Skip to content

fix(deps): update dependency next to v14 [security] #1189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency next to v14 [security] #1189

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 25, 2024
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
next (source) 11.1.414.2.35 age confidence

GitHub Vulnerability Alerts

CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 12.0.10
    • The next.config.js file has images.domains array assigned
    • The image host assigned in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

  • The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
  • The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Release Notes

vercel/next.js (next)

v14.2.35

Compare Source

v14.2.34

Compare Source

v14.2.33

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • omit searchParam data from FlightRouterState before transport (#​80734)
Credits

Huge thanks to @​ztanner for helping!

v14.2.32

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix router handling when setting a location response header #​82588
Credits

Huge thanks to @​ztanner for helping!

v14.2.31

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix(next/image): improve and simplify detect-content-type (#​82179)
  • fix(next/image): fix image-optimizer.ts headers (#​82178)
Credits

Huge thanks to @​styfle and @​ztanner for helping!

v14.2.30

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​ijjk and @​ztanner for helping!

v14.2.29

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Only share incremental cache for edge in next start (#​79389)
Credits

Huge thanks to @​ijjk for helping!

v14.2.28

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: node.js module import error when using middleware (#​77945)
Credits

Huge thanks to @​ztanner for helping!

v14.2.27

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix dynamic route interception not working when deployed with middleware (#​64923)
Credits

Huge thanks to @​ztanner for helping!

v14.2.26

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Match subrequest handling for edge and node (#​77476)

v14.2.25

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.
This release contains a security patch for CVE-2025-29927.

Core Changes
  • Update middleware request header (#​77202)
Credits

Huge thanks to @​ijjk for helping!

v14.2.24

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​ztanner for helping!

v14.2.23

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • backport: force module format for virtual client-proxy (#​74590)
  • Backport: Use provided waitUntil for pending revalidates (#​74573)
  • Feature: next/image: add support for images.qualities in next.config (#​74500)
Credits

Huge thanks to @​styfle, @​ijjk and @​lubieowoce for helping!

v14.2.22

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Retry manifest file loading only in dev mode: #​73900
  • Ensure workers are cleaned up: #​71564
  • Use shared worker for lint & typecheck steps: #​74154
Credits

Huge thanks to @​unstubbable, @​ijjk, and @​ztanner for helping!

v14.2.21

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Misc Changes
  • chore(docs): add missing search: '' on remotePatterns: #​73927
  • chore(docs): update version history of next/image: #​73926
Credits

Huge thanks to @​unstubbable, @​ztanner, and @​styfle for helping!

v14.2.20

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​wyattjoh for helping!

v14.2.19

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • ensure worker exits bubble to parent process (#​73433)
  • Increase max cache tags to 128 (#​73125)
Misc Changes
  • Update max tag items limit in docs (#​73445)
Credits

Huge thanks to @​ztanner and @​ijjk for helping!

v14.2.18

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​huozhi and @​ijjk for helping!

v14.2.17

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: revert the bad node binary handling (#​72356)
  • Ensure pages/500 handles cache-control as expected (#​72050) (#​72110)
  • fix unhandled runtime error from generateMetadata in parallel routes (#​72153)
Credits

Huge thanks to @​huozhi, @​ztanner, and @​ijjk for helping!

v14.2.16

Compare Source

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing cache-control on SSR app route (#​70265)
  • feat: add polyfill of URL.canParse for browser compatibility (#​70228)
  • Fix vercel og package memory leak (#​70214)
  • Fix startTime error on Android 9 with Chrome 74 (#​67391)
Credits

Huge thanks to @​raeyoung-kim, @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • update prefetching jsdoc & documentation (#​68047)
  • Ensure we chunk revalidate tag requests (#​70189)
  • (backport) fix(eslint): allow typescript-eslint v8 (#​70090)
  • [ppr] Don't mark RSC requests as /_next/data requests (backport of #​66249) (#​70083)
Credits

Huge thanks to @​alvarlagerlof, @​wyattjoh, @​delbaoliveira, and @​ijjk for helping!

v14.2.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: correct metadata url suffix (#​69959)
  • fix: setting assetPrefix to URL format breaks HMR (#​70040)
  • Update revalidateTag to batch tags in one request (#​65296)
Credits

Huge thanks to @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.10

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Remove invalid fallback revalidate value (#​69990)
  • Revert server action optimization (#​69925)
  • Add ability to customize Cache-Control (#​69802)
Credits

Huge thanks to @​huozhi and @​ijjk for helping!

v14.2.9

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "Fix esm property def in flight loader (#​66990)" (#​69749)
  • Disable experimental.optimizeServer by default to fix failed server action (#​69788)
  • Fix middleware fallback: false case (#​69799)
  • Fix status code for /_not-found route (#​64058) (#​69808)
  • Fix metadata prop merging (#​69807)
  • create-next-app: fix font file corruption when using import alias (#​69806)
Credits

Huge thanks to @​huozhi, @​ztanner, @​ijjk, and @​lubieowoce for helping!

v14.2.8

Compare Source

What's Changed

[!NOTE]
This release is backporting bug fixes and minor improvements. It does not include all pending features/changes on canary.

Support esmExternals in app directory
Reading cookies set in middleware in components and actions
  • initialize ALS with cookies in middleware (#​65008)
  • fix middleware cookie initialization (#​65820)
  • ensure cookies set in middleware can be read in a server action (#​67924)
  • fix: merged middleware cookies should preserve options (#​67956)
Metadata and icons
  • support facebook-specific metadata (fb:app_id, fb:admins) in generateMetaData (#​65713)
  • Always collect static icons for all segments (#​68712)
  • Fix favicon merging with customized icons (#​67982)
  • Warn metadataBase missing in standalone mode or non vercel deployment (#​66296)
Parallel routes fixes
  • fix missing stylesheets when parallel routes are present (#​69507)
Draft mode and edge improvements
next/image fixes
  • Allow external image urls with _next/image pathname to be rendered via Image component (#​69586)
Server actions improvements
  • optimize server actions (#​66523)
  • Apply optimization for unused actions (#​69178)
  • Improve SWC transform ID generation (#​69183)
Other changes
  • Ensure we match comment minify behavior between terser and swc (#​68372)
  • send initialCanonicalUrl in array format to prevent crawler confusion (#​69509)
Create-next-app updates

Full Changelog: vercel/next.js@v14.2.7...v14.2.8

Huge thanks to everyone who contributed to this release:
@​abhi12299, @​delbaoliveira, @​eps1lon, @​ForsakenHarmony, @​huozhi, @​ijjk, @​JoshuaKGoldberg, @​leerob, @​lubieowoce, @​Netail, @​ronanru, @​samcx, @​shuding, @​sokra, @​stylessh, @​timfuhrmann, @​wbinnssmith, @​wyattjoh, @​ypessoa, @​ztanner

v14.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "chore: externalize undici for bundling" (#​65727)
  • Refactor internal routing headers to use request meta (#​66987)
  • fix(next): add cross origin in react dom preload (#​67423)
  • build: upgrade edge-runtime (#​67565)
  • GTM dataLayer parameter should take an object, not an array of strings (#​66339)
  • fix: properly patch lockfile against swc bindings (#​66515)
  • Add deployment id header for rsc payload if present (#​67255)
  • Update font data (#​68639)
  • fix i18n data pathname resolving (#​68947)
  • pages router: ensure x-middleware-cache is respected (#​67734)
  • Fix bad modRequest in flight entry manifest #​68888
  • Reject next image urls in image optimizer #​68628
  • Fix hmr assetPrefix escaping and reuse logic from other files #​67983
Credits

Huge thanks to @​kjugi, @​huozhi, @​ztanner, @​SukkaW, @​marlier, @​Kikobeats, @​syi0808, @​ijjk, and @​samcx for helping!

v14.2.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Ensure fetch cache TTL is updated properly (#​69164)

v14.2.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • avoid merging global css in a way that leaks into other chunk groups (#​67373)
  • Fix server action edge redirect with middleware rewrite (#​67148)
  • fix(next): reject protocol-relative URLs in image optimization (#​65752)
  • fix(next-swc): correct path interop to filepath for wasm (#​65633)
  • Use addDependency to track metadata route file changes (#​66714)
  • Fix noindex is missing on static not-found page (#​67135)
  • perf: improve retrieving versionInfo on Turbo HMR (#​67309)
  • fix(next/image): handle invalid url (#​67465)
  • fix(next): initial prefetch cache not set properly with different search params (#​65977)
  • fix: Backport class properties fix (#​67377)
  • Upgrade acorn (#​67592)
Misc
  • Log stdio for pull-turbo-cache script (#​66759)
  • Ensure turbo is setup when building in docker (#​66804)
Credits

Huge thanks to @​devjiwonchoi, @​ijjk, @​emmerich, @​huozhi, @​kdy1, @​kwonoj, @​styfle, and @​sokra for helping!

v14.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: ensure route handlers properly track dynamic access (#​66446)
  • fix NextRequest proxy in edge runtime (#​66551)
  • Fix next/dynamic with babel and src dir (#​65177)
  • Use vercel deployment url for metadataBase fallbacks (#​65089)
  • fix(next/image): detect react@​19 for fetchPriority prop (#​65235)
  • Fix loading navigation with metadata and prefetch (#​66447)
  • prevent duplicate RSC fetch when action redirects (#​66620)
  • ensure router cache updates reference the latest cache values (#​66681)
  • Prevent append of trailing slash in cases where path ends with a file extension (#​66636)
  • Fix inconsistency with 404 getStaticProps cache-control (#​66674)
  • Use addDependency to track metadata route file changes (#​66714)
  • Add timeout/retry handling for fetch cache (#​66652)
  • fix: app-router prefetch crash when an invalid URL is passed to Link (#​66755)
Credits

Huge thanks to @​ztanner, @​ijjk, @​wbinnssmith, @​huozhi, and @​lubieowoce for helping!

v14.2.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: resolve mixed re-exports module as cjs (#​64681)
  • fix: mixing namespace import and named import client components (#​64809)
  • Fix mixed exports in server component with barrel optimization (#​64894)
  • Fix next/image usage in mdx(#​64875)
  • fix(fetch-cache): fix additional typo, add type & data validation (#​64799)
  • prevent erroneous route interception during lazy fetch (#​64692)
  • fix root page revalidation when redirecting in a server action (#​64730)
  • fix: remove traceparent from cachekey should not remove traceparent from original object (#​64727)
  • Clean-up fetch metrics tracking (#​64746)
Credits

Huge thanks to @​huozhi, @​samcx, @​ztanner, @​Jeffrey-Zutt, and @​ijjk for helping!

v14.2.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix Server Action error logs for unhandled POST requests (#​64315)
  • Improve rendering performance (#​64408)
  • Fix the method prop case in Server Actions transform (#​64398)
  • fix(next-lint): update option --report-unused-disable-directives to --report-unused-disable-directives-severity (#​64405)
  • tweak test for Azure (#​64424)
  • router restore should take priority over pending actions (#​64449)
  • Fix client boundary inheritance for barrel optimization (#​64467)
  • improve turborepo caching (#​64493)
  • feat: strip traceparent header from cachekey (#​64499)
  • Fix more Turbopack build tests
  • Update lockfile for compatibility with turbo (#​64360)
  • Fix typo in dynamic-rendering.ts (#​64365)
  • Fix DynamicServerError not being thrown in fetch (#​64511)
  • fix(next): Metadata.openGraph values not resolving basic values when type is set (#​63620)
  • disable production chunking in dev (#​64488)
  • Fix cjs client components tree-shaking (#​64558)
  • fix refresh behavior for discarded actions (#​64532)
  • fix: filter out middleware requests in logging (#​64549)
  • Turbopack: Allow client components to be imported in app routes (#​64520)
  • Fix ASL bundling for dynamic css (#​64451)
  • add pathname normalizer for actions (#​64592)
  • fix incorrect refresh request when basePath is set (#​64589)
  • test: skip turbopack build test (#​64356)
  • hotfix(turbopack): Update with patch for postcss.config.js path resolution on Windows (#​64677)
Credits

Huge thanks to @​shuding, @​coltonehrman, @​ztanner, @​huozhi, @​sokra, @​Jeffrey-Zutt, @​timneutkens, @​wbinnssmith, @​wiesson, @​ijjk, @​devjiwonchoi, and @​bgw for helping!

v14.2.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • use pathToFileUrl to make esm import()s work with absolute windows paths (#​64386) @​sokra
Credits

Huge thanks to @​sokra for helping!

v14.2.0

Compare Source

Learn more: https://nextjs.org/blog/next-14-2

Core Changes
  • Update build worker warning to use debug: #​60847
  • fix: added @​sentry/profiling-node to sep list to prevent build/bundle breakage: #​60855
  • Optimize build trace ignores: #​60859
  • Deprecation warning for config.analyticsId: #​60677
  • chore: indicate staleness more prominently in next info output: #​60376
  • Telemetry: createComponentTree span: #​60857
  • chore: replace micromatch w/ picomatch: #​60699
  • Report HMR latency as trace spans for Turbopack: #​60799
  • Turbopack: always log HMR rebuild times: #​60908
  • Error overlay refactors: #​60886
  • Use precompiled source-map in overlay middleware: #​60932
  • Use more precompiled deps in react-dev-overlay: #​60959
  • Fix next phase for next build: #​60969
  • chore: update turbopack: #​60980
  • refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc: #​59300
  • disable static generation on interception routes: #​61004
  • Docs: Address community feedback: #​60960
  • avoid output of webpack stats: #​61023
  • Revert "refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc": #​61021
  • fix useSelectedLayoutSegment's support for parallel routes: #​60912
  • Dynamic APIs: #​60645
  • Enable next.js version checker in turbopack: #​61034
  • chore: Update terser to v5.27.0: #​61068
  • Update swc_core to v0.87.28: #​60876
  • update turbopack: #​61015
  • Implement client_root for edge in Turbopack: #​61024
  • fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: #​60776
  • fix(image): warn when animated image is missing unoptimized prop: #​61045
  • Fix version checker not displaying when version newer than npm: #​61075
  • Fix sitemap generateSitemaps support for string id: #​61088
  • ppr: ensure the router state tree is provided for interception routes: #​61059
  • Improve the Server Actions SWC transform: #​61001
  • Fix instrument bundling as client components: #​60984
  • fix(turbopack): use correct layout for 404 page: #​61032
  • fix: emotion import source should be enabled in SSR contexts: #​61099
  • chore: update turbopack: #​61090
  • fix(turbopack): custom page extensions for _app: #​60789
  • Disable trace uploads with NEXT_TRACE_UPLOAD_DISABLE: #​61101
  • add optimizeServerReact to config-shared: #​61106
  • Fix filesystempublicroutes test for Turbopack: #​61132
  • chore: upgrade webpack to 5.90.0: #​61109
  • Add maxDuration to typescript plugin allowed exports: #​59193
  • Upgrade Turbopack: #​61190
  • build: remove sentry from the externals list: #​61194
  • exclude default routes from isPageStatic check: #​61173
  • Add stack trace to client rendering bailout error: #​61200
  • chore: refactor image optimization to separate external/internal urls: #​61172
  • parallel routes: support multi-slot layouts: #​61115
  • Refine revalidatePath warning message: #​61220
  • revert changes to process default routes at build: #​61241
  • Fix cookie merging in Server Action redirections: #​61113
  • Update swc_core to v0.89.x: #​61086
  • Fix Server Reference being double registered: #​61244
  • Fix Server Action redirection with absolute internal URL: #​60798
  • Fix indentation in source code of dev overlay: #​61216
  • Update swc_core to v0.89.4: #​61285
  • fix: Revert preset-env mode of styled-jsx in webpack mode: #​61306
  • DX: add route context to the dynamic errors: #​61332
  • Telemetry: add time-to-first-byte signal: #​61238
  • Refine logging message of experiments: #​61337
  • fix(turbopack): don't parse .ts files as .tsx: #​61219
  • Update turbopack: #​61381
  • Same as #​61360: #​61369
  • Always respect NEXT_TRACE_UPLOAD_DISABLED: #​61402
  • parallel routes: fix catch-all slots being treated as optional catch-all: #​61174
  • fix hmr telemetry reporting: #​61420
  • chore: Update swc_core to v0.89.6: #​61426
  • Update turbopack: #​61433
  • fix a perf problem in VersionedContentMap: #​61442
  • Fix next dynamic import named export from client components: #​61378
  • fix issues loading CSS in default slots: #​61428
  • avoid sending issues turbopack messages to browser: #​61443
  • Support crossOrigin in Turbopack: #​61461
  • Pass down __NEXT_EXPERIMENTAL_REACT env to webpack build worker explicitly: #​61463
  • Replace image optimizer IPC call with request handler: #​61471
  • feat(next): trace build dependencies for turborepo: #​59553
  • Turbopack: fix telemetry attributes for swc options: #​61474
  • Always show version text in error overlay: #​61421
  • Fix build worker callback arg missing correct page path : #​61347
  • Update font data: #​61479
  • build: upgrade edge-runtime: #​61030
  • Fix ex

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@ti-chi-bot ti-chi-bot bot requested review from purelind and wuhuizuo September 25, 2024 14:58
@ti-chi-bot ti-chi-bot bot added dco-signoff: yes Indicates the PR's author has signed the dco. contribution This PR is from a community contributor. needs-ok-to-test Indicates a PR created by contributors and need ORG member send '/ok-to-test' to start testing. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 25, 2024
@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Sep 25, 2024

Hi @renovate[bot]. Thanks for your PR.

I'm waiting for a ti-community-infra member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@renovate renovate bot changed the title fix(deps): update dependency next to v13 [security] fix(deps): update dependency next to v13 [security] - autoclosed Sep 25, 2024
@renovate renovate bot closed this Sep 25, 2024
@renovate renovate bot deleted the renovate/npm-next-vulnerability branch September 25, 2024 16:10
@renovate renovate bot changed the title fix(deps): update dependency next to v13 [security] - autoclosed fix(deps): update dependency next to v13 [security] Sep 26, 2024
@renovate renovate bot reopened this Sep 26, 2024
@renovate renovate bot restored the renovate/npm-next-vulnerability branch September 26, 2024 20:00
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from e4e37ee to 300ad2e Compare September 26, 2024 20:03
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 300ad2e to 8eb0b68 Compare October 15, 2024 00:37
@ti-chi-bot ti-chi-bot bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 15, 2024
@renovate renovate bot changed the title fix(deps): update dependency next to v13 [security] fix(deps): update dependency next to v14 [security] Oct 15, 2024
@ti-chi-bot ti-chi-bot bot added the lgtm label Oct 25, 2024
@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Oct 25, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wuhuizuo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot added the approved label Oct 25, 2024
@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Oct 25, 2024

@renovate[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-tichi-web-node14-lint 8eb0b68 link true /test pull-tichi-web-node14-lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 8eb0b68 to f589178 Compare December 17, 2024 20:20
@ti-chi-bot ti-chi-bot bot removed the lgtm label Dec 17, 2024
@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Dec 17, 2024

[LGTM Timeline notifier]

Timeline:

  • 2024-10-25 07:32:19.738755332 +0000 UTC m=+595540.435545939: ☑️ agreed by wuhuizuo.
  • 2024-12-17 20:20:31.442401633 +0000 UTC m=+988221.531204178: ✖️🔁 reset by renovate[bot].

@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Dec 17, 2024

New changes are detected. LGTM label has been removed.

@ti-chi-bot
Copy link
Member

ti-chi-bot commented Mar 19, 2025

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-community-infra or wuhuizuo.
/lifecycle stale

@ti-chi-bot
Copy link
Member

ti-chi-bot commented Apr 18, 2025

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-community-infra or Mini256.
/lifecycle rotten

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f589178 to 3211d1b Compare May 17, 2025 02:14
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 3211d1b to 3da5c84 Compare August 10, 2025 14:30
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 3da5c84 to 20443f6 Compare August 19, 2025 15:37
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 20443f6 to af80f94 Compare August 31, 2025 10:05
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from d6b9a22 to d875801 Compare September 26, 2025 22:38
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from d875801 to f711fb9 Compare October 25, 2025 04:03
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f711fb9 to 6e7848b Compare November 10, 2025 20:47
@ti-chi-bot ti-chi-bot bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Nov 10, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 6e7848b to b563951 Compare November 19, 2025 00:50
@ti-chi-bot ti-chi-bot bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 19, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from b563951 to f5f704c Compare December 3, 2025 18:29
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from f5f704c to a4c11d2 Compare December 12, 2025 03:57
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from a4c11d2 to a1c5be6 Compare January 1, 2026 01:26
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from a1c5be6 to 59e77ff Compare January 8, 2026 19:23
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 59e77ff to 0ff235f Compare January 19, 2026 15:38
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 0ff235f to 46be728 Compare February 2, 2026 20:06
@renovate
fix(deps): update dependency next to v14 [security]
611cb7a 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 46be728 to 611cb7a Compare February 12, 2026 18:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wuhuizuo wuhuizuo wuhuizuo approved these changes

@purelind purelind Awaiting requested review from purelind

Assignees

@wuhuizuo wuhuizuo

Labels

approved contribution This PR is from a community contributor. dco-signoff: yes Indicates the PR's author has signed the dco. lifecycle/rotten needs-ok-to-test Indicates a PR created by contributors and need ORG member send '/ok-to-test' to start testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ti-chi-bot @wuhuizuo