fix(adapter-nextjs): allow Next.js preview/prerelease version tags#660
fix(adapter-nextjs): allow Next.js preview/prerelease version tags#660soleo wants to merge 2 commits into
Conversation
Next.js now ships builds under a preview tag (e.g. next@preview),
which resolves to prerelease versions like "16.3.0-preview". semver's
satisfies() excludes prerelease versions from a range unless a matching
prerelease comparator already exists for the same [major, minor, patch]
tuple, so these safe preview builds were wrongly flagged as vulnerable
and blocked by checkNextJSVersion.
Pass { includePrerelease: true } so preview/canary builds are matched
against SAFE_NEXTJS_VERSIONS. All existing canary boundary checks
(e.g. <14.3.0-canary.77) still behave identically.
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
There was a problem hiding this comment.
Code Review
This pull request updates the Next.js version check to allow prerelease versions (such as 16.3.0-preview) by passing { includePrerelease: true } to the semver satisfies check, and adds a corresponding test case. However, the reviewer points out that applying this option globally across all safe ranges introduces a security vulnerability, as it would incorrectly allow vulnerable prerelease versions (e.g., 16.1.0-canary.2) to satisfy bounded ranges. The reviewer suggests splitting the ranges to only apply includePrerelease to the open-ended safe range, and adding test cases to verify that vulnerable prerelease versions are correctly blocked.
Per review: applying { includePrerelease: true } to the whole
SAFE_NEXTJS_VERSIONS range relies on semver's prerelease-aware tilde
bounds and loosens the bounded `~`/`<` comparators of older lines.
Instead, run the default strict check (stable versions + canary
boundary) and only enable includePrerelease for the open-ended
>=16.1.0 range, where every prerelease is guaranteed to be on the
patched line.
Adds regression tests asserting prereleases of unpatched minors
(16.1.0-canary.2, 15.1.0-canary.2) stay blocked.
|
Good catch — applying const SAFE_NEXTJS_PRERELEASE_RANGE = ">=16.1.0";
if (
!satisfies(version, SAFE_NEXTJS_VERSIONS) && // strict: stable + canary boundary
!satisfies(version, SAFE_NEXTJS_PRERELEASE_RANGE, { includePrerelease: true }) // prereleases of the patched line only
) {
throw ...
}This keeps strict prerelease matching for the bounded One nuance I verified against That said, your underlying point stands: the global flag relied on that subtle tilde behavior and did loosen the bounded windows in general (e.g. it would admit |
bc96b48 to
a85a9e9
Compare
|
@jamesdaniels would you be able to review this PR? just wondering if we can get it merged since it is a very straightforward fix for a version check issue here. |
Closes #661
Problem
Next.js now ships builds under a
previewtag (e.g.next@preview), which resolves to prerelease versions like16.3.0-preview. The version guard incheckNextJSVersionuses semver'ssatisfies(version, SAFE_NEXTJS_VERSIONS), but by default semver excludes prerelease versions from a range unless a matching prerelease comparator already exists for the same[major, minor, patch]tuple.Since
SAFE_NEXTJS_VERSIONSonly contains one prerelease comparator (<14.3.0-canary.77), a safe preview build such as16.3.0-previewdoes not satisfy>=16.1.0and is wrongly flagged as vulnerable, blocking deployment with theCVE-2025-55182error.Fix
Pass
{ includePrerelease: true }tosatisfiesso preview/canary builds are matched against the safe-version range.I verified against
semver@7.7.3(the pinned version) that this is purely additive for the safe set and changes nothing for the existing canary boundary checks:16.3.0-preview14.3.0-canary.7614.3.0-canary.7714.3.0-canary.7815.0.0-canary.216.0.616.0.7/15.4.8/15.0.5/14.0.12All vulnerable versions remain blocked.
Testing
Added a
16.3.0-previewcase to the existingblock vulnerable nextjs versionsunit test. Built@apphosting/common+@apphosting/adapter-nextjsand ran the suite:🤖 Generated with Claude Code