Skip to content

chore(deps): update dependency next to v14.2.25 [security] (app-router) #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: app-router
Choose a base branch
from
Open

chore(deps): update dependency next to v14.2.25 [security] (app-router) #85

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 24, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 14.2.3 -> 14.2.25 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v14.2.25

Compare Source

v14.2.24

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​ztanner for helping!

v14.2.23

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • backport: force module format for virtual client-proxy (#​74590)
  • Backport: Use provided waitUntil for pending revalidates (#​74573)
  • Feature: next/image: add support for images.qualities in next.config (#​74500)
Credits

Huge thanks to @​styfle, @​ijjk and @​lubieowoce for helping!

v14.2.22

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Retry manifest file loading only in dev mode: #​73900
  • Ensure workers are cleaned up: #​71564
  • Use shared worker for lint & typecheck steps: #​74154
Credits

Huge thanks to @​unstubbable, @​ijjk, and @​ztanner for helping!

v14.2.21

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Misc Changes
Credits

Huge thanks to @​unstubbable, @​ztanner, and @​styfle for helping!

v14.2.20

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​wyattjoh for helping!

v14.2.19

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • ensure worker exits bubble to parent process (#​73433)
  • Increase max cache tags to 128 (#​73125)
Misc Changes
  • Update max tag items limit in docs (#​73445)
Credits

Huge thanks to @​ztanner and @​ijjk for helping!

v14.2.18

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​huozhi and @​ijjk for helping!

v14.2.17

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: revert the bad node binary handling (#​72356)
  • Ensure pages/500 handles cache-control as expected (#​72050) (#​72110)
  • fix unhandled runtime error from generateMetadata in parallel routes (#​72153)
Credits

Huge thanks to @​huozhi, @​ztanner, and @​ijjk for helping!

v14.2.16

Compare Source

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing cache-control on SSR app route (#​70265)
  • feat: add polyfill of URL.canParse for browser compatibility (#​70228)
  • Fix vercel og package memory leak (#​70214)
  • Fix startTime error on Android 9 with Chrome 74 (#​67391)
Credits

Huge thanks to @​raeyoung-kim, @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • update prefetching jsdoc & documentation (#​68047)
  • Ensure we chunk revalidate tag requests (#​70189)
  • (backport) fix(eslint): allow typescript-eslint v8 (#​70090)
  • [ppr] Don't mark RSC requests as /_next/data requests (backport of #​66249) (#​70083)
Credits

Huge thanks to @​alvarlagerlof, @​wyattjoh, @​delbaoliveira, and @​ijjk for helping!

v14.2.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.10

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​huozhi and @​ijjk for helping!

v14.2.9

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "Fix esm property def in flight loader (#​66990)" (#​69749)
  • Disable experimental.optimizeServer by default to fix failed server action (#​69788)
  • Fix middleware fallback: false case (#​69799)
  • Fix status code for /_not-found route (#​64058) (#​69808)
  • Fix metadata prop merging (#​69807)
  • create-next-app: fix font file corruption when using import alias (#​69806)
Credits

Huge thanks to @​huozhi, @​ztanner, @​ijjk, and @​lubieowoce for helping!

v14.2.8

Compare Source

What's Changed

[!NOTE]
This release is backporting bug fixes and minor improvements. It does not include all pending features/changes on canary.

Support esmExternals in app directory
Reading cookies set in middleware in components and actions
  • initialize ALS with cookies in middleware (#​65008)
  • fix middleware cookie initialization (#​65820)
  • ensure cookies set in middleware can be read in a server action (#​67924)
  • fix: merged middleware cookies should preserve options (#​67956)
Metadata and icons
  • support facebook-specific metadata (fb:app_id, fb:admins) in generateMetaData (#​65713)
  • Always collect static icons for all segments (#​68712)
  • Fix favicon merging with customized icons (#​67982)
  • Warn metadataBase missing in standalone mode or non vercel deployment (#​66296)
Parallel routes fixes
  • fix missing stylesheets when parallel routes are present (#​69507)
Draft mode and edge improvements
next/image fixes
  • Allow external image urls with _next/image pathname to be rendered via Image component (#​69586)
Server actions improvements
  • optimize server actions (#​66523)
  • Apply optimization for unused actions (#​69178)
  • Improve SWC transform ID generation (#​69183)
Other changes
  • Ensure we match comment minify behavior between terser and swc (#​68372)
  • send initialCanonicalUrl in array format to prevent crawler confusion (#​69509)
Create-next-app updates

Full Changelog: vercel/next.js@v14.2.7...v14.2.8

Huge thanks to everyone who contributed to this release:
@​abhi12299, @​delbaoliveira, @​eps1lon, @​ForsakenHarmony, @​huozhi, @​ijjk, @​JoshuaKGoldberg, @​leerob, @​lubieowoce, @​Netail, @​ronanru, @​samcx, @​shuding, @​sokra, @​stylessh, @​timfuhrmann, @​wbinnssmith, @​wyattjoh, @​ypessoa, @​ztanner

v14.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "chore: externalize undici for bundling" (#​65727)
  • Refactor internal routing headers to use request meta (#​66987)
  • fix(next): add cross origin in react dom preload (#​67423)
  • build: upgrade edge-runtime (#​67565)
  • GTM dataLayer parameter should take an object, not an array of strings (#​66339)
  • fix: properly patch lockfile against swc bindings (#​66515)
  • Add deployment id header for rsc payload if present (#​67255)
  • Update font data (#​68639)
  • fix i18n data pathname resolving (#​68947)
  • pages router: ensure x-middleware-cache is respected (#​67734)
  • Fix bad modRequest in flight entry manifest #​68888
  • Reject next image urls in image optimizer #​68628
  • Fix hmr assetPrefix escaping and reuse logic from other files #​67983
Credits

Huge thanks to @​kjugi, @​huozhi, @​ztanner, @​SukkaW, @​marlier, @​Kikobeats, @​syi0808, @​ijjk, and @​samcx for helping!

v14.2.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Ensure fetch cache TTL is updated properly (#​69164)

v14.2.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • avoid merging global css in a way that leaks into other chunk groups (#​67373)
  • Fix server action edge redirect with middleware rewrite (#​67148)
  • fix(next): reject protocol-relative URLs in image optimization (#​65752)
  • fix(next-swc): correct path interop to filepath for wasm (#​65633)
  • Use addDependency to track metadata route file changes (#​66714)
  • Fix noindex is missing on static not-found page (#​67135)
  • perf: improve retrieving versionInfo on Turbo HMR (#​67309)
  • fix(next/image): handle invalid url (#​67465)
  • fix(next): initial prefetch cache not set properly with different search params (#​65977)
  • fix: Backport class properties fix (#​67377)
  • Upgrade acorn (#​67592)
Misc
  • Log stdio for pull-turbo-cache script (#​66759)
  • Ensure turbo is setup when building in docker (#​66804)
Credits

Huge thanks to @​devjiwonchoi, @​ijjk, @​emmerich, @​huozhi, @​kdy1, @​kwonoj, @​styfle, and @​sokra for helping!

v14.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: ensure route handlers properly track dynamic access (#​66446)
  • fix NextRequest proxy in edge runtime (#​66551)
  • Fix next/dynamic with babel and src dir (#​65177)
  • Use vercel deployment url for metadataBase fallbacks (#​65089)
  • fix(next/image): detect react@19 for fetchPriority prop (#​65235)
  • Fix loading navigation with metadata and prefetch (#​66447)
  • prevent duplicate RSC fetch when action redirects (#​66620)
  • ensure router cache updates reference the latest cache values (#​66681)
  • Prevent append of trailing slash in cases where path ends with a file extension (#​66636)
  • Fix inconsistency with 404 getStaticProps cache-control (#​66674)
  • Use addDependency to track metadata route file changes (#​66714)
  • Add timeout/retry handling for fetch cache (#​66652)
  • fix: app-router prefetch crash when an invalid URL is passed to Link (#​66755)
Credits

Huge thanks to @​ztanner, @​ijjk, @​wbinnssmith, @​huozhi, and @​lubieowoce for helping!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@renovate renovate bot requested a review from a team as a code owner March 24, 2025 15:34
@vercel Vercel
Copy link

vercel bot commented Mar 24, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
demo-graphql-presentation-nextjs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Mar 24, 2025 3:36pm

@socket-security Socket Security
Copy link

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/[email protected]14.2.25 None +14 90.4 MB vercel-release-bot

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
License Policy Violation npm/[email protected]
  • License: CC-BY-SA-4.0 (package/dist/compiled/glob/LICENSE)
 ⚠︎

View full report↗︎

Next steps

What is a license policy violation?

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
🤖 bot 📦 deps
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants