Update dependency next to ^14.2.23 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	^14.2.18 -> ^14.2.23

GitHub Vulnerability Alerts

CVE-2024-56332

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

---

Release Notes

vercel/next.js (next)

v14.2.23

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: force module format for virtual client-proxy (#​74590)
• Backport: Use provided waitUntil for pending revalidates (#​74573)
• Feature: next/image: add support for images.qualities in next.config (#​74500)

Credits

Huge thanks to @​styfle, @​ijjk and @​lubieowoce for helping!

v14.2.22

Compare Source

v14.2.21

Compare Source

v14.2.20

Compare Source

v14.2.19

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• ensure worker exits bubble to parent process (#​73433)
• Increase max cache tags to 128 (#​73125)

Misc Changes

• Update max tag items limit in docs (#​73445)

Credits

Huge thanks to @​ztanner and @​ijjk for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

[14:43:20.359] INFO (933): Installing tool [email protected]...
[14:43:20.551] ERROR (933): download failed
    run: 3
    err: {
      "type": "HTTPError",
      "message": "Response code 504 (Gateway Time-out)",
      "stack":
          HTTPError: Response code 504 (Gateway Time-out)
              at _Request._onResponseBase (/snapshot/dist/containerbase-cli.js:30109:25)
              at _Request._onResponse (/snapshot/dist/containerbase-cli.js:30165:18)
              at ClientRequest.<anonymous> (/snapshot/dist/containerbase-cli.js:30180:17)
              at Object.onceWrapper (node:events:639:26)
              at ClientRequest.emit (node:events:536:35)
              at ClientRequest.emit (node:domain:489:12)
              at HTTPParser.parserOnIncomingClient (node:_http_client:710:27)
              at HTTPParser.parserOnHeadersComplete (node:_http_common:117:17)
              at TLSSocket.socketOnData (node:_http_client:552:22)
              at TLSSocket.emit (node:events:524:28)
      "code": "ERR_NON_2XX_3XX_RESPONSE",
      "timings": {
        "start": 1738248200545,
        "socket": 1738248200546,
        "lookup": 1738248200546,
        "connect": 1738248200546,
        "secureConnect": 1738248200546,
        "upload": 1738248200546,
        "response": 1738248200548,
        "end": 1738248200550,
        "phases": {
          "wait": 1,
          "dns": 0,
          "tcp": 0,
          "tls": 0,
          "request": 0,
          "firstByte": 2,
          "download": 2,
          "total": 5
        }
      },
      "name": "HTTPError",
      "options": {
        "agent": {},
        "decompress": true,
        "timeout": {},
        "prefixUrl": "",
        "ignoreInvalidCookies": false,
        "context": {},
        "hooks": {
          "init": [],
          "beforeRequest": [],
          "beforeError": [],
          "beforeRedirect": [],
          "beforeRetry": [],
          "afterResponse": []
        },
        "followRedirect": true,
        "maxRedirects": 10,
        "throwHttpErrors": true,
        "username": "",
        "password": "",
        "http2": false,
        "allowGetBody": false,
        "headers": {
          "user-agent": "containerbase/13.7.2 node/22.12.0 (https://github.com/containerbase)",
          "accept-encoding": "gzip, deflate, br"
        },
        "methodRewriting": false,
        "retry": {
          "limit": 2,
          "methods": [
            "GET",
            "PUT",
            "HEAD",
            "DELETE",
            "OPTIONS",
            "TRACE"
          ],
          "statusCodes": [
            408,
            413,
            429,
            500,
            502,
            503,
            504,
            521,
            522,
            524
          ],
          "errorCodes": [
            "ETIMEDOUT",
            "ECONNRESET",
            "EADDRINUSE",
            "ECONNREFUSED",
            "EPIPE",
            "ENOTFOUND",
            "ENETUNREACH",
            "EAI_AGAIN"
          ],
          "backoffLimit": null,
          "noise": 100
        },
        "method": "GET",
        "cacheOptions": {},
        "https": {},
        "resolveBodyOnly": false,
        "isStream": true,
        "responseType": "text",
        "url": "https://github.com/containerbase/node-prebuild/releases/download/18.20.6/node-18.20.6-x86_64.tar.xz",
        "pagination": {
          "countLimit": null,
          "backoff": 0,
          "requestLimit": 10000,
          "stackAllItems": false
        },
        "setHost": true,
        "enableUnixSockets": false
      }
    }
[14:43:20.562] ERROR (933): download failed
[14:43:20.563] FATAL (933): Install tool node failed in 229ms.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud