@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

🚨 Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

See the full diff on Github. The new version differs by more commits than we can show here.

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

🚨 DOS Vulnerability for self-hosted next.js apps using i18n

Impact

Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.

• Affected: All of the following must be true to be affected by this CVE
  • Next.js versions above v12.0.0
  • Using next start or a custom server
  • Using the built-in i18n support
• Not affected:
  • Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

Patches

A patch has been released, [email protected], that mitigates this issue. We recommend all affected users upgrade as soon as possible.

Workarounds

We recommend upgrading whether you can reproduce or not although you can ensure /${locale}/_next/ is blocked from reaching the Next.js instance until you upgrade.

For more information

If you have any questions or comments about this advisory:

• Open an issue in next
• Email us at [email protected]

12.0.9

Core Changes

• middlewares: limit process.env to inferred usage: #33186
• update webpack: #33207
• Abstract out native filesystem usage from the base server: #33226
• use text data url instead of base64 for shorter encoding: #33218
• chore(deps): upgrade postcss: #33142
• Fix global process testing for the process polyfill: #33220
• Update swc: #33201
• improve full refresh overlay: #33301
• Custom app for server components: #33149
• Update yarn PnP tests and disable swc file reading for PnP: #33236
• Base Http for BaseServer: #32999
• Update swc: #33342
• Update check for fallback pages during export: #33323
• Pre-compile more dependencies: #32742
• Remove node fetch polyfill from base server: #33395
• Replace regexp to plain string for optimization render HTML: #33306
• Fix broken html on streaming render for error page: #33399
• Disable cache for rsc pages: #33438
• Fix pre-compiled check from copying react-refresh-utils: #33442
• fix(next-swc): Update swc: #33427
• Move middleware handling to node server: #33448
• Enforce absolute URLs in Edge Functions runtime: #33410
• feat(next-swc): Update swc: #33461
• Update main field for nccd jest-worker: #33465
• chore(deps): upgrade node-fetch: #33466
• Move static serving to next server: #33475
• feat(next-swc): Update swc: #33485
• Fix multiple calls to image onLoadingComplete(): #33474
• Refactor base server to remove native dependencies: #33499
• Update swc: #33514
• Implement abstract methods to get manifest files in the base server: #33537
• Simplify getMiddlewareInfo calls: #33542
• Fix static file check with i18n: #33503
• Bump styled-jsx: #33546
• Ensure optional value normalizing is correct for index: #33547
• Bump nft to 0.17.4: #33548
• Add next-multilingual example: #29386
• Removed the s from NextConfig: #33560
• feat(next-swc): Update swc: #33595
• Fix rsc export component name detection: #33608
• upgrade webpack: #33549
• Ensure fetch polyfill is loaded in next-server: #33616
• feat(next-swc): Update swc: #33628
• Add lazyRoot optional property to next/image component : #33290
• feat(next-swc): Update swc: #33675
• Implement web server as the request handler for edge SSR: #33635
• Relay Support in Rust Compiler: #33240
• Revert "Relay Support in Rust Compiler": #33699

Documentation Changes

• Fixed broken link related to the recently merged Data fetching docs refactor: #33209
• Removed backticks on data fetching api titles: #33216
• Added links to data fetching api refs, fixed title: #33221
• Remove outdated & possibly confusing statement about redirects: #33224
• [examples] Add a statically generated blog example using Next.js and Builder.io: #22094
• Typo Fix: #33252
• Update font-optimization.md: #33266
• Fixed broken links in data fetching docs: #33250
• docs: Mention middleware for getStaticProps: #33273
• Add sections for Remove React Properties and Remove Console to compiler docs: #33311
• Update links in next export + next/image error message: #33317
• Add onLoad gottcha note to next/script docs: #33097
• Update security-headers.md: fix path does not match homepage: #33137
• fix minor typo in SWR: #33378
• ReferenceError in authentication.md example fixed: #33411
• docs: fix url: #33409
• fix(docs): Fix typo in Custom Build Id docs: #33515
• [docs] Update authentication docs to fix iron-session link.: #33483
• docs(authentication): fix iron-session example link: #33502
• Update middleware documentation for custom server: #33535
• Removed unrequired path in docs' manifest: #33579
• Update next/server documentation for geo: #33609
• Clarify next/image usage with next export based on feedback.: #33555
• Clarify headers config option description: #33484
• fix(errors/no-cache): netlify-plugin-cache-nextjs has been deprecated: #33629
• Updated docs for getServerSideProps and getStaticProps return values: #33577
• Use relative path for example: #33565
• chore(docs): update security headers specification: #33673
• REMOVE: duplicate key in docs/testing.md: #33681

Example Changes

• [examples] Update remark dependency for blog-starter: #33313
• Update package.json for examples/with-supabase-auth-realtime-db: #33321
• Working example for building forms with Next.js: #32669
• Updates dependency version of frontend SDK in with-supertokens example: #33393
• docs: add skynexui to examples: #33326
• Update with-linaria dependency: #33487
• Update Supabase example README.: #33610
• [examples] Add new Tailwind CSS Prettier plugin to example: #33614

Misc Changes

• Update license year
• fix(docs): master branch renaming: #33312
• Add link to security email directly.: #33358
• Fix getServerSideProps hanging in dev on early end: #33366
• [docs] Fix 404 link for testing example.: #33407
• Update to latest version of turbo: #33613
• Update other instances of node-fetch: #33617

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

🚨 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Overview

Versions <=8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens.

Am I affected?

You will be affected if your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

There is no impact for end users

🚨 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Overview

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Am I affected?

You will be affected if you do not specify algorithms in the jwt.verify() function

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

🚨 jsonwebtoken unrestricted key type could lead to legacy keys usage

Overview

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Am I affected?

You are affected if you are using an algorithm and a key type other than the combinations mentioned below

Key type	algorithm
ec	ES256, ES384, ES512
rsa	RS256, RS384, RS512, PS256, PS384, PS512
rsa-pss	PS256, PS384, PS512

And for Elliptic Curve algorithms:

alg	Curve
ES256	prime256v1
ES384	secp384r1
ES512	secp521r1

How do I fix it?

Update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, If you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you already use a valid secure combination of key type and algorithm. Otherwise, use the allowInvalidAsymmetricKeyTypes option to true in the sign() and verify() functions to continue usage of invalid key type/algorithm combination in 9.0.0 for legacy compatibility.

🚨 jsonwebtoken has insecure input validation in jwt.verify function

Overview

For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE).

Am I affected?

You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control.

How do I fix it?

Update to version 9.0.0

Will the fix impact my users?

The fix has no impact on end users.

Credits

Palo Alto Networks

See the full diff on Github. The new version differs by 17 commits:

• Merge pull request from GHSA-8cf7-32gw-wr33
• chore(ci): remove github test actions job (#861)
• chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• fix!: Prevent accidental use of insecure key sizes & misconfiguration of secrets (#852)
• fix(sign&verify)!: Remove default `none` support from `sign` and `verify` methods, and require it to be explicitly configured (#851)
• Upload OpsLevel YAML (#849)
• docs: update references vercel/ms references (#770)
• docs: document "invalid token" error
• docs: fix spelling in README.md: Peak -> Peek (#754)
• docs: make decode impossible to discover before verify
• refactor: make decode non-enumerable
• docs: add jwtid to options of jwt.verify (#704)
• Replace tilde-indexOf with includes (#647)
• Adds not to README on decoded payload validation (#646)
• docs: fix tiny style change in readme (#622)
• style: add missing semicolon (#641)
• ci: use circleci (#589)

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)