Skip to content

fix(deps): update dependency next to v15.2.3 [security]#52

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-next-vulnerability
Mar 21, 2025
Merged

fix(deps): update dependency next to v15.2.3 [security]#52
renovate[bot] merged 1 commit intomainfrom
renovate/npm-next-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 21, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next (source) 15.2.2 -> 15.2.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js versions 11.1.4 thru 13.5.6, consult the below workaround.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)

Release Notes

vercel/next.js (next)

v15.2.3

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - "after 3am and before 6am on monday" in timezone Asia/Tokyo.

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from Okabe-Junya as a code owner March 21, 2025 17:27
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Mar 21, 2025
edited
Loading

Deploying roulette with  Cloudflare Pages  Cloudflare Pages

Latest commit: 3c8e379
Status: ✅  Deploy successful!
Preview URL: https://343d5c5d.roulette-4ia.pages.dev
Branch Preview URL: https://renovate-npm-next-vulnerabil.roulette-4ia.pages.dev

View logs

@renovate renovate bot enabled auto-merge March 21, 2025 17:27
@renovate renovate bot added this pull request to the merge queue Mar 21, 2025
Merged via the queue into main with commit 547a236 Mar 21, 2025
7 checks passed
@renovate renovate bot deleted the renovate/npm-next-vulnerability branch March 21, 2025 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@Okabe-Junya Okabe-Junya Awaiting requested review from Okabe-Junya Okabe-Junya is a code owner

Assignees

No one assigned

Labels

area/configurations renovate/patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants