[Snyk] Security upgrade next from 13.5.3 to 14.2.32#1194
…ckages/sdks/nextjs-sdk/examples/pages-router/package-lock.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NEXT-12299318
- https://snyk.io/vuln/SNYK-JS-NEXT-12301496
- https://snyk.io/vuln/SNYK-JS-NEXT-12265451
Pull Request Overview
This PR upgrades the Next.js dependency from version 13.5.3 to 14.2.32 to fix three security vulnerabilities: Server-side Request Forgery (SSRF), Use of Cache Containing Sensitive Information, and Missing Source Correlation of Multiple Independent Data.
- Upgrades Next.js dependency to address security vulnerabilities
- Updates package.json and package-lock.json for the pages-router example
- Includes a major version upgrade with potential breaking changes
Files not reviewed (1)
- packages/sdks/nextjs-sdk/examples/pages-router/package-lock.json: Language not supported
Wiz Scan Summary: displaying only findings that violated a policy.
Financial
More Details
| Attribute | Value |
|---|---|
| Data Classifier | Financial/Financial Metrics |
| Data Classifier ID | BUILTIN-413 |
Sampled Examples
| Key | Value |
|---|---|
| budgets.maximumError | *** |
| budgets.maximumError | *** |
| budgets.maximumWarning | *** |
| budgets.maximumWarning | *** |
| budgets.type | *** |
Rule ID: BUILTIN-413
```yaml
# Excerpt of the workflow flagged by CodeQL: its single `release` job, shown with
# the indentation restored (the workflow header is not part of this excerpt).
jobs:
  release:
    name: Release Next
    runs-on: ubuntu-latest
    steps:
      - name: Get token
        id: get_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          private_key: ${{ secrets.RELEASE_APP_PEM }}
          app_id: ${{ secrets.RELEASE_APP_ID }}
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          # persist-credentials: false
          token: ${{ steps.get_token.outputs.token }}
          ref: ${{ github.ref }}
      - name: Run git config
        run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
      - name: Use Latest Corepack
        run: |
          echo "Before: corepack version => $(corepack --version || echo 'not installed')"
          npm install -g corepack@latest
          echo "After : corepack version => $(corepack --version)"
          corepack enable
          pnpm --version
      - name: Setup Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          cache: 'pnpm'
          node-version-file: package.json
          registry-url: https://registry.npmjs.org/
      - name: Install dependencies
        run: pnpm install --frozen-lockfile --ignore-scripts
        env:
          CI: true
      - name: Set Next Version
        run: |
          SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
          CURRENT_DATE=$(date +'%Y%m%d')
          echo "NEXT_VERSION=0.0.0-next-${SHORT_SHA}-${CURRENT_DATE}" >> $GITHUB_ENV
      - name: Build
        run: pnpm run build:ci
      - name: Bump version
        run: pnpm print-affected:ci | xargs -I {} pnpm --filter={} exec npm version "${NEXT_VERSION}" --git-tag-version=false
      - name: Publish
        run: pnpm -r publish --access=public --no-git-checks --tag=next
        env:
          CI: true
          NODE_AUTH_TOKEN: ${{ secrets.CI_NPM_REGISTRY }}
```
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 months ago)
To resolve this issue, you should add a permissions: block to the workflow file, explicitly restricting the default permissions of GITHUB_TOKEN. This can be done at the root level (to apply to all jobs), or within the release job specifically. Since only one job is present (release), setting it at the root is simplest and most future-proof. The minimal recommended permission is contents: read. If you later identify the need for additional permissions (e.g., on pull requests or packages), you can add them.
Steps:
- Add the following beneath the `name: Release next` at the top of the workflow:

```yaml
permissions:
  contents: read
```

- No changes to imports or other code are required.
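An added check, not part of this PR or of the CodeQL autofix, that mirrors the finding above: it scans a workflow for a root-level or per-job `permissions:` key and reports the jobs that would otherwise run with the default GITHUB_TOKEN grants. The sample workflows are constructed, and the 2-space-indentation scan is an assumption used in place of a YAML parser.

```python
# Constructed samples (not the repository's file): the release workflow's shape before
# the autofix (no permissions block) and after it (root-level `contents: read`).
WORKFLOW_BEFORE = """\
name: Release next

on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]

jobs:
  release:
    name: Release Next
    runs-on: ubuntu-latest
    steps:
      - run: pnpm -r publish --tag=next
"""

WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "name: Release next\n", "name: Release next\npermissions:\n  contents: read\n", 1
)


def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs that would run with the default GITHUB_TOKEN grants.
    Assumes 2-space indentation: a root `permissions:` covers every job, otherwise
    each job needs its own `permissions:` key (as the CodeQL autofix describes)."""
    root_has_permissions = False
    in_jobs = False
    current_job = None
    job_has_permissions: dict[str, bool] = {}
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no keys
        indent = len(line) - len(line.lstrip(" "))
        key = line.strip().split(":", 1)[0]
        if indent == 0:
            in_jobs = key == "jobs"
            current_job = None
            root_has_permissions |= key == "permissions"
        elif in_jobs and indent == 2 and line.rstrip().endswith(":"):
            current_job = key  # a new job id under `jobs:`
            job_has_permissions[current_job] = False
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            job_has_permissions[current_job] = True
    if root_has_permissions:
        return []
    return [job for job, ok in job_has_permissions.items() if not ok]
```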
| @@ -1,4 +1,6 @@ | ||
| name: Release next | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_run: |
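Review bot: `contents: read` at the root is sufficient for this workflow, because the visible `release` job never writes with GITHUB_TOKEN: checkout uses the App token from the `get_token` step and publishing uses `NODE_AUTH_TOKEN` from `secrets.CI_NPM_REGISTRY`, so the autofix should not break the release. While touching the file, confirm that `# persist-credentials: false` in the checkout step is intentionally commented out; with `token:` set, the App token is otherwise left in the checkout's git config for every later step.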
Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- packages/sdks/nextjs-sdk/examples/pages-router/package.json
- packages/sdks/nextjs-sdk/examples/pages-router/package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-NEXT-12299318
- SNYK-JS-NEXT-12301496
- SNYK-JS-NEXT-12265451

Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.