Release Next Security Fix #1027
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import) from 2.31.0 to 2.32.0.
- [Release notes](https://github.com/import-js/eslint-plugin-import/releases)
- [Changelog](https://github.com/import-js/eslint-plugin-import/blob/main/CHANGELOG.md)
- [Commits](import-js/eslint-plugin-import@v2.31.0...v2.32.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-import
  dependency-version: 2.32.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.15.15 to 24.10.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 24.10.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@testing-library/jest-dom](https://github.com/testing-library/jest-dom) from 6.6.3 to 6.9.1.
- [Release notes](https://github.com/testing-library/jest-dom/releases)
- [Changelog](https://github.com/testing-library/jest-dom/blob/main/CHANGELOG.md)
- [Commits](testing-library/jest-dom@v6.6.3...v6.9.1)

---
updated-dependencies:
- dependency-name: "@testing-library/jest-dom"
  dependency-version: 6.9.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…ns/actions/checkout-6 build(deps): bump actions/checkout from 5 to 6
…/eslint-plugin-import-2.32.0 build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0
…/types/node-24.10.1 build(deps): bump @types/node from 22.15.15 to 24.10.1
Bumps [jest-environment-jsdom](https://github.com/jestjs/jest/tree/HEAD/packages/jest-environment-jsdom) from 29.7.0 to 30.2.0.
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.2.0/packages/jest-environment-jsdom)

---
updated-dependencies:
- dependency-name: jest-environment-jsdom
  dependency-version: 30.2.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…/testing-library/jest-dom-6.9.1 build(deps-dev): bump @testing-library/jest-dom from 6.6.3 to 6.9.1
…/jest-environment-jsdom-30.2.0 build(deps-dev): bump jest-environment-jsdom from 29.7.0 to 30.2.0
Bumps [eslint-import-resolver-typescript](https://github.com/import-js/eslint-import-resolver-typescript) from 3.7.0 to 4.4.4.
- [Release notes](https://github.com/import-js/eslint-import-resolver-typescript/releases)
- [Changelog](https://github.com/import-js/eslint-import-resolver-typescript/blob/master/CHANGELOG.md)
- [Commits](import-js/eslint-import-resolver-typescript@v3.7.0...v4.4.4)

---
updated-dependencies:
- dependency-name: eslint-import-resolver-typescript
  dependency-version: 4.4.4
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…/eslint-import-resolver-typescript-4.4.4 build(deps-dev): bump eslint-import-resolver-typescript from 3.7.0 to 4.4.4
Bumps [next](https://github.com/vercel/next.js) from 16.0.7 to 16.0.10.
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.0.7...v16.0.10)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…/next-16.0.10 build(deps): bump next from 16.0.7 to 16.0.10
Reviewer's Guide
This PR updates Next.js, Node.js type definitions, several testing/linting-related devDependencies, and GitHub Actions workflow checkout versions to the latest security/patch releases, along with refreshing the pnpm lockfile to match.
Hey there - I've reviewed your changes - here's some feedback:
- You’ve upgraded `jest-environment-jsdom` to `^30.2.0` but are still on `jest` `^29.7.0`; consider aligning these major versions to avoid subtle test runner/environment incompatibilities.
- With `next` bumped to `16.0.10`, double-check that `eslint-config-next` and any Next-related tooling still match the recommended version matrix for that Next release to prevent configuration or lint/runtime mismatches.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- You’ve upgraded `jest-environment-jsdom` to `^30.2.0` but are still on `jest` `^29.7.0`; consider aligning these major versions to avoid subtle test runner/environment incompatibilities.
- With `next` bumped to `16.0.10`, double-check that `eslint-config-next` and any Next-related tooling still match the recommended version matrix for that Next release to prevent configuration or lint/runtime mismatches.
## Individual Comments
### Comment 1
<location> `package.json:57` </location>
<code_context>
"eslint-plugin-react-compiler": "19.0.0-beta-27714ef-20250124",
"jest": "^29.7.0",
- "jest-environment-jsdom": "^29.7.0",
+ "jest-environment-jsdom": "^30.2.0",
"ts-node": "^10.9.2",
"typescript-eslint": "^8.46.2"
</code_context>
<issue_to_address>
**issue (bug_risk):** Align `jest-environment-jsdom` major version with Jest core to avoid runtime incompatibilities.
`jest` is still on `^29.7.0` but `jest-environment-jsdom` is now `^30.2.0`. The environment package usually matches Jest’s major version and may rely on internals that change between majors, which can cause subtle runtime issues. Please either upgrade Jest to v30 or keep `jest-environment-jsdom` on a 29.x release.
</issue_to_address>
### Comment 2
<location> `.github/workflows/build.yml:31` </location>
<code_context>
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
- name: Log in to the Container registry
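Review bot: the SHA proposed for this line in the suggested implementation below is annotated `# actions/checkout v4.2.2`, which is older than the `v6` this hunk moves to, so applying it as written would silently downgrade the checkout step. Pin to the commit SHA of the intended v6 release and annotate it as v6, so the hardening does not undo the version bump.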
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Consider pinning `actions/checkout` to a specific commit SHA for supply‑chain hardening.
Using the mutable `v6` tag means the action’s behavior can change without you updating this workflow. For stronger supply‑chain security (as you’ve done with `docker/login-action`), pin `actions/checkout` to the specific commit SHA for the intended version and optionally note the version in a comment.
Suggested implementation:
```
steps:
- name: Checkout repository
# actions/checkout v4.2.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Log in to the Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
```
```
steps:
- name: Checkout repository
# actions/checkout v4.2.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Set up Kubectl
uses: azure/setup-kubectl@v4
```
</issue_to_address>
### Comment 3
<location> `.github/workflows/pr.yml:7` </location>
<code_context>
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
- name: Log in to the Container registry
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Mirror the same SHA pinning strategy for `actions/checkout` in PR workflows.
To keep CI paths consistent and ensure we’re using an immutable version of `actions/checkout`, please pin this to the specific commit SHA, matching the strategy used in the build workflows.
</issue_to_address>
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
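The pin check the review above asks for, as an added example that is not part of this PR or of Sourcery's tooling: a small Python scan over workflow text that flags `uses:` references resolved by a mutable tag or branch rather than a full commit SHA, and SHA-pinned references that lack the version comment the review recommends. The sample workflow is constructed from the snippets quoted in the review.

```python
# Added example, not part of this PR or of Sourcery: flag `uses:` references in a
# GitHub Actions workflow that resolve by a mutable tag/branch instead of a commit SHA.
import re
from typing import List, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")   # full commit SHA: immutable reference
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$")

def classify_uses(ref: str) -> str:
    """Return 'sha', 'mutable' or 'skip' for one `uses:` value."""
    ref = ref.strip("'\"")
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"          # local action or container image: not a GitHub ref
    if "@" not in ref:
        return "mutable"       # no ref at all resolves to the default branch
    return "sha" if SHA_RE.match(ref.rsplit("@", 1)[1]) else "mutable"

def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, finding) for each mutable `uses:`, and for each SHA-pinned
    one lacking a version comment on the same or the preceding line (as the review
    suggests, so the SHA stays human-readable)."""
    findings, prev = [], ""
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            kind = classify_uses(ref)
            documented = bool(m.group(2)) or prev.lstrip().startswith("#")
            if kind == "mutable":
                findings.append((line_no, ref, "not pinned to a commit SHA"))
            elif kind == "sha" and not documented:
                findings.append((line_no, ref, "SHA-pinned but version comment missing"))
        prev = line
    return findings

# Constructed sample mirroring the workflow snippets quoted in the review above.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Log in to the Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
      - name: Set up Kubectl
        uses: azure/setup-kubectl@v4
      - uses: ./.github/actions/local-helper
"""
```

A full SHA proves the reference is immutable but not that it is the release you meant: check that the commit belongs to the intended tag before pinning, which this scan does not do.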
| "eslint-plugin-react-compiler": "19.0.0-beta-27714ef-20250124", | ||
| "jest": "^29.7.0", | ||
| "jest-environment-jsdom": "^29.7.0", | ||
| "jest-environment-jsdom": "^30.2.0", |
issue (bug_risk): Align jest-environment-jsdom major version with Jest core to avoid runtime incompatibilities.
jest is still on ^29.7.0 but jest-environment-jsdom is now ^30.2.0. The environment package usually matches Jest’s major version and may rely on internals that change between majors, which can cause subtle runtime issues. Please either upgrade Jest to v30 or keep jest-environment-jsdom on a 29.x release.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v5 | ||
| uses: actions/checkout@v6 |
🚨 suggestion (security): Consider pinning actions/checkout to a specific commit SHA for supply‑chain hardening.
Using the mutable v6 tag means the action’s behavior can change without you updating this workflow. For stronger supply‑chain security (as you’ve done with docker/login-action), pin actions/checkout to the specific commit SHA for the intended version and optionally note the version in a comment.
Suggested implementation:
steps:
- name: Checkout repository
# actions/checkout v4.2.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Log in to the Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
steps:
- name: Checkout repository
# actions/checkout v4.2.2
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Set up Kubectl
uses: azure/setup-kubectl@v4
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: actions/checkout@v6 |
🚨 suggestion (security): Mirror the same SHA pinning strategy for actions/checkout in PR workflows.
To keep CI paths consistent and ensure we’re using an immutable version of actions/checkout, please pin this to the specific commit SHA, matching the strategy used in the build workflows.
Summary by Sourcery
Update dependencies and CI configuration to incorporate the latest security and maintenance patches.