@renovate
Contributor

@renovate renovate bot commented Mar 21, 2025

This PR contains the following updates:

Package Change Age Confidence
next (source) 15.1.5 -> 15.2.3 age confidence

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

CVE-2025-32421

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-49826

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page.

More details: CVE-2025-49826

Credits

  • Allam Rachid zhero;
  • Allam Yasser (inzo)

Release Notes

vercel/next.js (next)

v15.2.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.
This release contains a security patch for CVE-2025-29927.

Core Changes
  • Update default allowed origins list (#​77212)
  • unify allowed origin detection handling (#​77053)
  • Add dev warning for cross-origin and stabilize allowedDevOrigins (#​77044)
  • Ensure deploymentId is used for CSS preloads (#​77210)
  • Update middleware request header (#​77201)
  • [metadata] remove the default segement check for metadata rendering (#​77119)
  • [ts-hint] fix vscode type hint plugin enabling (#​77099)
  • [metadata] re-insert icons to head for streamed metadata (#​76915)
Credits

Huge thanks to @​ijjk, @​ztanner, and @​huozhi for helping!

v15.2.2

Compare Source

Core Changes
  • [dev-overlay] fix styling on overflow error messages, add button hover state: #​76771
  • Fix: respond 405 status code on OPTIONS request to SSG page: #​76767
  • [dev-overlay] Always show relative paths: #​76742
  • [metadata] remove the duplicate metadata in the error boundary: #​76791
  • Upgrade React from d55cc79b-20250228 to 443b7ff2-20250303: #​76804
  • [dev-overlay] Ignore animations on page load: #​76834
  • fix: remove useless set-cookie in action-handler: #​76839
  • Turbopack: handle task cancelation: #​76831
  • Upgrade React from 443b7ff2-20250303 to e03ac20f-20250305: #​76842
  • add types for __next_app__ module loading functions: #​74566
  • fix duplicated noindex when server action is triggered: #​76847
  • fix: don't drop queued actions when navigating: #​75362
  • [dev-overlay]: remove dependency on platform for focus trapping: #​76849
  • Turbopack: Add turbopack_load_by_url: #​76814
  • Add handling of origin in dev mode: #​76880
  • [dev-overlay] Stop grouping callstack frames into ignored vs. not ignored: #​76861
  • Upgrade React from e03ac20f-20250305 to 029e8bd6-20250306: #​76870
  • [dev-overlay] Increase padding if no x button present: #​76898
  • fix: prevent incorrect searchParams being applied on certain navs: #​76914
  • [dev-overlay] Dim ignore-listed callstack frames when shown: #​76862
Example Changes
  • chore(cna): update tailwind styles to be closer to non-tw cna: #​76647
Misc Changes
  • Fix canary only warning for devlow-bench: #​76772
  • [test] Add special placeholder if stackframes point into dist dir: #​76741
  • [test] Use new Redbox matchers in pages/ service-side-dev-errors: #​76779
  • [test] Use new Redbox matchers in app/ dynamic-error-trace: #​76783
  • [test] Use new Redbox matchers in app/ owner-stack-invalid-element-type: #​76786
  • [test] Use new Redbox matchers in app/ hook-functuon-names: #​76785
  • [test] Use new Redbox matchers in app/ undefined-default-export: #​76781
  • [test] Use new Redbox matchers in server-navigation-error: #​76787
  • [test] Fix flaky error-recovery test: #​76789
  • [test] Use new Redbox matchers in pages/ gssp-ssr-change-reloading: #​76788
  • [docs] update Tailwind CSS installation and configuration instructions: #​76259
  • docs: Tailwind v4: #​76801
  • chore(docs): update minimumCacheTTL example to 31 days: #​76796
  • Turbopack: improve sectioned source maps: #​76627
  • [test] Use new Redbox matchers in pages/ middleware-errors: #​76797
  • doc: use redirect in client components: #​76332
  • [docs] document experimental viewTransition flag: #​76832
  • docs(errors): remove confusing good-to-know since global-errors.tsx also show in dev as of 15.2: #​76825
  • Turbopack: don't use HashMap in manifests: #​76833
  • Update labeler.json: #​76828
  • Fix missing turbo command for rust-check: #​76851
  • fix(turbopack): Use correct SyntaxContext for __turbopack_esm__: #​73544
  • Cleanup pure span handling: #​76846
  • Turbopack: remove unused IncludeModulesModule: #​76868
  • Update test snapshots for alternative bundler [5/n]: #​76617
  • Update test snapshots for alternative bundler [6/n]: #​76768
  • [test] Use next.browser instead of webdriver in pages/ client-navigation: #​76867
  • fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files: #​76773
  • Revert "fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and next-api crates to fix stale git lock files": #​76879
  • build: Update swc_core to v16.4.0: #​76596
  • docs: update Turbopack docs: #​76799
  • build: Update lightningcss to v1.0.0-alpha.64: #​76856
  • build: Fix warning: #​76890
  • Turbopack: fix __dirname: #​76902
  • Turbopack: deterministic server action order: #​76905
  • docs: reword the docs of veiw transition flag: #​76841
  • fix(turbopack): Use vergen-gitcl instead of shadow-rs (or vergen-git2) for napi and next-api crates to fix stale git lock files: #​76889
  • Turbopack: ensure default layout is provided in default not-found entrypoint: #​76912
  • chore(github): add moar labels: #​76922
  • [test] Use new Redbox matchers in pages/ client-navigation/rendering: #​76798
  • docs: fix create-next-app cli title: #​76908
Credits

Huge thanks to @​pranathip, @​gaojude, @​ijjk, @​eps1lon, @​Nayeem-XTREME, @​leerob, @​styfle, @​samcx, @​sokra, @​huozhi, @​raunofreiberg, @​mischnic, @​lubieowoce, @​unstubbable, @​ztanner, @​kdy1, @​timneutkens, @​wbinnssmith, @​bgw, and @​oscr for helping!

v15.2.1

Compare Source

Core Changes
  • Unify Link and Form prefetching: #​76184
  • Turbopack: Ensure server actions sourcemaps tests pass: #​76157
  • [dev-overlay] control dark theme in one place: #​76528
  • [dev-overlay] change css var for terminal: #​76590
  • [dev-overlay] Discriminate stack frame settled typed: #​76517
  • Remove obsolete sourcePackage references: #​76550
  • refactor: remove unused variable in externals handling: #​76599
  • fix: Add popular embedding libraries to serverExternalPackages: #​76574
  • [Segment Cache] Implement hash-only navigations: #​76179
  • Webpack: abstract away getting compilation spans: #​76579
  • report compiler duration for webpack and improve numbers: #​76665
  • [dev-overlay] fix dark theme missing close bracket: #​76672
  • Remove revalidate property from incremental cache ctx for FETCH kind: #​76500
  • [dev-overlay] fix: env name label style was out of sync with error type label: #​76668
  • Turbopack: avoid celling source maps before minify: #​76626
  • refactor(CI): Merge all four bundler test manifest scripts into one: #​76652
  • [metadata] fix duplicate metadata for parallel routes: #​76669
  • [Segment Cache] Omit from bundle if flag disabled: #​76622
  • [Segment Cache] Support output: "export" mode: #​75671
  • [Segment Cache] Refresh on same-page navigation: #​76223
  • [metadata] re-enable streaming metadata with PPR: #​76119
  • [Segment Cache] Search param fallback handling: #​75990
  • [Segment Cache] Fix: canonicalURL omits origin: #​76444
  • fix metadata basePath for manifest: #​76681
  • Propagate expire time to cache-control header and prerender manifest: #​76207
  • Show revalidate/expire columns in build output: #​76343
  • Gate alternate bundler behind canary only: #​76634
  • [dynamicIO] routes with dynamic segments should be able to be static in dev: #​76691
  • [repo] upgrade ts 5.8.2: #​76709
  • [metadata]: ensure metadata boundary is only rendered once on client nav: #​76692
  • [metadata] clean up redudant options: #​76712
  • Fix uniqueness detection for generateStaticParams: #​76713
  • Upgrade React from 22e39ea7-20250225 to d55cc79b-20250228: #​76680
  • [Turbopack] Compute module batches and use them for chunking: #​76133
  • [Dev Tools] Improve keyboard interactions for menu & overlays: #​76754
  • Keep server code out of browser chunks: #​76660
  • Turbopack: inline minify into code generation and make it a plain function instead of a turbo tasks function: #​76628
  • fix edge runtime asset fetch in pages api: #​76750
  • Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler: #​76682
Example Changes
  • docs: fix reading params code blocks: #​76705
Misc Changes
  • fix(rustdoc): Fix rustdoc warnings, block on rustdoc failures in CI: #​76448
  • Update more global turbo CLI usage: #​76576
  • docs: Node.js runtime support for Middleware: #​76556
  • build: Update swc_core to v16.0.0: #​76414
  • Turbopack: prevent panic in swc issue emitter: #​76595
  • Unflake parallel-routes-revalidation test: #​76600
  • Fix octokit.rest.issues.addLabels call: #​76601
  • [test] Use new Redbox matchers in app/ error-recovery: #​76552
  • [test] Use new Redbox matchers in pages/ ReactRefreshLogBox-app-doc: #​76551
  • Run nightly bundler integration tests also with React 18: #​76606
  • 15.2: Add version history for devIndicators and note on deprecated options: #​76611
  • 15.2 docs: document missing htmlLimitedBots option: #​76616
  • Update bundler production test manifest: #​76584
  • Update bundler development test manifest: #​76585
  • Fix test after CI switched to pnpm 10: #​76615
  • chore(cna): fix theme extend for tailwind v4: #​76583
  • [test] Use new Redbox matchers in app/ ReactRefreshLogBoxMisc: #​76563
  • Don’t use native built-ins for additional bundler: #​76577
  • Revert "Run nightly bundler integration tests also with React 18": #​76640
  • Update bundler production test manifest: #​76643
  • Update bundler development test manifest: #​76644
  • Turbopack: dedupe middleware-manifest entries: #​76621
  • Turbopack: Improve edge tests: #​76607
  • Turbopack: add test test for css order: #​76675
  • Turbopack: fix order of chunk items in cycles: #​76676
  • [ci] Fix test-turbopack-integration not having any shards : #​76355
  • Update Turbopack development test manifest: #​76658
  • Update Turbopack production test manifest: #​76659
  • fix(CI): Upload to areweturboyet immediately after a manifest is updated, not only on a fixed cron schedule: #​76688
  • Update test snapshots for alternative bundler [4/n]: #​76578
  • fix(turbopack): Fix analysis of private properties: #​76654
  • Turbopack: Simplify emitDecoratorMetadata test: #​76678
  • [test] Use new Redbox matchers in pages/ ReactRefreshRegression: #​76743
  • [test] Remove describeVariants helper: #​76631
  • [test] Fix flaky error-recovery test: #​76753
  • [test] Use new Redbox matchers in app/ dynamic-error: #​76744
  • [test] Use new Redbox matchers in app/ rsc-runtime-errors: #​76745
  • Turbopack: avoid panic in module batches: #​76757
  • Revert "test: temporarily disable after deploy test": #​74990
  • toDisplayRedbox(): replace all occurrences of testDir: #​76618
  • Fix: missing close brace in demo code: #​76549
  • Disable flaky Turbopack tests: #​76760
  • feat(CI): Revalidate vercel data cache on areweturboyet after uploading data to KV store: #​76693
  • chore(github): move top prs and feature requests to different Slack channel: #​76764
  • Fix flaky Bun test: #​76763
Credits

Huge thanks to @​acdlite, @​bgw, @​ijjk, @​molebox, @​kdy1, @​timneutkens, @​devjiwonchoi, @​mischnic, @​unstubbable, @​eps1lon, @​huozhi, @​philipithomas, @​delbaoliveira, @​samcx, @​wbinnssmith, @​sokra, @​gnoff, @​leerob, @​ztanner, @​raunofreiberg, @​lubieowoce, and @​LihaoWang for helping!

v15.2.0

Compare Source

Core Changes
  • Fix unstable_allowDynamic when used with pnpm: #​73732
  • [dynamicIO] use new heuristic to track whether server render is dynamic: #​73751
  • Fix receiveExpiredTags not always called: #​73759
  • error-overlay: Rename "Error" to "Issue": #​72817
  • remove redundant segment collection call: #​73773
  • Metadata resolvers can be fetched synchronously: #​73771
  • Turbopack: migrate client references to single-graph-traversal: #​73322
  • next-codemod: update gitignore file for parity for yarn recommendations: #​71963
  • feat: error code: #​73332
  • Detach next-error-code-swc-plugin from workspace: #​73806
  • [CI] Prominent error message for check_error_codes: #​73807
  • [Segment Cache] Add PPR header to segment prefetch: #​73756
  • fix: path escaping issue on windows: #​73843
  • Rename variables in LayoutRouter for clarity: #​73826
  • [Segment Cache] Skip prefetched segments on server: #​73626
  • [Segment Cache] No data on tree prefetch if no PPR: #​73767
  • Remove segmentPath from RSC payload: #​73827
  • build: better error if fetching AMP validator fails: #​73851
  • Escape the '.' in '.json' when making static data routes.: #​73850
  • fix(next@15): use the asset prefix when loading a CSS in App Router: #​72095
  • Exclude .test. files from using error code plugin: #​73868
  • Refactor telemetry API: #​73865
  • Add additional error classes and error codes: #​73862
  • refactor: collectAppPageSegments: #​73908
  • cleanup unnecessary map in dev server: #​73745
  • Retry manifest file loading only in dev mode: #​73900
  • Turbopack: ignore empty NEXT_TURBOPACK_TRACING var: #​73903
  • Ignore RSC fetch errors after hard navigation: #​73975
  • Fix error code check in windows: #​73981
  • Separate viewport and metadata in rsc and cache: #​73867
  • Add feature flag for new dev overlay: #​73977
  • Restore RSC fetch error handling after navigating back: #​73985
  • refactor: make locales array immutable: #​74037
  • fix: skip rendering dynamic root segment routes: #​74039
  • refactor: cache lowercasing all the locales: #​74038
  • Add SRI support for Node.js Runtime : #​73891
  • Separate bots detection utils: #​74000
  • docs: remove a duplicated word in redirect code comment: #​74043
  • examples: update gitignore files for parity for yarn recommendations: #​71956
  • chore: update turbopack document path in the warning message: #​72597
  • Clean up react-dev-overlay before fork: #​74016
  • chore(next/image): improve imgopt api bypass detection for unsupported images: #​73909
  • [Segment Cache] Add CacheStatus.Empty: #​73667
  • chore: move static paths utils into own folder: #​73928
  • Delete unused GroupedStackFrames.tsx: #​74028
  • [Segment Cache] Move cache key creation to client : #​73853
  • feat: added partial shell generation using root params: #​73816
  • feat: added error when there's missing root params in generateStaticParams: #​73933
  • Remove parentRendered argument: #​73877
  • Generate per-segment responses for any static page: #​73945
  • feat: added fallback route params to prerender manifest: #​74004
  • refactor(turbopack): Make various types directly or indirectly included in State<T> types into OperationValues and/or NonLocalValues: #​74008
  • Fork react-dev-overlay for new UI: #​74017
  • fix: added fallback source route to prerender manifest: #​74052
  • Add storybook for UI testing: #​74032
  • [Segment Cache] Support for non-PPR projects/pages: #​73960
  • exclude .stories. and .test. files from taskfile watch and error plugin: #​74064
  • Upgrade React from 7283a213-20241206 to 372ec00c-20241209: #​73749
  • fix: aria attribute typo for error overlay: #​74074
  • fix: set x-deployment-id to every middleware prefetch request: #​71193
  • Add middleware handler for error code telemetry: #​74088
  • Create ErrorOverlay component: #​74073
  • fix(typed-routes): Fix route type fallback: #​73271
  • Rename root-layout-missing-tags-error.tsx to pascal case: #​74089
  • Turbopack: next/dynamic use transitions instead of AST analysis: #​73627
  • [Turbopack] fix root and project path usages in a monorepo: #​73552
  • support bun.lock as package manager lockfile: #​74056
  • Stop sourcemapping function names: #​74085
  • Move ErrorIndicator to separate file: #​74090
  • Upgrade React from 372ec00c-20241209 to 518d06d2-20241219: #​74155
  • used shared worker for lint & typecheck steps: #​74154
  • chore(turbopack): Ignore no-vc-struct lint in trybuild proc macro tests: #​74110
  • Use provided waitUntil for pending revalidates: #​74164
  • Port ErrorPagination: #​74097
  • Port LeftIcon RightIcon from ErrorPagination: #​74098
  • Port ToolButtonsGroup: #​74099
  • [Turbopack] fix import.meta.url in monorepo: #​72612
  • refactor: rename the react client error callbacks module: #​74192
  • Use ErrorOverlayLayout in Errors component: #​74107
  • refactor: remove internal queries, move to request metadata: #​74100
  • Fix accessing headers in progressively enhanced form actions: #​74196
  • Use Geist font in Dev Overlay: #​74160
  • [metadata] Align prefetch head type with head: #​74161
  • refactor: error boundary rendering in app-render: #​74259
  • [metadata] Merge the metadata resolve apis into one api: #​74191
  • [DevOverlay] fix: restore pagination style: #​74296
  • fix: update broken links in config-shared.d.ts: #​74122
  • fix: fix typos in errors.json & create-component-tree.tsx: #​74471
  • Safely retrieve router, improve page reload logic: #​74209
  • docs: bump year: #​74475
  • [DevOverlay] Remove Dialog Banner: #​74464
  • [DevOverlay] Add color palette script: #​74465
  • Fix: Preserve intentional percent encoding in search param for client nav: #​74473
  • [DevOverlay] Implement New Overlay Layout with Bottom Stacks: #​74466
  • [DevOverlay] Add error overlay footer and feedback: #​74472
  • [DevOverlay] Remove temporary header children: #​74490
  • fix: server functions x-forwarded-host possible multiple values: #​73701
  • [DevOverlay] Pass footer message from error containers: #​74493
  • feat(rsc): allow host or forwarded: #​74199
  • [DevOverlay] Adjust border style for header and footer: #​74480
  • feat(next/image): add support for images.qualities in next.config: #​74257
  • Upgrade React from 518d06d2-20241219 to 3b009b4c-20250102: #​74492
  • fix: add node internals stack frames to ignored list: #​73698
  • chore: break calls to forEach into for loops: #​74523
  • [DevOverlay] Add error message: #​74541
  • [DevOverlay] Add error type label: #​74543
  • feat: connect error rating buttons to telemetry API: #​74496
  • [metadata] Move metadata rendering adjacent to page component: #​74262
  • Delete set-cache-busting-search-param.test.ts: #​74561
  • fix: enhance a11y, prevent double firing in error rating: #​74563
  • fix: add aria-hidden to error overlay voting icons: #​74568
  • Update font data: #​74572
  • Upgrade React from 3b009b4c-20250102 to 3ce77d55-20250106: #​74557
  • [metadata] Change the array head to single node in flight data: #​74299
  • [DevOverlay] Add Toolbar: #​74555
  • restore deleted comment in next-app-loader: #​74597
  • Turbopack dev: Remove client to server websocket ping event: #​74584
  • Fix prerender tags when notFound is called: #​74577
  • fix: add prerender abort errors to unstable rethrow: #​74556
  • Upgrade React from 3ce77d55-20250106 to 7b402084-20250107: #​74599
  • fix: handle optional catchall parameters properly when deployed: #​74562
  • refactor: generic dev build indicator: #​74615
  • ensure custom cache handlers are preloaded: #​74622
  • feat: dev build indicator for App Router: #​74618
  • fix fetch lock not being consistently released: #​74623
  • Ensure global cache handlers are used properly: #​74626
  • Ensure custom Suspense boundaries in layouts resolve if they contain the page: #​74552
  • test: exclude the ts testing files from tsconfig during local dev in nextjs repo: #​74647
  • Remove unused dependencyFactory plugin code: #​74661
  • test: do not log the changes for local dev tsconfig: #​74674
  • [metadata] initial support of streaming metadata: #​74619
  • Remove PPR feature check from Segment Cache client: #​74669
  • [Segment Cache] Add act-inspired internal router testing helper: #​74668
  • [Segment Cache] Background segment revalidation: #​74057
  • Upgrade React from 7b402084-20250107 to 42687267-20250108: #​74649
  • Indicate boolean value for configured experimental features on startup: #​74691
  • Implement encryption key into turbopack as hash salt: #​72933
  • Show numerical values for configured experimental features: #​74692
  • Upgrade React from 42687267-20250108 to 74ea0c73-20250109: #​74693
  • feat: DevToolsIndicator: #​74679
  • Fix presentation when onerror receives an event without error: #​74643
  • refactor: move the global client error code: #​74699
  • fix: ts language server rule metadata should allow null: #​74704
  • [DevTools] create error state for indicator: #​74717
  • [DevOverlay] Add Basic Stories for Error Containers: #​74697
  • Add experimental flag for View Transitions: #​74659
  • [DevOverlay] Floating Header and Bottom Stacks: #​74581
  • [DevOverlay] Add Pagination: #​74583
  • Fix @​vercel/og license SPDX expression: #​74745
  • [DevOverlay] Add Next.js version staleness indicator: #​74601
  • Write errors.json fully formatted: #​74753
  • [DevOverlay] Fix style details and correctly pass version info: #​74606
  • [DevOverlay] Decouple Dialog component from Error Overlay: #​74638
  • [DevOverlay] Apply Turbopack Styling: #​74636
  • [DevOverlay] Add Call Stack: #​74658
  • [DevOverlay] Add Runtime Error CodeFrame: #​74682
  • Do not warn during build for supported modules in the Edge runtime: #​74752
  • Ensure metadata doesn't break scroll-to-top on navigation: #​74748
  • [Segment Cache] Fix stale time unit conversion: #​74759
  • [metadata] add option of configuring ua of async metadata: #​74594
  • SingleModuleGraph: yield edge weights during traversal: #​74620
  • refactor(turbopack/next-api): Implement NonLocalValue for TracedDiGraph and SingleModuleGraph: #​74506
  • Always display version indicator: #​74774
  • Update font data: #​74777
  • Upgrade React from 74ea0c73-20250109 to 056073de-20250109: #​74754
  • [DevOverlay] Improve Storybook Structure: #​74764
  • fix: always show indicator in app router: #​74758
  • Upgrade React from 056073de-20250109 to 540efebc-20250112: #​74805
  • [DevOverlay] Fix Style Regression: #​74768
  • Fix output files warning by Turborepo: #​74811
  • perf(lint): cache the returned regex result: #​74827
  • Upgrade React from 540efebc-20250112 to cabd8a0e-20250113: #​74828
  • feat: added rewrite headers after user-supplied rewrites: #​74776
  • Add partial support for "use cache" in metadata route handlers: #​74835
  • [DevOverlay] Hydration Error Code Frame: #​74822
  • fix: when metadatabase is set we should not warn: #​74840
  • [DevOverlay] Sync Terminal component with CodeFrame for Build Error: #​74831
  • feat: animated dev build/render indicator: #​74833
  • Fix mojibake in server action inputs (fixes #​74843): #​74845
  • [DevOverlay] Add Turbopack story for Error Containers: #​74834
  • Add pagination SEO link tags: #​74737
  • chore: fix local development warnings inside next monorepo: #​74863
  • fix: eslint rule of using img in metadata routes: #​74864
  • Upgrade React from cabd8a0e-20250113 to b3a95caf-20250113: #​74868
  • [Segment Cache] Support <Link prefetch={true}>: #​74172
  • Remove unnecessary re render on link reveal: #​74670
  • [Segment Cache] Cancel prefetch on viewport exit: #​74671
  • [Segment Cache] Prioritize hovered links: #​74672
  • Refine NextLogo Accessibility and Styling: #​74869
  • Disable failed scroll restoration warning: #​74875
  • Polish UI for dev indicator popover: #​74872
  • [DevTools] Add CMD + . keyboard shortcut to show/hide: #​74878
  • [DevOverlay] use buttons for interactive indicator row options: #​74887
  • [DevOverlay] close popover/overlay on Esc: #​74889
  • Skip client reference manifests for static metadata route handlers: #​74876
  • Upgrade React from b3a95caf-20250113 to f0edf41e-20250115: #​74890
  • fix: moved down segment path handling after cache headers are set: #​74893
  • [Turbopack] improve task optimization: #​74837
  • Ensure client reference manifest is traced for global not found page: #​74919
  • Polish error feedback row: #​74880
  • fix: static indicator for new overlay decoupled from appIsrStatus: #​74933
  • [test] Avoid hydration errors in react-compiler tests: #​74928
  • feat: write the segment path data out from the incremental cache: #​74892
  • Track dynamic IO feature usage: #​74942
  • Upgrade React from f0edf41e-20250115 to b158439a-20250115: #​74936
  • Turbopack: chunk_group_multiple: #​74859
  • [DevOverlay] Fix floating header invisble on small screen: #​74886
  • rest errors queue after passing to handler: #​74982
  • [DevOverlay] Keep pagination on Build Error: #​74905
  • [Segment Cache] Evict client cache on revalidate: #​74874
  • Upgrade React from b158439a-20250115 to 5b51a2b9-20250116: #​74993
  • [DevOverlay] Gather Feedback per Error: #​74908
  • Fix dev server ignores ENOENT error when loading page: #​65213
  • refactor: updated route regexp handling to simplify: #​74996
  • [DevOverlay] Rename file names to kebab: #​75000
  • Fix dhat support for turbo dev: #​67166
  • Fix missing revalidate with notFound(): #​75009
  • fix: always ensure element before set to weakmap: #​75012
  • Fix ping event being sent unintentionally for Pages Router with Turbopack: #​75030
  • fix: don't memory-leak promises passed to waitUntil: #​75041
  • refactor: include new option for including prefixes: #​75015
  • Disable colormin feature from cssnano: #​53393
  • types: improve types in app-index: #​75045
  • feature(error): capture ssr error in overlay during dev: #​74983
  • [DevOverlay] Polish new Error Overlay badge: #​74975
  • [DevOverlay]: hook up issue click handlers in NextLogo: #​75069
  • error when output: export is used with intercepting routes: #​75058
  • Display global-error along dev overlay during development: #​75101
  • [DevOverlay] Decouple Error Overlay with DevTools Indicator: #​74999
  • [DevOverlay] Open Error Overlay when DevTools Indicator clicked: #​75025
  • fix: be more defensive in useMergedRef: #​75088
  • [Dev Badge] Focus states and fluid transitioning between states: #​75141
  • polish indicator loading behaviour for new dev overlay: #​75149
  • clean unused stop: #​75156
  • [Segment Cache] Remove segment access tokens: #​75157
  • [Segment Cache] Minimize special root key handling: #​75159
  • [next:dev] fix: console error conflicting public file: #​75140
  • [Turbopack] allow to disable source maps: #​75136
  • Allow disabling HTTP request logs in dev server: #​74349
  • [metadata] Fix streaming metadata was missing in ssr: #​75155
  • fix(turbopack/napi): Flush optional task cache hit statistics upon completion of build: #​75122
  • add hostname to default error boundary message: #​75151
  • [Segment Cache] Predictable fallback param encoding: #​75166
  • misc: remove authors section in the readme: #​75184
  • Track use cache usage: #​75007
  • Upgrade React from 5b51a2b9-20250116 to 9b62ee71-20250122: #​75187
  • fix after export in next-types-plugin: #​75190
  • fix: Merge link header from middleware with the ones from React: #​73431
  • Restore and enhance error handling for hanging inputs in "use cache": #​74652
  • Error handli

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
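The fixed-version list and the header workaround from the CVE-2025-29927 advisory quoted above, as an added example that is not code from Next.js, Renovate or this pull request. The function names, the status labels and the choice of a 400 response are assumptions made for illustration; the guard is written in the Connect/Express `(req, res, next)` style for a custom server or proxy sitting in front of the Next.js handler.

```javascript
// Added example: not code from Next.js, Renovate or this pull request.
// Fixed versions per release line, copied from the CVE-2025-29927 advisory text.
const FIXED_IN = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };
// Header named in the advisory's workaround section.
const BLOCKED_HEADER = "x-middleware-subrequest";

// Parse an exact version such as "15.1.5" or "v15.2.3-canary.1".
// Ranges ("^15.1.5") are rejected: audit the resolved lockfile version instead.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(
    String(version).trim()
  );
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Classify an installed `next` version against the advisory (labels are hypothetical):
//   "patched"    at or above the fixed release of its line
//   "upgrade"    below the fixed release of its line
//   "workaround" 11.x, for which the advisory offers only the header workaround
//   "unknown"    unparseable, a prerelease, or a line the advisory does not list
function advisoryStatus(version) {
  const parsed = parseVersion(version);
  if (!parsed || parsed.prerelease) return "unknown";
  const major = parsed.parts[0];
  if (major === 11) return "workaround";
  const fixed = FIXED_IN[major];
  if (!fixed) return "unknown";
  for (let i = 0; i < 3; i += 1) {
    if (parsed.parts[i] !== fixed[i]) {
      return parsed.parts[i] > fixed[i] ? "patched" : "upgrade";
    }
  }
  return "patched";
}

// True when the request carries the header, compared case-insensitively.
// Accepts Node's req.rawHeaders ([name, value, name, value, ...]) or a
// plain { name: value } object such as req.headers.
function carriesBlockedHeader(headers) {
  if (Array.isArray(headers)) {
    for (let i = 0; i < headers.length; i += 2) {
      if (String(headers[i]).toLowerCase() === BLOCKED_HEADER) return true;
    }
    return false;
  }
  return Object.keys(headers || {}).some((name) => name.toLowerCase() === BLOCKED_HEADER);
}

// Guard for the edge of the deployment: reject the request before it reaches
// Next.js instead of forwarding it. Returns true when the request was passed on.
function subrequestHeaderGuard(req, res, next) {
  if (carriesBlockedHeader(req.rawHeaders || req.headers)) {
    res.statusCode = 400; // assumption: any rejection status works here
    res.end("Bad Request");
    return false;
  }
  next();
  return true;
}

// Constructed sample versions, standing in for entries read from a lockfile.
function auditSample() {
  const installed = ["15.1.5", "15.2.3", "14.2.24", "11.1.4", "15.2.3-canary.1"];
  return installed.map((v) => `${v}: ${advisoryStatus(v)}`);
}

console.log(auditSample().join("\n"));
```

The guard only helps where it sees external traffic first; it belongs on the outermost hop that external requests pass through.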

@bolt-new-by-stackblitz

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@codesandbox

codesandbox bot commented Mar 21, 2025

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

@sourcery-ai
Contributor

sourcery-ai bot commented Mar 21, 2025

Reviewer's Guide by Sourcery

This pull request updates the nextjs dependency from version 15.1.5 to 15.2.3. This update addresses a security vulnerability (CVE-2025-29927) where authorization checks in Next.js middleware could be bypassed. Review the linked security advisory for more details on the vulnerability and its potential impact.

Sequence diagram for middleware authorization check before and after fix

sequenceDiagram
    participant User
    participant Next.js Middleware
    participant Application Logic

    alt Before Fix (v15.1.5)
        User->>Next.js Middleware: Request with x-middleware-subrequest header
        Next.js Middleware->>Application Logic: Proceeds without proper authorization check
        Application Logic-->>Next.js Middleware: Response
        Next.js Middleware-->>User: Response
    else After Fix (v15.2.3)
        User->>Next.js Middleware: Request with x-middleware-subrequest header
        Next.js Middleware->>Next.js Middleware: Check authorization and filter x-middleware-subrequest header
        Next.js Middleware->>Application Logic: Proceeds with proper authorization check
        Application Logic-->>Next.js Middleware: Response
        Next.js Middleware-->>User: Response
    end

File-Level Changes

Change: Updated the nextjs dependency to address a security vulnerability.
Details:
  • Updated next from version 15.1.5 to 15.2.3.
  • Addressed CVE-2025-29927, which involves bypassing authorization checks in Next.js middleware.
Files: pnpm-lock.yaml


Contributor

@sourcery-ai sourcery-ai bot left a comment


We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!
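
The advisory quoted in this pull request lists the fixed release for each major line and a header-blocking workaround; the following added example (not Next.js code and not part of this repository) turns both into checks. The names `classifyNextVersion`, `hasSubrequestHeader` and `withSubrequestGuard` are hypothetical, and the guard assumes it runs on the hop that sees only external traffic.

```javascript
// Added example: not Next.js source and not code from this repository.
// Fixed releases per major line, as listed in the advisory for CVE-2025-29927.
const FIXED = { 15: [15, 2, 3], 14: [14, 2, 25], 13: [13, 5, 9], 12: [12, 3, 5] };
const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Classify an installed `next` version as 'patched', 'vulnerable',
// 'workaround' (11.x: no fixed release listed) or 'unknown'.
function classifyNextVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return 'unknown';
  // Prerelease builds (canary, rc) cannot be judged from the release list.
  if (m[4]) return 'unknown';
  const got = [Number(m[1]), Number(m[2]), Number(m[3])];
  const major = got[0];
  if (major === 11) return 'workaround';
  // Assumption: majors newer than the listed lines already contain the fix.
  if (major > 15) return 'patched';
  const fixed = FIXED[major];
  if (!fixed) return 'unknown';
  for (let i = 0; i < 3; i++) {
    if (got[i] !== fixed[i]) return got[i] > fixed[i] ? 'patched' : 'vulnerable';
  }
  return 'patched'; // exactly the fixed release
}

// True when the header is present under any casing. Node lower-cases
// incoming header names, but objects from other sources may not.
function hasSubrequestHeader(headers) {
  return Object.keys(headers || {}).some((k) => k.toLowerCase() === SUBREQUEST_HEADER);
}

// Wrap a Node-style (req, res) handler so that requests carrying the header
// are rejected before the wrapped handler sees them. Returns false when the
// request was blocked, true when it was passed through.
function withSubrequestGuard(handler) {
  return (req, res) => {
    if (hasSubrequestHeader(req.headers)) {
      res.statusCode = 400;
      res.end('Bad Request');
      return false;
    }
    handler(req, res);
    return true;
  };
}
```
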

@qodo-merge-pro

qodo-merge-pro bot commented Mar 21, 2025

CI Feedback 🧐

(Feedback updated until commit a41a89d)

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Build and Test

Failed stage: Setup pnpm [❌]

Failure summary:

The action failed due to two distinct issues:

1. PNPM Setup Error: There's a version conflict in the pnpm configuration:
- The GitHub Action is configured to use the latest version
- The project's package.json specifies pnpm@9.0.0 in the packageManager field
- This conflict needs to be resolved by using only one version specification

2. Codecov Test Results Error: No JUnit XML test result files were found for the Codecov test results action to process and upload.

Relevant error logs:
1:  ##[group]Operating System
2:  Ubuntu
...

136:  ##[endgroup]
137:  ##[warning]Cache not found for keys: Linux-turbo-27830e2df2c9b635bef9411ebd5e485a4eb795f3, Linux-turbo-
138:  Cache not found for input keys: Linux-turbo-27830e2df2c9b635bef9411ebd5e485a4eb795f3, Linux-turbo-
139:  ##[group]Run pnpm/action-setup@v4.0.0
140:  with:
141:  version: latest
142:  dest: ~/setup-pnpm
143:  run_install: null
144:  package_json_file: package.json
145:  standalone: false
146:  env:
147:  TURBO_TOKEN: 
148:  TURBO_TEAM: 
149:  ##[endgroup]
150:  ##[group]Running self-installer...
151:  Error: Multiple versions of pnpm specified:
152:  - version latest in the GitHub Action config with the key "version"
153:  - version pnpm@9.0.0 in the package.json with the key "packageManager"
154:  Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION
155:  at readTarget (/home/runner/work/_actions/pnpm/action-setup/v4.0.0/dist/index.js:1:4528)
156:  at runSelfInstaller (/home/runner/work/_actions/pnpm/action-setup/v4.0.0/dist/index.js:1:3742)
157:  at async install (/home/runner/work/_actions/pnpm/action-setup/v4.0.0/dist/index.js:1:2976)
158:  at async main (/home/runner/work/_actions/pnpm/action-setup/v4.0.0/dist/index.js:1:444)
159:  ##[error]Error: Multiple versions of pnpm specified:
160:    - version latest in the GitHub Action config with the key "version"
161:    - version pnpm@9.0.0 in the package.json with the key "packageManager"
162:  Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION
163:  ##[group]Run codecov/test-results-action@v1.0.2
...

176:  gpg: Total number processed: 1
177:  gpg:               imported: 1
178:  gpg: Signature made Tue Mar 25 17:04:28 2025 UTC
179:  gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
180:  gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" [unknown]
181:  gpg: WARNING: This key is not certified with a trusted signature!
182:  gpg:          There is no indication that the signature belongs to the owner.
183:  Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869
184:  ==> Uploader SHASUM verified (e2cfdb658c569e92cbb413237a1e9a266f1cb6285bf10c3793d6d606979e2049  codecov)
185:  ==> Running version latest
186:  ==> Running version v10.3.0
187:  ==> Running command '/home/runner/work/_actions/codecov/test-results-action/v1.0.2/dist/codecov do-upload'
188:  [command]/home/runner/work/_actions/codecov/test-results-action/v1.0.2/dist/codecov do-upload -C a41a89df354a4246ff6d0fcc7e4f9853079936a4 --report-type test_results
189:  info - 2025-04-01 10:28:02,390 -- ci service found: github-actions
190:  info - 2025-04-01 10:28:02,431 -- Found 0 test_results files to report
191:  error - 2025-04-01 10:28:02,432 -- No JUnit XML reports found. Please review our documentation (https://docs.codecov.com/docs/test-result-ingestion-beta) to generate and upload the file.
192:  info - 2025-04-01 10:28:02,854 -- No test results reports found. Triggering notifications without uploading.

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 7eb8640 to 5d239da Compare March 23, 2025 16:47
@renovate renovate bot changed the title fix(deps): update dependency next to v15.2.3 [security] fix(deps): update dependency next to v15.2.3 [security] - autoclosed Mar 24, 2025
@renovate renovate bot closed this Mar 24, 2025
@renovate renovate bot deleted the renovate/npm-next-vulnerability branch March 24, 2025 16:23
@renovate renovate bot changed the title fix(deps): update dependency next to v15.2.3 [security] - autoclosed fix(deps): update dependency next to v15.2.3 [security] Mar 24, 2025
@renovate renovate bot reopened this Mar 24, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from 5d239da to f9cb3e3 Compare March 25, 2025 03:36
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f9cb3e3 to a41a89d Compare April 1, 2025 10:27
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from a41a89d to eb60844 Compare April 8, 2025 11:47
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from eb60844 to 0584c97 Compare April 24, 2025 09:40
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 0584c97 to 8c0cdc7 Compare May 19, 2025 17:46
@renovate renovate bot changed the title fix(deps): update dependency next to v15.2.3 [security] fix(deps): update dependency next to v15.2.3 [security] - autoclosed May 22, 2025
@renovate renovate bot closed this May 22, 2025
@renovate renovate bot changed the title fix(deps): update dependency next to v15.2.3 [security] - autoclosed fix(deps): update dependency next to v15.2.3 [security] May 24, 2025
@renovate renovate bot reopened this May 24, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 3 times, most recently from 7eba892 to b9b5b53 Compare May 28, 2025 08:32
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from b9b5b53 to 805c987 Compare June 4, 2025 09:41
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 805c987 to 6e44d51 Compare June 22, 2025 13:47
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6e44d51 to 3c370bb Compare July 2, 2025 15:03
@renovate renovate bot changed the title fix(deps): update dependency next to v15.2.3 [security] fix(deps): update dependency next to v15.2.3 [security] - autoclosed Jul 10, 2025
@renovate renovate bot closed this Jul 10, 2025