Bump @nx/next from 19.5.7 to 20.1.4 #4662
Bumps [@nx/next](https://github.com/nrwl/nx/tree/HEAD/packages/next) from 19.5.7 to 20.1.4.
- [Release notes](https://github.com/nrwl/nx/releases)
- [Commits](https://github.com/nrwl/nx/commits/20.1.4/packages/next)

---
updated-dependencies:
- dependency-name: "@nx/next"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot merge
Sorry, only users with push access can use that command.
"node_modules/sprintf-js": { | ||
"version": "1.0.3", | ||
"resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", | ||
"integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", | ||
"license": "BSD-3-Clause" | ||
}, | ||
"node_modules/ssh2": { |
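Review bot: the `"node_modules/ssh2"` key is a generated package-lock.json entry, so the lock edit proposed further down the thread (`"ssh2": "^1.4.0",` written inside this entry) is package.json syntax, not lockfile syntax, and would be discarded by the next `npm install`. The 0.8.9 pin the scanner flags comes from the dependency graph; move it to 1.4.0 by bumping whichever dependency declares ssh2, or by adding an `overrides` entry for `ssh2` in package.json, and then regenerate the lock.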
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-26301: nodejs-ssh2: Command injection by calling vulnerable method with untrusted input) (update to 1.4.0)

The issue identified by the Trivy linter is a security vulnerability in the `ssh2` package version `0.8.9`, which is associated with CVE-2020-26301. This vulnerability allows for command injection when untrusted input is passed to certain methods within the `ssh2` library. To mitigate this risk, it is recommended to update the `ssh2` package to a secure version, specifically version `1.4.0` or later, where this vulnerability has been addressed.

To fix the issue, you can update the `ssh2` dependency in your `package.json` file. Here's the single line change that you need to make:

```json
"node_modules/ssh2": {
"ssh2": "^1.4.0",
```

This change ensures that the project uses a secure version of the `ssh2` package, thereby eliminating the vulnerability.

This comment was generated by an experimental AI tool.
@@ -35312,6 +41430,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
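Review bot: the header `@@ -35312,6 +41430,12 @@` puts the new file roughly 6,100 lines ahead of the old one at this point, so the lockfile has grown substantially before this hunk, and the hunk itself adds six lines for the `node_modules/http-cache-semantics` entry (3.8.1 according to the scanner). Please confirm the lock was regenerated with a clean `npm install` against the updated package.json rather than hand-merged, and that the new entries are all accounted for by @nx/next 20.1.4's dependency tree.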
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)

The issue identified by the Trivy linter is a security vulnerability in the `http-cache-semantics` package, specifically version `3.8.1`. This version has a known vulnerability (CVE-2022-25881) that exposes the application to a Regular Expression Denial of Service (ReDoS) attack. A ReDoS attack can exploit certain regular expressions that take a long time to evaluate, potentially causing the application to hang or crash under certain conditions. The recommended action is to update the package to a more secure version, which in this case is `4.1.1`.

To fix this issue, you should update the version of the `http-cache-semantics` package in your project. The change can be made in your `package.json` file or wherever the dependency is defined.

Here's the single line change to update the version:

```json
"node_modules/http-cache-semantics": {
"version": "4.1.1",
```

This comment was generated by an experimental AI tool.
@@ -36079,6 +42775,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
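Review bot: `"node_modules/ip"` is a top-level lock entry, so the `"ip": "^1.1.9"` package.json change suggested in the thread only takes effect if ip is a direct dependency of this project; this PR changes @nx/next, not ip, so it is more likely pulled in transitively, in which case the bump has to go through an `overrides` entry or through the package that depends on ip. The findings list both 1.1.9 and 2.0.1 as fixed for CVE-2023-42282, so pick the line that the dependent package's range accepts.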
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)

The issue described by the Trivy linter indicates that the `ip` package version `1.1.5` has a known vulnerability (CVE-2023-42282) that allows for arbitrary code execution through the `isPublic()` function. This vulnerability poses a significant security risk, and it is recommended to update the package to a secure version, specifically `1.1.9` or later.

To resolve this issue, you should update the version of the `ip` package in your `package.json` file. The change would involve modifying the dependency version to `1.1.9`.

Here is the code suggestion to fix the issue:

```json
"node_modules/ip": {
"node_modules/ip": { "version": "1.1.9", ...
```

Make sure to run `npm install` after making this change to update your dependencies accordingly.

This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
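Review bot: the key `node_modules/package-json-validator/node_modules/minimist` shows that minimist 0.0.10 is a private copy nested under package-json-validator, so rewriting the version string in this entry (as both suggestions in the thread do) does not change what package-json-validator requests and would be undone on the next install. Either update package-json-validator to a release whose range accepts minimist 0.2.1 / 1.2.3, or add an `overrides` entry for `minimist` in package.json and regenerate the lock so the nested copy disappears.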
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)

The issue identified by the Trivy linter is related to a security vulnerability in the `minimist` package, specifically version `0.0.10`. This version is susceptible to prototype pollution, which is a type of vulnerability that allows an attacker to manipulate the properties of `Object.prototype`. This can lead to unexpected behavior in the application, including potential denial of service or data corruption.

To resolve this issue, you should update the `minimist` dependency to a secure version that is not affected by this vulnerability. The suggested versions to upgrade to are `0.2.1` or `1.2.3`.

Here's the single line change you can make to update the `minimist` dependency:

```json
"node_modules/package-json-validator/node_modules/minimist": {
"node_modules/package-json-validator/node_modules/minimist": { "version": "1.2.3", ...
```

This change updates the version of `minimist` to `1.2.3`, which addresses the security vulnerability.

This comment was generated by an experimental AI tool.
@@ -58379,6 +68757,16 @@ | |||
"node": ">=4.0.0" | |||
} | |||
}, | |||
"node_modules/vue-template-compiler": { |
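Review bot: the `"version": "3.0.0"` suggested in the thread should be checked against the npm registry before anyone applies it; the hunk header `-58379,6 +68757,16` shows ten lines added around the `node_modules/vue-template-compiler` entry, so the package arrives with the updated dependency tree and its version is dictated by whichever package depends on it, not by this lock line. Run `npm ls vue-template-compiler` to find that dependent and decide whether it can be upgraded or dropped.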
The issue reported by the Trivy linter indicates that the `vue-template-compiler` package version `2.6.12` has a known vulnerability (CVE-2024-6783) related to client-side Cross-Site Scripting (XSS). This vulnerability can potentially allow attackers to inject malicious scripts into web applications, posing a significant security risk.

To address this vulnerability, the recommended action is to upgrade the `vue-template-compiler` package to a secure version, specifically version `3.0.0` or later, which has resolved this security issue.

Here is the code suggestion to fix the issue:

```json
"node_modules/vue-template-compiler": {
"version": "3.0.0",
```

This comment was generated by an experimental AI tool.
@@ -36079,6 +42775,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 2.0.1, 1.1.9)

The issue reported by the Trivy linter indicates that the `ip` package version `1.1.5` has a known vulnerability (CVE-2023-42282) that allows for arbitrary code execution through the `isPublic()` function. This vulnerability can potentially be exploited if an attacker is able to manipulate the input to this function, leading to severe security risks in applications that depend on this package.

To address this security vulnerability, you should update the `ip` package to a safe version. The linter suggests updating to either version `2.0.1` or `1.1.9`, both of which have resolved the security issue.

The code suggestion to fix the issue would be to update the version of the `ip` package in your `package.json` file.

```json
"node_modules/ip": {
"ip": "^1.1.9",
```

This change will ensure that your project uses a version of the `ip` package that is not vulnerable to the reported security issue. After making this change, don't forget to run `npm install` to update the package in your `node_modules`.

This comment was generated by an experimental AI tool.
@@ -57672,6 +67883,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
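Review bot: `"node_modules/utile": null` is not valid lockfile content, and `npm uninstall utile` only removes a direct dependency; the hunk header `-57672,6 +67883,112` shows 106 lines added here, so the utile entry most likely lands as part of a larger subtree introduced by the @nx/next bump. Since the scanner reports no fixed release for NSWG-ECO-445, run `npm ls utile` to identify the dependent, check whether that dependent is still needed, and if it is, record the accepted risk in the PR rather than hand-editing the lock.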
ℹ️ Codacy found a minor Security issue: Insecure dependency [email protected] (NSWG-ECO-445: Out-of-bounds Read) (no fix available)

The issue identified by the Trivy linter pertains to the `utile` package version `0.3.0`, which has been flagged for an "Out-of-bounds Read" vulnerability. This type of vulnerability can lead to potential security risks such as data leakage or crashes, as it allows an attacker to read memory outside of the intended bounds of an array or buffer. Since there is no fix available for this specific version, the recommended approach is to remove the vulnerable package or upgrade to a secure alternative if possible.

To address this issue, a single line change in your `package.json` file can be made to remove the `utile` package entirely. Here's how you can do that:

```json
"node_modules/utile": {
"node_modules/utile": null,
```

However, it's important to note that simply setting it to `null` in the `package.json` will not remove the dependency. Instead, you should either directly remove the package from your `package.json` file or run a command to uninstall it. If you want to ensure the package is removed, you can run:

```sh
npm uninstall utile
```

After uninstalling, make sure to review any other dependencies that might rely on `utile` and consider replacing them with safer alternatives.

This comment was generated by an experimental AI tool.
@@ -44899,6 +52152,146 @@ | |||
"node": ">=10" | |||
} | |||
}, | |||
"node_modules/mockery": { |
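Review bot: the finding's fix field is empty (`update to )`), so the `2.1.1` proposed in the thread did not come from the scanner and needs to be verified on the registry before it is used; the hunk header `-44899,6 +52152,146` adds 140 lines around this entry, which points at a sizeable new subtree rather than a single package. Run `npm ls mockery` to see which package depends on it and whether that dependency belongs in this lock at all.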
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-37614: mockery is vulnerable to prototype pollution) (update to )

The issue reported by the Trivy linter indicates that the `mockery` package version `2.1.0` has a known vulnerability (CVE-2022-37614) related to prototype pollution. Prototype pollution is a security vulnerability where an attacker can manipulate an object's prototype, potentially leading to unexpected behavior or security breaches in an application.

To address this issue, the recommended action is to update the `mockery` package to a version that does not have this vulnerability. The latest version of the package should ideally be used, assuming it resolves the security issue.

Here's the code suggestion to fix the issue by updating the `mockery` dependency:

```json
"node_modules/mockery": {
"node_modules/mockery": { "version": "2.1.1", ...
```

Make sure to check the latest version of `mockery` in the npm registry to ensure that it resolves the vulnerability before applying the change.

This comment was generated by an experimental AI tool.
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-4.4.1.tgz", | ||
"integrity": "sha512-S0fuX5lDku28Au9REYUsV+hdJpW/rNW0gWlc4SXzF/kdrRaAVX9YCxKpziH7djeWT/HFAjLZcnY7NJD8xTeUEg==", | ||
"license": "BSD-2-Clause", | ||
"node_modules/@teambit/legacy/node_modules/minimatch": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)

The issue identified by the Trivy linter is a known security vulnerability in the `minimatch` package version 3.0.4. Specifically, this vulnerability (CVE-2022-3517) relates to a Regular Expression Denial of Service (ReDoS) issue that can be exploited through the `braceExpand` function. Attackers can craft specific input that takes an excessive amount of time to process, leading to potential denial of service.

To resolve this issue, you should update the `minimatch` dependency to a patched version (3.0.5 or higher) that addresses the vulnerability.

Here is the code suggestion for the update:

```json
"node_modules/@teambit/legacy/node_modules/minimatch": {
"version": "3.0.5",
```

This change updates the version of `minimatch` from 3.0.4 to 3.0.5, which should mitigate the identified security risk.

This comment was generated by an experimental AI tool.
"object-assign": "^4.1.1" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/semver": { |
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)

The issue identified by the Trivy linter is a known vulnerability in the `semver` package version 7.3.4, which is susceptible to a Regular Expression Denial of Service (ReDoS) attack (CVE-2022-25883). This vulnerability can allow an attacker to exploit certain regular expressions in the package, potentially leading to performance degradation or denial of service.

To resolve this issue, you should update the `semver` dependency to a version that is not affected by this vulnerability. The recommended versions are 7.5.2, 6.3.1, or 5.7.2.

Here's the single line change needed to fix the issue:

```json
"node_modules/@teambit/legacy/node_modules/semver": {
"node_modules/@teambit/legacy/node_modules/semver": { "version": "7.5.2", ...
```

This change updates the `semver` version from 7.3.4 to 7.5.2, which is a secure version.

This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
The issue identified by the Trivy linter relates to a security vulnerability in the `minimist` package, specifically version `0.0.10`. This vulnerability, documented as CVE-2020-7598, allows for prototype pollution, which can enable an attacker to add or modify properties of `Object.prototype`. This could lead to unexpected behavior in the application, potentially allowing for further exploits.

To resolve this issue, you should update the `minimist` dependency to a safer version that does not have this vulnerability. According to the recommendation, you should update it to at least version `0.2.1`.

Here's the single line change needed to fix this issue:

```json
"node_modules/package-json-validator/node_modules/minimist": {
"node_modules/package-json-validator/node_modules/minimist": { "version": "0.2.1", ...
```

Make sure to also update any references or dependencies that rely on `minimist` to ensure compatibility with the new version.

This comment was generated by an experimental AI tool.
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==", | ||
"peer": true | ||
}, | ||
"node_modules/moment": { |
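Review bot: `"peer": true` on the `node_modules/moment` entry marks it as a peer dependency installed to satisfy another package, and the lock edit proposed in the thread carries an `"integrity": "sha512-<new-integrity-hash>"` placeholder; a lock entry with an invented or missing integrity value must not be committed, because that field is what npm verifies the downloaded tarball against. Let npm write the entry instead: run the `npm install` command suggested at the end of the thread (or add an override) and commit the regenerated lock.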
❌ Codacy found a critical Security issue: Insecure dependency [email protected] (CVE-2022-24785: Moment.js: Path traversal in moment.locale) (update to 2.29.2)

The security issue identified by Trivy relates to a vulnerability in the Moment.js library, specifically in version 2.29.1. The vulnerability (CVE-2022-24785) involves a path traversal issue in the `moment.locale` function, which could potentially allow an attacker to access sensitive files on the server or client. To mitigate this risk, it is recommended to update Moment.js to a secure version, specifically to 2.29.2 or later.

To address this vulnerability, you can modify the version of the Moment.js dependency in your `package.json` file to the recommended version. Here's the suggested code change:

```json
"node_modules/moment": {
  "version": "2.29.2",
  "resolved": "https://registry.npmjs.org/moment/-/moment-2.29.2.tgz",
  "integrity": "sha512-<new-integrity-hash>",
  "peer": true,
  "engines": {
    "node": "*"
  }
}
```

(Note: You will need to replace `<new-integrity-hash>` with the actual integrity hash for version 2.29.2, which can be found in the npm registry after updating the package.)

Alternatively, if you have a `package.json` file, you can simply run `npm install [email protected]` to update the dependency.

This comment was generated by an experimental AI tool.
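Every finding in this thread points at a `node_modules/...` key in package-lock.json, and several of them are copies nested under a parent package, which decides whether a direct bump, an `overrides` entry or a parent upgrade is the right fix. The Node script below is an added example, not Codacy's or this repository's code: it walks a lockfile v2/v3 `packages` map, compares each matching entry against the fixed versions quoted in the findings, and reports the nesting parent. The lock excerpt and the advisory table are constructed for the demo.

```javascript
// Added example (not Codacy's or the repository's code): audit a package-lock.json
// "packages" map (lockfile v2/v3) against a table of advisories. Data is constructed.

// Constructed lock excerpt: hoisted entries plus copies nested under a parent package.
const lock = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/ssh2": { version: "0.8.9" },
    "node_modules/http-cache-semantics": { version: "4.1.1" },
    "node_modules/package-json-validator/node_modules/minimist": { version: "0.0.10" },
    "node_modules/@teambit/legacy/node_modules/semver": { version: "7.3.4" },
  },
};

// Package -> fixed versions, one per major line, as quoted in the thread's findings.
const advisories = {
  ssh2: ["1.4.0"],
  "http-cache-semantics": ["4.1.1"],
  minimist: ["0.2.1", "1.2.3"],
  semver: ["5.7.2", "6.3.1", "7.5.2"],
};

// "x.y.z" (prerelease/build tag dropped) -> [x, y, z] as numbers.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}

// Numeric comparison of dotted versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

// Vulnerable if below every fixed release on its own major line; a major line with
// no fixed release at all (ssh2 0.x vs 1.4.0) needs a major bump, so it counts too.
function isVulnerable(version, fixed) {
  const line = fixed.filter((f) => parseVersion(f)[0] === parseVersion(version)[0]);
  return line.length === 0 || line.every((f) => compareVersions(version, f) < 0);
}

// Lock key -> package name and nesting parent:
// "node_modules/a/node_modules/@s/b" gives name "@s/b", parent "a"; hoisted gives null.
function splitKey(key) {
  const parts = key.split("node_modules/").filter(Boolean).map((p) => p.replace(/\/$/, ""));
  return { name: parts[parts.length - 1], parent: parts.length > 1 ? parts[parts.length - 2] : null };
}

// Walk the lock; a nested hit means the parent must be bumped or overridden,
// a hoisted hit can be fixed with a direct bump or a top-level override.
function auditLock(lockJson, table) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockJson.packages)) {
    if (key === "" || !entry.version) continue;
    const { name, parent } = splitKey(key);
    if (table[name] && isVulnerable(entry.version, table[name])) {
      findings.push({ name, version: entry.version, parent, fixed: table[name] });
    }
  }
  return findings;
}

for (const f of auditLock(lock, advisories)) {
  console.log(`${f.name}@${f.version} -> ${f.fixed.join(", ")}${f.parent ? ` via ${f.parent}` : ""}`);
}
```

Pointing `lock` at `JSON.parse(fs.readFileSync("package-lock.json"))` and filling `advisories` from the scanner output turns this into a pre-merge check that tells the reviewer which parent package each nested finding actually belongs to.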
Bumps @nx/next from 19.5.7 to 20.1.4.

Release notes

Sourced from @nx/next's releases. ... (truncated)

Commits

- 58f0b17 fix(misc): update artifact generator option descriptions and cleanup leftover...
- bf24839 fix(nextjs): Add support for next.config.ts for executors (#29071)
- 316e8d2 server-next-executor-examples: minor typo documentation (#28830)
- d4b9e0d fix(nextjs): update default next-env (#28861)
- 39b0a6c chore(nextjs): bump Next.js version to 14.2.16 (#28782)
- 0706c7f fix(nextjs): Formatting for pages (#28734)
- 0ad7c6b fix(nextjs): do not generate spec files if unitTestRunner is not set programm...
- b89a62e fix(nextjs): Fix json spread typo (#28728)
- c2e3112 feat(core): Update plugin generators so that they are formatted by default (#...
- ce05a98 fix(nextjs): Add deprecation message for svgr (#28705)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)