[Snyk] Security upgrade next from 10.2.0 to 13.5.4

[jydmyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	551/1000 Why? Recently disclosed, Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: next

The new version differs by 250 commits.

• 1e8dca4 v13.5.4
• 9e24d6f v13.5.4-canary.11
• 281ae41 Fix build output logging order (#56335)
• d7626ff Revert "misc: shortcut styled-jsx in external resolution (#56291)" (#56334)
• db48052 v13.5.4-canary.10
• 7df92b8 test: add flaky turbopack integration tests to manifest (#56309)
• eeb9b33 fix: Invalid URL (404) provided on server actions error (#56323)
• 3172cfe fix: support both decoded and encoded url requests of conventioned files (#56187)
• a2f9ef5 fix(next/client): keep hash when navigating from app to pages router (#56223)
• a970f28 Add code freeze GitHub actions for releasing (#56325)
• 5fbc23e misc: fix instrumentation with bundled server (#56318)
• 98432a4 Remove buildId test as it's no longer relevant (#56316)
• 86274e6 fix(#53190): add missing crossOrigin to assetsPrefix resources (#56311)
• e970e05 Reland static prefetches & fix prefetch bailout behavior (#56228)
• be952fb fix: typo in `with-stripe-typescript` example (#56274)
• 7f60cc8 Support serverRuntimeConfig and publicRuntimeConfig in Turbopack (#56310)
• 8d18ad6 update webp crate (#56307)
• ac95a20 Fix flaky test for size output (#56303)
• dba978f misc: shortcut styled-jsx in external resolution (#56291)
• 458dab8 misc: update code owners (#56290)
• 5254aae Update image.mdx (#56266)
• 0d4859b Update image.mdx (#56269)
• 59bda2d More Turbopack fixes (#56299)
• ecd94c1 misc: enable source maps for bundled runtime (#56289)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Input Validation

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
classnames	2.3.2	None	+0	18.8 kB	dcousens
domwaiter	1.1.0...1.4.0	network	+36/-30	7.17 MB	zeke
jest-github-actions-reporter	1.0.2...1.0.3	None	+0/-1	284 kB	cschleiden
next	10.2.0...13.5.4	filesystem	+30/-236	1.11 GB	vercel-release-bot
npm-merge-driver-install	2.0.0...2.0.2	None	+2/-0	55.4 kB	brandonocasey
github-slugger	1.2.1...1.5.0	None	+0/-1	13.5 kB	wooorm
@babel/plugin-proposal-class-properties	7.12.13...7.18.6	filesystem	+29/-26	8.01 MB	nicolo-ribaudo
@primer/components	28.0.1...28.5.0	None	+40/-38	20.6 MB	primer-css
strip-ansi	6.0.0...6.0.1	None	+1/-1	9.64 kB	sindresorhus
lunr-languages	1.4.0...1.13.0	None	+0/-0	2.16 MB	mihaivalentin
semver	5.7.1...5.7.2	None	+0/-0	63.3 kB	lukekarrys
pa11y-ci	2.4.0...2.4.2	None	+37/-28	9.36 MB	joseluisbolos
@babel/preset-react	7.12.13...7.22.15	filesystem	+33/-31	8.05 MB	nicolo-ribaudo
husky	4.2.1...4.3.8	None	+19/-21	804 kB	typicode
glob	7.1.6...7.2.3	None	+2/-3	96.9 kB	isaacs
@graphql-tools/load	6.2.5...6.2.8	None	+27/-23	6.7 MB	ardatan
express-timeout-handler	2.2.0...2.2.2	None	+0/-0	6.84 kB	hilleer
@babel/plugin-transform-modules-amd	7.12.13...7.23.0	filesystem	+29/-32	8.03 MB	nicolo-ribaudo
babel-plugin-styled-components	1.12.0...1.13.3	None	+29/-25	12.7 MB	probablyup
js-yaml	3.14.0...3.14.1	None	+0/-0	291 kB	vitaly
@babel/preset-env	7.12.13...7.22.20	shell	+112/-110	13.6 MB	nicolo-ribaudo
csv-parse	4.8.8...4.16.3	environment	+0/-0	668 kB	david
@types/react-dom	17.0.3...17.0.21	None	+4/-4	1.42 MB	types
mockdate	3.0.2...3.0.5	None	+0/-0	13.8 kB	boblauer
@babel/plugin-transform-modules-commonjs	7.12.13...7.23.0	filesystem	+29/-32	8.05 MB	nicolo-ribaudo
rss-parser	3.12.0...3.13.0	None	+2/-2	2.09 MB	bobby-brennan
website-scraper	4.2.0...4.2.3	None	+23/-21	2.05 MB	s0ph1e
html-entities	1.2.1...1.4.0	None	+0/-0	68.6 kB	mdevils
@types/lodash	4.14.168...4.14.199	None	+0/-0	863 kB	types
react	17.0.1...17.0.2	None	+0/-0	291 kB	gaearon
@babel/core	7.12.13...7.23.0	filesystem	+27/-23	8 MB	nicolo-ribaudo
@types/react	17.0.4...17.0.67	None	+3/-3	1.4 MB	types
date-fns	2.21.3...2.30.0	None	+2/-0	6.96 MB	kossnocorp
nodemon	2.0.4...2.0.22	None	+11/-46	616 kB	remy
async	3.2.0...3.2.4	None	+0/-0	821 kB	hargasinski
express	4.17.1...4.18.2	None	+29/-18	1.23 MB	dougwilson
styled-components	5.3.0...5.3.11	None	+29/-25	12.7 MB	probablyup
@babel/runtime	7.11.2...7.23.1	None	+1/-1	275 kB	nicolo-ribaudo
cross-env	7.0.2...7.0.3	None	+0/-1	29.1 kB	kentcdodds
hot-shots	8.2.0...8.5.2	None	+1/-2	108 kB	bdeitte
resolve-url-loader	3.1.2...3.1.5	None	+14/-15	1.66 MB	bholloway
replace	1.2.0...1.2.2	None	+8/-10	95.1 kB	almaclaine
morgan	1.9.1...1.10.0	None	+0/-1	29.7 kB	dougwilson
helmet	3.21.2...3.23.3	None	+2/-6	329 kB	evanhahn
jest-expect-message	1.0.2...1.1.3	None	+0/-0	12.7 kB	mattphillips
webpack-cli	4.6.0...4.10.0	shell, environment	+68/-75	14.8 MB	evilebottnawi
directory-tree	2.2.6...2.4.0	None	+0/-0	11.2 kB	mihneadb
object-hash	2.0.1...2.2.0	None	+0/-0	59 kB	addaleax
robots-parser	2.1.1...2.4.0	None	+0/-0	19.4 kB	samclarke
webpack	5.30.0...5.88.2	network, shell, environment	+50/-51	14.1 MB	thelarkinn
cheerio	1.0.0-rc.3...1.0.0-rc.12	network	+12/-4	2.63 MB	feedic
start-server-and-test	1.12.0...1.15.5	environment	+21/-27	6.27 MB	bahmutov
cookie-parser	1.4.5...1.4.6	None	+1/-0	30.2 kB	dougwilson
copy-webpack-plugin	6.0.3...6.4.1	shell	+80/-87	15.4 MB	evilebottnawi
nock	13.0.4...13.3.3	None	+1/-1	222 kB	nockbot
gray-matter	4.0.2...4.0.3	None	+1/-1	330 kB	rmassaioli
react-dom	17.0.1...17.0.2	None	+2/-2	3.39 MB	gaearon
linkinator	2.13.6...2.16.2	network	+62/-79	2.22 MB	justinbeckwith
csv-parser	2.3.3...2.3.5	None	+2/-3	206 kB	trysound
sass-loader	9.0.2...9.0.3	shell, environment	+60/-66	20 MB	evilebottnawi
style-loader	1.2.1...1.3.0	shell, environment	+53/-57	14.4 MB	evilebottnawi
eslint-config-standard	16.0.1...16.0.3	None	+64/-111	10.2 MB	linusu
chalk	4.1.0...4.1.2	None	+0/-3	35 kB	sindresorhus
commander	6.2.0...6.2.1	None	+0/-0	113 kB	abetomo
webpack-dev-middleware	4.1.0...4.3.0	shell, environment	+55/-55	14.4 MB	evilebottnawi
mini-css-extract-plugin	1.4.1...1.6.2	shell, environment	+53/-55	14.4 MB	evilebottnawi
uuid	8.3.0...8.3.2	None	+0/-0	116 kB	ctavan
babel-loader	8.1.0...8.3.0	shell	+80/-91	21.9 MB	nicolo-ribaudo
mime	2.5.2...2.6.0	None	+0/-0	60.1 kB	broofa
@graphql-inspector/core	2.3.0...2.9.0	None	+4/-2	2.45 MB	kamilkisiela
javascript-stringify	2.0.1...2.1.0	None	+0/-0	71.9 kB	blakeembrey
prettier	2.1.2...2.8.8	environment	+0/-0	11.2 MB	prettier-bot
jimp	0.16.1...0.16.13	None	+54/-46	17.2 MB	alisowski
@primer/css	16.2.0...16.3.0	None	+1/-2	7.56 MB	primer-css
liquidjs	9.22.1...9.43.0	None	+0/-0	1.29 MB	harttle
flat	5.0.0...5.0.2	None	+0/-1	26.6 kB	timoxley
eslint	7.13.0...7.32.0	eval	+46/-54	8.04 MB	eslintbot
eslint-plugin-promise	4.2.1...4.3.1	None	+0/-0	40.2 kB	xjamundx
redis	3.1.1...3.1.2	None	+1/-1	198 kB	leibale
dotenv	8.2.0...8.6.0	None	+0/-0	23.9 kB	motdotla
eslint-plugin-import	2.22.1...2.28.1	None	+61/-107	10.1 MB	ljharb
express-rate-limit	5.1.3...5.5.1	None	+0/-0	22.1 kB	nfriedly
graphql	14.6.0...14.7.0	None	+0/-0	1.83 MB	i1g
typescript	4.2.4...4.9.5	None	+0/-0	66.8 MB	typescript-bot
sass	1.26.3...1.68.0	filesystem	+5/-7	5.48 MB	sassbot
aws-sdk	2.610.0...2.1469.0	environment	+18/-6	88.6 MB	aws-sdk-bot

🚮 Removed packages: @actions/[email protected], @babel/[email protected], @babel/[email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Protestware/Troll package	styled-components	5.3.11	Note: This package prints a protestware console message regarding Ukraine for users with Russian language locale	@primer/[email protected], [email protected] via package.json package.json

Next steps

What is protestware and troll packages?

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Consider that consuming this package my come along with functionality unrelated to its primary purpose.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore [email protected]