Update dependency next to v15.1.2 [SECURITY] #329
This PR contains the following updates: next 15.0.1 -> 15.1.2
GitHub Vulnerability Alerts
CVE-2024-56332
Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution.
Note: the Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.
Deployments without any protection against long-running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.
This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions.
Patches
This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
Thanks to the PackDraw team for responsibly disclosing this vulnerability.
Next.js Allows a Denial of Service (DoS) with Server Actions
CVE-2024-56332 / GHSA-7m27-7ghc-44w9
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
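As an added example (not part of this PR and not code from the Next.js project), the check a reviewer of this dependency bump would want: classify an installed `next` version against the fixed releases the advisory lists (13.5.8, 14.2.21, 15.1.2). The function names, the `package.json` traversal and the sample input are assumptions; treating majors above 15 as carrying the fix and majors below 13 as outside the advisory's table is also an assumption, since the advisory names only the patched versions.

```javascript
// Added example, not from the PR or the Next.js project: decide whether an
// installed `next` version is at or above the release that fixes
// CVE-2024-56332 for its major line. The fixed versions come from the
// advisory text; everything else here is an assumption.
const FIXED_VERSIONS = { 13: "13.5.8", 14: "14.2.21", 15: "15.1.2" };

// Parse "15.1.2", "v15.1.2", "^15.0.1" or "15.1.2-canary.3" into its parts.
// A caret/tilde range only tells us the lower bound; the resolved version in
// the lockfile is what actually runs (see usage note).
function parseVersion(spec) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(spec.trim());
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Compare on the numeric triple; as in semver, a prerelease of X sorts before
// the final X, so "15.1.2-canary.3" is treated as older than "15.1.2".
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// Returns "patched", "vulnerable", or "unknown" for a major line the advisory
// lists no fix for (assumption: majors newer than 15 carry the fix).
function assessNextVersion(spec) {
  const v = parseVersion(spec);
  const fixed = FIXED_VERSIONS[v.major];
  if (!fixed) return v.major > 15 ? "patched" : "unknown";
  return compareVersions(v, parseVersion(fixed)) >= 0 ? "patched" : "vulnerable";
}

// Look up `next` in a parsed package.json (dependencies first, then
// devDependencies) and classify it.
function assessPackageJson(pkg) {
  const deps = pkg.dependencies || {};
  const devDeps = pkg.devDependencies || {};
  const spec = deps.next || devDeps.next;
  if (!spec) return { spec: null, status: "not-installed" };
  return { spec, status: assessNextVersion(spec) };
}

// Constructed sample package.json pinned to the version this PR bumps from.
const SAMPLE_PACKAGE_JSON = { dependencies: { next: "15.0.1", react: "19.0.0" } };

const SAMPLE_RESULT = assessPackageJson(SAMPLE_PACKAGE_JSON);
console.log(SAMPLE_RESULT); // { spec: "15.0.1", status: "vulnerable" }
```

Run it against the version that the lockfile actually resolved rather than the range in `package.json`: `^15.0.1` only says the floor is 15.0.1, and the install may already have pulled a later patch release.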
Release Notes
vercel/next.js (next)
v15.1.2
v15.1.1
v15.1.0
Core Changes
- server-source-maps scenarios to cover Edge runtime: #72288
- swc_css: #72602
- rc from URL: #72599
- no-img-element lint error message: #72410
- "use cache" closure args into a single parameter: #72587
- "use cache" functions: #72506
- clientSegmentCache flag: #72626
- compiler.define option: #71802
- getting-started/react-essentials path: #72250
- 5.6.3: #72625
- @capsizecss/metrics to 3.4.0 for Geist Google Font: #72746
- enabled config from server actions transforms: #72755
- eslint-plugin-react to 7.37.0: #72759
- 5c56b873-20241107 to 7ac8e612-20241113: #72768
- "use cache" is used without dynamicIO enabled: #72781
- legacy-js-api warning: #72632
- 7ac8e612-20241113 to 380f5d67-20241113: #72819
- revalidate(Tag|Path) to expire(Tag|Path): #72826
- prefetch API: #72861
- next-size-adjust meta tag: #72994
- typedEnv: #70951
- next start: #73105
- 380f5d6-20241113 to b01722d-20241114: #73107
- exactOptionalPropertyTypes: #72936
- revalidate(Tag|Path) to expire(Tag|Path): #73269
- notFound() work in "use cache" page: #73210
- @swc/core to 1.9.3: #73420
- warnOnce(): #73483
- b01722d5-20241114 to 1b1283ad-20241203: #73506
- 1b1283ad-20241203 to de68d2f4-20241204: #73525
- @types/react: #73563
- de68d2f4-20241204 to 1c9b1387-20241204: #73565
- unstable_after: #73605
- 1c9b1387-20241204 to 7283a213-20241206: #73608
- warnOnce() lru: #73742
Example Changes
- playwright .gitignore: #72447
- await params when dynamic routing: #72896
- app-dir in i18n-routing directory name: #73453
- examples/** Eslint to v9: #73560
- next-env.d.ts files: #73673
- with-sass README.md: #73668
- next-offline example: #73675
- with-postgres: #73587
- with-emotion-* directories: #73674
- with-styletron README.md: #73411
- with-babel-macros README.md: #73410
- with-plausible README: #73305
- image-legacy-component: #73414
- with-styled-components-babel: #73229
- with-storybook-styled-jsx-scss: #73228
Misc Changes
- next.config.js API pages under a config folder, fix headings in TS and ESLint config pages: #72465
- return Err(anyhow!()) with anyhow::bail!(): #72487
- 66855b96-20241106 to 5c56b873-20241107: #72469
- swc_core to v5.0.4 from v5.0.1: #72604
- patchFileDelay flag: #72439
- function to page component examples: #72620
- ResolvedVc for turbopack crate: #72791
- @container: #72607
- emit_error function: #72811
- ResolvedVc for turbopack-ecmascript: #72564
- rootDir doc: #72893
- frameborder, adjust allowFullScreen and update the demo: #72644
- customServer flag from custom server docs: #72962
- FnExpr and FnDecl server function transforms: #72960
- debug script in test directories: #72992
- all_modules_and_affecting_sources helper function: #73016
- retry around browser.eval: #72999
- await when using params: #73044
- params.id: #73045
- Redirecting fix route handler path: #72617
- waitForAndOpenRuntimeError to openRedbox: #72996
- expirePath and expireTag: #73096
- "use memo": #73053
- this and arguments in server functions: #73059
- lightningcss to v1.0.0-alpha.61: #73161
- forbidden, unauthorized, and authInterrupts: #73039
- .eslintrc.json with eslint.config.mjs: #73162
- ResolvedVc for turbopack-css: #73172
- ResolvedVc for turbopack-core: #73065
- ResolvedVc for turbopack, turbopack-tests, turbopack-wasm: #73196
- ResolvedVc for turbopack-nodejs: #73200
- ResolvedVc for turbopack-env: #73202
- forbidden and unauthorized nits: #73213
- turbopack API Reference: #73215
- super in static class methods with server function directives: #73061
- ResolvedVc for next-api, part 1: #73234
- ResolvedVc for next-api, part 2: #73235
- params to await params: #73254
- Layouts and Pages: #73268
- ResolvedVc for next-api, part 3: #73236
- ResolvedVc for next-api, part 4: #73237
- ResolvedVc for turbopack-browser: #73198
- ResolvedVc for next-core: #73177
- ResolvedVc for next-api, part 5: #73238
- Vc<T> in turbo-tasks types: #73298
- nwsapi (revert later): #73351
- nwsapi (revert later): #73353
- ResolvedVc<T> for struct fields in next-core: #73310
- ResolvedVc<T> for struct fields in turbopack-ecmascript: #73302
- ResolvedVc<T> for struct fields in turbopack-css: #73300
- ResolvedVc<T> for struct fields in next-api, part 1: #73366
- default to page component examples: #73233
- .gitignore to ignore all .env files: #73415
- swcMinify flag: #73281
- file conventions, functions, and errors: #73376
- Images and Fonts feedback: #73470
- ResolvedVc<T> for struct fields in turbopack-core: #73301
- ResolvedVc<T> for struct fields in turbo-tasks: #73371
- ResolvedVc<T> for trivial struct fields: #73372
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.