[Security] Bump next from 14.2.3 to 14.2.10 in /ui
Bumps next from 14.2.3 to 14.2.10. This update includes a security fix.
Vulnerabilities fixed
Next.js Cache Poisoning
Impact
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent, it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which some upstream CDNs may cache as well.
To be potentially affected all of the following must apply:
- Next.js between 13.5.1 and 14.2.9
- Using pages router
- Using non-dynamic server-side rendered routes, e.g. `pages/dashboard.tsx`, not `pages/blog/[slug].tsx`
The below configurations are unaffected:
- Deployments using only app router
- Deployments on Vercel are not affected
Patches
This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.
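A triage check for the conditions listed above, as an added example that is not part of the advisory or of Next.js. It assumes the affected ranges are 13.5.1 up to (not including) 13.5.7 and 14.0.0 up to (not including) 14.2.10, and that a pages-router file exporting `getServerSideProps` with no `[param]` segment is a non-dynamic server-side rendered route; the function names and the sample file map are hypothetical.

```javascript
// Added example: checks a project against the advisory's stated conditions.
// Assumption: ranges are derived from "between 13.5.1 and 14.2.9" and the
// patched versions 13.5.7 and 14.2.10 named in the advisory.

function parseVersion(v) {
  // Takes the first x.y.z found, so "v14.2.3" or "14.2.3-canary.1" both parse.
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(version) {
  const v = parseVersion(version);
  const in13 = cmp(v, [13, 5, 1]) >= 0 && cmp(v, [13, 5, 7]) < 0;
  const in14 = cmp(v, [14, 0, 0]) >= 0 && cmp(v, [14, 2, 10]) < 0;
  return in13 || in14;
}

// Candidate routes: under pages/ (or src/pages/), no dynamic [param] segment,
// and rendered per request via an exported getServerSideProps.
function candidateRoutes(files) {
  const ssr = /export\s+(async\s+)?(function|const)\s+getServerSideProps\b/;
  return Object.entries(files)
    .filter(([path]) => /(^|\/)pages\//.test(path) && !path.includes('['))
    .filter(([, src]) => ssr.test(src))
    .map(([path]) => path);
}

// Hosting is not inspected here; the advisory lists Vercel deployments as unaffected.
function triage(resolvedNextVersion, files) {
  const affectedVersion = isAffectedVersion(resolvedNextVersion);
  const routes = candidateRoutes(files);
  return { affectedVersion, routes, meetsAllConditions: affectedVersion && routes.length > 0 };
}

// Constructed sample project (path -> source), not taken from a real repository.
const sampleFiles = {
  'pages/dashboard.tsx': 'export async function getServerSideProps() { return { props: {} }; }',
  'pages/blog/[slug].tsx': 'export async function getServerSideProps() { return { props: {} }; }',
  'pages/about.tsx': 'export default function About() { return null; }',
  'app/page.tsx': 'export default function Page() { return null; }',
};

console.log(triage('14.2.3', sampleFiles));
```

Pass the version resolved in the lockfile rather than the range in package.json, since a range such as `^14.2.3` does not say which release is installed.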
... (truncated)
Patched versions: 14.2.10; 13.5.7
Affected versions: >= 14.0.0, = 13.5.1, < 13.5.7
Release notes
Sourced from next's releases.
v14.2.10
[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.
Core Changes
- Remove invalid fallback revalidate value (vercel/next.js#69990)
- Revert server action optimization (vercel/next.js#69925)
- Add ability to customize Cache-Control (#69802)
Credits
Huge thanks to @huozhi and @ijjk for helping!
v14.2.9
[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.
Core Changes
- Revert "Fix esm property def in flight loader (#66990)" (#69749)
- Disable experimental.optimizeServer by default to fix failed server action (#69788)
- Fix middleware fallback: false case (#69799)
- Fix status code for /_not-found route (#64058) (#69808)
- Fix metadata prop merging (#69807)
- create-next-app: fix font file corruption when using import alias (#69806)
Credits
Huge thanks to @huozhi, @ztanner, @ijjk, and @lubieowoce for helping!
v14.2.8
What's Changed
[!NOTE]
This release is backporting bug fixes and minor improvements. It does not include all pending features/changes on canary.
Support esmExternals in app directory
- Support esm externals in app router (#65041)
- Turbopack: Allow client components from foreign code in app routes (#64751)
- Turbopack: add support for esm externals in app dir (#64918)
- other related PRs: #66990 #66727 #66286 #65519
Reading cookies set in middleware in components and actions
... (truncated)
Commits
- 937651f v14.2.10
- 7ed7f12 Remove invalid fallback revalidate value (#69990)
- 99de057 Revert server action optimization (#69925)
- 24647b9 Add ability to customize Cache-Control (#69802)
- 6fa8982 v14.2.9
- 7998745 test: lock ts type check (#69889)
- 4bd3849 create-next-app: fix font file corruption when using import alias (#69806)
- 3756801 test: check most possible combination of CNA flags
- 9a72ad6 unpin CNA tests from 14.2.3
- 747d365 Fix metadata prop merging (#69807)
- Additional commits viewable in compare view