mirror of
https://github.com/tailwindlabs/tailwindcss.git
synced 2025-12-08 21:36:08 +00:00
<hr>

🚨 <b>Your current dependencies have known security vulnerabilities</b> 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!

<hr>

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

### What changed?

#### ✳️ eslint-config-next (15.4.4 → 15.4.7)

Sorry, we couldn't find anything useful about this release.

#### ✳️ next (15.4.4 → 15.4.7) · [Repo](https://github.com/vercel/next.js)

<details>
<summary>Security Advisories 🚨</summary>

<h4><a href="https://bounce.depfu.com/github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v">🚨 Next.js Content Injection Vulnerability for Image Optimization</a></h4>
<blockquote>
<p dir="auto">A vulnerability in <strong>Next.js Image Optimization</strong> has been fixed in <strong>v15.4.5</strong> and <strong>v14.2.31</strong>. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.</p>
<p dir="auto">All users relying on <code class="notranslate">images.domains</code> or <code class="notranslate">images.remotePatterns</code> are encouraged to upgrade and verify that external image sources are strictly validated.</p>
<p dir="auto">More details at <a href="https://vercel.com/changelog/cve-2025-55173">Vercel Changelog</a></p>
</blockquote>

<h4><a href="https://bounce.depfu.com/github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v">🚨 Next.js Affected by Cache Key Confusion for Image Optimization API Routes</a></h4>
<blockquote>
<p dir="auto">A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31.
When images returned from API routes vary based on request headers (such as <code class="notranslate">Cookie</code> or <code class="notranslate">Authorization</code>), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.</p>
<p dir="auto">All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.</p>
<p dir="auto">More details at <a href="https://vercel.com/changelog/cve-2025-57752">Vercel Changelog</a></p>
</blockquote>

<h4><a href="https://bounce.depfu.com/github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f">🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF</a></h4>
<blockquote>
<p dir="auto">A vulnerability in <strong>Next.js Middleware</strong> has been fixed in <strong>v14.2.32</strong> and <strong>v15.4.7</strong>. The issue occurred when request headers were directly passed into <code class="notranslate">NextResponse.next()</code>.
In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.</p>
<p dir="auto">All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the <code class="notranslate">next()</code> function.</p>
<p dir="auto">More details at <a href="https://vercel.com/changelog/cve-2025-57822">Vercel Changelog</a></p>
</blockquote>

</details>

<details>
<summary>Release Notes</summary>

<h4><a href="https://github.com/vercel/next.js/releases/tag/v15.4.7">15.4.7</a></h4>
<blockquote>
<div class="markdown-alert markdown-alert-note" dir="auto">
<p class="markdown-alert-title" dir="auto">Note</p>
<p dir="auto">This release is backporting bug fixes.
It does <strong>not</strong> include all pending features/changes on canary.</p>
</div>
<h3 dir="auto">Core Changes</h3>
<ul dir="auto">
<li>fix router handling when setting a location response header <a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82588">#82588</a></li>
</ul>
<h3 dir="auto">Credits</h3>
<p dir="auto">Huge thanks to <a href="https://bounce.depfu.com/github.com/ztanner">@ztanner</a> for helping!</p>
</blockquote>

<h4><a href="https://github.com/vercel/next.js/releases/tag/v15.4.6">15.4.6</a></h4>
<blockquote>
<div class="markdown-alert markdown-alert-note" dir="auto">
<p class="markdown-alert-title" dir="auto">Note</p>
<p dir="auto">This release is backporting bug fixes.
It does <strong>not</strong> include all pending features/changes on canary.</p>
</div>
<h3 dir="auto">Core Changes</h3>
<ul dir="auto">
<li>fix: <code class="notranslate">_error</code> page's <code class="notranslate">req.url</code> can be overwritten to dynamic param on minimal mode (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82347">#82347</a>)</li>
<li>fix: add <code class="notranslate">?dpl</code> to fonts in <code class="notranslate">/_next/static/media</code> (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82384">#82384</a>)</li>
</ul>
<h3 dir="auto">Credits</h3>
<p dir="auto">Huge thanks to <a href="https://bounce.depfu.com/github.com/devjiwonchoi">@devjiwonchoi</a>, <a href="https://bounce.depfu.com/github.com/ijjk">@ijjk</a>, and <a href="https://bounce.depfu.com/github.com/styfle">@styfle</a> for helping!</p>
</blockquote>

<h4><a href="https://github.com/vercel/next.js/releases/tag/v15.4.5">15.4.5</a></h4>
<blockquote>
<div class="markdown-alert markdown-alert-note" dir="auto">
<p class="markdown-alert-title" dir="auto">Note</p>
<p dir="auto">This release is backporting bug fixes.
It does <strong>not</strong> include all pending features/changes on canary.</p>
</div>
<h3 dir="auto">Core Changes</h3>
<ul dir="auto">
<li>Fix API stripping JSON incorrectly (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82062">#82062</a>)</li>
<li>Fix i18n fallback: false collision (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82158">#82158</a>)</li>
<li>Revert "Fix tracing of server actions imported by client components (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82167">#82167</a>)</li>
<li>Ensure setAssetPrefix updates config instance (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82165">#82165</a>)</li>
<li>Turbopack: update mimalloc (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82166">#82166</a>)</li>
<li>fix(next/image): fix image-optimizer.ts headers (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82175">#82175</a>)</li>
<li>fix(next/image): improve and simplify detect-content-type (<a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/82174">#82174</a>)</li>
</ul>
<h3 dir="auto">Credits</h3>
<p dir="auto">Huge thanks to <a href="https://bounce.depfu.com/github.com/ijjk">@ijjk</a>, <a href="https://bounce.depfu.com/github.com/sokra">@sokra</a>, and <a href="https://bounce.depfu.com/github.com/styfle">@styfle</a> for helping!</p>
</blockquote>

<p><em>Does any of this look wrong? <a href="https://depfu.com/packages/npm/next/feedback">Please let us know.</a></em></p>

</details>

<details>
<summary>Commits</summary>

<p><a href="fe5db65859...f30d815859">See the full diff on Github</a>.
The new version differs by 14 commits:</p>
<ul>
<li><a href="f30d815859"><code>v15.4.7</code></a></li>
<li><a href="1a026e338d"><code>fix router handling when setting a location response header (#82588)</code></a></li>
<li><a href="be4aafd4b7"><code>v15.4.6</code></a></li>
<li><a href="91e5b6b84f"><code>Backport "fix: add `?dpl` to fonts in `/_next/static/media` (#82384)" (#82421)</code></a></li>
<li><a href="f1629d9395"><code>Backport "[Pages] fix: `_error` page's `req.url` can be overwritten t… (#82377)</code></a></li>
<li><a href="b9aab5dbe9"><code>v15.4.5</code></a></li>
<li><a href="a8c93c49dd"><code>Disable test new tests jobs</code></a></li>
<li><a href="ed2a6c7548"><code>[backport]: fix(next/image): improve and simplify detect-content-type (#82118) (#82174)</code></a></li>
<li><a href="f00fcc9011"><code>[backport]: fix(next/image): fix image-optimizer.ts headers (#82114) (#82175)</code></a></li>
<li><a href="55a7568e9d"><code>Backport: Turbopack: update mimalloc (#81993) (#82166)</code></a></li>
<li><a href="5bc4b368e5"><code>[backport] Ensure setAssetPrefix updates config instance (#82165)</code></a></li>
<li><a href="717dfb6ec9"><code>[Backport] Revert "Fix tracing of server actions imported by client components (#78968) (#82167)</code></a></li>
<li><a href="6372ba03e8"><code>[backport] Fix i18n fallback: false collision (#82158)</code></a></li>
<li><a href="1e2c3792f8"><code>Fix API stripping JSON incorrectly (#82062)</code></a></li>
</ul>

</details>

---

[Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.
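The cache key confusion advisory above (GHSA-g5qg-72qw-gw5v) describes a bug class that is easy to reproduce in miniature: a cache that keys image responses on the URL alone will hand one user's cookie-dependent image to the next user, while a cache that records the request headers named by the response's `Vary` header (the rule HTTP caches follow) keeps the two apart. The example below is added here for illustration; it is not Next.js code and not part of this PR. The origin route, the URL, the `session=` cookie format and the two users are constructed, and the two cache classes are a deliberately minimal model rather than the optimizer's real implementation.

```javascript
// Added example, not Next.js code and not part of this PR: it models the
// cache key confusion class from the advisory above. An image optimizer that
// caches by URL alone serves one user's cookie-dependent image to another;
// a cache that records the request headers named by the response's Vary
// header (the RFC 9111 rule) does not. The origin, URL and users below are
// constructed for illustration.

// Lower-case header names so that "Cookie" and "cookie" compare equal.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Constructed origin: an API route whose image depends on the Cookie header,
// declared with "Vary: Cookie" as a correct origin should.
function originImageRoute(request) {
  const h = normalizeHeaders(request.headers);
  const user = h.cookie ? h.cookie.replace(/^session=/, '') : 'anonymous';
  return { body: `avatar-for-${user}`, headers: { Vary: 'Cookie' } };
}

// The bug class: cache keyed on the URL only, ignoring Vary.
class UrlKeyedCache {
  constructor() { this.store = new Map(); }
  fetch(request, origin) {
    const hit = this.store.get(request.url);
    if (hit) return { body: hit.body, fromCache: true };
    const res = origin(request);
    this.store.set(request.url, res);
    return { body: res.body, fromCache: false };
  }
}

// The fix: each stored entry remembers the values of the request headers
// named by Vary, and is reused only when a new request carries the same values.
class VaryAwareCache {
  constructor() { this.store = new Map(); } // url -> array of entries

  static varyNames(res) {
    const vary = normalizeHeaders(res.headers).vary || '';
    return vary.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  }

  fetch(request, origin) {
    const reqHeaders = normalizeHeaders(request.headers);
    const entries = this.store.get(request.url) || [];
    const hit = entries.find((e) =>
      e.varyNames.every((name) => e.varyValues[name] === reqHeaders[name]));
    if (hit) return { body: hit.body, fromCache: true };

    const res = origin(request);
    const varyNames = VaryAwareCache.varyNames(res);
    // "Vary: *" means the response is never reusable for another request.
    if (varyNames.includes('*')) return { body: res.body, fromCache: false };
    const varyValues = {};
    for (const name of varyNames) varyValues[name] = reqHeaders[name];
    entries.push({ body: res.body, varyNames, varyValues });
    this.store.set(request.url, entries);
    return { body: res.body, fromCache: false };
  }
}

// Two users request the same optimized-image URL; then the first user again.
function simulate(cache) {
  const url = '/images/avatar?w=64'; // constructed path
  const alice = { url, headers: { Cookie: 'session=alice' } };
  const bob = { url, headers: { Cookie: 'session=bob' } };
  cache.fetch(alice, originImageRoute);
  const bobResult = cache.fetch(bob, originImageRoute);
  const aliceAgain = cache.fetch(alice, originImageRoute);
  return { bob: bobResult, aliceAgain };
}

console.log('url-keyed :', simulate(new UrlKeyedCache()));
console.log('vary-aware:', simulate(new VaryAwareCache()));
```

With `UrlKeyedCache`, Bob's request is a cache hit and returns `avatar-for-alice`; with `VaryAwareCache`, Bob gets his own image from the origin while Alice's second request still hits her own entry. The same check applies to `Authorization` or any other header the advisory mentions: if the origin does not send `Vary` for a header the image depends on, no cache can key on it correctly, which is why the advisory's advice is to upgrade and treat header-dependent images with image optimization enabled as the risky combination.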
<details>
<summary>All Depfu comment commands</summary>
<blockquote>
<dl>
<dt>@depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd>
<dt>@depfu recreate</dt><dd>Recreates this PR, overwriting any edits that you've made to it</dd>
<dt>@depfu merge</dt><dd>Merges this PR once your tests are passing and conflicts are resolved</dd>
<dt>@depfu cancel merge</dt><dd>Cancels automatic merging of this PR</dd>
<dt>@depfu close</dt><dd>Closes this PR and deletes the branch</dd>
<dt>@depfu reopen</dt><dd>Restores the branch and reopens this PR (if it's closed)</dd>
<dt>@depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd>
<dt>@depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd>
<dt>@depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd>
</dl>
</blockquote>
</details>

Co-authored-by: depfu[bot] <23717796+depfu[bot]@users.noreply.github.com>