chore(deps): update dependency next to v14.2.15 [security] #1556
Hi team,
I'm currently reviewing this pull request and will post my full review in a few minutes. In the meantime, here's a quick summary for you and other reviewers to get up to speed:
This pull request, submitted by renovate-bot, updates the next dependency from version 14.2.11 to 14.2.15. The primary reason for this update is to address a security vulnerability (CVE-2024-51479) that could allow authorization bypass in Next.js middleware under certain conditions. The update affects the package.json and package-lock.json files within the genkit/postcard-generator directory. The changes involve updating the version number and associated integrity checksums for next and related Next.js packages in the package-lock.json file. If your Next.js application is hosted on Vercel, this vulnerability has already been mitigated.
The changes are limited to updating version numbers and checksums in the project's dependency files. No functional code changes are included.
Here's a little haiku to brighten your day:
Update the Next.js,
Security patch applied now,
Code runs smoothly on.
Thanks,
Gemini
This pull request updates the next dependency to version 14.2.15, which addresses a critical security vulnerability (CVE-2024-51479) that could allow authorization bypasses. The provided information in the description is comprehensive, detailing the impact, patches, workarounds, and release notes. This level of detail is commendable and makes it easy for reviewers and other developers to understand the importance and scope of the update. Given the security implications, thorough testing is highly recommended after merging this PR.
LGTM
This PR contains the following updates:
next: 14.2.11 -> 14.2.15
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
GitHub Vulnerability Alerts
CVE-2024-51479
Impact
If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.
Patches
This issue was patched in Next.js 14.2.15 and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
Release Notes
vercel/next.js (next)
v14.2.15
Compare Source
Core Changes
Credits
Huge thanks to @ztanner, @agadzik, @huozhi, @styfle, @icyJoseph and @wyattjoh for helping!
v14.2.14
Compare Source
Core Changes
Credits
Huge thanks to @styfle, @ztanner, @ijjk, @huozhi and @wyattjoh for helping!
v14.2.13
Compare Source
v14.2.12
Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
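The advisory above names 14.2.15 as the first patched release for CVE-2024-51479. As an added example (not code from this PR, Renovate or Next.js), the following Node script reads a package-lock.json and flags a resolved `next` version below that release, handling both the v1 `dependencies` and the v2/v3 `packages` lockfile layouts; the sample lockfile fragments are constructed to mirror this PR's before/after state.

```javascript
// Added example, not code from the PR, Renovate or Next.js: flag a
// package-lock.json whose resolved `next` is older than the patched release
// named in the advisory for CVE-2024-51479 (14.2.15).
const PATCHED_NEXT = "14.2.15";

// Compare two dotted versions; returns -1, 0 or 1. A pre-release suffix
// ("14.2.15-canary.3") is treated as older than the bare release, which is the
// conservative reading for a security check.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split("-");
    return { nums: core.split(".").map(Number), pre: pre !== undefined };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] ?? 0, y = pb.nums[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

// Resolved `next` version from a lockfile v2/v3 ("packages") or v1
// ("dependencies") layout; null when `next` is not present at all.
function resolvedNextVersion(lock) {
  return lock.packages?.["node_modules/next"]?.version
      ?? lock.dependencies?.next?.version
      ?? null;
}

// Returns { version, vulnerable } for a parsed package-lock.json object.
function checkLockfile(lock) {
  const version = resolvedNextVersion(lock);
  if (version === null) return { version: null, vulnerable: false };
  return { version, vulnerable: compareVersions(version, PATCHED_NEXT) < 0 };
}

// Constructed lockfile fragments mirroring this PR's before/after state.
const lockBefore = { lockfileVersion: 3, packages: { "node_modules/next": { version: "14.2.11" } } };
const lockAfter = { lockfileVersion: 3, packages: { "node_modules/next": { version: "14.2.15" } } };

// Stand-alone usage: `node check-next.js [path/to/package-lock.json]`;
// without a path the constructed "before" fragment is checked.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const lock = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : lockBefore;
  console.log(checkLockfile(lock)); // { version: '14.2.11', vulnerable: true }
}
```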