mirror of
https://github.com/tailwindlabs/tailwindcss.git
synced 2025-12-08 21:36:08 +00:00
<hr>

🚨 <b>Your current dependencies have known security vulnerabilities</b> 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

<hr>

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

### What changed?

#### ✳️ eslint-config-next (15.1.0 → 15.1.3)

Sorry, we couldn't find anything useful about this release.

#### ✳️ next (15.1.0 → 15.1.3) · [Repo](https://github.com/vercel/next.js)

<details>
<summary>Security Advisories 🚨</summary>
<h4><a href="https://bounce.depfu.com/github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9">🚨 Next.js Allows a Denial of Service (DoS) with Server Actions</a></h4>
<blockquote>
<h3 dir="auto">Impact</h3>
<p dir="auto">A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.</p>
<p dir="auto"><em>Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.</em></p>
<p dir="auto">Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.</p>
<p dir="auto">This is the same issue as if the incoming HTTP request has an invalid <code class="notranslate">Content-Length</code> header or never closes. If the host has no other mitigations to those then this vulnerability is novel.</p>
<p dir="auto">This vulnerability affects only Next.js deployments using Server Actions.</p>
<h3 dir="auto">Patches</h3>
<p dir="auto">This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.</p>
<h3 dir="auto">Workarounds</h3>
<p dir="auto">There are no official workarounds for this vulnerability.</p>
<h3 dir="auto">Credits</h3>
<p dir="auto">Thanks to the PackDraw team for responsibly disclosing this vulnerability.</p>
</blockquote>
</details>

<details>
<summary>Release Notes</summary>
<h4><a href="https://github.com/vercel/next.js/releases/tag/v15.1.3">15.1.3</a></h4>
<blockquote>
<div class="markdown-alert markdown-alert-note" dir="auto">
<p class="markdown-alert-title" dir="auto">Note</p>
<p dir="auto">This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p>
</div>
<h3 dir="auto">Core Changes</h3>
<ul dir="auto">
<li>Retry manifest file loading only in dev mode: <a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/73900">#73900</a></li>
<li>Use shared worker for lint &amp; typecheck steps: <a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/74154">#74154</a></li>
</ul>
<h3 dir="auto">Credits</h3>
<p dir="auto">Huge thanks to <a href="https://bounce.depfu.com/github.com/unstubbable">@unstubbable</a> and <a href="https://bounce.depfu.com/github.com/ztanner">@ztanner</a> for helping!</p>
</blockquote>
<h4><a href="https://github.com/vercel/next.js/releases/tag/v15.1.2">15.1.2</a></h4>
<blockquote>
<div class="markdown-alert markdown-alert-note" dir="auto">
<p class="markdown-alert-title" dir="auto">Note</p>
<p dir="auto">This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p>
</div>
<h3 dir="auto">Core Changes</h3>
<ul dir="auto">
<li>Update React from 7283a213-20241206 to 65e06cb7-20241218: <a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/74117">#74117</a></li>
</ul>
<h3 dir="auto">Credits</h3>
<p dir="auto">Huge thanks to <a href="https://bounce.depfu.com/github.com/ztanner">@ztanner</a> for helping!</p>
</blockquote>
<h4><a href="https://github.com/vercel/next.js/releases/tag/v15.1.1">15.1.1</a></h4>
<blockquote>
<div class="markdown-alert markdown-alert-note" dir="auto">
<p class="markdown-alert-title" dir="auto">Note</p>
<p dir="auto">This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p>
</div>
<h3 dir="auto">Core Changes</h3>
<ul dir="auto">
<li>fix(turbo): sassOptions silenceDeprecations was not overwritten with user options: <a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/73937">#73937</a></li>
<li>refactor collectAppPageSegments: <a href="https://bounce.depfu.com/github.com/vercel/next.js/pull/73908">#73908</a></li>
</ul>
<h3 dir="auto">Credits</h3>
<p dir="auto">Huge thanks to <a href="https://bounce.depfu.com/github.com/devjiwonchoi">@devjiwonchoi</a> and <a href="https://bounce.depfu.com/github.com/ztanner">@ztanner</a> for helping!</p>
</blockquote>
<p><em>Does any of this look wrong? <a href="https://depfu.com/packages/npm/next/feedback">Please let us know.</a></em></p>
</details>

<details>
<summary>Commits</summary>
<p><a href="dafcd43fac...4cbaaa118d">See the full diff on Github</a>. The new version differs by 11 commits:</p>
<ul>
<li><a href="4cbaaa118d"><code>v15.1.3</code></a></li>
<li><a href="221d18ba18"><code>Backport v15: used shared worker for lint &amp; typecheck steps (#74154) (#74285)</code></a></li>
<li><a href="7d880a3b5b"><code>Backport v15: Retry manifest file loading only in dev mode (#73900) (#74283)</code></a></li>
<li><a href="df392a1b97"><code>v15.1.2</code></a></li>
<li><a href="40c9424beb"><code>Backport (v15): Update React from 7283a213-20241206 to 65e06cb7-20241218 (#74117)</code></a></li>
<li><a href="4384c6834a"><code>v15.1.1</code></a></li>
<li><a href="d137863475"><code>run build_and_test workflow on backport branch</code></a></li>
<li><a href="d27bb14b68"><code>backport: fix(turbo): sassOptions silenceDeprecations was not overwritten with user options (#74005)</code></a></li>
<li><a href="0c8187a312"><code>Add NEXT_PRIVATE_SKIP_CANARY_CHECK env for bench job (#73763)</code></a></li>
<li><a href="e83ab18c4c"><code>backport: refactor collectAppPageSegments (#73996)</code></a></li>
<li><a href="ada25fc25e"><code>Designate as backport branch</code></a></li>
</ul>
</details>

---

[Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

<details><summary>All Depfu comment commands</summary>
<blockquote><dl>
<dt>@depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd>
<dt>@depfu recreate</dt><dd>Recreates this PR, overwriting any edits that you've made to it</dd>
<dt>@depfu merge</dt><dd>Merges this PR once your tests are passing and conflicts are resolved</dd>
<dt>@depfu cancel merge</dt><dd>Cancels automatic merging of this PR</dd>
<dt>@depfu close</dt><dd>Closes this PR and deletes the branch</dd>
<dt>@depfu reopen</dt><dd>Restores the branch and reopens this PR (if it's closed)</dd>
<dt>@depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd>
<dt>@depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd>
<dt>@depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd>
</dl></blockquote>
</details>

Co-authored-by: depfu[bot] <23717796+depfu[bot]@users.noreply.github.com>