Bump next from 14.2.14 to 15.1.0 #4679
Bumps [next](https://github.com/vercel/next.js) from 14.2.14 to 15.1.0.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v14.2.14...v15.1.0)
---
updated-dependencies:
- dependency-name: next
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <[email protected]>
@dependabot merge
Sorry, only users with push access can use that command.
"node_modules/sprintf-js": { | ||
"version": "1.0.3", | ||
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", | ||
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", | ||
"license": "BSD-3-Clause" | ||
}, | ||
"node_modules/ssh2": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)
The issue identified by the Trivy linter is related to a security vulnerability in the ssh2 package version 0.8.9. Specifically, this version has a known command injection vulnerability (CVE-2020-26301) that can occur when untrusted input is passed to certain methods. This can potentially allow an attacker to execute arbitrary commands on the server.
To resolve this issue, you should update the ssh2 package to a safer version, specifically to version 1.4.0 or later, which contains fixes for this vulnerability.
Here's the code suggestion to update the dependency:
"node_modules/ssh2": {
"version": "1.4.0",
This comment was generated by an experimental AI tool.
@@ -58379,6 +67765,16 @@ | |||
"node": ">=4.0.0" | |||
} | |||
}, | |||
"node_modules/vue-template-compiler": { |
The issue identified by the Trivy linter pertains to a security vulnerability in the vue-template-compiler package, specifically version 2.6.12. This version is susceptible to a Cross-Site Scripting (XSS) attack, which can allow an attacker to execute arbitrary scripts in the context of the user's session. The recommended action is to update this package to a more secure version that has addressed this vulnerability.
To fix the issue, you should update the vue-template-compiler dependency to version 3.0.0 or later, as suggested by the CVE report.
Here is the code suggestion to make this change:
"node_modules/vue-template-compiler": {
"version": "3.0.0",
This single line change updates the version of vue-template-compiler to 3.0.0, which should resolve the security vulnerability.
This comment was generated by an experimental AI tool.
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", | ||
"peer": true | ||
}, | ||
"node_modules/moment": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)
The issue identified by the Trivy linter pertains to a security vulnerability in the Moment.js library, specifically version 2.29.1. This vulnerability, tracked as CVE-2022-24785, involves a path traversal flaw that could potentially allow an attacker to access files outside of the intended directory structure when using the moment.locale method.
To address this security issue, the recommended action is to update the Moment.js dependency to a secure version, specifically 2.29.2 or later, which has patched this vulnerability.
Here's the single line change you can make to update the version of Moment.js in your package configuration:
- "node_modules/moment": {
+ "node_modules/moment": { "version": "2.29.2", ...
This change updates the version of Moment.js to 2.29.2, mitigating the identified security risk.
This comment was generated by an experimental AI tool.
@@ -44899,6 +51155,146 @@ | |||
"node": ">=10" | |||
} | |||
}, | |||
"node_modules/mockery": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )
The issue identified by the Trivy linter pertains to the mockery package version 2.1.0, which is vulnerable to prototype pollution as noted in CVE-2022-37614. Prototype pollution is a security vulnerability that allows an attacker to manipulate an object's prototype, potentially leading to unexpected behavior or security breaches in applications that rely on that object.
To resolve this vulnerability, you should update the mockery package to a version that is not affected by this security issue. The latest version of the package should ideally be used, as it will contain the necessary fixes.
Here's the code suggestion to fix the issue by updating the mockery version:
"node_modules/mockery": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/mockery/-/mockery-2.1.1.tgz",
"integrity": "sha512-<new-integrity-hash>",
"peer": true
Note: Ensure to replace <new-integrity-hash> with the actual integrity hash of the updated version if you are maintaining an integrity check.
This comment was generated by an experimental AI tool.
@@ -36079,6 +41780,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)
The issue identified by the Trivy linter is related to a security vulnerability in the ip package, specifically version 1.1.5. The vulnerability (CVE-2023-42282) allows for arbitrary code execution through the isPublic() function. To mitigate this risk, it is recommended to update the ip package to a secure version, either 2.0.1 or 1.1.9, which have addressed this security flaw.
To fix the issue, you can update the version of the ip package in your package.json file. Here's the suggested change:
"node_modules/ip": {
"version": "1.1.9",
...
}
Alternatively, if you want to upgrade to the latest major version, you could specify:
"node_modules/ip": {
"version": "2.0.1",
...
}
Make sure to run npm install after making this change to update the package.
This comment was generated by an experimental AI tool.
@@ -57672,6 +66891,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (NSWG-ECO-445: Out-of-bounds Read) (no fix available)
The issue reported by the Trivy linter indicates that the utile package version 0.3.0 has a known security vulnerability classified as an "Out-of-bounds Read." This vulnerability can potentially allow an attacker to read sensitive data from memory outside the bounds of allocated buffers, which could lead to information disclosure or other security risks. Since there is no fix available for this specific version, it is advisable to remove or replace this insecure dependency.
To address this issue, you can remove the utile package from your project. This can be done by modifying the package.json file to ensure that the package is no longer included in your project.
Here's the single line change to remove the utile package:
- "node_modules/utile": {
+ "node_modules/utile": null,
This change effectively removes the utile dependency from the project's dependency tree. You may also want to consider finding an alternative package that provides similar functionality without the security issues.
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
The issue identified by the Trivy linter is related to a security vulnerability in the minimist package, specifically version 0.0.10. This version is affected by a prototype pollution vulnerability (CVE-2020-7598), which allows an attacker to manipulate properties of Object.prototype through malicious payloads. This can lead to unexpected behavior and security risks in applications that rely on this package.
To resolve this issue, you should update the minimist dependency to a secure version. The recommended version is 0.2.1 or higher, as it addresses the vulnerability.
Here's the code suggestion to fix the issue by updating the version of minimist:
- "node_modules/package-json-validator/node_modules/minimist": {
+ "version": "0.2.1",
However, since this is a nested dependency, you may need to update the parent dependency (optimist in this case) to ensure it pulls in the updated version of minimist. If optimist does not support a higher version of minimist, you may need to consider alternatives or fork the package.
This comment was generated by an experimental AI tool.
@@ -35312,6 +40434,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)
The issue identified by the Trivy linter is a security vulnerability in the http-cache-semantics package, specifically version 3.8.1. This vulnerability, designated as CVE-2022-25881, is a Regular Expression Denial of Service (ReDoS) issue, which can lead to performance degradation or service unavailability when an attacker exploits the vulnerability by sending specially crafted requests.
To resolve this security issue, you should update the http-cache-semantics package to version 4.1.1 or later, where the vulnerability has been addressed.
Here's the single line change you can make to fix the issue:
- "node_modules/http-cache-semantics": {
+ "node_modules/http-cache-semantics": { "version": "4.1.1", ...
Make sure to also run your package manager's install command (e.g., npm install or yarn install) to ensure the updated version is reflected in your node_modules directory.
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)
The issue identified by the Trivy linter is related to a known vulnerability in the minimist package, specifically version 0.0.10. This vulnerability, outlined in CVE-2020-7598, allows for prototype pollution, which means that an attacker could potentially manipulate the properties of Object.prototype. This can lead to unexpected behavior and security risks within applications that rely on this package.
To resolve this issue, you should update the minimist dependency to a safer version, as suggested by the linter. The recommended versions are 0.2.1 or 1.2.3, which do not contain this vulnerability.
Here is the single line change you can make to fix the issue:
- "node_modules/package-json-validator/node_modules/minimist": {
+ "node_modules/package-json-validator/node_modules/minimist": { "version": "1.2.3", ... }
Make sure to also update the package's lock file (e.g., package-lock.json or yarn.lock) accordingly, and run your package manager's install command to ensure the changes take effect.
This comment was generated by an experimental AI tool.
"object-assign": "^4.1.1" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/semver": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)
The issue identified by the Trivy linter pertains to a security vulnerability in the semver package version 7.3.4. The vulnerability, classified as CVE-2022-25883, relates to a Regular Expression Denial of Service (ReDoS) attack, which can be exploited to cause performance degradation or service outages by making the application consume excessive resources when processing certain inputs.
To mitigate this vulnerability, you should update the semver package to a version that is not affected by this issue. The recommended versions to upgrade to are 7.5.2, 6.3.1, or 5.7.2.
Here's the single line change that should be made to update the semver dependency:
- "node_modules/@teambit/legacy/node_modules/semver": {
+ "node_modules/@teambit/legacy/node_modules/semver": { "version": "7.5.2", ...
This change specifies that the semver package should use version 7.5.2, which is not affected by the identified vulnerability.
This comment was generated by an experimental AI tool.
@@ -36079,6 +41780,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)
The issue identified by the Trivy linter pertains to a security vulnerability in the ip package version 1.1.5, specifically CVE-2023-42282. This vulnerability allows for arbitrary code execution through the isPublic() function in the package. To mitigate this risk, it is recommended to update the package to a secure version, in this case, version 1.1.9 or later.
To fix this issue, you can update the version of the ip package in your package.json file. Here's the suggested code change:
"node_modules/ip": {
"version": "1.1.9",
"resolved": "https://registry.npmjs.org/ip/-/ip-1.1.9.tgz",
"integrity": "sha512-<new-integrity-hash>",
"peer": true
}
Make sure to replace <new-integrity-hash> with the actual integrity hash for version 1.1.9, which you can find from the npm registry or by running npm install [email protected] and checking the package-lock.json. After making this change, remember to run npm install to update your dependencies.
This comment was generated by an experimental AI tool.
"node": ">=10" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/minimatch": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)
The issue reported by the Trivy linter is related to a security vulnerability in the minimatch package, specifically version 3.0.4. This vulnerability (CVE-2022-3517) involves a Regular Expression Denial of Service (ReDoS) attack that can be exploited through the braceExpand function. It is recommended to upgrade to at least version 3.0.5, where the vulnerability has been addressed.
To resolve this issue, you can update the version of minimatch in your package.json or wherever the dependency is specified. The following code suggestion reflects this single line change:
- "node_modules/@teambit/legacy/node_modules/minimatch": {
+ "node_modules/@teambit/legacy/node_modules/minimatch": { "version": "3.0.5", ...
Make sure to run npm install after making this change to update the dependency in your project.
This comment was generated by an experimental AI tool.
Superseded by #4684.
Bumps next from 14.2.14 to 15.1.0.
Release notes
Sourced from next's releases.
... (truncated)
Commits
dafcd43 v15.1.0
2deb35d v15.0.4-canary.52
f92b159 test: fix type error in segment-cache-basic test (#73755)
4074ede docs(turbopack): Better document the Vc type, with references to ResolvedVc a...
eecc5f1 [Segment Cache] Skip dynamic request if possible (#73540)
3970d33 v15.0.4-canary.51
ef41607 re-enable middleware deploy tests (#73744)
16bfce6 [Segment Cache] Respond with 204 on cache miss (#73649)
c7d6ab7 fix: warnOnce() lru (#73742)
c824c18 v15.0.4-canary.50
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)