Update dependency next to v12 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	^10.0.0 → ^12.0.0

---

XSS in Image Optimization API for Next.js

CVE-2021-39178 / GHSA-9gr3-7897-pp7m

More information

Details

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 11.1.0
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default
• Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m
• https://github.com/vercel/next.js/releases/tag/v11.1.1
• https://nvd.nist.gov/vuln/detail/CVE-2021-39178
• https://github.com/vercel/next.js/pull/28620
• https://github.com/vercel/next.js/commit/7afc97c5744b38bdf36aa7f87625f438224688aa
• https://github.com/advisories/GHSA-9gr3-7897-pp7m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Unexpected server crash in Next.js.

CVE-2021-43803 / GHSA-25mp-g6fv-mqxx

More information

Details

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx
• https://github.com/vercel/next.js/pull/32080
• https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264
• https://github.com/vercel/next.js/releases/v12.0.5
• https://nvd.nist.gov/vuln/detail/CVE-2021-43803
• https://github.com/vercel/next.js/releases/tag/v11.1.3
• https://github.com/advisories/GHSA-25mp-g6fv-mqxx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

CVE-2022-23646 / GHSA-fmvm-x8mv-47mj

More information

Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj
• https://github.com/vercel/next.js/releases/tag/v12.1.0
• https://nvd.nist.gov/vuln/detail/CVE-2022-23646
• https://github.com/vercel/next.js/pull/34075
• https://github.com/advisories/GHSA-fmvm-x8mv-47mj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Open Redirect in Next.js

CVE-2021-37699 / GHSA-vxf5-wxwp-m7g9

More information

Details

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Impact

• Affected: Users of Next.js between 10.0.5 and 10.2.0
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
• Not affected: Deployments on Vercel (vercel.com) are not affected
• Not affected: Deployments with pages/404.js
• Note that versions prior to 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9
• https://nvd.nist.gov/vuln/detail/CVE-2021-37699
• https://github.com/vercel/next.js/releases/tag/v11.1.0
• https://github.com/advisories/GHSA-vxf5-wxwp-m7g9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/next.js (next)

v12.1.0

Compare Source

Core Changes

• Relay Support in Rust Compiler: #​33702
• fix eslint link-passhref rule: #​33857
• update webpack: #​33831
• Flush buffered vitals metrics on page mount: #​33867
• fix problem with HMR when middleware and page reference the same node_module: #​33873
• Refactor page component getter in web server: #​33759
• update NextResponse default redirect status to 307 to match docs: #​33505
• Bug fix: dynamic page should not be interpreted as predefined page: #​33808
• Group streaming experimental apis: #​33878
• Encapsulate routing and initial hydration: #​33875
• Optimize offline condition judgment: #​33238
• Ensure external beforeFiles rewrites are handled with next/link: #​33888
• Fix parsing params for i18n optional route in minimal mode: #​33896
• Ensure browserslist extends works properly: #​33890
• Fix image cache race condition: #​33883
• Add support for Relay projects without artifactDirectory: #​33918
• fix: handle jsxspreadattribute in inline-script-id eslint rule: #​32421
• feat(next-swc): Update swc: #​33724
• Update to latest version of amphtml-validator: #​33967
• Warn in dev mode when script tags are added with next/head: #​33968
• Ensure optional chaining in swc matches babel: #​33995
• Use react-dom/server.browser in Node.js: #​33950
• Ensure external middleware rewrite is handled correctly: #​33962
• Update Terser to v5.10.0, fix minification issues: #​33045
• Warn in dev mode when stylesheets are added using next/head: #​34004
• Use ReadableStream in RenderResult: #​34005
• Fix suffix ordering while streaming: #​34011
• Don't use yarn if a package-lock.json file is found: #​31926
• Do not warn when application/ld+json scripts are used with next/head: #​34021
• Babel & next-swc: Fix exporting page config with AsExpression: #​32702
• Detect per page runtime config for functions manifest: #​33945
• Add JSDoc to config options: #​32915
• Update font-stylesheet-gathering-plugin.ts: #​30709
• Add decoratorMetadata flag if enabled by tsconfig: #​32914
• fix: data url handling in css-loader: #​34034
• Place 'charset' element at the top of : #​28119
• Fix detection of anchor click events inside svg: #​23272
• Allow passing nothing as custom jest config: #​32328
• Fixes #​31240: Adding a recursive addPackagePath function in webpack-config: #​31264
• Require component rendered as child of Link to pass event to onClick handler: #​27723
• Allow scroll prevention on hash change: #​31921
• Add support for async fn / promise in next.config.js/.mjs: #​33662
• Fix lazyRoot functionality for next/image: #​33933
• Change SWC minify from beta to release candidate: #​34056
• Make Router state immutable: #​33925
• Stop exposing internal render and renderError methods from next/client: #​34069
• Add api-utils helper for testing: #​34078
• feat(next-swc): Update swc: #​34045
• Deprecate concurrentFeatures with runtime: #​34068
• Add check for resolveWeak to next/dynamic: #​33908
• remove unneeded and broken plugin: #​34087
• Remove experimental warning from next/jest: #​34096
• fix: arrow function export in rsc client component: #​34105
• Use renderToStream with React 18: #​34106
• Fix static result being piped: #​34111
• Polyfill pipeTo and pipeThrough: #​34112
• Update to leverage response-cache for image-optimizer: #​34075
• fix: next/image usage from node_modules: #​33559
• Fix included flight manifest on node runtime: #​34113
• Fix: Use react-dom/server.browser when reactRoot: true: #​34116
• Fix image-optimizer requires in next-server: #​34141
• Fix required files matching in rsc: #​34137
• Throw error when ts file contains css.resolve: #​34149
• Chore/stable swc compiler options: #​34074
• Fix bug with "Circular Structure" error: #​23905
• Add _document and _app pre-import: #​23261
• Ensure standalone server handles SIGTERM: #​34151
• Bump nft to 0.17.5: #​34190
• feat: copy .env file in standalone mode: #​34143
• Fix reuse of inline flight response and 404 for RSC in node runtime: #​34202
• Use updated recursive rm fs method for image-optimizer: #​34210
• Fix link for "Delete Query Params in Middleware" error message in next-server.ts: #​34230
• Enable dynamic HTML in minimal mode: #​34222
• Fix uncaught error in getInitialProps when runtime is set to nodejs: #​34228
• Optimize the web server size: #​34242
• feat: allow node-sass@7 as peer dependency: #​34107
• Adding step to build the app with docker in existing projects: #​34083
• Changed all occurrences of etc to match: #​34280
• Align reactRoot config between server and webpack config: #​34328
• Fix <RouteAnnouncer/> shouldn't announce initial path under strict mode and React 18: #​34338
• Fix flight root failed to hydrate in strict mode: #​34333
• Allow dismissing full refresh warning for session: #​33868
• Remove experimental image optimization feature: #​34349
• Add support for "type": "module" in package.json: #​33637
• feat(next-swc): Update swc: #​34355
• Ensure invalid request to static page is handled correctly: #​34346
• Add Error Handing section for ISR: #​34360
• feat(next-swc): Update swc: #​34408
• feat: improve opening a new issue flow: #​34434
• Ensure we don't poll page in development when notFound: true is returned: #​34352
• Add image config for dangerouslyAllowSVG and contentSecurityPolicy: #​34431
• Revert swc css bump temporarily: #​34440
• update webpack: #​34444
• Update server-only changes HMR handling: #​34298
• Fix .svg image optimization with a loader prop: #​34452
• Allow reading request bodies in middlewares: #​34294
• Revert "Allow reading request bodies in middlewares": #​34479
• update webpack: #​34477
• Fix chunk buffering for server components: #​34474
• Remove deprecation for relative URL usage in middlewares: #​34461

Documentation Changes

• Building web forms with Next.js and Vercel: #​32525
• Add Clarity About Downloading and Self-Hosting a Font File: #​33760
• Correct pluralization in newly added Relay documentation: #​33880
• Update MDX document: #​33916
• Update info on how to process webhooks by disabling bodyParser: #​33909
• Update deployment docs to fix oversized image.: #​33934
• docs: recommend .end instead of .send when no body is being sent: #​33611
• Update custom document docs to prepare for React 18.: #​33814
• Fix typo in new experimental Relay support docs: #​33963
• docs(isr): add missing key prop in jsx loop: #​33984
• docs: use function for components in general: #​33990
• Updated going-to-production with loading performance: #​33179
• docs: fix variable name from profileData to data in CSR page: #​34018
• Improve Form Guide Contents: #​33913
• Add async to middleware docs.: #​31356
• (docs): update i18n-routing.md: #​33123
• Fix redirect url for prefixing the default locale: #​33762
• Add note about dns-prefetch as fallback: #​30385
• Update custom server docs for async methods: #​30521
• Update multiple docs pages to follow Docs Content style guide: #​33855
• fix: Change url to nextUrl inside delete-query-params-in-middlewa…: #​33796
• Changing GitHub Actions cache documentation: #​28228
• [docs] Add env var load order: #​32350
• docs: add Ory vercel example to auth page: #​33029
• Add note about crawlers and fallback: true: #​34114
• docs(api-routes): fix node docs links: #​34125
• add note to clarify use of Link when clearing preview cookies (issue #​34129): #​34142
• Re-render details if rewrites are used: #​34049
• Add heading to invalid-api-status-body error: #​34150
• Ensure /index route is redirected correctly for docs: #​34206
• Update docs for image lazyRoot prop: #​34241
• Update link for includeFiles glob reference: #​34269
• Update Preview Mode docs.: #​34278
• Update frequently asked questions in documentation: #​34252
• Alphabetize auth docs providers.: #​34281
• Replace babel with SWC & minor changes in getting started: #​34282
• Update Middleware docs to add version history.: #​34302
• Fix typo on getInitialProps: #​34309
• Update missing curly brace in image.md: #​34307
• docs: Add link to pageExtensions config in page-without-valid-component.md: #​34285
• Add an example to Write server-side code directly section: #​34319
• Few touch-ups to the docs on web forms in Next: #​34286
• Update MDX Custom Elements setup: #​34175
• Update image.md: #​34374
• Updated failed to load error page to include info about node versions: #​34362
• docs: react 18, streaming SSR, rsc with new apis: #​33986
• Update MDX Guide config example: #​34405
• Remove hello world RSC example.: #​34456
• Fix typo: #​34480

Example Changes

• Update npm comment in Docker example: #​33881
• Update Contentful example to add validations to solve graphql complexity errors.: #​33958
• Update all CMS examples dependencies.: #​33580
• Fix warning unknown prettier option when running yarn lint.: #​34019
• [New Example] with docker - multiple deployment environments: #​34015
• Fix ambiguous flags in Dockerfile example: #​33417
• fix(examples/with-docker): update env comments: #​29972
• Remove unused "start" script from with-docker/package.json: #​31053
• Update remark in blog-starter-typescript: #​31393
• Update _document.js: #​29930
• Docs: use the nextv12 example from the storybook-addon-next repo as the with-storybook example: #​33891
• examples, update with new URL: #​34035
• [with-typescript-graphql] fixes breaking changes in graphql-let v0.18.0: #​32681
• fix(example): with-typescript-graphql graphql-let package migrate: #​29996
• feat: update firebase in with-firebase: #​29581
• progressive web app example converted to typescript : #​33100
• Make adjustment to cache config of with-apollo example: #​32733
• Fix error thrown by next/image in the Sanity example: #​34203
• Update examples/active-class-name: #​34205
• chore(example): update preact links in examples: #​34233
• fix: don't wrap profile in firebase example: #​34457

Misc Changes

• Fix flakey image-optimizer test: #​33957
• Update azure config: #​33999
• Add types to nextConfig in default template : #​34029
• docs(contributing): Search GitHub for an open or closed PR that relates to your submission: #​22533
• fix(create-next-app): add default version: #​33006
• chore: do not run lock/stale actions on forks: #​34053
• Fix functions manifest test: #​34092
• add pnpm debug file in gitignore templates: #​34091
• Update failing tests from upstream resource: #​34110
• Update version number in next.config.js API reference
• chore: log lock bot output: #​34168
• chore: decrease lock action runs #​34180
• Allow listening for page requests in tests: #​34204
• Update code of conduct from v1.4 to v2.1: #​34208
• Update contributing.md to link to walkthrough video.: #​34299
• fix: typo in gitignore in typescript template: #​34372
• test: add inline flight response reuse test: #​34364
• Update 2.example_bug_report.yml
• Update 1.bug_report.yml
• Update 2.example_bug_report.yml
• Update font-optimization test snapshot: #​34478

Credits

Huge thanks to @​MaedahBatool, @​mutebg, @​sokra, @​huozhi, @​hanford, @​shuding, @​sean6bucks, @​jameshfisher, @​devknoll, @​yuta-ike, @​zh-lx, @​amandeepmittal, @​alunyov, @​stefanprobst, @​leerob, @​balazsorban44, @​kdy1, @​brittanyrw, @​jord1e, @​kara, @​vvo, @​ismaelrumzan, @​dlindenkreuz, @​MohammadxAli, @​nguyenyou, @​thibautsabot, @​hanneslund, @​vertti, @​KateKate, @​stefee, @​mikinovation, @​Leticijak, @​mohsen1, @​ncphillips, @​ehowey, @​lancechentw, @​krychaxp, @​fmacherey, @​pklawansky, @​RyanClementsHax, @​lakbychance, @​sannajammeh, @​oliviertassinari, @​alexander-akait, @​u-yas, @​Cheprer, @​msp5382, @​chrispat, @​getspooky, @​Ryz0nd, @​klaasman, @​midgleyc, @​kumard3, @​jesstelford, @​neeraj3029, @​glenngijsberts, @​pie6k, @​wouterraateland, @​timneutkens, @​11koukou, @​thesyedbasim, @​aeneasr, @​ijjk, @​lfades, @​JuniorTour, @​xavhan, @​mattyocode, @​padmaia, @​Skn0tt, @​gwer, @​Nutlope, @​styfle, @​stipsan, @​xhoantran, @​eolme, @​sespinosa, @​zenorocha, @​hjaber, @​benmvp, @​T-O-R-U-S, @​dburrows, @​atcastle, @​kiriny, @​molebox, @​kitayoshi, and @​Schniz for helping!

v12.0.10

Compare Source

Core Changes

• fix: image optimizer hangs when invalid image is requested: #​33719
• feat: make compress configurable in standalone mode: #​33717
• fix: allow certain variable names in development: #​33638
• Use swc parse for flight server and client loaders: #​33713
• Properly support custom 500 page in the web server: #​33729
• chore: deprecate process.browser: #​32862
• Improve tests for streaming and server components: #​33740
• fix: fixes #​33314 move is-plain-object for es5 compilation: #​33690
• Add stale-while-revalidate pattern to Image Optimization API: #​33735
• Allow to delete URL search params in middleware rewrites: #​33725
• Ensure all CSS files are included for experimental critical CSS: #​33752
• Ensure non-error thrown in getStaticPaths shows correctly: #​33753
• Fix encoding error with location and refresh headers: #​33763
• Fix duplicate image src causing canceled request: #​33776
• Generate functions manifest: #​33770
• Enable jest hoist transform when using next/jest: #​33731
• fix typo: #​33840
• fix(next/image): render valid html according to W3C: #​33825

Documentation Changes

• Update Time to First Byte (TTFB) link: #​33715
• Changed data fetching file name to overview to fix meta data title: #​33232
• Correct misspelling in testing documentation #​33754: #​33755
• Move custom server note from middleware doc: #​33744
• Fixed duplicate data fetching overview page + links: #​33774
• [docs] Mention SWC in TypeScript documentation.: #​33801
• Testing docs: Comment out optional config that points to a file: #​33827
• Update Content-Security-Policy header usage explanation: #​33833

Example Changes

• Fix with-docker example dockerfile: #​33695
• Added next.config.js with datocms-assets domain in allow list: #​33647
• Fix: broken npm install: #​33767
• [example] Upgrade the with-stripe-typescript example app: #​33761
• Upgrade to @​stitches/react 1.2.6: #​33817
• Doc: fix broken link to api routes doc: #​33836

Misc Changes

• run stale 20 minutes earlier
• fix: use github action instead of bot: #​33718
• fix syntax error in lock.yml
• fix rsc test suite runner: #​33745

Credits

Huge thanks to @​Vienio99, @​balazsorban44, @​kyliau, @​molebox, @​huozhi, @​shuding, @​PepijnSenders, @​krystofex, @​PizzaPete, @​souljuse, @​styfle, @​Schniz, @​Nelsonfrank, @​ijjk, @​Mhmdrza, @​timneutkens, @​hideokamoto-stripe, @​Emrin, @​gr-qft, @​delbaoliveira, @​redbar0n, @​amandeepmittal, @​lxy-yz, and @​Divlo for helping!

v12.0.9

Compare Source

This upgrade is completely backward-compatible and recommended for all users on versions below 12.0.9

Vulnerable code could allow a bad actor to trigger a denial of service attack via the /${locale}/_next/ route for anyone running a Next.js app at version >= 12.0.0, and using built-in i18n routing functionality.

How to Upgrade

• We have released patch versions for both the stable and canary channels of Next.js.
• To upgrade run npm install next@latest --save

Impact

• Affected: All of the following must be true to be affected by this CVE
  • Next.js versions between v12.0.0 and v12.0.9
  • Using next start or a custom server
  • Using the built-in i18n support
• Not affected:
  • Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

How to Assess Impact

If your server has seen requests to any route under the prefix /${locale}/_next/ that have triggered a heap overflow error, this was caused by the patched issue.

What is Being Done

As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to our users for their investigation and responsible disclosure of the original bug.

We've landed a patch that ensures this is handled properly so the requested route no longer crashes and triggers a heap overflow.

Regression tests for this attack were added to the i18n integration test suite

• A public CVE was released.
• We encourage responsible disclosure of future reports. Please email us at security@vercel.com. We are actively monitoring this mailbox.

Core Changes

• middlewares: limit process.env to inferred usage: #​33186
• update webpack: #​33207
• Abstract out native filesystem usage from the base server: #​33226
• use text data url instead of base64 for shorter encoding: #​33218
• chore(deps): upgrade postcss: #​33142
• Fix global process testing for the process polyfill: #​33220
• Update swc: #​33201
• improve full refresh overlay: #​33301
• Custom app for server components: #​33149
• Update yarn PnP tests and disable swc file reading for PnP: #​33236
• Base Http for BaseServer: #​32999
• Update swc: #​33342
• Update check for fallback pages during export: #​33323
• Pre-compile more dependencies: #​32742
• Remove node fetch polyfill from base server: #​33395
• Replace regexp to plain string for optimization render HTML: #​33306
• Fix broken html on streaming render for error page: #​33399
• Disable cache for rsc pages: #​33438
• Fix pre-compiled check from copying react-refresh-utils: #​33442
• fix(next-swc): Update swc: #​33427
• Move middleware handling to node server: #​33448
• Enforce absolute URLs in Edge Functions runtime: #​33410
• feat(next-swc): Update swc: #​33461
• Update main field for nccd jest-worker: #​33465
• chore(deps): upgrade node-fetch: #​33466
• Move static serving to next server: #​33475
• feat(next-swc): Update swc: #​33485
• Fix multiple calls to image onLoadingComplete(): #​33474
• Refactor base server to remove native dependencies: #​33499
• Update swc: #​33514
• Implement abstract methods to get manifest files in the base server: #​33537
• Simplify getMiddlewareInfo calls: #​33542
• Fix static file check with i18n: #​33503
• Bump styled-jsx: #​33546
• Ensure optional value normalizing is correct for index: #​33547
• Bump nft to 0.17.4: #​33548
• Add next-multilingual example: #​29386
• Removed the s from NextConfig: #​33560
• feat(next-swc): Update swc: #​33595
• Fix rsc export component name detection: #​33608
• upgrade webpack: #​33549
• Ensure fetch polyfill is loaded in next-server: #​33616
• feat(next-swc): Update swc: #​33628
• Add lazyRoot optional property to next/image component : #​33290
• feat(next-swc): Update swc: #​33675
• Implement web server as the request handler for edge SSR: #​33635
• Relay Support in Rust Compiler: #​33240
• Revert "Relay Support in Rust Compiler": #​33699

Documentation Changes

• Fixed broken link related to the recently merged Data fetching docs refactor: #​33209
• Removed backticks on data fetching api titles: #​33216
• Added links to data fetching api refs, fixed title: #​33221
• Remove outdated & possibly confusing statement about redirects: #​33224
• [examples] Add a statically generated blog example using Next.js and Builder.io: #​22094
• Typo Fix: #​33252
• Update font-optimization.md: #​33266
• Fixed broken links in data fetching docs: #​33250
• docs: Mention middleware for getStaticProps: #​33273
• Add sections for Remove React Properties and Remove Console to compiler docs: #​33311
• Update links in next export + next/image error message: #​33317
• Add onLoad gottcha note to next/script docs: #​33097
• Update security-headers.md: fix path does not match homepage: #​33137
• fix minor typo in SWR: #​33378
• ReferenceError in authentication.md example fixed: #​33411
• docs: fix url: #​33409
• fix(docs): Fix typo in Custom Build Id docs: #​33515
• [docs] Update authentication docs to fix iron-session link.: #​33483
• docs(authentication): fix iron-session example link: #​33502
• Update middleware documentation for custom server: #​33535
• Removed unrequired path in docs' manifest: #​33579
• Update next/server documentation for geo: #​33609
• Clarify next/image usage with next export based on feedback.: #​33555
• Clarify headers config option description: #​33484
• fix(errors/no-cache): netlify-plugin-cache-nextjs has been deprecated: #​33629
• Updated docs for getServerSideProps and getStaticProps return values: #​33577
• Use relative path for example: #​33565
• chore(docs): update security headers specification: #​33673
• REMOVE: duplicate key in docs/testing.md: #​33681

Example Changes

• [examples] Update remark dependency for blog-starter: #​33313
• Update package.json for examples/with-supabase-auth-realtime-db: #​33321
• Working example for building forms with Next.js: #​32669
• Updates dependency version of frontend SDK in with-supertokens example: #​33393
• docs: add skynexui to examples: #​33326
• Update with-linaria

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: nextjs-blog/package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: learn-starter@0.1.0
npm ERR! Found: react@16.14.0
npm ERR! node_modules/react
npm ERR!   react@"16.14.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^17.0.2 || ^18.0.0-0" from next@12.3.7
npm ERR! node_modules/next
npm ERR!   next@"^12.0.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-05-18T09_55_56_329Z-debug-0.log