
Update next in / from 4.1.4 to 5.0.0 #23

Open
wants to merge 1 commit into base: master

Conversation


dependencies[bot] commented Mar 19, 2018

Dependencies.io has updated next (an npm dependency in /) from "4.1.4" to "5.0.0".

5.0.0

Read more here: https://zeit.co/blog/next5

Major Changes

  • Universal Webpack: #3578
  • Zones: #3578

Minor Changes

  • A11y: Set focus back to body after link was clicked: #3545
  • Fix server not closing properly in dev mode (issue #2540): #3540
  • Check if headers are sent: #3642
  • Don’t finish request when it’s already finished: #3660
  • Set assetPrefix dynamically: #3661
  • Improved next/asset support: #3664
  • Upgrade react-hot-loader: #3665
  • Upgrade source-map-support: 0da17ca4fcc0cfcd80ec1912404da9c327b3f88a
  • Do not use window.history if inside iframe: #3437
  • Add update notifier: #3678
  • [Example] with-polyfills : show how to load polyfills: #3568

Patches

  • Move security related test cases into its own file.: 33f8f282099cb34db2c405aabb883af836d6dc2a
  • Removes the unused renderScript function: 77c10b24c5e2d31d86bc4eebbae35563b0f285d7
  • Add a nerv example.: #3573
  • Extend with-data-prefetch to handle advanced use cases: #3525
  • Fix(store): product env cannot find module 'redux-devtools-extension'.: #3618
  • Fix Doc in with-firebase-authentication: #3626
  • Upgraded flow version and updated code to use of React.Node (#3635): User not able to log in #2
  • Update Next.js version on examples: 9a82ca4029151754097c7b4c77e125516c97171e
  • Don’t externalize css/sass/scss/less/svg: 5818e6f781a9062381c916b7f0b8c9d1e36650ca
  • Make sure dynamic imports works on Windows: #3641
  • Added IoC example: #3595
  • Ignore _document.js on windows and expand symlinks when using next export: #3637
  • Match .js instead of not css: 8a4a9a10c217aa9907ba6b0d0b5a40f80e71730b
  • Update custom-server-micro example to latest version: #3594
  • Add Polka server example: #3588
  • Add an example using analytics: #3580
  • [with-portals] Remove dynamic import, add : #3571
  • [fix] apollo-redux: Separate out entire example #3463: #3629
  • Deprecate css examples: 6db44f8058270973e3072271c10bf0a5b96273af
  • Update preact example: f0703f8e13123d549fabc12ae53167c7f78f18f5
  • Fix __route error when importing a page inside a page: #3644
  • (custom-server-express) avoid a 404 when navigating to a custom route: #3645
  • Handle page 404 properly in production.: #3648
  • Don’t exclude webpack: #3646
  • Upgrade styled-jsx: #3657
  • Use a latest version of path-to-regexp for path-match: #3655
  • [DOC] typo in readme: double negation is probably unintended: #3658
  • Fixed the example with-react-intl, cannot read property 'locale' of undefined: #3392
  • Fix typos in gh-pages example README: #3669
  • Example: Passing data from server through API: #2594
  • Handle empty assetPrefix scenario properly.: #3667
  • Format subhead in gh-pages README example: #3670
  • [with-apollo] Use getDataFromTree in browser: #3457
  • Refactor redux observable example: #3495
  • Make sure externals logic works on Windows.: #3677
  • Indicate how to import fonts: #3676
  • Use correct port in with-zones example: #3679
  • Make links text: 70295f2e873d7a5504505378d54fd4a5ab87a405
  • Add tests for universal webpack: #3680

Credits

Huge thanks to connor-baer, lucleray, arunoda, hankmander, malixsys, Shalzz, Gavin1995, sarovin, impronunciable, alexindigo, lfades, sergiodxa, mcansh, stephenmathieson, brikou, JeromeFitz, shogunsea, soulmachine, johnpolacek, unregistered, jonespen, mpacer, timhuff and tomaswitek for helping!

4.2.3

Release notes

This upgrade is completely backwards compatible and recommended for all users.
For future security related communications of our OSS projects, please join this mailing list.

We were notified of a directory traversal issue under the /_next request namespace.
An attacker can craft a request that accesses potentially sensitive information in your filesystem.

How to upgrade

  • We have released patch versions of the stable and beta releases.
  • The following versions fix this bug and include precautions to avoid
    similar problems in the future
  • Run npm install next@latest --save
  • When using canary release channel use npm install next@canary --save

Impact

  • Affected: Users of Next.js prior to this release
  • Not affected: Deployments on https://now.sh (like https://zeit.co) are mitigated. A platform wide mitigation was implemented immediately after the report was received.
  • Not affected: Static deployments via next export

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

Container-based deployments, chroot environments and virtualization users are at significantly less risk of sensitive data exposure. In most scenarios, an attacker would only be able to access frontend JavaScript components exclusively.

How to assess impact

If you think sensitive code or data could have been exposed, please filter logs of affected sites by ".." (excluding quotes in all cases) and check for 200 responses.

What is being done

As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Orange Tsai from DEVCORE for his investigation and discovery of the original bug and subsequent responsible disclosure.

6 months ago there was a similar, but different, path traversal possible on paths under the /static directory. To prevent future regressions regarding path traversal we have separated all security related tests to a common file called security.js so that any future commit will be verified against these known fixed vulnerabilities.

  • We have notified known Next.js users in advance of this publication.
  • A public CVE was released
  • If you want to stay on top of our security related news impacting Next.js or other projects, please join this mailing list.
  • We encourage responsible disclosure of future issues. Please email us at [email protected]. We are actively monitoring this mailbox.

4.2.2

No content found. Please open an issue at https://github.com/dependencies-io/support if you think this content could have been found.

4.2.1

Patches

  • Add markdown-in-js example: #3410
  • Downgrade strip-ansi to support IE11/Google Fetch: #3403
  • Remove webpack-stats.json: 66e3a6c5eaa7b4306b483d79d9ed2ba4e6c4728b

Credits

Huge thanks to i8ramin for helping!

4.2.0

Minor Changes

  • Always load pages with ".js" extension: #3393
  • Pulled encoding to top of head: #3214

Patches

  • Remove next.d.ts to use types/next: #3297
  • Add with-mobx-state-tree example: #3179

Credits

Huge thanks to brikou, dargue3, arunoda and yashha for helping!
