Enforce nextjs peerDependency to 12.3.5, 13.5.9, 14.2.25 and 15.2.3 #1989
+1
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Marked as draft for now, to wait for v12. But if this isnt available soon, we can consider merging this, and fix v12 in a follow up. |
arpit-jn
reviewed
Mar 23, 2025
package.json
Outdated
| @@ -131,7 +131,7 @@ | |||
| "url-join": "^4.0.1" | |||
| }, | |||
| "peerDependencies": { | |||
| "next": ">=10" | |||
| "next": "^10.0.0 || ^11.0.0 || ^12.0.0 || ^13.5.9 || ^14.2.25 || ^15.2.3" | |||
There was a problem hiding this comment.
As versions between 11.1.4 and 13.5.6 are also affected, will ^11.0.0 and ^12.0.0 not pick affected versions? Removing support could be breaking change but will keeping them still make us vulnerable ?
There was a problem hiding this comment.
^ only matches minor and patch versions, meaning ^12.0.0 is saying anything in the range 12.x.x, so not 13.
|
Fix for v12 is merged and released in v12.3.2: vercel/next.js#77424 |
frederikprijck
changed the title
frederikprijck
changed the title
arpit-jn
approved these changes
Mar 24, 2025
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
📋 Changes
With this PR, I am proposing to update the peerDependencies to ensure users use a version of NextJS that isn't vulnerable to GHSA-f82v-jwr5-mffw when using v3 of our SDK.
Looking at the advisory and the nextjs blog, we can see the issue is fixed in nextjs 12.3.5, 13.5.9, 14.2.25 and 15.2.3.
This would technically be a breaking change, but as this SDK relies on authorization in middleware, I think we should release this as a minor version bump.
A more in-depth write-up of the issue is available here.
📎 References
GHSA-f82v-jwr5-mffw
https://nextjs.org/blog/cve-2025-29927
https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass
🎯 Testing
N/A