fix(deps): update dependency next to v12.3.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	12.2.5 -> 12.3.5

GitHub Vulnerability Alerts

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

• The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
• The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

---

Release Notes

vercel/next.js (next)

v12.3.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.
This release contains a security patch for CVE-2025-29927.

Core Changes

• [backport] middleware subrequest patch (#​77424)

v12.3.4

Compare Source

v12.3.3

Compare Source

v12.3.2

Compare Source

v12.3.1

Compare Source

Core Changes

• Update react-server-dom-webpack: #​40356
• Fix flight manifest to include all chunks: #​40365
• docs: fix typos: #​40342
• Fix page url for edge routes in app dir: #​40361
• Subresource Integrity for App Directory: #​39729
• Stop build warning about experimental: { esmExternals: 'loose' }: #​40377
• Add template and error file types: #​39808
• Bump styled-jsx for showing displayName: #​40411
• fix(#​40388): next/dynamic should only add default loading without suspense: #​40397
• Add missing trace for full reload event: #​40393
• feat(ts): expose AppType: #​40391
• Update dev watcher to ignore more accurately: #​40412
• Add failing case for location throw: #​40445
• Drop legacy RSC handling in client for pages: #​40472
• fix: eslint no-script-component-in-head error url: #​40422
• chore: Update swc: #​40292
• feat(edge): allows configuring Dynamic code execution guard: #​39539
• Rename allowDynamic to unstable_allowDynamic: #​40496
• Don't execute prefetches for bot user agents: #​40435
• Update semver of eslint-plugin-react: #​40246
• Clean up startTransition in Link: #​40505
• docs(README): next.js logo with dark mode: #​40223
• Passing down original sourcemap for flight client loader: #​40508
• next/script: make onLoad concurrent rendering resilient: #​40191
• chore: Update swc: #​40520
• Add missing feature in next-swc: #​40550
• Mask Flight Parameters from Middleware: #​39939
• Unwrap promise with experimental_use: #​40575
• fix(next/router): Prevent query delete in routing when next.config basePath option is truthy: #​40566
• fix(image): handle image imports with high aspect ratio: #​40563
• fix: loosen webpack compilation with fallbackNodePolyfills: false: #​40612
• Adding experimentalAdjustFallback feature to font optimization: #​40185
• fix: handle notFound: true in / with next export: #​40592
• refactor: split up CONTRIBUTING.md: #​40515
• Implement SWC transformer for server and client graphs: #​40603
• Fix edge wasm handling during deploy: #​40625
• Client directive: #​40415
• Remove internal client next api detection: #​40646
• Attach module trace for RSC related errors: #​40652
• Use createFromFetch instead of createFromReadableStream to fetch Flight: #​40656
• Change Flight response content type to application/octet-stream: #​40665
• Send web vitals to Vercel analytics in app: #​40669
• Refactor fetchServerResponse: #​40674
• Port page and layout level API assertions to SWC transform: #​40653
• Ensure smooth scroll is disabled for navigation in new and existing router: #​40642
• Upgrade to latest React experimental: #​40672
• Refine error messages: #​40661
• Incldue styled-jsx in swc compiling: #​40679
• misc: update caniuse-lite to latest: #​40680
• Remove non existed exports and files: #​40685
• fix(image): preload should respect crossOrigin: #​40676
• Add handling for static generation in app: #​40561
• Avoid direct React client API imports in the server graph: #​40686
• Drop legacy RSC server and client extension: #​40692

Documentation Changes

• docs: fix middleware path: #​40340
• Fix mdx docs: #​40402
• Update Server Components documentation.: #​40452
• docs: move swcMinify: true out of "Experimental features" section: #​40394
• Clarify use of loading property: #​40488
• docs(errors/large-page-data): how to see data being passed to page: #​40491
• docs(basic-features/script): update script version history: #​40263
• Added "negative matcher" documentation: #​40282
• Fix a typo in docs: #​40501

Example Changes

• chore: fix examples: #​40395
• chore(examples): update turborepo examples link: #​40487
• update(examples): Emotion modules: #​40242
• Added comments to middleware-matcher example: #​40273
• Remove legacy mobx example: #​40304
• Update cms-makeswift example: #​40560
• Fixed typo: #​40608
• Revert "Fixed typo": #​40623
• chore: Migrate with-prefetching example to typescript: #​40671
• chore: Refactor active-class-name example: #​40670
• docs(examples): fix error connection handling: #​40633

Misc Changes

• Temporarily disable unstable app test: #​40408
• docs(middleware): fix broken link
• chore: use link: instead of file: in CONTRIBUTING.md: #​40510
• add Balázs as codeowner to /errors/ directory
• fix(cli): tune filter for extracting example .tar: #​40513
• Add additional tests for prefetch and trailingSlash: #​40517
• Wrap parallel routes tests in describe: #​40546
• fix(#​40025): run next/script beforeInteractive test in both dev & prod: #​40541

Credits

Huge thanks to @​huozhi, @​shuding, @​ijjk, @​jasham, @​Kikobeats, @​wyattjoh, @​rubytree33, @​timneutkens, @​balazsorban44, @​andrewrjohn, @​SukkaW, @​hanneslund, @​leerob, @​Djo1e, @​kdy1, @​msafi, @​tknickman, @​feugy, @​cramforce, @​ryparker, @​victorboucher, @​steven-tey, @​JDansercoer, @​janklimo, @​hiro0218, @​HaNdTriX, @​migueloller, @​flex-kyunghwa, @​saalimzafar, @​alxhotel, @​janicklas-ralph, @​feedthejim, and @​chornos13 for helping!

v12.3.0

Compare Source

Core Changes

• Refactor client entry plugin to separate methods.: #​39162
• Eliminate path polyfill and incremental-cache from base server: #​39548
• Remove precopied styled-jsx: #​39520
• Refactor handling of addPageEntry promise: #​39547
• Support multiple flush effects: #​39559
• Eliminate Amp in Edge runtime: #​39560
• Rename page -> entry in on-demand-entry-handler: #​39564
• Update .env HMR handling: #​39566
• Fix failing switchable runtime deploy test: #​39579
• Fix Edge SSR routes: #​39594
• Support tsconfig paths without baseurl: #​34926
• Enable @​typescript-eslint/no-use-before-define for functions: #​39602
• Remove minify: false for webpack5 bundle: #​39620
• Next Server code refactoring: #​39591
• Eliminate path and utils from base server: #​39622
• Remove webpack4 types: #​39631
• Enable additional TypeScript ESLint rules: #​39640
• fix(next/dynamic): handle template literal import path: #​39623
• Add comment on slash normalizing in server: #​39653
• Refactor base server: #​39649
• Add separate entry per layout/page.: #​39611
• fix(next-server): Fix priority for edge routes : #​39462
• Add todo for dependsOn: #​39677
• Improved server CSS handling: #​39664
• feat(next-swc): Update swc: #​39499
• fix next-app-loader on windows: #​39657
• fix(swc/emotion): Correct the SPACE_AROUND_COLON regex: #​39710
• fix(#​39609): warns about suspense and ssr: #​39676
• Use realpath when emitting traced package.json: #​39683
• fix(#​39706): add avif support for node serve static: #​39733
• fix(next): Do not display message when middleware is removed on dev mode: #​39604
• refactor(portal): remove useRef from portal component: #​39792
• refactor(use-intersection): remove useRef usage: #​39791
• allow Edge Functions to stream a compressed fetch response: #​39608
• fix meaninglessFileNames type in compiler options schema: #​39698
• build: upgrade edge-runtime: #​39749
• Update stalled ensure log to use debug instead: #​39826
• Skip building /500 in dev mode: #​39828
• Fix onError handling in next/future/image: #​39824
• Improve error message on next/future/image when objectFit or objectPosition: #​39614
• Refactor client CSS imports: #​39758
• Ensure moduleResolution is written correctly: #​39836
• Fix disposing active entries in dev compilers: #​39845
• fix(#​39807): ignore width/height from webpack with "fill": #​39849
• Add handling for auto installing TypeScript deps and HMRing tsconfig: #​39838
• Remove eslint warning when no eslint config is present: #​39872
• feat(next/swc): enable wasm first binding load for the platforms: #​38883
• Fix next/future/image blur-up placeholder : #​39785
• Fix runLintCheck during build: #​39883
• Skip auto-install for missing deps in CI: #​39882
• Remove un-necessary internal jest-worker error during ts/lint error: #​39886
• Bump @vercel/[email protected]: #​39906
• Handle edge runtime for app: #​39910
• build: upgrade edge-runtime: #​39898
• HMR for client CSS imports: #​39916
• fix(ts): use AppProps's generic for pageProps: #​38867
• Treat non page file as non route under app dir: #​39976
• Fix next/future/image incorrectly warning for fill + blur: #​39986
• Ensure prefetch heuristic matches with and without middleware: #​39920
• feat: add experimental.fallbackNodePolyfills flag: #​39248
• Fix incorrect build log for moduleResolution: #​39991
• fix(#​39993): avoid race condition for next/script onReady: #​40002
• Avoid bundling next/script in the server build by default: #​40013
• Handle async module for client components: #​39953
• Upgrade typescript to 4.8.2: #​39979
• Remove Unused SQLite file: #​40056
• Update next/future/image to use svg blur placeholder during next dev: #​39992
• Remove <noscript> from next/future/image: #​40075
• Fix filePath being wrongly stringified: #​40070
• Refactor Server Router: #​39902
• Update to detect GSSP with edge runtime during build: #​40076
• Fix handling with custom _error and pages/500: #​40110
• Fix edge rewrite handling: #​40115
• Error for ssg and ssr exports from client components in build time: #​40106
• feat(next): Support has match and locale option on middleware config: #​39257
• Change alt to required in next/future/image: #​40136
• Allow port 0 in next dev and next start: #​40118
• Update to stable: next/future/image, remotePatterns, unoptimized: #​40142
• fix(#​40066): preserve error status code from serveStatic: #​40128
• fix: detect ESLint config in package.json: #​40158
• ignore EEXIST errors when creating symlinks for output standalone: #​40150
• Bump @vercel/[email protected]: #​40164
• Bump styled-jsx: #​40165
• Match data fetch and busting cache key when path URI encodes: #​39568
• Updating the Next.js Logo: #​40181
• next/script: simplify logic and update tests: #​40026
• Bypass empty pages folder for layouts: #​40132
• chore: Update swc: #​39965
• Fix styled-jsx macro imports: #​40234
• Ensure path can be specified for clearPreviewData: #​40238
• fix: apply default export interop to next/config: #​40224
• Improved route resolution in next-app-loader: #​40109
• Add prefetch to new router: #​39866
• Update next/future/image to support only width or only height: #​40278
• Add experimental proxy timeout option: #​40289
• Fix static info parsing when export data fetching method as variable: #​40317
• fix(switchable-runtime): make dev server not break when wrong runtime config is exported: #​40312
• Revert "Refactor Server Router": #​40328
• fix(switchable-runtime): Make it possible to switch between edge and server runtime in dev: #​39327
• Revert "Revert "Refactor Server Router" (#​40328)" : #​40333
• refactor(next/swc): remove unnecessary field in RemoveConsole: #​40296
• [edge] fix URLSearchParams lacking data from rewrite: #​40260
• fix(lint): disable react/no-unknown-property: #​40331
• Update onLoadingComplete for next/future/image to receive reference to <img>: #​40326
• Remove warning for swcMinify being enabled: #​40359

Documentation Changes

• docs: Rename API middlewares title in sidebar: #​39534
• [docs] Avoid next config validation warning: #​39554
• Update strategies count to 4: #​39610
• Change the React Server Components CTA to the router/layout RFC: #​39724
• Add section to next/future/image docs about Known Browser Bugs: #​39759
• Update next.js.configs line number: #​39802
• Add note about using the /_error page directly to custom error page article: #​39671
• Typescript Documentation Improvement for Persistent Layouts: #​33659
• Add clarity in docs for using exportPathMap with getStaticPaths: #​39813
• Update links to point to more accurate docs: #​39818
• Update docs next/future/image with details about computed aspect ratio: #​39829
• Mention router.isPreview on Preview Mode page: #​39830
• doc: improve a word client side rendering: #​39771
• Docs: Updated note about using next/head in basic-features/font-optimization: #​39863
• [docs] Fixed 404 links to Layouts RFC blog post: #​39937
• Adds note about custom server requirements: #​39931
• fix hash-link: #​39929
• Mention largePageDataBytes in warning docs: #​39941
• Update Font Optimization docs: #​39950
• [docs] Update UTM params of some links: #​39951
• Revert "Adds note about custom server requirements": #​39956
• Update image.md: #​39984
• Update script.md: #​40017
• [docs] Add precision about pageExtensions: #​40016
• Update debugging.md (--dev -> --save-dev for npm): #​39998
• docs(testing): add JSDoc typing in jest.config.js: #​40090
• docs(image): Use hook inside of function component: #​40096
• docs(security-headers): interest-cohort has been replaced by browsing-topics: #​40113
• [docs] Functional syntax for _document example in Basic Features: Font Optimization: #​40140
• Fix typo in error/middleware-upgrade-guide.md: #​40176
• docs: documents middleware matcher: #​40180
• docs: update get-static-paths.md: #​40205
• Change image sizes docs to use em instead of px: #​40288
• Change sizes docs to use max-width in media query: #​40290
• docs: fix numbering in middleware docs: #​40276
• Update docs for remotePatterns image config: #​40350
• docs: fix typo: #​40354

Example Changes

• docs(examples): use vercel integration in cms-sanity: #​39323
• Typo : #​39596
• Update Convex Example: #​39562
• Update with-loading example: #​39646
• [Docs] Update with-slate example: #​39639
• Tweak Convex example: #​39739
• examples/with-redux-thunk , update README (#​39555): #​39712
• [Docs] Update mongodb example: #​39658
• Convert with-goober example to TS: #​39761
• [docs] Migrate dynamic routing example to typescript: #​39806
• Remove unnecessary type reference in Vitest example: #​39819
• Update cms-makeswift example: #​39834
• Migrate data-fetch example to typescript: #​39852
• [Docs] Update examples to favour functional _document: #​39871
• chore(with-docker): don't copy package.json twice: #​39896
• Prefer function _app component in examples: #​39967
• Migrate with-xstate to typescript: #​39974
• Use Font Optimization in examples: #​39977
• Add local setup info in the with-supabase-auth-realtime-db example's README: #​40030
• Remove semi in Convex example: #​40052
• Refactored the with-supertokens example to use typescript: #​39987
• Add config types to all examples: #​40083
• adding with-axiom example: #​38300
• Update Convex example to convex 0.1.9: #​40162
• Remove extra "d" in comment: #​40212
• fix(examples/with-styled-components-babel): list should have unique key: #​40215
• Migrate image-component example to typescript: #​40204
• ref(with-sentry example): Explicitly set hideSourceMaps: #​40079
• Update next-forms example: #​40284
• Migrate with-context-api example to typescript: #​40297
• Migrate with-react-jss to typescript: #​40308
• Update react-remove-properties example: #​40307
• Migrate using-preact example to typescript: #​40295
• added type to clientPromise in with-mongodb/lib: #​40339
• Remove babel from custom-server-typescript example: #​40309
• Merge with-mobx-state-tree with with-mobx-state-tree-typescript example: #​40306
• Fix image-component example types: #​40352

Misc Changes

• Fix preinstall failed in [email protected] on FreeBSD with npm@​8.17: #​39529
• Add edge ssr to pr stats: #​39621
• Update test failure logging : #​39655
• Update image tests files from *.js to *.ts: #​39663
• fix(create-app): support github url has trailing slash: #​39665
• Update contributing.md : #​39767
• Update ubuntu CI version due to deprecation: #​39817
• Leverage VERCEL_CLI_VERSION env for deploy tests: #​39823
• Update flakey relay analytics test: #​39877
• Added tests for next/router in app directory: #​39867
• Fix failing e2e getServerSideProps test: #​39885
• Add path to export-page: #​39893
• Fix rsc basic e2e test on deploy: #​39905
• test: merge edge ssr tests: #​39924
• chore: check against npm version in issue validator: #​38915
• Increase test concurrency: #​39922
• Fix passing VERCEL_CLI_VERSION env for deploy tests: #​39946
• test: pin typescript version to 4.7: #​39978
• (next/mdx) set providerImportSource to react by default: #​39954
• Add test for server CSS imports: #​40019
• Update docker image for stats action: #​40032
• Update flakey tsconfig test: #​40105
• fix: scripts comment typos: #​40207
• fix(cli): do not throw error when extracting examples in Node 18+: #​40182
• Update to use specific swc version for PR stats: #​40237
• fix(cli): delete temp file after extraction: #​40259
• Fix test hydration check in Safari 10.1: #​40285
• chore: turn off debug mode on issue validator: #​40301
• Update README.md

Credits

Huge thanks to @​stipsan, @​ijjk, @​timneutkens, @​bennettdams, @​shuding, @​cherniavskii, @​huozhi, @​Brooooooklyn, @​thatbeautifuldream, @​Janpot, @​MoosaSaadat, @​alexcole, @​HaNdTriX, @​magic-akari, @​balazsorban44, @​styfle, @​SukkaW, @​kdy1, @​sokra, @​delbaoliveira, @​puneetkathar1, @​nkzawa, @​Schniz, @​greebl3, @​kasperaamodt, @​chaseignited, @​masad-frost, @​Kikobeats, @​davewelsh, @​MaedahBatool, @​adrianbienias, @​michaeloliverx, @​arthurdenner, @​sumiren, @​migueloller, @​hanneslund, @​wyattjoh, @​kwonoj, @​boredland, @​simongavelin, @​esbenam, @​theMosaad, @​jleclanche, @​leerob, @​AdilAmanat, @​souporserious, @​ykdojo, @​sanjaiyan-dev, @​yoannmoinet, @​thomasballinger, @​titusdmoore, @​jferrettiboke, @​Dueen, @​dunglas, @​KenAKAFrosty, @​wbinnssmith, @​schehata, @​remorses, @​visnup, @​Nutlope, @​yhay81, @​hiro0218, @​avigoldman, @​feugy, @​jeferson-sb, @​lobsterkatie, @​atcastle, @​bcheidemann, @​Will956, @​orionmiz, @​S0UPernova, @​cvbuelow, and @​leonzalion for helping!

v12.2.6

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.