fix(deps): update dependency next to v12 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	^11.1.2 -> ^12.0.0

GitHub Vulnerability Alerts

CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

---

Release Notes

vercel/next.js (next)

v12.1.0

Compare Source

Core Changes

• Relay Support in Rust Compiler: #​33702
• fix eslint link-passhref rule: #​33857
• update webpack: #​33831
• Flush buffered vitals metrics on page mount: #​33867
• fix problem with HMR when middleware and page reference the same node_module: #​33873
• Refactor page component getter in web server: #​33759
• update NextResponse default redirect status to 307 to match docs: #​33505
• Bug fix: dynamic page should not be interpreted as predefined page: #​33808
• Group streaming experimental apis: #​33878
• Encapsulate routing and initial hydration: #​33875
• Optimize offline condition judgment: #​33238
• Ensure external beforeFiles rewrites are handled with next/link: #​33888
• Fix parsing params for i18n optional route in minimal mode: #​33896
• Ensure browserslist extends works properly: #​33890
• Fix image cache race condition: #​33883
• Add support for Relay projects without artifactDirectory: #​33918
• fix: handle jsxspreadattribute in inline-script-id eslint rule: #​32421
• feat(next-swc): Update swc: #​33724
• Update to latest version of amphtml-validator: #​33967
• Warn in dev mode when script tags are added with next/head: #​33968
• Ensure optional chaining in swc matches babel: #​33995
• Use react-dom/server.browser in Node.js: #​33950
• Ensure external middleware rewrite is handled correctly: #​33962
• Update Terser to v5.10.0, fix minification issues: #​33045
• Warn in dev mode when stylesheets are added using next/head: #​34004
• Use ReadableStream in RenderResult: #​34005
• Fix suffix ordering while streaming: #​34011
• Don't use yarn if a package-lock.json file is found: #​31926
• Do not warn when application/ld+json scripts are used with next/head: #​34021
• Babel & next-swc: Fix exporting page config with AsExpression: #​32702
• Detect per page runtime config for functions manifest: #​33945
• Add JSDoc to config options: #​32915
• Update font-stylesheet-gathering-plugin.ts: #​30709
• Add decoratorMetadata flag if enabled by tsconfig: #​32914
• fix: data url handling in css-loader: #​34034
• Place 'charset' element at the top of : #​28119
• Fix detection of anchor click events inside svg: #​23272
• Allow passing nothing as custom jest config: #​32328
• Fixes #​31240: Adding a recursive addPackagePath function in webpack-config: #​31264
• Require component rendered as child of Link to pass event to onClick handler: #​27723
• Allow scroll prevention on hash change: #​31921
• Add support for async fn / promise in next.config.js/.mjs: #​33662
• Fix lazyRoot functionality for next/image: #​33933
• Change SWC minify from beta to release candidate: #​34056
• Make Router state immutable: #​33925
• Stop exposing internal render and renderError methods from next/client: #​34069
• Add api-utils helper for testing: #​34078
• feat(next-swc): Update swc: #​34045
• Deprecate concurrentFeatures with runtime: #​34068
• Add check for resolveWeak to next/dynamic: #​33908
• remove unneeded and broken plugin: #​34087
• Remove experimental warning from next/jest: #​34096
• fix: arrow function export in rsc client component: #​34105
• Use renderToStream with React 18: #​34106
• Fix static result being piped: #​34111
• Polyfill pipeTo and pipeThrough: #​34112
• Update to leverage response-cache for image-optimizer: #​34075
• fix: next/image usage from node_modules: #​33559
• Fix included flight manifest on node runtime: #​34113
• Fix: Use react-dom/server.browser when reactRoot: true: #​34116
• Fix image-optimizer requires in next-server: #​34141
• Fix required files matching in rsc: #​34137
• Throw error when ts file contains css.resolve: #​34149
• Chore/stable swc compiler options: #​34074
• Fix bug with "Circular Structure" error: #​23905
• Add _document and _app pre-import: #​23261
• Ensure standalone server handles SIGTERM: #​34151
• Bump nft to 0.17.5: #​34190
• feat: copy .env file in standalone mode: #​34143
• Fix reuse of inline flight response and 404 for RSC in node runtime: #​34202
• Use updated recursive rm fs method for image-optimizer: #​34210
• Fix link for "Delete Query Params in Middleware" error message in next-server.ts: #​34230
• Enable dynamic HTML in minimal mode: #​34222
• Fix uncaught error in getInitialProps when runtime is set to nodejs: #​34228
• Optimize the web server size: #​34242
• feat: allow node-sass@7 as peer dependency: #​34107
• Adding step to build the app with docker in existing projects: #​34083
• Changed all occurrences of etc to match: #​34280
• Align reactRoot config between server and webpack config: #​34328
• Fix <RouteAnnouncer/> shouldn't announce initial path under strict mode and React 18: #​34338
• Fix flight root failed to hydrate in strict mode: #​34333
• Allow dismissing full refresh warning for session: #​33868
• Remove experimental image optimization feature: #​34349
• Add support for "type": "module" in package.json: #​33637
• feat(next-swc): Update swc: #​34355
• Ensure invalid request to static page is handled correctly: #​34346
• Add Error Handing section for ISR: #​34360
• feat(next-swc): Update swc: #​34408
• feat: improve opening a new issue flow: #​34434
• Ensure we don't poll page in development when notFound: true is returned: #​34352
• Add image config for dangerouslyAllowSVG and contentSecurityPolicy: #​34431
• Revert swc css bump temporarily: #​34440
• update webpack: #​34444
• Update server-only changes HMR handling: #​34298
• Fix .svg image optimization with a loader prop: #​34452
• Allow reading request bodies in middlewares: #​34294
• Revert "Allow reading request bodies in middlewares": #​34479
• update webpack: #​34477
• Fix chunk buffering for server components: #​34474
• Remove deprecation for relative URL usage in middlewares: #​34461

Documentation Changes

• Building web forms with Next.js and Vercel: #​32525
• Add Clarity About Downloading and Self-Hosting a Font File: #​33760
• Correct pluralization in newly added Relay documentation: #​33880
• Update MDX document: #​33916
• Update info on how to process webhooks by disabling bodyParser: #​33909
• Update deployment docs to fix oversized image.: #​33934
• docs: recommend .end instead of .send when no body is being sent: #​33611
• Update custom document docs to prepare for React 18.: #​33814
• Fix typo in new experimental Relay support docs: #​33963
• docs(isr): add missing key prop in jsx loop: #​33984
• docs: use function for components in general: #​33990
• Updated going-to-production with loading performance: #​33179
• docs: fix variable name from profileData to data in CSR page: #​34018
• Improve Form Guide Contents: #​33913
• Add async to middleware docs.: #​31356
• (docs): update i18n-routing.md: #​33123
• Fix redirect url for prefixing the default locale: #​33762
• Add note about dns-prefetch as fallback: #​30385
• Update custom server docs for async methods: #​30521
• Update multiple docs pages to follow Docs Content style guide: #​33855
• fix: Change url to nextUrl inside delete-query-params-in-middlewa…: #​33796
• Changing GitHub Actions cache documentation: #​28228
• [docs] Add env var load order: #​32350
• docs: add Ory vercel example to auth page: #​33029
• Add note about crawlers and fallback: true: #​34114
• docs(api-routes): fix node docs links: #​34125
• add note to clarify use of Link when clearing preview cookies (issue #​34129): #​34142
• Re-render details if rewrites are used: #​34049
• Add heading to invalid-api-status-body error: #​34150
• Ensure /index route is redirected correctly for docs: #​34206
• Update docs for image lazyRoot prop: #​34241
• Update link for includeFiles glob reference: #​34269
• Update Preview Mode docs.: #​34278
• Update frequently asked questions in documentation: #​34252
• Alphabetize auth docs providers.: #​34281
• Replace babel with SWC & minor changes in getting started: #​34282
• Update Middleware docs to add version history.: #​34302
• Fix typo on getInitialProps: #​34309
• Update missing curly brace in image.md: #​34307
• docs: Add link to pageExtensions config in page-without-valid-component.md: #​34285
• Add an example to Write server-side code directly section: #​34319
• Few touch-ups to the docs on web forms in Next: #​34286
• Update MDX Custom Elements setup: #​34175
• Update image.md: #​34374
• Updated failed to load error page to include info about node versions: #​34362
• docs: react 18, streaming SSR, rsc with new apis: #​33986
• Update MDX Guide config example: #​34405
• Remove hello world RSC example.: #​34456
• Fix typo: #​34480

Example Changes

• Update npm comment in Docker example: #​33881
• Update Contentful example to add validations to solve graphql complexity errors.: #​33958
• Update all CMS examples dependencies.: #​33580
• Fix warning unknown prettier option when running yarn lint.: #​34019
• [New Example] with docker - multiple deployment environments: #​34015
• Fix ambiguous flags in Dockerfile example: #​33417
• fix(examples/with-docker): update env comments: #​29972
• Remove unused "start" script from with-docker/package.json: #​31053
• Update remark in blog-starter-typescript: #​31393
• Update _document.js: #​29930
• Docs: use the nextv12 example from the storybook-addon-next repo as the with-storybook example: #​33891
• examples, update with new URL: #​34035
• [with-typescript-graphql] fixes breaking changes in graphql-let v0.18.0: #​32681
• fix(example): with-typescript-graphql graphql-let package migrate: #​29996
• feat: update firebase in with-firebase: #​29581
• progressive web app example converted to typescript : #​33100
• Make adjustment to cache config of with-apollo example: #​32733
• Fix error thrown by next/image in the Sanity example: #​34203
• Update examples/active-class-name: #​34205
• chore(example): update preact links in examples: #​34233
• fix: don't wrap profile in firebase example: #​34457

Misc Changes

• Fix flakey image-optimizer test: #​33957
• Update azure config: #​33999
• Add types to nextConfig in default template : #​34029
• docs(contributing): Search GitHub for an open or closed PR that relates to your submission: #​22533
• fix(create-next-app): add default version: #​33006
• chore: do not run lock/stale actions on forks: #​34053
• Fix functions manifest test: #​34092
• add pnpm debug file in gitignore templates: #​34091
• Update failing tests from upstream resource: #​34110
• Update version number in next.config.js API reference
• chore: log lock bot output: #​34168
• chore: decrease lock action runs #​34180
• Allow listening for page requests in tests: #​34204
• Update code of conduct from v1.4 to v2.1: #​34208
• Update contributing.md to link to walkthrough video.: #​34299
• fix: typo in gitignore in typescript template: #​34372
• test: add inline flight response reuse test: #​34364
• Update 2.example_bug_report.yml
• Update 1.bug_report.yml
• Update 2.example_bug_report.yml
• Update font-optimization test snapshot: #​34478

Credits

Huge thanks to @​MaedahBatool, @​mutebg, @​sokra, @​huozhi, @​hanford, @​shuding, @​sean6bucks, @​jameshfisher, @​devknoll, @​yuta-ike, @​zh-lx, @​amandeepmittal, @​alunyov, @​stefanprobst, @​leerob, @​balazsorban44, @​kdy1, @​brittanyrw, @​jord1e, @​kara, @​vvo, @​ismaelrumzan, @​dlindenkreuz, @​MohammadxAli, @​nguyenyou, @​thibautsabot, @​hanneslund, @​vertti, @​KateKate, @​stefee, @​mikinovation, @​Leticijak, @​mohsen1, @​ncphillips, @​ehowey, @​lancechentw, @​krychaxp, @​fmacherey, @​pklawansky, @​RyanClementsHax, @​lakbychance, @​sannajammeh, @​oliviertassinari, @​alexander-akait, @​u-yas, @​Cheprer, @​msp5382, @​chrispat, @​getspooky, @​Ryz0nd, @​klaasman, @​midgleyc, @​kumard3, @​jesstelford, @​neeraj3029, @​glenngijsberts, @​pie6k, @​wouterraateland, @​timneutkens, @​11koukou, @​thesyedbasim, @​aeneasr, @​ijjk, @​lfades, @​JuniorTour, @​xavhan, @​mattyocode, @​padmaia, @​Skn0tt, @​gwer, @​Nutlope, @​styfle, @​stipsan, @​xhoantran, @​eolme, @​sespinosa, @​zenorocha, @​hjaber, @​benmvp, @​T-O-R-U-S, @​dburrows, @​atcastle, @​kiriny, @​molebox, @​kitayoshi, and @​Schniz for helping!

v12.0.10

Compare Source

Core Changes

• fix: image optimizer hangs when invalid image is requested: #​33719
• feat: make compress configurable in standalone mode: #​33717
• fix: allow certain variable names in development: #​33638
• Use swc parse for flight server and client loaders: #​33713
• Properly support custom 500 page in the web server: #​33729
• chore: deprecate process.browser: #​32862
• Improve tests for streaming and server components: #​33740
• fix: fixes #​33314 move is-plain-object for es5 compilation: #​33690
• Add stale-while-revalidate pattern to Image Optimization API: #​33735
• Allow to delete URL search params in middleware rewrites: #​33725
• Ensure all CSS files are included for experimental critical CSS: #​33752
• Ensure non-error thrown in getStaticPaths shows correctly: #​33753
• Fix encoding error with location and refresh headers: #​33763
• Fix duplicate image src causing canceled request: #​33776
• Generate functions manifest: #​33770
• Enable jest hoist transform when using next/jest: #​33731
• fix typo: #​33840
• fix(next/image): render valid html according to W3C: #​33825

Documentation Changes

• Update Time to First Byte (TTFB) link: #​33715
• Changed data fetching file name to overview to fix meta data title: #​33232
• Correct misspelling in testing documentation #​33754: #​33755
• Move custom server note from middleware doc: #​33744
• Fixed duplicate data fetching overview page + links: #​33774
• [docs] Mention SWC in TypeScript documentation.: #​33801
• Testing docs: Comment out optional config that points to a file: #​33827
• Update Content-Security-Policy header usage explanation: #​33833

Example Changes

• Fix with-docker example dockerfile: #​33695
• Added next.config.js with datocms-assets domain in allow list: #​33647
• Fix: broken npm install: #​33767
• [example] Upgrade the with-stripe-typescript example app: #​33761
• Upgrade to @​stitches/react 1.2.6: #​33817
• Doc: fix broken link to api routes doc: #​33836

Misc Changes

• run stale 20 minutes earlier
• fix: use github action instead of bot: #​33718
• fix syntax error in lock.yml
• fix rsc test suite runner: #​33745

Credits

Huge thanks to @​Vienio99, @​balazsorban44, @​kyliau, @​molebox, @​huozhi, @​shuding, @​PepijnSenders, @​krystofex, @​PizzaPete, @​souljuse, @​styfle, @​Schniz, @​Nelsonfrank, @​ijjk, @​Mhmdrza, @​timneutkens, @​hideokamoto-stripe, @​Emrin, @​gr-qft, @​delbaoliveira, @​redbar0n, @​amandeepmittal, @​lxy-yz, and @​Divlo for helping!

v12.0.9

Compare Source

This upgrade is completely backward-compatible and recommended for all users on versions below 12.0.9

Vulnerable code could allow a bad actor to trigger a denial of service attack via the /${locale}/_next/ route for anyone running a Next.js app at version >= 12.0.0, and using built-in i18n routing functionality.

How to Upgrade

• We have released patch versions for both the stable and canary channels of Next.js.
• To upgrade run npm install next@latest --save

Impact

• Affected: All of the following must be true to be affected by this CVE
  • Next.js versions between v12.0.0 and v12.0.9
  • Using next start or a custom server
  • Using the built-in i18n support
• Not affected:
  • Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

How to Assess Impact

If your server has seen requests to any route under the prefix /${locale}/_next/ that have triggered a heap overflow error, this was caused by the patched issue.

What is Being Done

As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to our users for their investigation and responsible disclosure of the original bug.

We've landed a patch that ensures this is handled properly so the requested route no longer crashes and triggers a heap overflow.

Regression tests for this attack were added to the i18n integration test suite

• A public CVE was released.
• We encourage responsible disclosure of future reports. Please email us at [email protected]. We are actively monitoring this mailbox.

Core Changes

• middlewares: limit process.env to inferred usage: #​33186
• update webpack: #​33207
• Abstract out native filesystem usage from the base server: #​33226
• use text data url instead of base64 for shorter encoding: #​33218
• chore(deps): upgrade postcss: #​33142
• Fix global process testing for the process polyfill: #​33220
• Update swc: #​33201
• improve full refresh overlay: #​33301
• Custom app for server components: #​33149
• Update yarn PnP tests and disable swc file reading for PnP: #​33236
• Base Http for BaseServer: #​32999
• Update swc: #​33342
• Update check for fallback pages during export: #​33323
• Pre-compile more dependencies: #​32742
• Remove node fetch polyfill from base server: #​33395
• Replace regexp to plain string for optimization render HTML: #​33306
• Fix broken html on streaming render for error page: #​33399
• Disable cache for rsc pages: #​33438
• Fix pre-compiled check from copying react-refresh-utils: #​33442
• fix(next-swc): Update swc: #​33427
• Move middleware handling to node server: #​33448
• Enforce absolute URLs in Edge Functions runtime: #​33410
• feat(next-swc): Update swc: #​33461
• Update main field for nccd jest-worker: #​33465
• chore(deps): upgrade node-fetch: #​33466
• Move static serving to next server: #​33475
• feat(next-swc): Update swc: #​33485
• Fix multiple calls to image onLoadingComplete(): #​33474
• Refactor base server to remove native dependencies: #​33499
• Update swc: #​33514
• Implement abstract methods to get manifest files in the base server: #​33537
• Simplify getMiddlewareInfo calls: #​33542
• Fix static file check with i18n: #​33503
• Bump styled-jsx: #​33546
• Ensure optional value normalizing is correct for index: #​33547
• Bump nft to 0.17.4: #​33548
• Add next-multilingual example: #​29386
• Removed the s from NextConfig: #​33560
• feat(next-swc): Update swc: #​33595
• Fix rsc export component name detection: #​33608
• upgrade webpack: #​33549
• Ensure fetch polyfill is loaded in next-server: #​33616
• feat(next-swc): Update swc: #​33628
• Add lazyRoot optional property to next/image component : #​33290
• feat(next-swc): Update swc: #​33675
• Implement web server as the request handler for edge SSR: #​33635
• Relay Support in Rust Compiler: #​33240
• Revert "Relay Support in Rust Compiler": #​33699

Documentation Changes

• Fixed broken link related to the recently merged Data fetching docs refactor: #​33209
• Removed backticks on data fetching api titles: #​33216
• Added links to data fetching api refs, fixed title: #​33221
• Remove outdated & possibly confusing statement about redirects: #​33224
• [examples] Add a statically generated blog example using Next.js and Builder.io: #​22094
• Typo Fix: #​33252
• Update font-optimization.md: #​33266
• Fixed broken links in data fetching docs: #​33250
• docs: Mention middleware for getStaticProps: #​33273
• Add sections for Remove React Properties and Remove Console to compiler docs: #​33311
• Update links in next export + next/image error message: #​33317
• Add onLoad gottcha note to next/script docs: #​33097
• Update security-headers.md: fix path does not match homepage: #​33137
• fix minor typo in SWR: #​33378
• ReferenceError in authentication.md example fixed: #​33411
• docs: fix url: #​33409
• fix(docs): Fix typo in Custom Build Id docs: #​33515
• [docs] Update authentication docs to fix iron-session link.: #​33483
• docs(authentication): fix iron-session example link: #​33502
• Update middleware documentation for custom server: #​33535
• Removed unrequired path in docs' manifest: #​33579
• Update next/server documentation for geo: #​33609
• Clarify next/image usage with next export based on feedback.: #​33555
• Clarify headers config option description: #​33484
• fix(errors/no-cache): netlify-plugin-cache-nextjs has been deprecated: #​33629
• Updated docs for getServerSideProps and getStaticProps return values: #​33577
• Use relative path for example: #​33565
• chore(docs): update security headers specification: #​33673
• REMOVE: duplicate key in docs/testing.md: #​33681

Example Changes

• [examples] Update remark dependency for blog-starter: #​33313
• Update package.json for examples/with-supabase-auth-realtime-db: #​33321
• Working example for building forms with Next.js: #​32669
• Updates dependency version of frontend SDK in with-supertokens example: #​33393
• docs: add skynexui to examples: #​33326
• Update with-linaria dependency: #​33487
• Update Supabase example README.: #​33610
• [examples] Add new Tailwind CSS Prettier plugin to example: #​33614

Misc Changes

• Update license year
• fix(docs): master branch renaming: #​33312
• Add link to security email directly.: #​33358
• Fix getServerSideProps hanging in dev on early end: #​33366
• [docs] Fix 404 link for testing example.: #​33407
• Update to latest version of turbo: #​33613
• Update other instances of node-fetch: #​33617

Credits

Huge thanks to @​molebox, @​Schniz, @​sokra, @​kachkaev, @​shuding, @​teleaziz, @​OgbeniHMMD, @​goncy, @​balazsorban44, @​MaedahBatool, @​bennettdams, @​kdy1, @​huozhi, @​hsynlms, @​styfle, @​ijjk, @​callumgare, @​jonrosner, @​karaggeorge, @​rpie3, @​MartijnHols, @​leerob, @​bashunaimiroy, @​NOCELL, @​rishabhpoddar, @​omariosouto, @​hanneslund, @​theMosaad, @​javivelasco, @​pierrenel, @​lobsterkatie, @​tharakabimal, @​vvo, @​saevarb, @​lfades, @​nbouvrette, @​paulnbrd, @​ecklf, @​11koukou, @​renbaoshuo, @​chozzz, @​tbezman, @​karlhorky, @​j-mendez, and @​ffan0811 for helping!

v12.0.8

Compare Source

Core Changes

• Fix no-server-import-in-page eslint rule for subfolder middleware: #​32139
• Create Base Server: #​32154
• Revert support for render prop in <Main />: #​32184
• Refactor FS references in the Base Server: #​32179
• telemetry: collect feature usage for linting during build: #​32022
• Chore/load bindings improvements: #​32191
• fix(NODE_ENV): Warn when launching start or build on development: #​14033
• Fix crash in no-page-custom-font eslint rule when default export is unnamed.: #​32251
• Add docs for leveraging outputStandalone config: #​32255
• Replace raw-body with get-stream and bytes: #​21915
• Update to latest ncc and ensure caniuse-lite data is external : #​32064
• Update swc: #​32210
• Simplify custom Writable: #​32247
• Add shake exports transform to next-swc: #​32253
• Revert "Replace raw-body with get-stream and bytes": #​32305
• Re-open chore(deps): upgrade browserslist: #​32300
• Fix RSC link navigation: #​32303
• Compile escape-string-regexp: #​32310
• Add unstable_useRefreshRoot: #​32342
• Upate swc: #​32365
• fix unstable_useRefreshRoot typing: #​32364
• fix(next-swc/styled-jsx): Fix nth: #​32358
• Rename experimental vital hook: #​32343
• Inline server data response with partial hydration: #​32330
• Update jsx transform of swc: #​32383
• Fix running server with Polyfilled fetch: #​32368
• Fix dynamic routes with pages under index folder: #​32440
• Fixes #​32338 missing Document components trigger an error for production builds: #​32345
• Fixes for inline embedding data in the web runtime: #​32471
• Add vitals and rsc to npm files: #​32472
• fixes to allow lazy compilation for import(): #​32441
• upgrade webpack and watchpack: #​32173
• Update to filter loader specific files from traces: #​32267
• Fix server data cache key: #​32506
• [middleware] Fix hydration for rewrites to dynamic pages: #​32534
• Ensure image-optimizer is traced for standalone mode: #​32522
• Remove unused classnames dependency from react-dev-overlay: #​32487
• next-swc: Emit errors and add tests to next-ssg: #​32254
• Include message body in redirect responses: #​31886
• Prevent NEXT_PHASE env change in workers: #​28941
• Check stack property for page export exceptions: #​32289
• fix(next-swc/styled-jsx): Fix interpolation in media query: #​32490
• Update swc: #​32566
• Add turbo / improve Rust build caching in GitHub Actions: #​31464
• Fix ReadableStream.pipeTo() being unimplemented in the web runtime: #​32602
• Ensure AMP optimizer is only excluded from trace when not used: #​32577
• Upgraded next-env dependencies: #​32613
• Feat/14701 full reload notification: #​28866
• Move fs API for inc cache to node server: #​32604
• Add options to defaultGetInitialProps and upgrade styled-jsx-with-csp example: #​32594
• Fix style.filter on image with placeholder=blur: #​32623
• Fix writing strings to the writable stream writer: #​32637
• fix(next/jest): do not watch .next folder: #​32659
• chore: Update swc: #​32664
• Pre-compile more dependencies: #​32627
• Upgrade react 18 to rc, drop prerelease warning: #​32619
• next-swc: styled-jsx error checking and reporting updated (invalid-styled-jsx-children.md): #​31940
• Fix style reset on image with placeholder=blur: #​32680
• Pre-compile more dependencies continued: #​32679
• web runtime: add AbortController & AbortSignal: #​32089
• Don't swallow test failures caused by POSIX signals: #​32688
• Escape from next head in rsc _error page: #​32624
• fix popstate detection for safari when basepath is present: #​32687
• Bust cache for RSC in each render: #​32710
• Update web r

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[github-actions]

🎉 Deployment for commit 0408d86 :

Ingresses

• 🚀 https://standup-renovate-npm-next-vulnerability-51pl9r.dev.fabrique.social.gouv.fr/

Docker images

• 📦 docker pull ghcr.io/socialgouv/standup/app:sha-0408d860c21b0d21cc46812ff8d4ae0bf372efca

Debug

• 📕 Loki logs for namespace standup-renovate-npm-next-vulnerability-51pl9r
• 📈 Pods monitoring for namespace standup-renovate-npm-next-vulnerability-51pl9r
• 📈 Workloads monitoring for namespace standup-renovate-npm-next-vulnerability-51pl9r
• 👮‍♂️ Namespace rancher standup-renovate-npm-next-vulnerability-51pl9r
• 👮‍♂️ Deployment app

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
next	11.1.2...12.3.4	None	+22/-158	573 MB	vercel-release-bot

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication