Commit 1830db4
Update dependency next to v15.2.3 [SECURITY] (#2095)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | dependencies | patch | [`15.2.1` -> `15.2.3`](https://renovatebot.com/diffs/npm/next/15.2.1/15.2.3) |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
### GitHub Vulnerability Alerts
#### [CVE-2025-29927](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw)
# Impact
It is possible to bypass authorization checks within a Next.js
application, if the authorization check occurs in middleware.
# Patches
* For Next.js 15.x, this issue is fixed in `15.2.3`
* For Next.js 14.x, this issue is fixed in `14.2.25`
* For Next.js versions `11.1.4` thru `13.5.6`, consult the below
workaround.
# Workaround
If patching to a safe version is infeasible, it is recommended that you
prevent external user requests which contain the
`x-middleware-subrequest` header from reaching your Next.js application.
## Credits
- Allam Rachid (zhero;)
- Allam Yasser (inzo_)
---
### Release Notes
<details>
<summary>vercel/next.js (next)</summary>
### [`v15.2.3`](https://redirect.github.com/vercel/next.js/releases/tag/v15.2.3)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v15.2.2...v15.2.3)
> [!NOTE]
> This release is backporting bug fixes. It does **not** include all pending features/changes on canary.
> This release contains a security patch for [CVE-2025-29927](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw).
##### Core Changes
- Update default allowed origins list
([#​77212](https://redirect.github.com/vercel/next.js/issues/77212))
- unify allowed origin detection handling
([#​77053](https://redirect.github.com/vercel/next.js/issues/77053))
- Add dev warning for cross-origin and stabilize allowedDevOrigins
([#​77044](https://redirect.github.com/vercel/next.js/issues/77044))
- Ensure deploymentId is used for CSS preloads
([#​77210](https://redirect.github.com/vercel/next.js/issues/77210))
- Update middleware request header
([#​77201](https://redirect.github.com/vercel/next.js/issues/77201))
- \[metadata] remove the default segement check for metadata rendering
([#​77119](https://redirect.github.com/vercel/next.js/issues/77119))
- \[ts-hint] fix vscode type hint plugin enabling
([#​77099](https://redirect.github.com/vercel/next.js/issues/77099))
- \[metadata] re-insert icons to head for streamed metadata
([#​76915](https://redirect.github.com/vercel/next.js/issues/76915))
##### Credits
Huge thanks to [@​ijjk](https://redirect.github.com/ijjk),
[@​ztanner](https://redirect.github.com/ztanner), and
[@​huozhi](https://redirect.github.com/huozhi) for helping!
### [`v15.2.2`](https://redirect.github.com/vercel/next.js/releases/tag/v15.2.2)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v15.2.1...v15.2.2)
##### Core Changes
- \[dev-overlay] fix styling on overflow error messages, add button
hover state:
[#​76771](https://redirect.github.com/vercel/next.js/issues/76771)
- Fix: respond 405 status code on OPTIONS request to SSG page:
[#​76767](https://redirect.github.com/vercel/next.js/issues/76767)
- \[dev-overlay] Always show relative paths:
[#​76742](https://redirect.github.com/vercel/next.js/issues/76742)
- \[metadata] remove the duplicate metadata in the error boundary:
[#​76791](https://redirect.github.com/vercel/next.js/issues/76791)
- Upgrade React from `d55cc79b-20250228` to `443b7ff2-20250303`:
[#​76804](https://redirect.github.com/vercel/next.js/issues/76804)
- \[dev-overlay] Ignore animations on page load:
[#​76834](https://redirect.github.com/vercel/next.js/issues/76834)
- fix: remove useless set-cookie in action-handler:
[#​76839](https://redirect.github.com/vercel/next.js/issues/76839)
- Turbopack: handle task cancelation:
[#​76831](https://redirect.github.com/vercel/next.js/issues/76831)
- Upgrade React from `443b7ff2-20250303` to `e03ac20f-20250305`:
[#​76842](https://redirect.github.com/vercel/next.js/issues/76842)
- add types for `__next_app__` module loading functions:
[#​74566](https://redirect.github.com/vercel/next.js/issues/74566)
- fix duplicated noindex when server action is triggered:
[#​76847](https://redirect.github.com/vercel/next.js/issues/76847)
- fix: don't drop queued actions when navigating:
[#​75362](https://redirect.github.com/vercel/next.js/issues/75362)
- \[dev-overlay]: remove dependency on platform for focus trapping:
[#​76849](https://redirect.github.com/vercel/next.js/issues/76849)
- Turbopack: Add **turbopack_load_by_url**:
[#​76814](https://redirect.github.com/vercel/next.js/issues/76814)
- Add handling of origin in dev mode:
[#​76880](https://redirect.github.com/vercel/next.js/issues/76880)
- \[dev-overlay] Stop grouping callstack frames into ignored vs. not
ignored:
[#​76861](https://redirect.github.com/vercel/next.js/issues/76861)
- Upgrade React from `e03ac20f-20250305` to `029e8bd6-20250306`:
[#​76870](https://redirect.github.com/vercel/next.js/issues/76870)
- \[dev-overlay] Increase padding if no `x` button present:
[#​76898](https://redirect.github.com/vercel/next.js/issues/76898)
- fix: prevent incorrect searchParams being applied on certain navs:
[#​76914](https://redirect.github.com/vercel/next.js/issues/76914)
- \[dev-overlay] Dim ignore-listed callstack frames when shown:
[#​76862](https://redirect.github.com/vercel/next.js/issues/76862)
##### Example Changes
- chore(cna): update tailwind styles to be closer to non-tw cna:
[#​76647](https://redirect.github.com/vercel/next.js/issues/76647)
##### Misc Changes
- Fix canary only warning for devlow-bench:
[#​76772](https://redirect.github.com/vercel/next.js/issues/76772)
- \[test] Add special placeholder if stackframes point into dist dir:
[#​76741](https://redirect.github.com/vercel/next.js/issues/76741)
- \[test] Use new Redbox matchers in pages/ service-side-dev-errors:
[#​76779](https://redirect.github.com/vercel/next.js/issues/76779)
- \[test] Use new Redbox matchers in app/ dynamic-error-trace:
[#​76783](https://redirect.github.com/vercel/next.js/issues/76783)
- \[test] Use new Redbox matchers in app/
owner-stack-invalid-element-type:
[#​76786](https://redirect.github.com/vercel/next.js/issues/76786)
- \[test] Use new Redbox matchers in app/ hook-functuon-names:
[#​76785](https://redirect.github.com/vercel/next.js/issues/76785)
- \[test] Use new Redbox matchers in app/ undefined-default-export:
[#​76781](https://redirect.github.com/vercel/next.js/issues/76781)
- \[test] Use new Redbox matchers in server-navigation-error:
[#​76787](https://redirect.github.com/vercel/next.js/issues/76787)
- \[test] Fix flaky error-recovery test:
[#​76789](https://redirect.github.com/vercel/next.js/issues/76789)
- \[test] Use new Redbox matchers in pages/ gssp-ssr-change-reloading:
[#​76788](https://redirect.github.com/vercel/next.js/issues/76788)
- \[docs] update Tailwind CSS installation and configuration
instructions:
[#​76259](https://redirect.github.com/vercel/next.js/issues/76259)
- docs: Tailwind v4:
[#​76801](https://redirect.github.com/vercel/next.js/issues/76801)
- chore(docs): update minimumCacheTTL example to 31 days:
[#​76796](https://redirect.github.com/vercel/next.js/issues/76796)
- Turbopack: improve sectioned source maps:
[#​76627](https://redirect.github.com/vercel/next.js/issues/76627)
- \[test] Use new Redbox matchers in pages/ middleware-errors:
[#​76797](https://redirect.github.com/vercel/next.js/issues/76797)
- doc: use `redirect` in client components:
[#​76332](https://redirect.github.com/vercel/next.js/issues/76332)
- \[docs] document experimental viewTransition flag:
[#​76832](https://redirect.github.com/vercel/next.js/issues/76832)
- docs(errors): remove confusing good-to-know since global-errors.tsx
also show in dev as of 15.2:
[#​76825](https://redirect.github.com/vercel/next.js/issues/76825)
- Turbopack: don't use HashMap in manifests:
[#​76833](https://redirect.github.com/vercel/next.js/issues/76833)
- Update `labeler.json`:
[#​76828](https://redirect.github.com/vercel/next.js/issues/76828)
- Fix missing turbo command for rust-check:
[#​76851](https://redirect.github.com/vercel/next.js/issues/76851)
- fix(turbopack): Use correct `SyntaxContext` for `__turbopack_esm__`:
[#​73544](https://redirect.github.com/vercel/next.js/issues/73544)
- Cleanup pure span handling:
[#​76846](https://redirect.github.com/vercel/next.js/issues/76846)
- Turbopack: remove unused IncludeModulesModule:
[#​76868](https://redirect.github.com/vercel/next.js/issues/76868)
- Update test snapshots for alternative bundler \[5/n]:
[#​76617](https://redirect.github.com/vercel/next.js/issues/76617)
- Update test snapshots for alternative bundler \[6/n]:
[#​76768](https://redirect.github.com/vercel/next.js/issues/76768)
- \[test] Use `next.browser` instead of `webdriver` in pages/
client-navigation:
[#​76867](https://redirect.github.com/vercel/next.js/issues/76867)
- fix(turbopack): Use vergen-git2 instead of shadow-rs for napi and
next-api crates to fix stale git lock files:
[#​76773](https://redirect.github.com/vercel/next.js/issues/76773)
- Revert "fix(turbopack): Use vergen-git2 instead of shadow-rs for napi
and next-api crates to fix stale git lock files":
[#​76879](https://redirect.github.com/vercel/next.js/issues/76879)
- build: Update `swc_core` to `v16.4.0`:
[#​76596](https://redirect.github.com/vercel/next.js/issues/76596)
- docs: update Turbopack docs:
[#​76799](https://redirect.github.com/vercel/next.js/issues/76799)
- build: Update lightningcss to `v1.0.0-alpha.64`:
[#​76856](https://redirect.github.com/vercel/next.js/issues/76856)
- build: Fix warning:
[#​76890](https://redirect.github.com/vercel/next.js/issues/76890)
- Turbopack: fix `__dirname`:
[#​76902](https://redirect.github.com/vercel/next.js/issues/76902)
- Turbopack: deterministic server action order:
[#​76905](https://redirect.github.com/vercel/next.js/issues/76905)
- docs: reword the docs of veiw transition flag:
[#​76841](https://redirect.github.com/vercel/next.js/issues/76841)
- fix(turbopack): Use vergen-gitcl instead of shadow-rs (or vergen-git2)
for napi and next-api crates to fix stale git lock files:
[#​76889](https://redirect.github.com/vercel/next.js/issues/76889)
- Turbopack: ensure default layout is provided in default not-found
entrypoint:
[#​76912](https://redirect.github.com/vercel/next.js/issues/76912)
- chore(github): add moar labels:
[#​76922](https://redirect.github.com/vercel/next.js/issues/76922)
- \[test] Use new Redbox matchers in pages/ client-navigation/rendering:
[#​76798](https://redirect.github.com/vercel/next.js/issues/76798)
- docs: fix create-next-app cli title:
[#​76908](https://redirect.github.com/vercel/next.js/issues/76908)
##### Credits
Huge thanks to
[@​pranathip](https://redirect.github.com/pranathip),
[@​gaojude](https://redirect.github.com/gaojude),
[@​ijjk](https://redirect.github.com/ijjk),
[@​eps1lon](https://redirect.github.com/eps1lon),
[@​Nayeem-XTREME](https://redirect.github.com/Nayeem-XTREME),
[@​leerob](https://redirect.github.com/leerob),
[@​styfle](https://redirect.github.com/styfle),
[@​samcx](https://redirect.github.com/samcx),
[@​sokra](https://redirect.github.com/sokra),
[@​huozhi](https://redirect.github.com/huozhi),
[@​raunofreiberg](https://redirect.github.com/raunofreiberg),
[@​mischnic](https://redirect.github.com/mischnic),
[@​lubieowoce](https://redirect.github.com/lubieowoce),
[@​unstubbable](https://redirect.github.com/unstubbable),
[@​ztanner](https://redirect.github.com/ztanner),
[@​kdy1](https://redirect.github.com/kdy1),
[@​timneutkens](https://redirect.github.com/timneutkens),
[@​wbinnssmith](https://redirect.github.com/wbinnssmith),
[@​bgw](https://redirect.github.com/bgw), and
[@​oscr](https://redirect.github.com/oscr) for helping!
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - "every weekday"
(UTC).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>

1 parent c155163 commit 1830db4
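The "Patches" and "Workaround" sections of the advisory quoted in the commit message, as an added example that is not part of the commit, the advisory or Next.js itself: `triage` maps an installed `next` version onto the advisory's fix list, and `guard` refuses any request carrying the `x-middleware-subrequest` header before it reaches the application. The function names and the 400 response are assumptions made for illustration.

```javascript
// Added example; version numbers and the header name come from the advisory text above.
const BLOCKED_HEADER = "x-middleware-subrequest";

// Compare "major.minor.patch" strings; returns -1, 0 or 1.
// Assumption: a prerelease suffix such as "-canary.1" is ignored.
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Map an installed next version onto the advisory's "Patches" list.
function triage(version) {
  const major = Number(version.split(".")[0]);
  if (major === 15) return cmp(version, "15.2.3") >= 0 ? "patched" : "upgrade to 15.2.3";
  if (major === 14) return cmp(version, "14.2.25") >= 0 ? "patched" : "upgrade to 14.2.25";
  if (cmp(version, "11.1.4") >= 0 && cmp(version, "13.5.6") <= 0) return "apply workaround";
  return "not listed in advisory";
}

// rawHeaders is Node's req.rawHeaders layout: [name, value, name, value, ...].
// Header names are case-insensitive, so compare in lower case.
function carriesSubrequestHeader(rawHeaders) {
  for (let i = 0; i < rawHeaders.length; i += 2) {
    if (String(rawHeaders[i]).trim().toLowerCase() === BLOCKED_HEADER) return true;
  }
  return false;
}

// Wrap a Node request handler so that flagged requests never reach it.
function guard(handler) {
  return (req, res) => {
    if (carriesSubrequestHeader(req.rawHeaders)) {
      res.writeHead(400, { "content-type": "text/plain" });
      res.end("request rejected\n");
      return;
    }
    handler(req, res);
  };
}
```

In a Node front end the wrapper is used as `http.createServer(guard(appHandler))`; the same check can equally live in a reverse proxy or load balancer rule in front of the application.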
1 file changed, +1 -1 lines changed: aws-ts-nextjs/demoapp/package.json
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
17 | 17 |
| |
18 | 18 |
| |
19 | 19 |
| |
20 |
| - | |
| 20 | + | |
21 | 21 |
| |
22 | 22 |
| |
23 | 23 |
| |
|
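Review bot: this commit changes a single line (line 20) of aws-ts-nextjs/demoapp/package.json and touches no lockfile, so the manifest alone carries the security fix. If the demo app commits a package-lock.json or yarn.lock, regenerate it in the same change; otherwise an install from the lockfile can still resolve next 15.2.1 instead of the 15.2.3 named in the commit message. Running `npm ls next` in aws-ts-nextjs/demoapp after install confirms which version is actually resolved.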