Skip to content

chore: Upgrade next dev and test dependency for security patch #16724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jun 25, 2025
Merged

chore: Upgrade next dev and test dependency for security patch #16724

merged 3 commits into from
Jun 25, 2025

Conversation

@AbhiPrasad
Copy link
Member

resolves https://github.com/getsentry/sentry-javascript/security/dependabot/538
resolves https://github.com/getsentry/sentry-javascript/security/dependabot/534
resolves https://github.com/getsentry/sentry-javascript/security/dependabot/533

Next.js dependencies were upgraded to address a security vulnerability concerning authorization bypass in middleware.

  • The next dependency in packages/nextjs/package.json was updated from 13.2.0 to 13.5.9.
  • Test applications were also patched:
    • dev-packages/e2e-tests/test-applications/create-next-app/package.json had next upgraded from 14.0.0 to 14.2.25.
    • dev-packages/e2e-tests/test-applications/nextjs-13/package.json had next upgraded from 13.5.7 to 13.5.9.
  • The yarn.lock file was subsequently updated by running yarn install to reflect these new dependency versions and their transitive updates, including @swc/helpers and postcss.
  • Code formatting issues were resolved with yarn fix. Validation checks were run, confirming the upgrades while noting pre-existing, unrelated failures in other packages.

This directly addresses the vulnerability, ensuring the codebase uses patched Next.js versions.

@AbhiPrasad AbhiPrasad requested a review from a team June 24, 2025 20:12
@AbhiPrasad AbhiPrasad self-assigned this Jun 24, 2025
@AbhiPrasad AbhiPrasad requested review from s1gr1d and stephanie-anderson and removed request for a team June 24, 2025 20:12
@AbhiPrasad AbhiPrasad changed the title Upgrade next dependency for security patch chore: Upgrade next dev and test dependency for security patch Jun 24, 2025
@github-actions
Copy link
Contributor

⚠️ This PR is opened against master. You probably want to open it against develop.

@stephanie-anderson stephanie-anderson removed their request for review June 24, 2025 20:14
@AbhiPrasad AbhiPrasad changed the base branch from master to develop June 24, 2025 20:20
@github-actions
Copy link
Contributor

github-actions bot commented Jun 24, 2025
edited
Loading

size-limit report 📦

Path Size % Change Change
@sentry/browser 23.99 kB - -
@sentry/browser - with treeshaking flags 23.76 kB - -
@sentry/browser (incl. Tracing) 38.84 kB - -
@sentry/browser (incl. Tracing, Replay) 76.98 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 70.07 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 81.74 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 93.83 kB - -
@sentry/browser (incl. Feedback) 40.75 kB - -
@sentry/browser (incl. sendFeedback) 28.7 kB - -
@sentry/browser (incl. FeedbackAsync) 33.59 kB - -
@sentry/react 25.76 kB - -
@sentry/react (incl. Tracing) 40.84 kB - -
@sentry/vue 28.36 kB - -
@sentry/vue (incl. Tracing) 40.7 kB - -
@sentry/svelte 24.01 kB - -
CDN Bundle 25.5 kB - -
CDN Bundle (incl. Tracing) 38.92 kB - -
CDN Bundle (incl. Tracing, Replay) 74.83 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) 80.29 kB - -
CDN Bundle - uncompressed 74.5 kB - -
CDN Bundle (incl. Tracing) - uncompressed 115.42 kB - -
CDN Bundle (incl. Tracing, Replay) - uncompressed 229.47 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 242.3 kB - -
@sentry/nextjs (client) 42.47 kB - -
@sentry/sveltekit (client) 39.33 kB - -
@sentry/node 150.87 kB - -
@sentry/node - without tracing 98.64 kB +0.01% +1 B 🔺
@sentry/aws-serverless 124.4 kB +0.01% +1 B 🔺

View base workflow run

@AbhiPrasad AbhiPrasad force-pushed the cursor/upgrade-next-dependency-for-security-patch-204d branch from e572f31 to b54a4e2 Compare June 24, 2025 20:22
@rohan-at-sentry
Copy link

@sentry review

1 similar comment
@suejung-sentry
Copy link
Member

@sentry review

@seer-by-sentry
Copy link

On it! We are reviewing the PR and will provide feedback shortly.

@seer-by-sentry
Copy link

PR Description

This pull request upgrades the Next.js version used in the Sentry Next.js SDK's test applications and development dependencies. The goal is to ensure compatibility and leverage the latest features and bug fixes provided by Next.js.

Click to see more

Key Technical Changes

The core changes involve updating the next dependency version in three package.json files: dev-packages/e2e-tests/test-applications/create-next-app/package.json (from 14.0.0 to 14.2.25), dev-packages/e2e-tests/test-applications/nextjs-13/package.json (from 13.5.7 to 13.5.9), and packages/nextjs/package.json (from 13.2.0 to 13.5.9 in devDependencies). The yarn.lock file is updated to reflect these dependency changes, including updates to @next/env, @swc/helpers, platform-specific SWC binaries, busboy, and watchpack.

Architecture Decisions

No significant architectural decisions were made. The changes primarily involve dependency updates. The selection of specific Next.js versions (14.2.25 and 13.5.9) likely reflects a balance between stability, feature set, and compatibility with the existing Sentry Next.js SDK.

Dependencies and Interactions

This change directly impacts the test applications used for end-to-end testing of the Sentry Next.js SDK. It also affects the development environment for the SDK itself. The updated dependencies, particularly @swc/helpers, busboy, and watchpack, could potentially interact with the SDK's build process, runtime behavior, and file watching capabilities. The peer dependency range for next in packages/nextjs/package.json is important for ensuring compatibility with different Next.js versions.

Risk Considerations

The primary risk is potential breaking changes introduced by the Next.js upgrades, especially the minor version jump from 14.0.0 to 14.2.25. Thorough testing of the test applications is crucial to identify any regressions or compatibility issues. The updated SWC helpers and other dependencies could also introduce unexpected behavior. It's important to verify that the Sentry Next.js SDK continues to function correctly across all supported Next.js versions after these changes.

Notable Implementation Details

The test:build-13 script in create-next-app/package.json uses a specific Next.js version (13.4.19) that is different from the upgraded version in the nextjs-13 test application. This inconsistency should be addressed to ensure accurate testing. The yarn.lock changes include updates to platform-specific SWC binaries, which require testing on different platforms to prevent build failures.

@AbhiPrasad AbhiPrasad enabled auto-merge (squash) June 25, 2025 13:05
@AbhiPrasad AbhiPrasad merged commit 2c4cb5c into develop Jun 25, 2025
162 of 163 checks passed
@AbhiPrasad AbhiPrasad deleted the cursor/upgrade-next-dependency-for-security-patch-204d branch June 25, 2025 13:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@s1gr1d s1gr1d s1gr1d approved these changes

Assignees

@AbhiPrasad AbhiPrasad

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@AbhiPrasad @rohan-at-sentry @suejung-sentry @s1gr1d @cursoragent