next-app templates (#66374)
• other related PRs: #64478, #68899, #68534, #69021, #67146, #66145

Full Changelog: v14.2.7...v14.2.8

---

Huge thanks to everyone who contributed to this release:
@abhi12299, @delbaoliveira, @eps1lon, @ForsakenHarmony, @huozhi, @ijjk, @JoshuaKGoldberg, @leerob, @lubieowoce, @Netail, @ronanru, @samcx, @shuding, @sokra, @stylessh, @timfuhrmann, @wbinnssmith, @wyattjoh, @ypessoa, @ztanner

Does any of this look wrong? Please let us know.

Sorry, we couldn't find anything useful about this release.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
ts-nextjs-tailwind-starter	✅ Ready (Inspect)	Visit Preview	Sep 18, 2024 7:07am