Skip to content

Update dependency next to v14 [SECURITY]#101

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-next-vulnerability
Open

Update dependency next to v14 [SECURITY]#101
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-next-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Sep 25, 2024

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
next (source) 13.0.714.2.35 age confidence

Next.js missing cache-control header may lead to CDN caching empty reply

CVE-2023-46298 / GHSA-c59h-r6p8-q9wc

More information

Details

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

Severity

Low

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Denial of Service condition in Next.js image optimization

CVE-2024-47831 / GHSA-g77x-44xx-532m

More information

Details

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

  • The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
  • The Next.js application is hosted on Vercel.
Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js authorization bypass vulnerability

CVE-2024-51479 / GHSA-7gfc-8cq8-jh5f

More information

Details

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js Allows a Denial of Service (DoS) with Server Actions

CVE-2024-56332 / GHSA-7m27-7ghc-44w9

More information

Details

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Authorization Bypass in Next.js Middleware

CVE-2025-29927 / GHSA-f82v-jwr5-mffw

More information

Details

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches
  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits
  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Information exposure in Next.js dev server due to lack of origin verification

CVE-2025-48068 / GHSA-3h52-269p-cp9r

More information

Details

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js Affected by Cache Key Confusion for Image Optimization API Routes

CVE-2025-57752 / GHSA-g5qg-72qw-gw5v

More information

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

Severity

  • CVSS Score: 6.2 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js Content Injection Vulnerability for Image Optimization

CVE-2025-55173 / GHSA-xv57-4mr9-wg8v

More information

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js Improper Middleware Redirect Handling Leads to SSRF

CVE-2025-57822 / GHSA-4342-x723-ch2f

More information

Details

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

vercel/next.js (next)

v14.2.35

Compare Source

v14.2.34

Compare Source

v14.2.33

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • omit searchParam data from FlightRouterState before transport (#​80734)
Credits

Huge thanks to @​ztanner for helping!

v14.2.32

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix router handling when setting a location response header #​82588
Credits

Huge thanks to @​ztanner for helping!

v14.2.31

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix(next/image): improve and simplify detect-content-type (#​82179)
  • fix(next/image): fix image-optimizer.ts headers (#​82178)
Credits

Huge thanks to @​styfle and @​ztanner for helping!

v14.2.30

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​ijjk and @​ztanner for helping!

v14.2.29

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Only share incremental cache for edge in next start (#​79389)
Credits

Huge thanks to @​ijjk for helping!

v14.2.28

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: node.js module import error when using middleware (#​77945)
Credits

Huge thanks to @​ztanner for helping!

v14.2.27

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix dynamic route interception not working when deployed with middleware (#​64923)
Credits

Huge thanks to @​ztanner for helping!

v14.2.26

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Match subrequest handling for edge and node (#​77476)

v14.2.25

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.
This release contains a security patch for CVE-2025-29927.

Core Changes
  • Update middleware request header (#​77202)
Credits

Huge thanks to @​ijjk for helping!

v14.2.24

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​ztanner for helping!

v14.2.23

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • backport: force module format for virtual client-proxy (#​74590)
  • Backport: Use provided waitUntil for pending revalidates (#​74573)
  • Feature: next/image: add support for images.qualities in next.config (#​74500)
Credits

Huge thanks to @​styfle, @​ijjk and @​lubieowoce for helping!

v14.2.22

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Retry manifest file loading only in dev mode: #​73900
  • Ensure workers are cleaned up: #​71564
  • Use shared worker for lint & typecheck steps: #​74154
Credits

Huge thanks to @​unstubbable, @​ijjk, and @​ztanner for helping!

v14.2.21

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Misc Changes
  • chore(docs): add missing search: '' on remotePatterns: #​73927
  • chore(docs): update version history of next/image: #​73926
Credits

Huge thanks to @​unstubbable, @​ztanner, and @​styfle for helping!

v14.2.20

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​wyattjoh for helping!

v14.2.19

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • ensure worker exits bubble to parent process (#​73433)
  • Increase max cache tags to 128 (#​73125)
Misc Changes
  • Update max tag items limit in docs (#​73445)
Credits

Huge thanks to @​ztanner and @​ijjk for helping!

v14.2.18

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​huozhi and @​ijjk for helping!

v14.2.17

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: revert the bad node binary handling (#​72356)
  • Ensure pages/500 handles cache-control as expected (#​72050) (#​72110)
  • fix unhandled runtime error from generateMetadata in parallel routes (#​72153)
Credits

Huge thanks to @​huozhi, @​ztanner, and @​ijjk for helping!

v14.2.16

Compare Source

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing cache-control on SSR app route (#​70265)
  • feat: add polyfill of URL.canParse for browser compatibility (#​70228)
  • Fix vercel og package memory leak (#​70214)
  • Fix startTime error on Android 9 with Chrome 74 (#​67391)
Credits

Huge thanks to @​raeyoung-kim, @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • update prefetching jsdoc & documentation (#​68047)
  • Ensure we chunk revalidate tag requests (#​70189)
  • (backport) fix(eslint): allow typescript-eslint v8 (#​70090)
  • [ppr] Don't mark RSC requests as /_next/data requests (backport of #​66249) (#​70083)
Credits

Huge thanks to @​alvarlagerlof, @​wyattjoh, @​delbaoliveira, and @​ijjk for helping!

v14.2.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: correct metadata url suffix (#​69959)
  • fix: setting assetPrefix to URL format breaks HMR (#​70040)
  • Update revalidateTag to batch tags in one request (#​65296)
Credits

Huge thanks to @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.10

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Remove invalid fallback revalidate value (#​69990)
  • Revert server action optimization (#​69925)
  • Add ability to customize Cache-Control (#​69802)
Credits

Huge thanks to @​huozhi and @​ijjk for helping!

v14.2.9

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "Fix esm property def in flight loader (#​66990)" (#​69749)
  • Disable experimental.optimizeServer by default to fix failed server action (#​69788)
  • Fix middleware fallback: false case (#​69799)
  • Fix status code for /_not-found route (#​64058) (#​69808)
  • Fix metadata prop merging (#​69807)
  • create-next-app: fix font file corruption when using import alias (#​69806)
Credits

Huge thanks to @​huozhi, @​ztanner, @​ijjk, and @​lubieowoce for helping!

v14.2.8

Compare Source

What's Changed

[!NOTE]
This release is backporting bug fixes and minor improvements. It does not include all pending features/changes on canary.

Support esmExternals in app directory
Reading cookies set in middleware in components and actions
  • initialize ALS with cookies in middleware (#​65008)
  • fix middleware cookie initialization (#​65820)
  • ensure cookies set in middleware can be read in a server action (#​67924)
  • fix: merged middleware cookies should preserve options (#​67956)
Metadata and icons
  • support facebook-specific metadata (fb:app_id, fb:admins) in generateMetaData (#​65713)
  • Always collect static icons for all segments (#​68712)
  • Fix favicon merging with customized icons (#​67982)
  • Warn metadataBase missing in standalone mode or non vercel deployment (#​66296)
Parallel routes fixes
  • fix missing stylesheets when parallel routes are present (#​69507)
Draft mode and edge improvements
next/image fixes
  • Allow external image urls with _next/image pathname to be rendered via Image component (#​69586)
Server actions improvements
  • optimize server actions (#​66523)
  • Apply optimization for unused actions (#​69178)
  • Improve SWC transform ID generation (#​69183)
Other changes
  • Ensure we match comment minify behavior between terser and swc (#​68372)
  • send initialCanonicalUrl in array format to prevent crawler confusion (#​69509)
Create-next-app updates

Full Changelog: vercel/next.js@v14.2.7...v14.2.8


Huge thanks to everyone who contributed to this release:
@​abhi12299, @​delbaoliveira, @​eps1lon, @​ForsakenHarmony, @​huozhi, @​ijjk, @​JoshuaKGoldberg, @​leerob, @​lubieowoce, @​Netail, @​ronanru, @​samcx, @​shuding, @​sokra, @​stylessh, @​timfuhrmann, @​wbinnssmith, @​wyattjoh, @​ypessoa, @​ztanner

v14.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Revert "chore: externalize undici for bundling" (#​65727)
  • Refactor internal routing headers to use request meta (#​66987)
  • fix(next): add cross origin in react dom preload (#​67423)
  • build: upgrade edge-runtime (#​67565)
  • GTM dataLayer parameter should take an object, not an array of strings (#​66339)
  • fix: properly patch lockfile against swc bindings (#​66515)
  • Add deployment id header for rsc payload if present (#​67255)
  • Update font data (#​68639)
  • fix i18n data pathname resolving (#​68947)
  • pages router: ensure x-middleware-cache is respected (#​67734)
  • Fix bad modRequest in flight entry manifest #​68888
  • Reject next image urls in image optimizer #​68628
  • Fix hmr assetPrefix escaping and reuse logic from other files #​67983
Credits

Huge thanks to @​kjugi, @​huozhi, @​ztanner, @​SukkaW, @​marlier, @​Kikobeats, @​syi0808, @​ijjk, and @​samcx for helping!

v14.2.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Ensure fetch cache TTL is updated properly (#​69164)

v14.2.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • avoid merging global css in a way that leaks into other chunk groups (#​67373)
  • Fix server action edge redirect with middleware rewrite (#​67148)
  • fix(next): reject protocol-relative URLs in image optimization (#​65752)
  • fix(next-swc): correct path interop to filepath for wasm (#​65633)
  • Use addDependency to track metadata route file changes (#​66714)
  • Fix noindex is missing on static not-found page (#​67135)
  • perf: improve retrieving versionInfo on Turbo HMR (#​67309)
  • fix(next/image): handle invalid url (#​67465)
  • fix(next): initial prefetch cache not set properly with different search params (#​65977)
  • fix: Backport class properties fix (#​67377)
  • Upgrade acorn (#​67592)
Misc
  • Log stdio for pull-turbo-cache script (#​66759)
  • Ensure turbo is setup when building in docker (#​66804)
Credits

Huge thanks to @​devjiwonchoi, @​ijjk, @​emmerich, @​huozhi, @​kdy1, @​kwonoj, @​styfle, and @​sokra for helping!

v14.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: ensure route handlers properly track dynamic access (#​66446)
  • fix NextRequest proxy in edge runtime (#​66551)
  • Fix next/dynamic with babel and src dir (#​65177)
  • Use vercel deployment url for metadataBase fallbacks (#​65089)
  • fix(next/image): detect react@​19 for fetchPriority prop (#​65235)
  • Fix loading navigation with metadata and prefetch (#​66447)
  • prevent duplicate RSC fetch when action redirects (#​66620)
  • ensure router cache updates reference the latest cache values (#​66681)
  • Prevent append of trailing slash in cases where path ends with a file extension (#​66636)
  • Fix inconsistency with 404 getStaticProps cache-control (#​66674)
  • Use addDependency to track metadata route file changes (#​66714)
  • Add timeout/retry handling for fetch cache (#​66652)
  • fix: app-router prefetch crash when an invalid URL is passed to Link (#​66755)
Credits

Huge thanks to @​ztanner, @​ijjk, @​wbinnssmith, @​huozhi, and @​lubieowoce for helping!

v14.2.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: resolve mixed re-exports module as cjs (#​64681)
  • fix: mixing namespace import and named import client components (#​64809)
  • Fix mixed exports in server component with barrel optimization (#​64894)
  • Fix next/image usage in mdx(#​64875)
  • fix(fetch-cache): fix additional typo, add type & data validation (#​64799)
  • prevent erroneous route interception during lazy fetch (#​64692)
  • fix root page revalidation when redirecting in a server action (#​64730)
  • fix: remove traceparent from cachekey should not remove traceparent from original object (#​64727)
  • Clean-up fetch metrics tracking (#​64746)
Credits

Huge thanks to @​huozhi, @​samcx, @​ztanner, @​Jeffrey-Zutt, and @​ijjk for helping!

v14.2.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not i

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Asia/Manila)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Sep 25, 2024

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 15 workspace projects
 WARN  GET https://registry.npmjs.org/husky/-/husky-8.0.3.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/turbo/-/turbo-1.8.5.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/typescript/-/typescript-5.0.2.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/connect-redis/-/connect-redis-0.0.19.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.1.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/node/-/node-18.11.19.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/pg/-/pg-8.6.5.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/preview-email/-/preview-email-3.0.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@types/react/-/react-18.0.25.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vitest/coverage-c8/-/coverage-c8-0.29.7.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@vitest/ui/-/ui-0.29.7.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/esbuild/-/esbuild-0.17.14.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/esbuild-register/-/esbuild-register-3.4.1.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/class-variance-authority error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/eslint-config-turbo error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/next error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/husky/-/husky-8.0.3.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/turbo/-/turbo-1.8.5.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/typescript/-/typescript-5.0.2.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@types/connect-redis/-/connect-redis-0.0.19.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.1.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@types/node/-/node-18.11.19.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@types/pg/-/pg-8.6.5.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@types/preview-email/-/preview-email-3.0.0.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@types/react/-/react-18.0.25.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vitest/coverage-c8/-/coverage-c8-0.29.7.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/@vitest/ui/-/ui-0.29.7.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/esbuild/-/esbuild-0.17.14.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/esbuild-register/-/esbuild-register-3.4.1.tgz error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/class-variance-authority error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/eslint-config-turbo error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/next error (ERR_INVALID_THIS). Will retry in 1 minute. 1 retries left.
 WARN  GET https://registry.npmjs.org/eslint/-/eslint-8.27.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 ERR_INVALID_THIS  Value of "this" must be of type URLSearchParams

pnpm [ERR_INVALID_THIS]: Value of "this" must be of type URLSearchParams
    at Proxy.getAll (node:internal/url:554:13)
    at Proxy.<anonymous> (/opt/containerbase/tools/pnpm/8.2.0/24.16.0/node_modules/pnpm/dist/pnpm.cjs:60566:55)
    at /opt/containerbase/tools/pnpm/8.2.0/24.16.0/node_modules/pnpm/dist/pnpm.cjs:60628:31
    at Array.reduce (<anonymous>)
    at Proxy.raw (/opt/containerbase/tools/pnpm/8.2.0/24.16.0/node_modules/pnpm/dist/pnpm.cjs:60627:33)
    at new Headers (/opt/containerbase/tools/pnpm/8.2.0/24.16.0/node_modules/pnpm/dist/pnpm.cjs:60512:28)
    at getNodeRequestOptions (/opt/containerbase/tools/pnpm/8.2.0/24.16.0/node_modules/pnpm/dist/pnpm.cjs:60861:23)
    at /opt/containerbase/tools/pnpm/8.2.0/24.16.0/node_modules/pnpm/dist/pnpm.cjs:60918:25
    at new Promise (<anonymous>)
    at fetch (/opt/containerbase/tools/pnpm/8.2.0/24.16.0/node_modules/pnpm/dist/pnpm.cjs:60916:14)
 WARN  GET https://registry.npmjs.org/globby/-/globby-13.1.2.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/nodemon/-/nodemon-2.0.20.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/npm-run-all2/-/npm-run-all2-5.0.2.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/pino-pretty/-/pino-pretty-10.0.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/prettier/-/prettier-2.8.7.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/preview-email/-/preview-email-3.0.7.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vite/-/vite-4.2.1.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vite-tsconfig-paths/-/vite-tsconfig-paths-4.0.7.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/vitest/-/vitest-0.29.7.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@fastify/awilix/-/awilix-3.0.1.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@fastify/cookie/-/cookie-8.3.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@fastify/cors/-/cors-8.2.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@fastify/helmet/-/helmet-10.1.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.
 WARN  GET https://registry.npmjs.org/@fastify/rate-limit/-/rate-limit-8.0.0.tgz error (ERR_INVALID_THIS). Will retry in 10 seconds. 2 retries left.

@vercel

vercel Bot commented Sep 25, 2024

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
readit-stories Error Error Apr 27, 2026 10:05pm
readit-web Error Error Apr 27, 2026 10:05pm

@renovate renovate Bot changed the title Update dependency next to v13.5.0 [SECURITY] Update dependency next to v13.5.0 [SECURITY] - autoclosed Sep 25, 2024
@renovate renovate Bot closed this Sep 25, 2024
@renovate renovate Bot deleted the renovate/npm-next-vulnerability branch September 25, 2024 17:10
@renovate renovate Bot restored the renovate/npm-next-vulnerability branch September 26, 2024 20:02
@renovate renovate Bot changed the title Update dependency next to v13.5.0 [SECURITY] - autoclosed Update dependency next to v13.5.0 [SECURITY] Sep 26, 2024
@renovate renovate Bot reopened this Sep 26, 2024
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 3142569 to b4498ec Compare September 26, 2024 20:08
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from b4498ec to a1a65a8 Compare October 15, 2024 08:45
@renovate renovate Bot changed the title Update dependency next to v13.5.0 [SECURITY] Update dependency next to v14 [SECURITY] Oct 15, 2024
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from a1a65a8 to 8c7ed64 Compare January 23, 2025 17:18
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 8c7ed64 to 010c007 Compare May 17, 2025 03:12
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 010c007 to d8ff401 Compare June 14, 2025 18:37
@socket-security

socket-security Bot commented Jun 14, 2025

Copy link
Copy Markdown

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 6e1b599 to 8ad27ba Compare September 12, 2025 04:05
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 8ad27ba to 47d5f5a Compare September 13, 2025 21:57
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 47d5f5a to 2014bb1 Compare October 15, 2025 22:38
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from 2014bb1 to 8a96b74 Compare December 12, 2025 03:19
@renovate renovate Bot changed the title Update dependency next to v14 [SECURITY] Update dependency next to v14 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-next-vulnerability branch March 27, 2026 02:03
@renovate renovate Bot changed the title Update dependency next to v14 [SECURITY] - autoclosed Update dependency next to v14 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from 8a96b74 to 1eb3354 Compare March 30, 2026 18:02
@renovate renovate Bot changed the title Update dependency next to v14 [SECURITY] Update dependency next to v14 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency next to v14 [SECURITY] - autoclosed Update dependency next to v14 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch 2 times, most recently from 1eb3354 to 5e65e3c Compare April 27, 2026 22:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants