Update npm package `next` to v14 [SECURITY] #5037

hash-worker · 2024-09-10T07:26:49Z

This PR contains the following updates:

Package	Type	Update	Change
next (source)	devDependencies	major	`13.5.5` -> `14.1.1`
next (source)	dependencies	major	`13.5.5` -> `14.2.7`

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

Next.js (<14.1.1) is running in a self-hosted* manner.
The Next.js application makes use of Server Actions.
The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

CVE-2024-46982

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

Next.js between 13.5.1 and 14.2.9
Using pages router
Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

Deployments using only app router
Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

Allam Rachid (zhero_)
Henry Chen

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

Release Notes

vercel/next.js (next)

`v14.1.1`

Compare Source

Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary

Core Changes

Should not warn metadataBase missing if only absolute urls are present: https://github.com/vercel/next.js/pull/61898
Fix trailing slash for canonical url: https://github.com/vercel/next.js/pull/62109
Fix metadata json manifest convention: https://github.com/vercel/next.js/pull/62615
Improve the Server Actions SWC transform: https://github.com/vercel/next.js/pull/61001
Fix Server Reference being double registered: https://github.com/vercel/next.js/pull/61244
Improve the Server Actions SWC transform (part 2): https://github.com/vercel/next.js/pull/62052
Fix module-level Server Action creation with closure-closed values: https://github.com/vercel/next.js/pull/62437
Fix draft mode invariant: https://github.com/vercel/next.js/pull/62121
fix: babel usage with next/image: https://github.com/vercel/next.js/pull/61835
Fix next/server api alias for ESM pkg: https://github.com/vercel/next.js/pull/61721
Replace image optimizer IPC call with request handler: https://github.com/vercel/next.js/pull/61471
chore: refactor image optimization to separate external/internal urls: https://github.com/vercel/next.js/pull/61172
fix(image): warn when animated image is missing unoptimized prop: https://github.com/vercel/next.js/pull/61045
fix(build-output): show stack during CSR bailout warning: https://github.com/vercel/next.js/pull/62863
Fix extra swc optimizer applied to node_modules in browser layer: https://github.com/vercel/next.js/pull/62051
fix(next-swc): Detect exports.foo from cjs_finder: https://github.com/vercel/next.js/pull/61795
Fix attempted import error for react: https://github.com/vercel/next.js/pull/61791
Add stack trace to client rendering bailout error: https://github.com/vercel/next.js/pull/61200
fix router crash on revalidate popstate: https://github.com/vercel/next.js/pull/62383
fix loading issue when navigating to page with async metadata: https://github.com/vercel/next.js/pull/61687
revert changes to process default routes at build: https://github.com/vercel/next.js/pull/61241
fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: https://github.com/vercel/next.js/pull/60776
Improve redirection handling: https://github.com/vercel/next.js/pull/62561
Simplify node/edge server chunking some: https://github.com/vercel/next.js/pull/62424

Credits

Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!

`v14.1.0`

Compare Source

Core Changes

Turbopack: switch to a single client components entrypoint: #59352
Update swc_core to v0.86.98 and turbopack: #59393
Fix cases for the optimize_server_react transform: #59390
Use new JSX transform: #56294
loading.tsx should have no effect on partial rendering when PPR is enabled: #59196
Update font data: #86326
Remove CacheNode.status field: #86372
Rename CacheNode.data → .lazyData : #86373
Generate Params Cleanup: #86331
Fix webpack chunks handling in traces: #86398
Rename CacheNode.subTreeData -> .rsc : #86391
fix NODE_OPTIONS=inspect: #59530
Add CacheNode.prefetchRsc field: #59537
allow passing wildcard domains in serverActions.allowedDomains: #86328
Page Info Cleanup: #86330
Fix force-static and fetch no-store cases: #59549
Should not show no index for client rendering bailout: #59531
Enable build worker by default: #86305
Fork navigateReducer into PPR and non-PPR versions: #59538
cleanup magic segment strings: #59552
chore: update Turbopack: #59589
Fix another magic segment string constant: #59591
Make CacheNodeSeedData match FlightRouterState more closely: #59590
transpilePackages should override default settings for external packages: #59385
move segment constants to separate file: #59587
Revert "Page Info Cleanup (#86330)": #59592
Fix useOptimistic in server components bug. Add tests for invalid React server APIs: #59621
Partial Pre Rendering Headers: #86347
Add tests for invalid React server APIs: #59622
Refactor setup-dev-bundler to make Turbopack/Webpack split clearer: #59650
refactor and simplify app dynamic components: #59658
Change manifestPath to pagesManifestPath: #59657
Fix issue with outputFileTracingExcludes and pages/api edge runtime: #59157
Update font data: #59722
Remove path normalization logic when uploading .next/trace traces: #59305
LayoutRouter: Support segment value of Promise to asynchronously bail out and trigger a server patch: #59724
fix: Allow start turbopack dev server for a project using middleware: #59759
fix: gracefully shutdown server: #59551
Revert "fix: gracefully shutdown server (#59551)": #59792
Optionally bundle legacy react-dom/server APIs based on usage: #59737
fix default handling in route groups that handle interception: #59752
Transpile all code on app browser layer: #59569
Initial implementation of PPR client navigations: #59725
fix(turbopack): prevent edge entrypoint from becoming an async module: #59818
Ensure we validate revalidate configs properly: #59822
Update error check in validateRevalidate: #59826
Rename confusing loaders: #59827
Upgrade og dependencies: #59541
[PPR Navs] Bugfix: Dynamic data never streams in if prefetch entry is stale: #59833
fix parallel catch-all route normalization: #59791
fix router prefetch cache key to work with route interception: #59861
Alias nextjs api entry to esm version for app router: #59852
Remove duplicate standalone check: #60085
Remove return on void function: #60087
Ensure NextBuildContext is only used during build: #60099
Add PageExtensions type: #60108
Ensure instrumentation file does not affect middleware count: #60102
Use WebpackError type instead of any: #60105
Remove root parameter: #60112
Remove extra duplicate pages warning: #60113
Add MappedPages type: #60106
Always call createPagesMapping for root paths: #60107
Fix path issues on linux machines when build created on windows: #60116
fix: Fix wrong cjs detection of auto-cjs pass: #60118
chore: update Copyright time from 2023 to 2024: #60071
Filter out duplicate paths in build output: #59858
chore: align webpack config node version: #59862
gracefully handle client router segment mismatches: #60141
Fix start build log being overwritten by logs from page: #60122
Allow using ESM pkg with custom incremental cache: #59863
Fix emitting ESM swc helpers for 3rd parties CJS libs in bundle: #60169
Move cacheDir logic to getCacheDir: #60133
Refactor to unify writeFile, readFile, and add readManifest: #60137
chore: bump @vercel/[email protected]: #60172
fix: <Script> with beforeInteractive strategy ignores additional attributes in App Router: #59779
Fix invalid comment: #60182
Refactor: Separate RSC renderer from SSR wrapping component: #59676
fix: cache next font during development to avoid FOUC: #60175
Add writeManifest: #60138
Add writePrerenderManifest: #60158
Add writeStandaloneDirectory: #60162
Always write FunctionsConfigManifest: #60163
Upgrade @vercel/og: #60205
Improve consistency of issues and diagnostics for napi calls: #60198
Change server actions cache default to no-store: #60170
Allow undefined environment variables in config: #58247
Add writeFullyStaticExport: #60200
fix: Mark file as ESM if it has an export from auto-cjs pass: #60216
log a dev warning when a missing parallel slot results in a 404: #60186
Fix: Throw an error for empty array return in generateStaticParams with output:export: #57053
Ensure appPathsManifest variable is inside if block: #60210
Remove NEXT_TURBO_FILTER_PAGES internal variable: #60217
fix: add node-web-audio-api to server-external-packages.json: #60243
Disable 2mb limit for custom incrementalCacheHandler: #59976
[PPR Nav] Fix: Page data should always be applied: #60242
Add writeImagesManifest: #60209
feat(next-core): apply rsc transform in turbopack: #59629
Move buildId logic to getBuildId: #60132
fix catch-all route normalization for default parallel routes: #60240
micro fix of the cache limit check: #60249
parallel routes: fix @children slots: #60288
Bump webpack-bundle-analyzer: #58442
docs: Add docs for next dev --experimental-https: #60357
Update React from 0cdfef1 to f1039be: #60368
Simplify if condition: #60250
Fix dynamic sitemap detection: #60356
chore(font): enable minification: #60319
chore(precompile): remove obsolete precompiled assets : #60316
refactor: simplify the call in lib.picocolors: #60386
chore(precompile): re-add watchpack to the precompile: #60309
refactor(dev-overlay): remove chalk: #60317
Fix: HMR in multi-zone handling 🌱: #86371
HMR development stats: include updatedModules for App Router and Turbopack changes: #59785
Change color of output bundle size: #60385
Fix TypeError when using params in RootLayout with parallel routes: #60401
Fix missing source code display for some jsx errors: #60390
Refactor unstable_cache implementation: #60403
Missing Postpone Detection Fix: #59891
refactor(next/core): reorganize next.js custom transforms for next-swc/turbopack: #60400
Fix custom cache handler importing on windows: #60312
Display original failed fetch trace: #60274
feat(app-router): introduce experimental.missingSuspenseWithCSRBailout flag: #57642
update turbopack: #60208
update turbopack: #60478
feat(turbopack): support named client references properly: #59578
Fix intercepted segments with basepath: #60485
parallel routes: fix client reference manifest grouping for catch-all segments: #60482
Group small chunks in shared js section of output: #60479
filter default segments from prerender manifest: #60499
Add experimental options for more parallelization in webpack builds: #60177
move custom allocator flag and add rustls-tls comment: #60128
fix: redirect logic missing basePath in App Render: #60184
Revert "feat(app-router): introduce experimental.missingSuspenseWithCSRBailout flag": #60508
add retry logic to loadClientReferenceManifest: #56518
Turbopack hmr: record forwarded client spans: #60500
chore(turbopack): check for unsupported next config options instead of supported ones: #58781
Handle non server action post requests safely: #60526
Fix global-error for nested routes: #60539
chore(examples): use default prettier for examples/templates: #60530
Update default error rate for client filter: #60542
Enable windowHistorySupport by default: #60557
Fix logging order of build jobs: #60564
propagate notFound errors past a segment's error boundary: #60567
Tracing: attach Turbopack session value to root span: #60576
[PPR Nav] Fix flash of loading state during back/forward: #60578
Fix react-refresh for transpiled packages: #60563
Ensure client filter with basePath is correct: #60580
Update React from f1039be to 60a927d: #60619
Add cache reason for using fetch with noStore: #60630
chore: remove unused export: #60647
remove next build turbopack version: #60655
fix breakpoints on reload: #60507
Fix hmr updates with rebuilding for build errors: #60676
graceful shutdown: #60059
refactor(next-swc): remove unused crashreporter: #60593
chore(eslint-plugin-next): upgrade glob dependency: #60732
Fix client reference keys of barrel-optimized files: #60685
Fix recursive ignoring case in build traces: #60740
Telemetry: allow disabling of fetch tracing: #60588
chore: typo, responseCookes to responseCookies: #60654
Telemetry code load: #60863
allow to pass available chunk items when creating a chunk group: #60554
separate chunking per layout parts: #60569
feat(next-core): port remaining next.js custom transforms: #60498
Reapply "feat(app-router): introduce experimental.missingSuspenseWithCSRBailout flag" (#60508): #60751
Skip postcss config location resolving in node_modules: #60697
apply page transforms only on pages: #60779
fix layout segment key to match up with manifest: #60783
Fix locale domain public files check: #60749
Stabilize custom cache handlers and changing memory size.: #57953
feat: stabilize unstable_getImgProps() => getImageProps(): #60739
Fix Server Actions compiler bug: #60794
Dev Server: Preserve globals overwrites in the initialization hook: #60796
add missing function call to normalize-catchall-routes test case: #60777
Use snapshots for component-stack tests: #60768
Support next/og usage in ESM nextjs app: #60818
fix(ts): auto-complete next/headers: #60817
Remove the warning for build worker when custom webpack present: #60820
chore(deps): update browserslist and caniuse-lite: #60827
feat: support custom image loaders in turbopack: #60736
Ensure request specific caches for revalidate are reset: #60810
Add metrics names for unstable_cache: #60802
Fix: respect init.cache if fetch input is request instance: #60821
Revert "Fix: Throw an error for empty array return in generateStaticParams with output:export": #60831
turbopack: rename custom cache handler configs: #60828
dx: warn the deprecated cache configs are used: #60836
Enable missing suspense bailout by default: #60840

Documentation Changes

Docs: Update Server Actions Docs: #59080
Docs: Polish Server Actions Page 💅🏼 : #86300
Update 10-route-handlers.mdx: #86343
docs: remove broken link: #86387
Docs: Add App Router Testing Guides and update /examples: #59268
docs: fix bad closed tag: #59575
Fix closing tags for jest docs: #59579
Docs: Fix formatting in testing docs and update examples dependencies: #59572
Docs: Add missing closing tag: #59581
Docs: Review and update getServerSideProps page: #59545
docs: add note for environment variables on Vercel deployment: #59237
docs(accessibility): updates WCAG version to 2.2: #59646
docs: small tweaks: #59638
docs: fix broken backtick for link: #59717
Docs: Document generateSitemaps: #59626
Docs: Polish testing section: #59618
docs: improve docs around geolocation and IP headers: #59719
Docs: Review and Typo Fix - getServerSideProps: #59616
docs: fix vitest example link in testing with vitest: #59659
docs: fix grammar issue in 03-get-server-side-props.mdx: #59670
Includes section to @next/third-parties documentation for Google Analytics: #59671
Change file extension to .tsx: #59763
docs: clarify data fetching pattern: #59602
change 'themeColor' to 'viewport' in the viewport section: #59764
docs: add missing comma to sitemap.mdx: #59788
Chore docs fix runon and definition of trailing slash redirect: #59889
Minor grammar edits: #59887
Introduce cache version history in cache API: #59799
docs: correct type in sitemap.mdx: #59787
chore(docs): Remove typesafe-i18n from thrid-party i18n options: #59624
docs: Add Chakra UI setup guide: #59275
Update not-found.mdx: #86378
Updates references for styled-components configuration in next.config.js: #86395
Update 05-mdx.mdx: #57988
Mention remark-mdx-frontmatter in frontmatter docs: #59238
Docs: Rename React Query to TanStack Query: #59004
Add cwd to VSCode debugging setup steps: #58689
[Docs]: fix tiny typo: #59897
[docs] Add sensible name for Cookie deleting functions: #57893
Update generate-viewport.mdx: #57701
Update opengraph-image.mdx: #57810
[docs] Update example links.: #57891
docs: clarify setting and reading cookies from Route Handlers: #59915
docs: add Sirv loader for next/image: #57102
docs: fix prettier lint: #59918
docs: Add media example for icon metadata: #56141
Fix typo in generate-sitemaps.mdx docs: #59964
Update 02-server-actions-and-mutations.mdx: #59935
Update 08-parallel-routes.mdx: #59966
Updates "No Before Interactive" error message for App router: #56033
docs: Update Middleware docs on ignoring prefetches: #56799
docs: add note that contentlayer is unmaintained: #59927
docs: small changes to linking docs: #59982
docs: opengraph / twitter image needs absolute URL: #59985
docs: fix typo for useFormState: #60010
docs: clarify using redirect with client components: #60056
Update documentation to reflect added support for 'userScalable' field in 'viewport': #60033
docs: Add section for CSP without nonces: #60067
docs: update install count: #60072
docs: fix version history order in sitemap.mdx: #60054
docs: clarify generateStaticParams and dynamicParams: #60083
docs: update maxDuration info: #60086
docs: ⌘ Enter for forms: #60090
Clarify measurement ID in Optimizing: Third Party Libraries: #60136
Update 03-css-in-js.mdx : fix typo: #60114
docs: small wording fix for 03-linking-and-navigating.mdx: #60089
Docs: If revalidatePath's path has dynamic segment path, type must be page.: #59149
docs: improve grammar: #60149
Fix config code in the CSS-in-JS chapter: #60164
Updating example with required content type in header: #59990
Adds a section to Optimizing: Third Party Libraries on tracking pageviews for Google Analytics: #60176
Update route-segment-config.mdx: #60179
docs: Fix typo on generate-sitemaps.mdx: #60188
small correction in 11-middleware.mdx: #60189
docs(trailingSlashes): add note for SSG generation: #57628
docs: fix typos and broken links in the image.mdx: #60221
Docs: Fix revalidate type annotation: #60230
Update 02-server-actions-and-mutations.mdx: #60222
fix(docs): add missing docs on external packages: #60244
Docs: Add "Going to production" page for App Router: #59304
Docs: Update compression docs: #60264
Docs: Clarify useSearchParams behavior: #60257
Docs: Add more clarification about compress : #60268
Clarify searchParams is not passed to Layouts: #60277
docs(testing): add bun command to running your tests section: #60281
chore(docs): add section for Custom Type Declarations: #60282
docs: small corrections to bundle analyzer docs: #60285
docs: typo fix in compression page: #60318
docs: add example of webhooks with App Router: #60276
docs: add optional catch-all segments typescript example: #60237
Update use-search-params.mdx: #55357
docs: address a few open issues: #60329
docs: next/head: Document error cases with head/body-tags; add subheadings: #56412
Fix bundle analyzer NPM package name in documentation: #60339
[doc] Update 03-linking-and-navigating.mdx: #60345
add missing types: #60346
docs: update docs for remotePatterns to mention what happens when prop is omitted: #60387
Docs: Update note on @next/third-parties being experimental: #60372
chore(docs): fix 14 upgrade guide mentioning export: #60429
chore(docs/errors): Improve documentation grammar: #60452
Docs: Address Community Feedback: #60476
for #59178 - addition to robots.mdx - Customize user-agent rules: #60361
Docs: Document windowHistorySupport flag, and add pushState/replaceState examples: #60374
docs: correct windowHistorySupport title: #60503
chore: correct subject-verb conjugation in Client Components doc: #60538
Add "Redirecting" page in the Routing section: #60435
docs: small fix in Redirecting page: #60583
fix(mdx): update word order, fix typo: #60466
Add documentation for client router filter: #60585
docs: Update Google Analytics error doc: #60612
docs: remove Next 13 mention for App Router: #60632
Fix Typo in Testing Documentation Description: #60601
chore: remove duplicate package name: #60652
chore(docs): add docs for .svg unoptimized behavior: #60735
add authentication docs page: #60388
chore(docs): fix example documentation for Art Direction: #60823
docs: add build worker optout error back with upgrade advice: #60826
Docs: Use JS comment for MDX: #60825
Fix error from the auth docs.: #60829

Example Changes

Updates the with-vitest example. Unlocks the tests passing with server-only usage: #58902
Add text-wrap: balance to CNA template for card descriptions: #59384
fix: Invalid next version tag name in with-cypress example: #59647
Fix: Add matcher for middleware: #59651
examples: Add new NextAuth.js example: #56914
examples: add required env vars to auth example.: #59901
examples: update Redis to App Router: #59311
examples: remove broken deploy button: #58794
examples: progressive enhancement for Redis example: #59937
Update .env.local.example of with-firebase example: #59954
Upgrade with-algolia-react-instantsearch example to latest major version and use app router: #59961
Rename .env.local.example to .env.example: #59984
Update Convex Example: #59789
examples: Update next-forms example: #60052
chore(cms-contentfu): fix contentful instructions: #60050
examples: improve typings for i18n app dir: #60160
chore(examples): migrate image-component example to App Router: #60289
fix(#58695): improve zustand example: #58696
examples: add allow-unauthenticated option to cloud run deploy: #58792
fixed import path in with-jest template.: #60332
chore(examples): fix image-component example viewsource paths, shimmer page filename: #60451
Update cache-handler-redis example dependencies: #86358
examples: Update hello world: #60502
chore: Fix typo s/desireable/desirable/: #60518
chore: Fix multiple typos: #60531
examples: Update redis example with useOptimistic: #60596
Update README.md: #60595
chore(example): update storybook: #60737

Misc Changes

Revert "Skip latest commit check for stable release": #86301
ci(workflow): restore publish wasm binary: #86314
ci: only run release commit check on canary releases: #86323
test(runner): preserve browser tracing if test fails: #86369
Adding Google analytics to next/third-parties: #58418
ci(test): upload playwright artifacts seperately: #86396
fix integration test workflow: #59508
Fix third party typings: #59503
test(fixture): try to include sources in the snapshot: #86399
chore: bump typescript-eslint to 6.14: #59514
Update Deployment Testing: #86348
fix(playwright): teardown when global quit force terminates browser: #59548
chore(create-next-app): bump prompts to v2.4.2: #59006
types: cover the tests with root tsconfig.json: #59550
Fix test/tsconfig.json alias for internal test utils: #59570
test(integration): adjust fixture to work with turbopack: #59595
Add test for importing client components from server actions: #59615
chore: extends from shared base tsconfig: #59776
Update Turbopack test manifest: #59798
Fix CI: Skip test in PPR dev mode, too: #59817
Add unstable_cache validate test case: #59828
Update swc_core to v0.87.10: #59834
chore: add github bug report item type module resolution: #60121
chore: add myself to created-by: Next.js team: #60144
chore: include required Next.js stages to issue template: #60142
searchParameters test for PPR: #59678
Getting rid of a few TypeScript anys.: #60017
fix responsiveness in starter templates: #60140
fix(generators): update errors gen: #60233
chore: test against latest sharp: #60226
style: enforce prop immutability in new next app: #58845
Update flakey test from port re-use: #60291
chore: update pnpm to the latest (v8.14.0): #60295
docs: update broken link in UPGRADING.md: #60342
Update Turbopack test manifest: #60306
Update Turbopack test manifest: #60371
Update swc_core to v0.87.16: #60192
Add replay.io test suite dependencies: #60381
chore: update turbo to the latest: #60294
Update Turbopack test manifest: #60413
Update testing contributor guide: #60421
chore: skip flaky turbopack navigation test: #60431
ci: skip cron workflows on forks: #60422
Add reproduction for HMR moving / renaming files.: #57230
add tests for incremental-cache: #60331
chore: fix postinstall when using tarball: #60443
test: use replay jest runner to add current test name to recording: #60438
misc: Skip cron workflows on forks: #60487
Handle pages double render for useParams in tests: #60486
Transition some check calls in tests to retry: #60489
Use next.config.mjs for CNA templates: #60494
Update Turbopack test manifest: #60504
run tests from test suite that are not listed in the manifest: #58401
Add --ci to jest tests in CI: #60432
Ensure aliased variable is used in test: #60428
Update Turbopack test manifest: #60506
Skip webpack loader test in Turbopack: #60509
Revert "Skip webpack loader test in Turbopack": #60513
Revert "Revert "Skip webpack loader test in Turbopack"": #60514
Remove unused target: es5 from tsconfig.json in create-next-app: #60521
refactor(cna): make create-next-app even smaller and faster: #58030
Expand hydration error test to check recovery: #60423
chore: update pull_request_approved workflow: #60537
chore: add issue_popular workflow: #60543
Update Turbopack test manifest: #60553
chore: update next-repo-info actions: #60559
chore(git): add .git-blame-ignore-revs: #60582
chore: remove pr_approved workflow & update popular_issues workflow: [#60584](https

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

github-actions · 2024-10-12T11:46:14Z

Benchmark results

@rust/graph-benches – Integrations

representative_read_entity

Function	Value	Mean	Flame graphs
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/book/v/1`	$$16.6 \mathrm{ms} \pm 141 \mathrm{μs}\left({\color{red}26.1 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/playlist/v/1`	$$16.7 \mathrm{ms} \pm 186 \mathrm{μs}\left({\color{red}8.60 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/page/v/2`	$$16.1 \mathrm{ms} \pm 192 \mathrm{μs}\left({\color{lightgreen}-28.963 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/block/v/1`	$$16.6 \mathrm{ms} \pm 224 \mathrm{μs}\left({\color{lightgreen}-30.752 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/song/v/1`	$$15.3 \mathrm{ms} \pm 166 \mathrm{μs}\left({\color{lightgreen}-9.597 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/building/v/1`	$$15.8 \mathrm{ms} \pm 148 \mathrm{μs}\left({\color{gray}1.31 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/person/v/1`	$$16.3 \mathrm{ms} \pm 179 \mathrm{μs}\left({\color{red}6.02 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/uk-address/v/1`	$$15.5 \mathrm{ms} \pm 192 \mathrm{μs}\left({\color{lightgreen}-6.034 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: `https://blockprotocol.org/@alice/types/entity-type/organization/v/1`	$$15.5 \mathrm{ms} \pm 188 \mathrm{μs}\left({\color{gray}-1.976 \mathrm{\%}}\right) $$	Flame Graph

representative_read_entity_type

Function	Value	Mean	Flame graphs
get_entity_type_by_id	Account ID: `d4e16033-c281-4cde-aa35-9085bf2e7579`	$$1.42 \mathrm{ms} \pm 8.75 \mathrm{μs}\left({\color{gray}1.59 \mathrm{\%}}\right) $$	Flame Graph

scaling_read_entity_complete_zero_depth

Function	Value	Mean	Flame graphs
entity_by_id	50 entities	$$3.98 \mathrm{ms} \pm 15.7 \mathrm{μs}\left({\color{gray}-2.468 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10 entities	$$2.03 \mathrm{ms} \pm 8.33 \mathrm{μs}\left({\color{gray}-2.078 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	25 entities	$$2.55 \mathrm{ms} \pm 15.7 \mathrm{μs}\left({\color{lightgreen}-15.612 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	1 entities	$$1.87 \mathrm{ms} \pm 9.71 \mathrm{μs}\left({\color{gray}0.513 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	5 entities	$$1.90 \mathrm{ms} \pm 9.04 \mathrm{μs}\left({\color{gray}0.807 \mathrm{\%}}\right) $$	Flame Graph

scaling_read_entity_linkless

Function	Value	Mean	Flame graphs
entity_by_id	1000 entities	$$2.79 \mathrm{ms} \pm 21.9 \mathrm{μs}\left({\color{gray}-2.364 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	100 entities	$$2.03 \mathrm{ms} \pm 7.19 \mathrm{μs}\left({\color{gray}1.09 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10 entities	$$1.85 \mathrm{ms} \pm 4.94 \mathrm{μs}\left({\color{gray}0.317 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10000 entities	$$12.3 \mathrm{ms} \pm 106 \mathrm{μs}\left({\color{gray}-0.943 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	1 entities	$$1.88 \mathrm{ms} \pm 7.52 \mathrm{μs}\left({\color{gray}0.293 \mathrm{\%}}\right) $$	Flame Graph

representative_read_multiple_entities

Function	Value	Mean	Flame graphs
entity_by_property	depths: DT=2, PT=2, ET=2, E=2	$$58.9 \mathrm{ms} \pm 290 \mathrm{μs}\left({\color{gray}-2.032 \mathrm{\%}}\right) $$	Flame Graph
entity_by_property	depths: DT=255, PT=255, ET=255, E=255	$$68.2 \mathrm{ms} \pm 298 \mathrm{μs}\left({\color{gray}-0.241 \mathrm{\%}}\right) $$	Flame Graph
entity_by_property	depths: DT=0, PT=0, ET=0, E=0	$$39.7 \mathrm{ms} \pm 95.5 \mathrm{μs}\left({\color{gray}-0.510 \mathrm{\%}}\right) $$	Flame Graph
entity_by_property	depths: DT=0, PT=0, ET=0, E=2	$$44.1 \mathrm{ms} \pm 317 \mathrm{μs}\left({\color{gray}-1.654 \mathrm{\%}}\right) $$	Flame Graph
entity_by_property	depths: DT=0, PT=2, ET=2, E=2	$$54.7 \mathrm{ms} \pm 268 \mathrm{μs}\left({\color{gray}-1.227 \mathrm{\%}}\right) $$	Flame Graph
entity_by_property	depths: DT=0, PT=0, ET=2, E=2	$$50.6 \mathrm{ms} \pm 348 \mathrm{μs}\left({\color{gray}-0.242 \mathrm{\%}}\right) $$	Flame Graph
link_by_source_by_property	depths: DT=2, PT=2, ET=2, E=2	$$98.3 \mathrm{ms} \pm 364 \mathrm{μs}\left({\color{gray}-0.314 \mathrm{\%}}\right) $$	Flame Graph
link_by_source_by_property	depths: DT=255, PT=255, ET=255, E=255	$$107 \mathrm{ms} \pm 655 \mathrm{μs}\left({\color{gray}-0.172 \mathrm{\%}}\right) $$	Flame Graph
link_by_source_by_property	depths: DT=0, PT=0, ET=0, E=0	$$42.0 \mathrm{ms} \pm 230 \mathrm{μs}\left({\color{gray}-0.362 \mathrm{\%}}\right) $$	Flame Graph
link_by_source_by_property	depths: DT=0, PT=0, ET=0, E=2	$$79.1 \mathrm{ms} \pm 316 \mathrm{μs}\left({\color{gray}-0.847 \mathrm{\%}}\right) $$	Flame Graph
link_by_source_by_property	depths: DT=0, PT=2, ET=2, E=2	$$93.9 \mathrm{ms} \pm 512 \mathrm{μs}\left({\color{gray}-0.272 \mathrm{\%}}\right) $$	Flame Graph
link_by_source_by_property	depths: DT=0, PT=0, ET=2, E=2	$$90.0 \mathrm{ms} \pm 369 \mathrm{μs}\left({\color{gray}0.360 \mathrm{\%}}\right) $$	Flame Graph

scaling_read_entity_complete_one_depth

Function	Value	Mean	Flame graphs
entity_by_id	50 entities	$$274 \mathrm{ms} \pm 2.12 \mathrm{ms}\left({\color{lightgreen}-30.316 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10 entities	$$51.2 \mathrm{ms} \pm 164 \mathrm{μs}\left({\color{gray}-1.328 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	25 entities	$$72.7 \mathrm{ms} \pm 303 \mathrm{μs}\left({\color{gray}-2.543 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	1 entities	$$20.0 \mathrm{ms} \pm 103 \mathrm{μs}\left({\color{gray}-0.629 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	5 entities	$$25.1 \mathrm{ms} \pm 232 \mathrm{μs}\left({\color{gray}1.69 \mathrm{\%}}\right) $$	Flame Graph

hash-worker · 2024-10-19T07:11:15Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

warning Resolution field "[email protected]" is incompatible with requested version "react@^17.0.2"
warning Resolution field "[email protected]" is incompatible with requested version "react-dom@^17.0.2"
warning Resolution field "@types/[email protected]" is incompatible with requested version "@types/react@^17.0.39"
warning Resolution field "@opentelemetry/[email protected]" is incompatible with requested version "@opentelemetry/exporter-metrics-otlp-grpc@^0.41.2"
warning Resolution field "@opentelemetry/[email protected]" is incompatible with requested version "@opentelemetry/exporter-metrics-otlp-http@^0.41.2"
warning Resolution field "@opentelemetry/[email protected]" is incompatible with requested version "@opentelemetry/exporter-metrics-otlp-proto@^0.41.2"
warning Resolution field "@opentelemetry/[email protected]" is incompatible with requested version "@opentelemetry/exporter-trace-otlp-grpc@^0.43.0"
warning Resolution field "@opentelemetry/[email protected]" is incompatible with requested version "@opentelemetry/exporter-trace-otlp-http@^0.41.2"
warning Resolution field "@opentelemetry/[email protected]" is incompatible with requested version "@opentelemetry/exporter-trace-otlp-proto@^0.41.2"
error Error: https://registry.yarnpkg.com/@llamaindex/cloud/-/cloud-0.0.5.tgz: Request failed "502 Bad Gateway"
    at ResponseError.ExtendableBuiltin (/usr/local/lib/node_modules/yarn/lib/cli.js:696:66)
    at new ResponseError (/usr/local/lib/node_modules/yarn/lib/cli.js:802:124)
    at Request.<anonymous> (/usr/local/lib/node_modules/yarn/lib/cli.js:66750:16)
    at Request.emit (node:events:519:28)
    at module.exports.Request.onRequestResponse (/usr/local/lib/node_modules/yarn/lib/cli.js:142287:10)
    at ClientRequest.emit (node:events:519:28)
    at HTTPParser.parserOnIncomingClient (node:_http_client:702:27)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:118:17)
    at TLSSocket.socketOnData (node:_http_client:544:22)
    at TLSSocket.emit (node:events:519:28)

hash-worker bot enabled auto-merge September 10, 2024 07:26

hashdotai previously approved these changes Sep 10, 2024

View reviewed changes

vercel bot deployed to Preview – hashdotdesign September 10, 2024 07:32 View deployment

TimDiekmann marked this pull request as draft September 10, 2024 07:33

auto-merge was automatically disabled September 10, 2024 07:33
Pull request was converted to draft

vercel bot deployed to Preview – hash September 10, 2024 07:35 View deployment

vercel bot deployed to Preview – hashdotdev September 10, 2024 07:38 View deployment

TimDiekmann requested a review from CiaranMn September 10, 2024 07:44

TimDiekmann assigned CiaranMn Sep 10, 2024

hash-worker bot dismissed hashdotai’s stale review via 9efc988 September 14, 2024 15:16

hash-worker bot force-pushed the deps/js/npm-next-vulnerability branch from ca6e3ab to 9efc988 Compare September 14, 2024 15:16

hashdotai previously approved these changes Sep 14, 2024

View reviewed changes

vercel bot deployed to Preview – hashdotdev September 14, 2024 15:45 View deployment

vercel bot deployed to Preview – hashdotdesign September 14, 2024 15:49 View deployment

vercel bot deployed to Preview – hash September 14, 2024 15:54 View deployment

hash-worker bot dismissed hashdotai’s stale review via 5af455f September 28, 2024 06:44

hash-worker bot force-pushed the deps/js/npm-next-vulnerability branch from 9efc988 to 5af455f Compare September 28, 2024 06:44

hashdotai previously approved these changes Sep 28, 2024

View reviewed changes

vercel bot deployed to Preview – hashdotdev September 28, 2024 06:51 View deployment

vercel bot deployed to Preview – hash September 28, 2024 06:54 View deployment

vercel bot deployed to Preview – hashdotdesign September 28, 2024 06:57 View deployment

hash-worker bot force-pushed the deps/js/npm-next-vulnerability branch from 5af455f to e8ce774 Compare September 29, 2024 21:16

vercel bot deployed to Preview – hashdotdev September 29, 2024 21:23 View deployment

vercel bot deployed to Preview – hash September 29, 2024 21:26 View deployment

vercel bot deployed to Preview – hashdotdesign September 29, 2024 21:29 View deployment

hash-worker bot dismissed hashdotai’s stale review via 9c0f173 October 12, 2024 07:41

hash-worker bot force-pushed the deps/js/npm-next-vulnerability branch from e8ce774 to 9c0f173 Compare October 12, 2024 07:41

hashdotai previously approved these changes Oct 12, 2024

View reviewed changes

vercel bot deployed to Preview – hash October 12, 2024 07:53 View deployment

vercel bot deployed to Preview – hashdotdev October 12, 2024 07:58 View deployment

vercel bot deployed to Preview – hashdotdesign October 12, 2024 08:02 View deployment

hash-worker bot dismissed hashdotai’s stale review via 063f247 October 12, 2024 11:12

hash-worker bot force-pushed the deps/js/npm-next-vulnerability branch from 9c0f173 to 063f247 Compare October 12, 2024 11:12

hashdotai previously approved these changes Oct 12, 2024

View reviewed changes

vercel bot deployed to Preview – hash October 12, 2024 12:02 View deployment

vercel bot deployed to Preview – hashdotdesign October 12, 2024 12:03 View deployment

vercel bot deployed to Preview – hashdotdev October 12, 2024 12:10 View deployment

hash-worker bot dismissed hashdotai’s stale review via ab72805 October 19, 2024 07:10

hash-worker bot force-pushed the deps/js/npm-next-vulnerability branch from 063f247 to ab72805 Compare October 19, 2024 07:10

hashdotai previously approved these changes Oct 19, 2024

View reviewed changes

vercel bot deployed to Preview – hashdotdesign October 19, 2024 07:18 View deployment

vercel bot deployed to Preview – hashdotdev October 19, 2024 07:19 View deployment

vercel bot deployed to Preview – hash October 19, 2024 07:36 View deployment

Update npm package next to v14 [SECURITY]

6a45069

hash-worker bot dismissed hashdotai’s stale review via 6a45069 October 30, 2024 23:39

hash-worker bot force-pushed the deps/js/npm-next-vulnerability branch from ab72805 to 6a45069 Compare October 30, 2024 23:39

hashdotai approved these changes Oct 30, 2024

View reviewed changes

vercel bot deployed to Preview – hashdotdesign October 30, 2024 23:47 View deployment

vercel bot deployed to Preview – hashdotdev October 30, 2024 23:47 View deployment

vercel bot deployed to Preview – hash October 30, 2024 23:49 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update npm package `next` to v14 [SECURITY] #5037

Update npm package `next` to v14 [SECURITY] #5037

hash-worker bot commented Sep 10, 2024 •

edited

Loading

github-actions bot commented Oct 12, 2024

@rust/graph-benches – Integrations

representative_read_entity

representative_read_entity_type

scaling_read_entity_complete_zero_depth

scaling_read_entity_linkless

representative_read_multiple_entities

scaling_read_entity_complete_one_depth

hash-worker bot commented Oct 19, 2024 •

edited

Loading

Update npm package next to v14 [SECURITY] #5037

Are you sure you want to change the base?

Update npm package next to v14 [SECURITY] #5037

Conversation

hash-worker bot commented Sep 10, 2024 • edited Loading

GitHub Vulnerability Alerts

CVE-2024-34351

Impact

Prerequisites

Patches

Workarounds

Credit

CVE-2024-46982

Impact

Patches

Workarounds

Credits

CVE-2024-47831

Impact

Patches

Workarounds

Credits

Release Notes

v14.1.1

Core Changes

Credits

v14.1.0

Core Changes

Documentation Changes

Example Changes

Misc Changes

Configuration

github-actions bot commented Oct 12, 2024

Benchmark results

@rust/graph-benches – Integrations

representative_read_entity

representative_read_entity_type

scaling_read_entity_complete_zero_depth

scaling_read_entity_linkless

representative_read_multiple_entities

scaling_read_entity_complete_one_depth

hash-worker bot commented Oct 19, 2024 • edited Loading

⚠️ Artifact update problem

File name: yarn.lock

Update npm package `next` to v14 [SECURITY] #5037

Update npm package `next` to v14 [SECURITY] #5037

hash-worker bot commented Sep 10, 2024 •

edited

Loading

`v14.1.1`

`v14.1.0`

hash-worker bot commented Oct 19, 2024 •

edited

Loading