Update dependency next [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	13.4.10 -> 13.5.0
next (source)	13.4.19 -> 13.5.0
next (source)	^12.1.0 -> ^12.3.4

GitHub Vulnerability Alerts

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

---

Release Notes

vercel/next.js (next)

v13.5.0

Compare Source

v13.4.19

Compare Source

Core Changes

• fix: invalid module transform for @headlessui/react: #​54206
• chore: remove unnecessary type cast in dev-build-watcher: #​54221
• fix process.env not being available in standalone mode: #​54203
• Fix missing devPageFiles collection: #​54224
• Add Route and LinkProps stub generics: #​54226
• Use createClientModuleProxy from Flight Server: #​54232
• Add default not found to loader tree of group routes root layer: #​54228
• feat(image): add support for custom loaderFile when loader: default: #​53417
• Fix renamed export of Server Actions: #​54241
• Ensures App Router Link respects scroll-behavior: smooth when only hash is changed.: #​54243

Misc Changes

• Update dd-trace used for internal tools: #​54214
• (Fix)Broken upgrading.mdx link : #​54234
• chore: skip CI run on forks: #​54219
• chore(ci): bump [email protected]: #​54246

Credits

Huge thanks to @​opnay, @​styfle, @​timneutkens, @​ztanner, @​shuding, @​huozhi, @​vinaykulk621, @​balazsorban44, @​goguda, and @​coreyleelarson for helping!

v13.4.18

Compare Source

Core Changes

• refactor: remove edge condition for module proxy path: #​54167
• Remove unused variables: #​54149
• chore: improve ts types for position in dev-build-watcher: #​54124
• Turbopack: Strip relative path prefix when generating PageLoaderAsset: #​54040
• Add size property to ReadonlySearchParams: #​53144
• Assign default not-found boundary if custom not-found is not present for root layer only: #​54185
• Allow range version for eslint config: #​53751
• Automatically modularizeImports for the popular @​headlessui/react library: #​54188
• fix bfcache restoration behavior: #​54198

Misc Changes

• Update rust toolchain: #​54130

Credits

Huge thanks to @​huozhi, @​shuding, @​styfle, @​jridgewell, @​bencmbrook, @​cramforce, and @​ztanner for helping!

v13.4.17

Compare Source

Core Changes

• fix(next/image): empty blur image when animated #​54028
• Do not output pages 404 in tree view if app not-found is used: #​54051
• Fix scroll bailout logic when targeting fixed/sticky elements: #​53873
• Debug tracing: add updated modules and page to HMR span: #​53698
• fix(next-swc): coerce mdxrs default options: #​54068
• fix: don't add forceConsistentCasingInFileNames to tsconfig when ts version >= 5.0: #​51564
• fix(47299): allow testing pages with metadata in jsdom test environment: #​53578
• upgrade edge-runtime dependency: #​54117
• Fix root not-found page tree loader structure: #​54080
• chore: remove as any type cast: #​54074
• chore: refactor to use fs.promises.rm(): #​54076
• Refactor layout router creation in app-render: #​54126
• chore(image): remove apple silicon workaround for versions older than [email protected]: #​54125
• fix routing bug when bfcache is hit following an mpa navigation: #​54081
• Tracing: add opt-in flag to send a subset of development traces to url: #​53880
• fix(edge): override init when cloning with NextRequest: #​54108
• OpenTel: remove the internal (ipc) fetched from traces in a non-verbose mode: #​54083
• cleanup: remove unnecessary effect dep: #​54134
• Next build: use exported handle_issues from turbopack: #​52972
• node-web-streams: remove tee shim, use ReadableStream.tee: #​54079
• fix: cookies().has() breaks in app-route: #​54112
• Revert "fix(47299): allow testing pages with metadata in jsdom test environment": #​54160

Documentation Changes

• fix missing ' in data-fetching/fetching-caching-and-revalidating: #​54058

Example Changes

• Update Docker example to remove HOSTNAME: #​54102

Misc Changes

• chore: hide "same on new version" without link: #​54048
• chore(ci): small notes for the build steps: #​54073
• chore: update lock bot wording: #​54099
• Update swc_core to v0.79.59: #​54082
• install-native.mjs: include packageManager field: #​54132

Credits

Huge thanks to @​balazsorban44, @​huozhi, @​ztanner, @​williamli, @​wbinnssmith, @​kwonoj, @​stefanprobst, @​feugy, @​timneutkens, @​kdy1, @​Kikobeats, @​styfle, @​dvoytenko, @​MaxLeiter, and @​devjiwonchoi for helping!

v13.4.16

Compare Source

Core Changes

• Concept: test mode for Playwright and similar integration tools: #​52520
• Turbopack: fix hiding node_modules warnings in error overlay.: #​54022
• ci(next-swc): print glibc version when build: #​54026
• Adjust internal action proxy export: #​54004

Documentation Changes

• Update 05-client-side-rendering.mdx with latest tanstack query version: #​54009
• Open Graph Image font declaration moved to correct place: #​53998
• Update opengraph-image.mdx: Fix typo: #​54020

Misc Changes

• Remove extra label from runner: #​54002
• add standalone testcase for ipv6 hostnames: #​53999
• release: add release log generation script: #​54006
• test(ci): refine test suite name unique: #​54013
• Leverage previous swc build images: #​54027
• chore: mark build folder indexable: #​54029
• Move turbo outside of build for docker swc builds: #​54035

Credits

Huge thanks to @​ijjk, @​ztanner, @​huozhi, @​lacymorrow, @​dvoytenko, @​kylemcd, @​kwonoj, @​tibi1220, @​wbinnssmith, and @​shuding for helping!

v13.4.15

Compare Source

Core Changes

• Fix action failures due to state tree encoding: #​53655
• Initial HMR Nexturbo API implementation: #​52950
• Turbopack: add edge app routes : #​53387
• Turbopack: Hide Turbo Engine internals: #​53007
• add unit test case for next.rs api: #​53679
• Fix not-found rendering in production with edge: #​53687
• fix(next/image): don't call ReactDOM.preload if missing, such as jest: #​53443
• Add docs page for uncaught DynamicServerErrors: #​53402
• Consolidate Server and Routing process into one process: #​53523
• fix: Update outdated transform imports lucide-react: #​53697
• Update font data: #​53759
• Add warnings for static generation bail outs: #​53761
• Sort root entries per pageExtensions config for consistency: #​53769
• improve error message for conflicting parallel segments: #​53803
• Add changeFrequency and priority attributes to sitemaps: #​48484
• Ensure we set cache-control: no-cache for actions: #​53824
• Reuse RenderWorker type: #​53782
• fix: normalize backslash in getStaticPaths() for windows: #​53876
• Delete errorneous empty content length header: #​53843
• Turbopack: more tests and bugfixes for next.rs api: #​53809
• Add @heroicons/react to modularizeImports: #​53902
• Turbopack: Fix debugging in napi for next-api: #​53889
• Fix/match resource: #​53796
• Use summary_large_image as twitter card if images present by default: #​53919
• Turbopack: Emit whether server or client assets changed: #​53879
• Limit sharp's concurrency: #​53385
• enable @​vercel/og support for turbopack: #​53917
• feat(image): DataURL placeholder support for : #​53442
• Recover not found errors from flight data to render with proper boundary: #​53703
• Update React to 18.3.0-canary-1a001dac6-20230812: #​53881
• add "expect" to list of forbidden IPC headers: #​53947
• Update swc runners config: #​53939
• Better IPv6 support for next-server: #​53131

Documentation Changes

• Update 11-middleware.mdx: Added Switcher: #​53977
• Fix doc grammatical errors: #​53672
• Fix a link in incrementalCacheHandlerPath.mdx: #​53718
• Fix typo in data fetching documentation: #​53772
• Docs: Add option for fetching data using route handlers - from the client: #​53793
• docs: Add more information about Server Actions: #​53805
• docs: document cache tagging mechanism: #​53806
• chore(docs): add missing "try it out": #​53815
• docs: Opting out of scrolling with next/link and useRouter.: #​53804
• chore(docs): note cache-control header for preview/draft mode: #​53825
• Include instructions for bun package manager: #​53590
• Docs: Update confusing wording in intercepting routes: #​53854
• (docs) Fixes Server Actions example: #​53920
• fix typo: #​53908
• Docs: fix pnpm command for saving dev deps (#​53937): #​53938
• The extra word 'the' has been deleted: #​53951

Example Changes

• [Examples] Update Example Prepr CMS: #​49224
• Update to with-supertokens example app: #​53434
• docs(with-stripe-typescript): Update README demo link: #​53662
• (example) update github-pages example: #​52168
• chore: add light/dark mode theme detection to image component example: #​53760

Misc Changes

• Remove tsconfig extending for @​next/thrid-parties package: #​53991
• Make next as dependency of @next/third-parties package: #​53996
• update eslint config: #​53637
• enable more test cases for next.rs api: #​53670
• fix(node): pnpm 8.6 needs node 16.14: #​53677
• fix(create-next-app): fix CI defaults (default to typescript): #​53686
• fix azure test cases: #​53692
• Adding GoogleMaps and Youtube embed components: #​52909
• Update env variable for fonts data workflow: #​53701
• Move next-rs API tests from unit to e2e: #​53771
• test(turbo): allow to run test with --experimental-turbo: #​53396
• chore(actions): exclude drafts from PR notificiation: #​53669
• Update runner labels: #​53925
• Update swc_core to v0.79.55: #​53831
• [chore] Upgrade playwright to 1.35.1: #​53875
• Update turbo env handling: #​53970

Credits

Huge thanks to @​iamarpitpatidar, @​pythagoras-yamamoto, @​alexkirsz, @​sokra, @​jsteele-stripe, @​tknickman, @​gaojude, @​styfle, @​janicklas-ralph, @​huozhi, @​ijjk, @​vinaykulk621, @​balazsorban44, @​ztanner, @​timneutkens, @​ericfennis, @​JohnAdib, @​MiLk, @​kwonoj, @​delbaoliveira, @​leerob, @​LuudJanssen, @​lucasconstantino, @​davecarlson, @​colinhacks, @​shuding, @​jridgewell, @​jantimon, @​Banbarashik, @​ForsakenHarmony, @​kdy1, @​dvoytenko, @​arturbien, @​gnoff, @​hsrvms, and @​DuCanhGH, @​tim-hanssen, @​Aryan9592, and @​rishabhpoddar for helping!

v13.4.13

Compare Source

Core Changes

• Improve internal web stream utils: #​53004
• fix: Add Next-Url to http vary in consideration of intercept routes.: #​52746
• update Turbopack: #​53098
• Add app, error, and document entrypoints: #​53013
• Turbopack: use edge environment in server-side rendering of client components too: #​53099
• refactor(codemod): replace chalk with picocolors: #​53115
• move webpack specific logic into a separate file: #​53114
• feat(turbopack): emit MODULE_FEATURE telemetry from turbopack: #​52356
• Fix not found hangs the build with overridden node env: #​53106
• chore: update warning message from yarn add sharp to npm i sharp: #​53130
• fix(edge): allow Request cloning via NextRequest: #​53157
• chore: extract common get-validated-args: #​53165
• Fix minimal basePath handling: #​53174
• Updates @​typescript-eslint/parser to 6.1.0: #​52848
• fix(next/image): washed out blur placeholder: #​52583
• Handle basePath app-dir minimal case: #​53189

Documentation Changes

• (Docs) add missing import.: #​52992
• Fix formData code snippet in route handler docs: #​52532
• docs: remove unneeded good to know section during installation: #​53078
• docs: fix typo in 08-parallel-routes.mdx: #​53069
• chore(docs): Extend the options for custom server init: #​52851
• (Docs) Add missing import for useRef(): #​53015
• (Docs) Remove FormData type on formData defined in .js file: #​53014
• docs: fix codeblock for redirect: #​53120
• chore(docs): client-side data fetching loading state: #​53164

Example Changes

• feat: remove unused global variable: #​51767

Misc Changes

• chore(ci): always run validate-docs-links action: #​53022
• update install-native postinstall to use pnpm: #​53080
• chore(ci): make validate-docs-links required: #​53123
• chore(test): fix flaky tsconfig.json test: #​53132
• chore(ci): fix validate-docs-links for non-PR: #​53129
• Temporarily skip flakey action revalidate: #​53134

Credits

Huge thanks to @​vinaykulk621, @​Lantianyou, @​styfle, @​shuding, @​joulev, @​AkifumiSato, @​trigaten, @​HurSungYun, @​DevLab2425, @​sokra, @​alexkirsz, @​ztanner, @​leerob, @​SukkaW, @​kwonoj, @​huozhi, @​ijjk, @​balazsorban44, @​daniel-web-developer, @​ky1ejs, and @​arturbien for helping!

v13.4.12

Compare Source

Core Changes

• Separate routing code from render servers: #​52492
• Move Pages API rendering into bundle: #​52149
• update Turbopack: #​52986
• Turbopack: Refactoring module references: #​52930
• Increase timeout for 404 tests: #​52998
• Reland "Refine the not-found rendering process for app router": #​52985
• Revert "Separate routing code from render servers (#​52492)": #​53016

Documentation Changes

• "Clarify the 'Existing Projects' section of the TypeScript docs:: #​52944
• Update 02-dynamic-routes.mdx: #​52975
• chore(docs): fix broken link: #​53021

Misc Changes

• Update to latest version of turborepo: #​52979
• Update swc_core to v0.79.22: #​52945
• chore(ci): add pnpm workspace for github actions: #​52976
• Changed package manager for install-native.mjs to pnpm: #​52971
• update CODEOWNERS config: #​53017

Credits

Huge thanks to @​ijjk, @​wyattjoh, @​sokra, @​kdy1, @​alexkirsz, @​styfle, @​ShaunFerris, @​syedtaqi95, @​Heidar-An, @​huozhi, and @​ztanner for helping!

v13.4.11

Compare Source

Core Changes

• fix: add missing <preload> for next/image in App Router: #​52425
• Support metadata exports for server components not-found: #​52678
• feat(next-swc): try to fallback native bindings with MODULE_NOT_FOUND: #​52667
• Turbopack: Vc and Turbo Engine type system improvements : #​51792
• Fix runtime edge not-found handling: #​52754
• fix: forward NavigateOptions in adaptForAppRouterInstance: #​52498
• fix(output): do not slice pathname unless ends with .txt: #​52640
• Fix tagsManifest initialization check: #​52776
• Turbopack: Experimental dev app pages support: #​52680
• Turbopack: move Asset::ident to more specific traits: #​52683
• Fix tracking of ContextModule: #​52795
• Set process.title for router and render workers: #​52779
• fix Remove unnecessary await: #​52800
• Revert "perf: improve URL validation performance": #​52818
• Refactor the client entry plugin: #​52798
• Turbopack: Add manifest generation to pages: #​52793
• Turbopack: move references() to specific traits: #​52822
• Update default moduleResolution in tsconfig.json from node to bundler: #​51957
• Turbopack: Next.rs API improvements: #​52856
• update turbopack: #​52899
• Update vendor @​vercel/og: #​52897
• Fixed:#​52853 Lacking 'color' attribute in IconDescriptor Metadata: #​52902
• Support basePath with edge runtime for Custom App Routes: #​52910
• improve error DX on pages with RSC build errors: #​52843
• fix: allow smooth scrolling if only hash changes (pages & app): #​52915
• add edge support for next.rs API: #​52885
• Allow general language codes in the Metadata API: #​52920
• Fix client reference manifest for interception routes: #​52961
• Refine the not-found rendering process for app router: #​52790
• app-router: prefetching tweaks: #​52949
• Revert "Refine the not-found rendering process for app router": #​52977

Documentation Changes

• Update mention of route handlers for forms: #​52781
• (Docs) add missing js version for generateMetadata.: #​52763
• docs : fix typo in React cache example: #​52787
• chore(docs): Add mentioning of HOSTNAME env variable for standalone output: #​52804
• Fix typo in docs: #​52815
• Update 02-edge-and-nodejs-runtimes.mdx: #​52888
• chore(docs): add Typescript statically typed links mention in link doc: #​52847
• chore(docs): fix typo in generate metadata docs: #​52904
• fix example component in MDX documentation: #​52753
• wrong content for next.config.mjs for MDX Plugins: #​52738
• Update 06-lazy-loading.mdx: Incorrect filename in Example on "Importing Named Imports": #​52932
• Change "publically" to "publicly" in the routing docs: #​52966

Example Changes

• examples: export force-dynamic from all dynamic routes: #​52916

Misc Changes

• chore: add "please simplify reproduction" comment: #​52631
• update job concurrency: #​52788
• Lock node version to 18.16: #​52894
• Update runs-on tags
• chore: add GitHub Action to manage "+1" comments: #​52866

Credits

Huge thanks to @​styfle, @​huozhi, @​balazsorban44, @​kwonoj, @​alexkirsz, @​ijjk, @​Jeffrey-Zutt, @​timneutkens, @​vinaykulk621, @​Ryan-Dia, @​sokra, @​shuding, @​steppefox, @​hiro0218, @​rjsdnql123, @​feedthejim, @​fgiuliani, @​steven-tey, @​AntoineBourin, @​adamrhunter, @​darshanjain-entrepreneur, @​s0h311, @​wyattjoh, @​ztanner, @​djreillo, @​dijonmusters, and @​cassidoo for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
hand-pickr	❌ Failed (Inspect)			Mar 6, 2025 7:43am

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request updates the Next.js dependency from version 13.4.10 to 13.5.0 across multiple packages in the project. The update includes security fixes, particularly addressing CVE-2023-46298, which was a vulnerability in Next.js versions before 13.4.20-canary.13.

No sequence diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Update Next.js to version 13.5.0	Update Next.js from 13.4.10 to 13.5.0 Update @next/env from 13.4.10 to 13.5.0 Update @swc/helpers from 0.5.1 to 0.5.2 Update caniuse-lite to version 1.0.30001664	app-directory/css-in-js/pnpm-lock.yaml app-directory/i18n/pnpm-lock.yaml app-directory/redirect-with-fallback/pnpm-lock.yaml app-directory/share-state/pnpm-lock.yaml edge-middleware/feature-flag-split/pnpm-lock.yaml edge-middleware/feature-flag-launchdarkly/pnpm-lock.yaml
Address security vulnerability CVE-2023-46298	Fix cache-control header issue in Next.js versions before 13.4.20-canary.13
Update dependencies and configurations	Add settings for autoInstallPeers and excludeLinksFromLockfile Remove 'fibers' from peerDependencies Update various SWC packages to version 13.5.0 Update nanoid from 3.3.6 to 3.3.7 Update picocolors from 1.0.0 to 1.1.0 Update source-map-js from 1.0.2 to 1.2.1	app-directory/css-in-js/pnpm-lock.yaml app-directory/i18n/pnpm-lock.yaml app-directory/redirect-with-fallback/pnpm-lock.yaml app-directory/share-state/pnpm-lock.yaml edge-middleware/feature-flag-split/pnpm-lock.yaml edge-middleware/feature-flag-launchdarkly/pnpm-lock.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.