Bump next from 14.2.14 to 15.0.3 #4644
@dependabot merge
Sorry, only users with push access can use that command.
16f70ef to 8bd9b22
@dependabot merge
8bd9b22 to 0fd437d
@dependabot merge
0fd437d to 5798ca0
@dependabot merge
Bumps [next](https://github.com/vercel/next.js) from 14.2.14 to 15.0.3.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v14.2.14...v15.0.3)

---
updated-dependencies:
- dependency-name: next
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
5798ca0 to 366334b
@dependabot merge
@@ -35312,6 +40425,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
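Review bot: the `version` field of the new `node_modules/http-cache-semantics` entry falls outside the visible context, so the hunk alone does not show whether this is the 3.8.1 that the Trivy comment below flags for CVE-2022-25881 or an already patched release; check the full entry, and if it is 3.8.1, find the dependency that pulls it in (`npm ls http-cache-semantics`) and fix it there instead of hand-editing this generated lockfile, since the PR description notes Dependabot stops resolving conflicts once the PR is altered by hand.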
❌ Codacy found a critical Security issue: Insecure dependency http-cache-semantics@3.8.1 (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)
The issue identified by the Trivy linter is a known vulnerability related to the http-cache-semantics package. Specifically, version 3.8.1 of this package has been reported to have a Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881). This type of vulnerability can allow an attacker to exploit the regular expressions used in the package, potentially leading to performance degradation or denial of service.
To resolve this issue, you should update the http-cache-semantics package to a version that is not affected by this vulnerability. The recommended version to upgrade to is 4.1.1.
Here is the single line change to update the version of http-cache-semantics:
"node_modules/http-cache-semantics": {
"node_modules/http-cache-semantics": { "version": "4.1.1", ...
Make sure to run npm install after making this change to update the package in your project.
This comment was generated by an experimental AI tool.
@@ -44899,6 +51146,146 @@ | |||
"node": ">=10" | |||
} | |||
}, | |||
"node_modules/mockery": { |
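Review bot: the Codacy line below reports CVE-2022-37614 for the new `node_modules/mockery` entry with an empty fix version (`update to )`), and the `2.1.1` in the suggested change is explicitly a guess ("if available"); before bumping anything, confirm that a fixed release actually exists, and if none does, establish which dependency requires mockery and whether it is reachable at runtime or only from tests, so the finding can be triaged on that basis rather than by an unverified version string.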
❌ Codacy found a critical Security issue: Insecure dependency mockery@2.1.0 (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )
The issue identified by the Trivy linter is related to the mockery package version 2.1.0, which has a known vulnerability (CVE-2022-37614) associated with prototype pollution. This vulnerability can allow an attacker to modify the prototype of built-in objects, potentially leading to security issues such as Denial of Service (DoS) or data manipulation.
To resolve this issue, you should update the mockery package to a version that does not contain this vulnerability. The latest version or a version that addresses this security issue should be used.
Here's a code suggestion to update the mockery dependency to a safe version (for example, 2.1.1 or later if available):
"node_modules/mockery": {
"version": "2.1.1",
Make sure to verify the latest stable version of mockery that addresses the vulnerability before applying this change.
This comment was generated by an experimental AI tool.
@@ -57672,6 +66882,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
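Review bot: the new `node_modules/utile` entry has no fixed release (the Codacy line below says "no fix available"), so the `npm uninstall utile` suggested there only works if utile is listed directly in package.json; a lockfile entry is more likely to be transitive, in which case run `npm ls utile` to find the parent that requires it and decide whether that parent can be updated or replaced, and note the finding as accepted risk if it cannot.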
ℹ️ Codacy found a minor Security issue: Insecure dependency utile@0.3.0 (NSWG-ECO-445: Out-of-bounds Read) (no fix available)
The issue reported by the Trivy linter indicates that the utile package version 0.3.0 has a security vulnerability classified as an "Out-of-bounds Read." This type of vulnerability can potentially allow an attacker to read sensitive data outside of the intended buffer boundaries, which can lead to information disclosure or other security risks. Since there is no fix available for this version, it is advisable to remove or replace the vulnerable package.
To address this issue, one effective approach is to remove the utile package from your dependencies, especially if it is not critical to your application. If you do not have a direct dependency on utile, you can safely remove it from your project.
Here's the code suggestion to remove the utile package:
"node_modules/utile": {
npm uninstall utile
This command will remove the utile package from your node_modules and update your package.json and package-lock.json accordingly. If utile is a dependency of another package, consider checking if there is an updated version of that package that does not depend on utile, or look for alternative packages that provide similar functionality without the security risk.
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
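Review bot: this entry is a nested copy at `node_modules/package-json-validator/node_modules/minimist`, which means the 0.0.10 reported below is the version package-json-validator itself requires; editing only the `version` string here, as the suggestion below does, leaves the entry's resolved/integrity fields pointing at the old tarball and will be undone the next time `npm install` regenerates the lockfile. Fix it at the parent instead (update package-json-validator to a release that depends on a patched minimist, or pin minimist with an npm override) and let npm rewrite the lockfile.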
The issue identified by the Trivy linter pertains to a known vulnerability in the minimist package version 0.0.10. This vulnerability (CVE-2020-7598) allows for prototype pollution, which can lead to potential security risks by allowing an attacker to add or modify properties of Object.prototype using malicious payloads. This can lead to unexpected behavior and security breaches in applications that utilize this library.
To resolve this security issue, you should update the minimist dependency to a safe version. The recommended version is 0.2.1 or higher, as it addresses the vulnerability.
Here's the single line change you can make to update the minimist dependency:
"node_modules/package-json-validator/node_modules/minimist": {
"node_modules/package-json-validator/node_modules/minimist": { "version": "0.2.1", ...
Make sure to also check your package.json or package-lock.json files to ensure that the updated version is reflected there, and run npm install to apply the changes.
This comment was generated by an experimental AI tool.
"concat-map": "0.0.1" | ||
} | ||
}, | ||
"node_modules/npm-run-all/node_modules/cross-spawn": { |
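Review bot: `node_modules/npm-run-all/node_modules/cross-spawn` is a nested copy pinned by npm-run-all's own dependency range, so the single-line bump to 7.0.5 suggested below would not survive an `npm install`, which rewrites nested entries from the parent's declared range; resolve CVE-2024-21538 at the parent (update npm-run-all to a release that accepts cross-spawn 7.0.5, or apply an npm override) and commit the regenerated lockfile.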
❌ Codacy found a critical Security issue: Insecure dependency cross-spawn@6.0.5 (CVE-2024-21538: Regular Expression Denial of Service (ReDoS) in cross-spawn) (update to 7.0.5)
The issue identified by the Trivy linter pertains to a known vulnerability in the cross-spawn package, specifically version 6.0.5, which is susceptible to a Regular Expression Denial of Service (ReDoS) attack as documented in CVE-2024-21538. This vulnerability can potentially allow an attacker to exploit the regular expressions used in the package, leading to performance degradation or application denial of service.
To resolve this issue, the suggested action is to update the cross-spawn package to a secure version, specifically 7.0.5 or higher, which has addressed the vulnerability.
Here's the single line change you can make to fix the issue:
"node_modules/npm-run-all/node_modules/cross-spawn": {
"version": "7.0.5",
This comment was generated by an experimental AI tool.
@@ -36079,6 +41771,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
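Review bot: the comment below tells the author to edit package.json, but this hunk is in package-lock.json and a `node_modules/ip` entry does not by itself mean ip is a direct dependency; run `npm ls ip` to find the parent, then pick the fixed line from the advisory (1.1.9 or 2.0.1, both listed in the Codacy line) that the parent's version range accepts, since moving a 1.x consumer to 2.x is a major-version change the parent may not tolerate.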
❌ Codacy found a critical Security issue: Insecure dependency ip@1.1.5 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)
The issue identified by the Trivy linter is related to a security vulnerability in the ip package, specifically version 1.1.5. This version is susceptible to arbitrary code execution through the isPublic() function, as described in CVE-2023-42282. To mitigate this vulnerability, it is recommended to upgrade the ip package to a secure version, either 2.0.1 or 1.1.9.
To fix the issue, you need to update the dependency version in your package.json file. Here's the suggested change to update the ip package to a safe version:
"node_modules/ip": {
"node_modules/ip": { "version": "1.1.9", ... }
This change ensures that your project uses a version of the ip package that is not vulnerable to the identified security issue.
This comment was generated by an experimental AI tool.
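The review comments above all come from the same check: a scanner walked the `packages` map of package-lock.json and compared each entry's version against a fix version, catching nested copies (`node_modules/npm-run-all/node_modules/cross-spawn`) that a top-level look would miss. The script below reproduces that check as an added example; it is not code from this PR, Dependabot, Codacy or Trivy. The advisory table is assumed and deliberately limited to the fix versions stated in the comments above (it is not a vulnerability database), and the sample lockfile is constructed for the example.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) against a small advisory table.

Added example for this PR thread, not the project's or any scanner's code.
ADVISORIES is an assumption built only from the fix versions the review
comments above state; SAMPLE_LOCK is a constructed lockfile.
"""
import json
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]

# name -> (advisory id, [(branch_floor, first_fixed), ...]).
# A version v is flagged when branch_floor <= v < first_fixed for some branch.
ADVISORIES: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {
    "http-cache-semantics": ("CVE-2022-25881", [("0.0.0", "4.1.1")]),
    "cross-spawn": ("CVE-2024-21538", [("0.0.0", "7.0.5")]),
    "minimist": ("CVE-2020-7598", [("0.0.0", "0.2.1")]),
    # Two branches were fixed separately: 1.x at 1.1.9 and 2.x at 2.0.1.
    "ip": ("CVE-2023-42282", [("0.0.0", "1.1.9"), ("2.0.0", "2.0.1")]),
}


class Finding(NamedTuple):
    lock_path: str   # key in the lockfile "packages" map
    name: str        # npm package name
    version: str
    advisory: str
    fixed_in: str


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple.

    The trailing flag orders a release above its own pre-releases
    (15.0.3-canary.9 < 15.0.3), matching semver precedence.
    """
    core, _, prerelease = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts[:3]
    return (major, minor, patch, 0 if prerelease else 1)


def package_name(lock_path: str) -> str:
    """Map a lockfile path to its package name, keeping scopes intact.

    node_modules/npm-run-all/node_modules/cross-spawn -> cross-spawn
    node_modules/@types/node -> @types/node
    """
    return lock_path.split("node_modules/")[-1]


def check_version(name: str, version: str) -> Optional[Tuple[str, str]]:
    """Return (advisory id, first fixed version) if this version is affected."""
    if name not in ADVISORIES:
        return None
    advisory, branches = ADVISORIES[name]
    v = parse_version(version)
    for floor, fixed in branches:
        if parse_version(floor) <= v < parse_version(fixed):
            return advisory, fixed
    return None


def audit_lockfile(lock: dict) -> List[Finding]:
    """Check every entry of the 'packages' map, nested copies included.

    A patched top-level copy therefore never hides a vulnerable nested one,
    which is exactly the case the comments above report.
    """
    findings: List[Finding] = []
    for lock_path, meta in lock.get("packages", {}).items():
        if not lock_path or "version" not in meta:
            continue  # "" is the project itself; link entries carry no version
        name = package_name(lock_path)
        hit = check_version(name, meta["version"])
        if hit:
            findings.append(Finding(lock_path, name, meta["version"], *hit))
    return findings


# Constructed sample lockfile (not this project's real package-lock.json).
SAMPLE_LOCK = json.loads("""
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/next": {"version": "15.0.3"},
    "node_modules/http-cache-semantics": {"version": "3.8.1"},
    "node_modules/got/node_modules/http-cache-semantics": {"version": "4.1.1"},
    "node_modules/package-json-validator/node_modules/minimist": {"version": "0.0.10"},
    "node_modules/cross-spawn": {"version": "7.0.5"},
    "node_modules/npm-run-all/node_modules/cross-spawn": {"version": "6.0.5"},
    "node_modules/ip": {"version": "1.1.5"},
    "node_modules/socks/node_modules/ip": {"version": "2.0.1"}
  }
}
""")


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed lockfile (four affected entries)."""
    return audit_lockfile(SAMPLE_LOCK)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.lock_path}: {f.name}@{f.version} affected by {f.advisory}, fixed in {f.fixed_in}")
```

Pointing `audit_lockfile` at `json.load(open("package-lock.json"))` runs it on a real lockfile; the `lock_path` of each finding tells you whether the hit is a top-level copy or one pinned by a parent, which is the detail that decides whether a version bump in the lockfile will hold or whether the parent has to change.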
Superseded by #4672.
Bumps next from 14.2.14 to 15.0.3.
Release notes
Sourced from next's releases.
... (truncated)
Commits
- 7dc7be2 v15.0.3
- 74b4d2d v15.0.3-canary.9
- be40adb Add missing closing </AppOnly> (#72453)
- 224447c Getting Started Docs: Improve "Project Structure" page (#72399)
- 5f0adad chore(turbopack): Update dashmap from 5.x to 6.x (#72433)
- f668af2 [ppr] Fixed deployment tests (#72428)
- 856521b docs(parallel-routes): update 11-parallel-routes.mdx example for modal closin...
- 9d31638 docs(route-handlers): add TS/JS switcher to Route Resolution section in `...
- 200fdc1 [Turbopack] remove unneeded type annotation (#72390)
- 74a19b7 docs: unify the header deps by removing # (#72391)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)