Conversation

@nejidevelops
Owner

Snyk has created this PR to upgrade next from 14.1.1 to 14.2.28.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 116 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade (score out of 1000; exploit maturity as reported by Snyk):

  • medium severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-NEXT-8602067), score 559, No Known Exploit
  • critical severity: Improper Authorization (SNYK-JS-NEXT-9508709), score 559, Mature
  • high severity: Acceptance of Extraneous Untrusted Data With Trusted Data (SNYK-JS-NEXT-8025427), score 559, No Known Exploit
  • high severity: Uncontrolled Recursion (SNYK-JS-NEXT-8186172), score 559, No Known Exploit
  • high severity: Missing Authorization (SNYK-JS-NEXT-8520073), score 559, No Known Exploit
Release notes
Package name: next
  • 14.2.28 - 2025-04-08

    Note

    This release is backporting bug fixes. It does not include all pending features/changes on canary.

    Core Changes

    • fix: node.js module import error when using middleware (#77945)

    Credits

    Huge thanks to @ ztanner for helping!

  • 14.2.27 - 2025-04-07

    Note

    This release is backporting bug fixes. It does not include all pending features/changes on canary.

    Core Changes

    • fix dynamic route interception not working when deployed with middleware (#64923)

    Credits

    Huge thanks to @ ztanner for helping!

  • 14.2.26 - 2025-03-24
  • 14.2.25 - 2025-03-17
  • 14.2.24 - 2025-02-11
  • 14.2.23 - 2025-01-07
  • 14.2.22 - 2024-12-26
  • 14.2.21 - 2024-12-19
  • 14.2.20 - 2024-12-04
  • 14.2.19 - 2024-12-03
  • 14.2.18 - 2024-11-13
  • 14.2.17 - 2024-11-05
  • 14.2.16 - 2024-10-23
  • 14.2.15 - 2024-10-08
  • 14.2.14 - 2024-10-01
  • 14.2.13 - 2024-09-20
  • 14.2.12 - 2024-09-17
  • 14.2.11 - 2024-09-12
  • 14.2.10 - 2024-09-11
  • 14.2.9 - 2024-09-09
  • 14.2.8 - 2024-09-04
  • 14.2.7 - 2024-08-27
  • 14.2.6 - 2024-08-21
  • 14.2.5 - 2024-07-10
  • 14.2.4 - 2024-06-11
  • 14.2.3 - 2024-04-24
  • 14.2.2 - 2024-04-18
  • 14.2.1 - 2024-04-12
  • 14.2.1-canary.7 - 2024-04-15
  • 14.2.1-canary.6 - 2024-04-15
  • 14.2.1-canary.5 - 2024-04-14
  • 14.2.1-canary.4 - 2024-04-13
  • 14.2.1-canary.3 - 2024-04-12
  • 14.2.1-canary.2 - 2024-04-12
  • 14.2.1-canary.1 - 2024-04-12
  • 14.2.1-canary.0 - 2024-04-11
  • 14.2.0 - 2024-04-11
  • 14.2.0-canary.67 - 2024-04-11
  • 14.2.0-canary.66 - 2024-04-11
  • 14.2.0-canary.65 - 2024-04-10
  • 14.2.0-canary.64 - 2024-04-09
  • 14.2.0-canary.63 - 2024-04-08
  • 14.2.0-canary.62 - 2024-04-07
  • 14.2.0-canary.61 - 2024-04-06
  • 14.2.0-canary.60 - 2024-04-05
  • 14.2.0-canary.59 - 2024-04-05
  • 14.2.0-canary.58 - 2024-04-05
  • 14.2.0-canary.57 - 2024-04-04
  • 14.2.0-canary.56 - 2024-04-04
  • 14.2.0-canary.55 - 2024-04-03
  • 14.2.0-canary.54 - 2024-04-02
  • 14.2.0-canary.53 - 2024-04-02
  • 14.2.0-canary.52 - 2024-04-01
  • 14.2.0-canary.51 - 2024-04-01
  • 14.2.0-canary.50 - 2024-03-30
  • 14.2.0-canary.49 - 2024-03-29
  • 14.2.0-canary.48 - 2024-03-28
  • 14.2.0-canary.47 - 2024-03-28
  • 14.2.0-canary.46 - 2024-03-27
  • 14.2.0-canary.45 - 2024-03-27
  • 14.2.0-canary.44 - 2024-03-26
  • 14.2.0-canary.43 - 2024-03-25
  • 14.2.0-canary.42 - 2024-03-25
  • 14.2.0-canary.41 - 2024-03-24
  • 14.2.0-canary.40 - 2024-03-23
  • 14.2.0-canary.39 - 2024-03-22
  • 14.2.0-canary.38 - 2024-03-22
  • 14.2.0-canary.37 - 2024-03-22
  • 14.2.0-canary.36 - 2024-03-21
  • 14.2.0-canary.35 - 2024-03-21
  • 14.2.0-canary.34 - 2024-03-20
  • 14.2.0-canary.33 - 2024-03-19
  • 14.2.0-canary.32 - 2024-03-19
  • 14.2.0-canary.31 - 2024-03-19
  • 14.2.0-canary.30 - 2024-03-18
  • 14.2.0-canary.29 - 2024-03-18
  • 14.2.0-canary.28 - 2024-03-18
  • 14.2.0-canary.27 - 2024-03-17
  • 14.2.0-canary.26 - 2024-03-16
  • 14.2.0-canary.25 - 2024-03-16
  • 14.2.0-canary.24 - 2024-03-15
  • 14.2.0-canary.23 - 2024-03-14
  • 14.2.0-canary.22 - 2024-03-14
  • 14.2.0-canary.21 - 2024-03-13
  • 14.2.0-canary.20 - 2024-03-13
  • 14.2.0-canary.19 - 2024-03-12
  • 14.2.0-canary.18 - 2024-03-12
  • 14.2.0-canary.17 - 2024-03-12
  • 14.2.0-canary.16 - 2024-03-11
  • 14.2.0-canary.15 - 2024-03-11
  • 14.2.0-canary.14 - 2024-03-11
  • 14.2.0-canary.13 - 2024-03-10
  • 14.2.0-canary.12 - 2024-03-09
  • 14.2.0-canary.11 - 2024-03-08
  • 14.2.0-canary.10 - 2024-03-08
  • 14.2.0-canary.9 - 2024-03-08
  • 14.2.0-canary.8 - 2024-03-07
  • 14.2.0-canary.7 - 2024-03-07
  • 14.2.0-canary.6 - 2024-03-06
  • 14.2.0-canary.5 - 2024-03-06
  • 14.2.0-canary.4 - 2024-03-06
  • 14.2.0-canary.3 - 2024-03-06
  • 14.2.0-canary.2 - 2024-03-05
  • 14.2.0-canary.1 - 2024-03-05
  • 14.2.0-canary.0 - 2024-03-05
  • 14.1.4 - 2024-03-20
  • 14.1.3 - 2024-03-06
  • 14.1.2 - 2024-03-04
  • 14.1.2-canary.7 - 2024-03-04
  • 14.1.2-canary.6 - 2024-03-04
  • 14.1.2-canary.5 - 2024-03-04
  • 14.1.2-canary.4 - 2024-03-04
  • 14.1.2-canary.3 - 2024-03-03
  • 14.1.2-canary.2 - 2024-03-02
  • 14.1.2-canary.1 - 2024-03-01
  • 14.1.2-canary.0 - 2024-03-01
  • 14.1.1 - 2024-02-29
from next GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade next from 14.1.1 to 14.2.28.

See this package in npm:
next

See this project in Snyk:
https://app.snyk.io/org/mohammadnewton/project/b05a7c68-b671-452c-a8b2-c318c30bf93e?utm_source=github&utm_medium=referral&page=upgrade-pr

@gemini-code-assist gemini-code-assist bot left a comment


Hello @nejidevelops, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello team, gemini-code-assist here with a summary of this pull request. This PR, automatically generated by Snyk, aims to upgrade the next dependency from version 14.1.1 to 14.2.28. The primary motivation for this significant version jump (116 versions according to Snyk) is to address several security vulnerabilities identified in the current version, including critical, high, and medium severity issues related to authorization, resource allocation, and data handling. The changes primarily involve updating the version specification in package.json and updating the locked versions and integrity hashes for next and its related @next/swc-* and @swc/helpers dependencies in package-lock.json. A new optional dependency, @swc/counter, is also added as part of the @swc/helpers update, and @playwright/test is added as an optional peer dependency for next.

Highlights

  • Dependency Upgrade: Upgrades the next dependency from version 14.1.1 to 14.2.28.
  • Security Fixes: Addresses multiple security vulnerabilities reported by Snyk, including critical, high, and medium severity issues.
  • Dependency Tree Updates: Updates locked versions and integrity hashes for next and related @next/swc-* and @swc/helpers packages in package-lock.json.
  • New Optional Dependencies: Adds @swc/counter as a dependency of @swc/helpers and @playwright/test as an optional peer dependency of next in the lock file.

Changelog

  • package-lock.json
    • Updated next version from 14.1.1 to 14.2.28 (Line 17)
    • Updated @next/env version, resolved URL, and integrity hash, added license (Lines 259-262)
    • Updated @next/swc-darwin-arm64 version, resolved URL, and integrity hash, added license (Lines 274-276)
    • Updated @next/swc-darwin-x64 version, resolved URL, and integrity hash, added license (Lines 290-292)
    • Updated @next/swc-linux-arm64-gnu version, resolved URL, and integrity hash, added license (Lines 306-308)
    • Updated @next/swc-linux-arm64-musl version, resolved URL, and integrity hash, added license (Lines 322-324)
    • Updated @next/swc-linux-x64-gnu version, resolved URL, and integrity hash, added license (Lines 338-340)
    • Updated @next/swc-linux-x64-musl version, resolved URL, and integrity hash, added license (Lines 354-356)
    • Updated @next/swc-win32-arm64-msvc version, resolved URL, and integrity hash, added license (Lines 370-372)
    • Updated @next/swc-win32-ia32-msvc version, resolved URL, and integrity hash, added license (Lines 386-388)
    • Updated @next/swc-win32-x64-msvc version, resolved URL, and integrity hash, added license (Lines 402-404)
    • Added @swc/counter dependency with version, resolved URL, integrity hash, and license (Lines 624-627)
    • Updated @swc/helpers version, resolved URL, and integrity hash, added license and @swc/counter dependency (Lines 630-637)
    • Updated next entry with new version, resolved URL, integrity hash, license, and updated @next/env and @swc/helpers dependency versions (Lines 3599-3605)
    • Updated next optional dependencies to version 14.2.28 for all @next/swc-* packages (Lines 3619-3627)
    • Added @playwright/test as an optional peer dependency for next (Line 3631)
    • Added @playwright/test optional flag in next peer dependencies (Lines 3640-3642)
  • package.json
    • Updated next dependency version from 14.1.1 to 14.2.28 (Line 18)
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature              | Command               | Description
Code Review          | /gemini review        | Performs a code review for the current pull request in its current state.
Pull Request Summary | /gemini summary       | Provides a summary of the current pull request in its current state.
Comment              | @gemini-code-assist   | Responds in comments when explicitly tagged, both in issue comments and review comments.
Help                 | /gemini help          | Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.


A package old,
Has vulns untold.
Upgrade it fast,
Make safety last.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the next dependency from version 14.1.1 to 14.2.28. This upgrade is important as it addresses several security vulnerabilities, including critical and high severity issues, as indicated by Snyk. The changes are limited to updating the version in package.json and the corresponding entries and hashes in package-lock.json.

Summary of Findings

  • Security Vulnerabilities Addressed: The primary finding is that this PR successfully upgrades the next dependency to a version that fixes several reported security vulnerabilities, including critical and high severity issues. This is a significant improvement for the project's security posture.
  • package.json vs package-lock.json Version Inconsistency: There is a minor inconsistency in how the next version is specified between package.json (exact version) and the top-level dependencies section of package-lock.json (caret version). While the actual locked version is correct, this discrepancy could potentially cause confusion or issues if the lock file is not strictly used.

Merge Readiness

This pull request is valuable for addressing known security vulnerabilities by upgrading the next dependency. However, dependency upgrades, especially across multiple patch versions, can sometimes introduce unexpected issues or require code adjustments in the application. Additionally, there is a minor inconsistency in the version specification between package.json and package-lock.json that should ideally be resolved. Therefore, I recommend thorough testing of the application with these updated dependencies before merging. I am unable to approve this pull request; please ensure other reviewers have signed off before merging.

"framer-motion": "^11.0.8",
"lucide-react": "^0.344.0",
"next": "14.1.1",
"next": "^14.2.28",
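Review bot: the replacement line sets the lock file's root specifier for next to the caret range "^14.2.28" while package.json pins the exact version "14.2.28", so the root entry of package-lock.json no longer mirrors the manifest. Regenerate package-lock.json from the updated package.json (npm install with the exact pin in place) so the root specifier reads "14.2.28" like the manifest; tooling that checks manifest/lock sync will otherwise report the disagreement even though the resolved version is correct.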


medium

The package.json file specifies the next version as "14.2.28" (exact), but the top-level dependencies section in package-lock.json lists it with a caret "^14.2.28". While the main next entry later in the file correctly shows the locked version 14.2.28, this inconsistency in the top-level dependencies block of the lock file might be confusing or indicate an unexpected state. It's generally best practice for the top-level dependencies in package-lock.json to mirror the version specifiers in package.json for clarity and consistency. Could this discrepancy lead to unexpected behavior if the lock file were to be regenerated without the exact version specified in package.json?

"next": "14.2.28",
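A check for the manifest/lock drift raised in the review, as an added example that is not part of this PR or of the Snyk or Gemini tooling; it assumes a lockfileVersion 2 or 3 package-lock.json (where packages[""] mirrors package.json) and handles only exact and caret specifiers, the two forms that appear in this PR:

```javascript
// Added example, not part of this PR or of the Snyk/Gemini tooling: flag the
// drift the review points out, a package.json specifier that differs from the
// root entry of package-lock.json (packages[""], lockfileVersion 2 or 3).
const parse = (v) => v.split('.').map(Number);

// Minimal semver matcher covering only exact pins and caret ranges, which are
// the two forms that appear in this PR; anything else is treated as a mismatch.
function satisfies(spec, version) {
  if (spec.startsWith('^')) {
    const [wM, wm, wp] = parse(spec.slice(1));
    const [M, m, p] = parse(version);
    return M === wM && (m > wm || (m === wm && p >= wp));
  }
  return spec === version;
}

// Returns human-readable findings; an empty array means manifest and lock agree.
function findSpecMismatches(pkg, lock) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[''] || {};
  for (const field of ['dependencies', 'devDependencies']) {
    const wanted = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(wanted)) {
      if (locked[name] !== spec) {
        findings.push(`${name}: package.json wants "${spec}", lock root has "${locked[name]}"`);
      }
      const entry = packages[`node_modules/${name}`];
      if (!entry) {
        findings.push(`${name}: no node_modules entry in lock file`);
      } else if (!satisfies(spec, entry.version)) {
        findings.push(`${name}: locked ${entry.version} does not satisfy "${spec}"`);
      }
    }
  }
  return findings;
}
// Constructed sample reproducing the state shown in this PR (exact pin in the
// manifest, caret in the lock root, resolved 14.2.28); integrity is a placeholder.
const samplePkg = { dependencies: { next: '14.2.28' } };
const sampleLock = {
  packages: {
    '': { dependencies: { next: '^14.2.28' } },
    'node_modules/next': { version: '14.2.28', integrity: 'sha512-PLACEHOLDER' },
  },
};
console.log(findSpecMismatches(samplePkg, sampleLock));
```

Run against the real files with JSON.parse on package.json and package-lock.json; a non-empty result is the condition the review comment describes.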
