github vercel/next.js v12.0.5


This upgrade is completely backward-compatible and recommended for all users on versions below 12.0.5. A backport of the patch to Next.js 11 is available as 11.1.3.

When next-server receives a URL that cannot be parsed, an unhandledPromiseRejection could occur. On Node.js versions < v15.0.0 this is not fatal, as only a warning is printed. On Node.js versions > v15.0.0, however, an unhandled rejection terminates the server process, which can result in unexpected server crashes.

How to Upgrade

  • We have released patch versions for both the stable and canary channels of Next.js.
  • To upgrade, run npm install next@latest --save

Impact

  • Affected: All of the following must be true to be affected
    • Next.js versions above v11.1.0 and below v12.0.5
    • Node.js above v15.0.0 being used
    • Using next start or a custom server
  • Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

We recommend that everyone upgrade, regardless of whether you can reproduce the issue.

How to Assess Impact

If you are running Node.js > v15.0.0 with Next.js, you can filter any server error logs for ERR_INVALID_URL.

What is Being Done

As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to GitHub user hopeless-programmer-online for their investigation and discovery of the original bug.

We've landed a patch that handles this case properly, so the unhandledPromiseRejection no longer occurs.

Regression tests for this attack were added to the security integration test suite.

  • A public CVE has been requested.
  • We encourage responsible disclosure of future reports. Please email us at security@vercel.com. We are actively monitoring this mailbox.
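The failure mode and the fix described above, as an added example in plain Node.js (not code from the Next.js repository): an unparseable request URL thrown inside an async handler becomes a rejected promise, the hardened handler answers 400 instead, and a small filter applies the advisory's ERR_INVALID_URL log check. The request shape `{ url, headers: { host } }` and the sample log lines are constructed for the example.

```javascript
// Added example, not code from the Next.js repository. It shows, in plain Node.js,
// how an unparseable request URL becomes an unhandledPromiseRejection, the
// hardened handler that answers 400 instead, and the log check from the advisory.

// Classify one raw request-target. Node's WHATWG URL parser (global URL) throws a
// TypeError whose .code is 'ERR_INVALID_URL' for input it cannot parse.
function routeRequest(rawUrl, host = 'localhost') {
  try {
    const parsed = new URL(rawUrl, `http://${host}`);
    return { status: 200, pathname: parsed.pathname };
  } catch (err) {
    if (err && err.code === 'ERR_INVALID_URL') {
      return { status: 400, body: 'Invalid URL' };
    }
    throw err; // anything else is a genuine bug and should surface
  }
}

// Vulnerable shape: the parse runs inside an async function with no catch, so the
// TypeError becomes a rejected promise. If nothing awaits or catches it, Node < 15
// only prints a warning while Node >= 15 terminates the process.
async function handleUnsafe(req) {
  const parsed = new URL(req.url, `http://${req.headers.host}`);
  return { status: 200, pathname: parsed.pathname };
}

// Hardened shape: the same handler routed through routeRequest(); the rejection
// path is gone and the client receives a 400 instead of the server crashing.
async function handleSafe(req) {
  return routeRequest(req.url, req.headers.host);
}

// Detection: the advisory says to filter server error logs for ERR_INVALID_URL.
function findInvalidUrlErrors(logText) {
  return logText.split('\n').filter((line) => line.includes('ERR_INVALID_URL'));
}

// Constructed sample log (not captured from a real deployment), shaped like the
// TypeError Node prints when an invalid URL rejection goes unhandled.
const sampleLog = [
  'ready - started server on 0.0.0.0:3000',
  'TypeError [ERR_INVALID_URL]: Invalid URL',
  '    at new NodeError (node:internal/errors)',
  "  input: 'http://[::1',",
  "  code: 'ERR_INVALID_URL'",
  'event - compiled successfully',
].join('\n');
```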

Core Changes

  • Add a swc transform for removal of console.* calls.: #31449
  • Support ESLint v8: #29865
  • fix: allow next lint without eslint-config-next installed: #29823
  • Remove TextEncoder and TextDecoder wrappers: #31490
  • simplify output messages: #31454
  • update webpack: #31455
  • NextResponse: add .json static method: #31483
  • Use _error for development in streaming: #31466
  • Refactor the middleware SSR loader: #31508
  • Add detection for Google-PageRenderer bot: #31521
  • Click-to-open error state for development overlay #14461: #21819
  • Ensure only one doctype is rendered: #31534
  • Update swc: #31540
  • Add/wasm build: #31470
  • telemetry: track usage of 'optimizeFonts': #31522
  • Make missing Document components an error: #31505
  • Adjust AVIF size so that it's smaller than WebP size: #31494
  • Fix unhandled rejection on route change in dev: #31554
  • Re-add native package folders and ensure wasm artifacts are downloaded: #31561
  • Fix HMR for middleware #30791: #31548
  • Minor simplifications to renderToWebStream: #31553
  • Fix accessing router before ready for HMR ping: #31588
  • Implement SWC port of next-page-disallow-re-export-all-exports: #31582
  • [ESLint] Prevent no-html-link-for-pages from warning for static files: #31495
  • Move root div to an app wrapper: #31596
  • Add types for geo lat and long: #31624
  • Fix non-concurrent function _document: #31628
  • Remove outdated comment about string children being deprecated in next/link: #30606
  • fix(middleware): consider localhost variations: #31603
  • Update swc: #31639
  • Extract next-swc Rust code into its own package: #31635
  • Fix dev router usage before router initializing: #31632
  • avoid mutating response.cookie options: #31679
  • Add cookies and headers for request using in RSC: #31623
  • Remove trace_target env var in favor of .next/trace: #31697
  • Add error link when hydration error occurs: #31519
  • Fix initial compile timing incorrect measurement: #31733
  • Lazily init getStaticPathsWorker: #31760
  • Remove noop import: #31722
  • update webpack: #31759
  • Fix wasm loading: #31772
  • Remove some watcher hacks and update version: #31768
  • Improve and refactor some types: #31704
  • read file in swc when no loaders follow the next-swc-loader: #31682
  • Lazy-load postcss: #31762
  • update webpack: #31798
  • Ensure middleware order is preserved: #31801
  • Refactor sandbox module cache: #31822
  • Fix hydration middleware effects: #31800
  • fix: support function components in _document in no-page-custom-font: #31560
  • Add support for removing React properties.: #31606
  • Include submodules in exported type definition: #28316
  • Move require.resolve into the module scope: #31799
  • fix amp validator message format: #31018
  • Fix auto export condition in edge SSR: #31845
  • bugfix: href value is not defined when typing out the href: #31813
  • Do not load external binding if local was found: #31853
  • fix: rsc headers: #31854
  • Add port and hostname options to Next Server: #31858
  • Fix: Cannot assign to read only property 'children': #31784
  • Fix disabling of built-in CSS support if there is a custom loader: #31078
  • include no-document-import-in-page rule in plugin index: #31890
  • Account for platform/arch not supported by napi-rs: #31938
  • Removing prop writable checking in prod: #31929
  • Enable default functional document when concurrentFeatures is enabled: #31954
  • Stop using environment variables in pages/_document: #31946
  • Fix image related link prop warning with react 18 beta: #31895
  • Escape string when converting to regexp: #31791
  • Add TS types for NextMiddleware: #30578
  • fix(types): add missing ua type for NextRequest: #31901
  • Ensure that external modules are not bundled into the client for RSC: #31968
  • Resolve streaming data for flight requests: #32010
  • Allow pre-release React 18 as peer: #31991
  • fix(Link): Do not ignore onMouseEnter prop with absolute href: #32012
  • add experimental.swcFileReading flag to disable file reading in swc: #31995
  • Fix middleware types with skipLibCheck: false: #32025
  • Include page for export errors for easier debugging: #32013
  • avoid retaining webpack config too long: #32053
  • Skip warnings for Image not rendered to the dom: #32049
  • Improve exported root definitions: #32077
  • Fix running server with Polyfilled fetch: #31935
  • Ensure invalid URLs respond with 400 correctly: #32092
  • Remove future.strictPostcssConfiguration config: #32098
  • Revert "Fix running server with Polyfilled fetch (#31935)": #32100

Documentation Changes

  • Update react-18.md: #31476
  • Add docs for the Rust Compiler (SWC).: #31467
  • Script examples: #31181
  • Fix type declaration for API Routes response: #31486
  • Update environment-variables.md: #31525
  • Add middleware examples to custom page extensions: #31545
  • Added guide for setting up Next.js with MDX: #30869
  • Fix typo in MDX guide: #31709
  • Added note on env vars: #31237
  • docs(next-config): extend phase lines reference: #31711
  • [Docs][Fix] Broken Link to API Reference: #31820
  • Docs(router): Add type for url parameter: #31737
  • SWC: Add error checks and tests to next-dynamic: #31683
  • Docs(React 18): add missing Suspense import: #31897
  • Docs(React 18): remove unnecessary React import: #31900
  • IMPROVE: Middleware Set Cookie API Ref: #31707
  • Update next export documentation.: #31465
  • Update Jest examples and docs: #31633
  • Add note to docs about sharp memory usage on default Linux setup: #31919
  • docs(Testing): Remove duplicate link: #32071

Example Changes

  • Replace old static path by public | typo: #31573
  • Update README of cms-cosmic example: #31701
  • 'imgix.cosmicjs.com' image domain in cms-cosmic example: #31703
  • Fix pwa demo: #31734
  • docs(examples): add secure flag explanation to with-iron-session: #31896
  • [WIP] Add tracing to with-sentry example: #30401
  • Fix with-mongo example by removing deprecated function: #30675
  • grammatical error in alert.js: #32062

Misc Changes

  • Revert "Add docs for the Rust Compiler (SWC).": #31484
  • Ensure wasm package.json is written before publish: #31568
  • Update labeler.json
  • Update labeler.json
  • Update send-to-jaeger URL output: #31563
  • Fixing typo in Documentation about Testing: #31653
  • Add docs for the Next.js Compiler written in Rust (leveraging SWC): #31485
  • Fix prettier linting
  • Fix labels for release sections
  • Fix musl build
  • Enable require for swc_bundler: #31663
  • add test case: #31691
  • Update swc: #31816
  • docs(middleware): file extension consistency: #31879
  • Remove unpurpose test: #31898
  • Remove unnecessary workflow step: #31943
  • Update swc: #31963
  • docs(NextRequest): req.cookie => req.cookies: #31975
  • Add next-swc to labeler
  • Add Rich, Maedah, and Ismael to the docs label
  • Updated Maedah's name in label gen config: #32005
  • Fix copying swc binary for isolated tests locally: #32026
  • Lock node version for CI: #32057
  • Make CI build cache key more specific: #32059
  • Remove "yarn jest" from Next.js repo scripts: #32042
  • Fix the testall npm script: #32081

Credits

Huge thanks to @mzaien, @losfair, @ykzts, @leerob, @timneutkens, @stefanprobst, @javivelasco, @sokra, @goncy, @knezevicdev, @Kikobeats, @huozhi, @shuding, @styfle, @yang-feng-yfeng, @kdy1, @xuchaobei, @elkevinwolf, @padmaia, @kyliau, @devknoll, @fabienheureux, @hanneslund, @nilskaspersson, @Andarist, @mathcrln, @ijjk, @dferber90, @molebox, @FranciscoMoretti, @benschwarz, @wendellhu95, @gazdagergo, @imabp, @ljosberinn, @samuliasmala, @lfades, @ka2jun8, @monsonjeremy, @pqt, @vvo, @leoortizz, @michel-kraemer, @thibautsabot, @MaedahBatool, @lobsterkatie, @ntkoopman, @delbaoliveira, @iicdii, @j-mendez, @chentsulin, @ericmatthys, @lennym, @balogunkeji, and @wnr for helping!
