Sourced from axios's releases.

v0.21.1

0.21.1 (December 21, 2020)

Fixes and Functionality:

• Hotfix: Prevent SSRF (#3410)
• Protocol not parsed when setting proxy config from env vars (#3070)
• Updating axios in types to be lower case (#2797)
• Adding a type guard for AxiosError (#2949)

Internal and Tests:

• Remove the skipping of the socket http test (#3364)
• Use different socket for Win32 test (#3375)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Daniel Lopretto [email protected]
• Jason Kwok [email protected]
• Jay [email protected]
• Jonathan Foster [email protected]
• Remco Haszing [email protected]
• Xianming Zhong [email protected]

Sourced from axios's changelog.

0.21.1 (December 21, 2020)

Fixes and Functionality:

• Hotfix: Prevent SSRF (#3410)
• Protocol not parsed when setting proxy config from env vars (#3070)
• Updating axios in types to be lower case (#2797)
• Adding a type guard for AxiosError (#2949)

Internal and Tests:

• Remove the skipping of the socket http test (#3364)
• Use different socket for Win32 test (#3375)

Huge thanks to everyone who contributed to this release via code (authors listed below) or via reviews and triaging on GitHub:

• Daniel Lopretto [email protected]
• Jason Kwok [email protected]
• Jay [email protected]
• Jonathan Foster [email protected]
• Remco Haszing [email protected]
• Xianming Zhong [email protected]

• a64050a Releasing 0.21.1
• d57cd97 Updating changelog for 0.21.1 release
• 8b0f373 Use different socket for Win32 test (#3375)
• e426910 Protocol not parsed when setting proxy config from env vars (#3070)
• c7329fe Hotfix: Prevent SSRF (#3410)
• f472e5d Adding a type guard for AxiosError (#2949)
• 7688255 Remove the skipping of the socket http test (#3364)
• 820fe6e Updating axios in types to be lower case (#2797)
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• a2c5da8 1.3.8
• af5c6bb Do not use Object.create(null)
• 8b648a1 don't test where our devdeps don't even work
• c74c8af 1.3.7
• 024b8b5 update deps, add linting
• 032fbaf Use Object.create(null) to avoid default object property hazards
• 2da9039 1.3.6
• cfea636 better git push script, before publish instead of after
• 56d2805 do not allow invalid hazardous string as section name
• See full diff in compare view

This version was pushed to npm by isaacs, a new releaser for ini since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from streamlit's releases.

1.11.1

No release notes provided.

1.11.0

No release notes provided.

1.10.0

No release notes provided.

1.9.2

No release notes provided.

1.9.1

No release notes provided.

1.9.0

No release notes provided.

1.8.1

No release notes provided.

1.8.0

No release notes provided.

1.7.0

• ❄️ Add st.snow()!

1.6.0

• 🗜 WebSocket compression is now disabled by default, which will improve CPU and latency performance for large dataframes. You can use the server.enableWebsocketCompression  configuration option to re-enable it if you find the increased network traffic more impactful.
• ☑️ 🔘 Radio and checkboxes improve focus on Keyboard navigation (#4308)

1.5.1

No release notes provided.

1.5.0

Release date: Jan 27, 2022

Notable Changes

• 🌟 Favicon defaults to a PNG to allow for transparency (#4272).
• 🚦 Select Slider Widget now has the disabled parameter that removes interactivity (completing all of our widgets) (#4314).

Other Changes

• 🔤 Improvements to our markdown library to provide better support for HTML (specifically nested HTML) (#4221).
• 📖 Expanders maintain their expanded state better when multiple expanders are present (#4290).
• 🗳 Improved file uploader and camera input to call its on_change handler only when necessary (#4270).

1.4.0

... (truncated)

• b6429b6 Fix linting
• f4b2051 Up version to 1.11.1
• 80d9979 Ignore component requests outside of the component root
• 4a04eef Replace legacy app URLs in docs with custom subdomains (#4959)
• 27c29ac Up version to 1.11.0
• 03babac Test that GitRepo can handle import failures (#4942)
• 4c39606 Fix table overflow styling (#4934)
• 26de600 Fix issue with wrongly applied colors with Pandas styler (#4940)
• ad4547f Fix widgets overwrites from short to long-hand props (#4935)
• 3809637 Add gap param to st.columns (#4887)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from numpy's releases.

v1.21.0

NumPy 1.21.0 Release Notes

The NumPy 1.21.0 release highlights are

• continued SIMD work covering more functions and platforms,
• initial work on the new dtype infrastructure and casting,
• universal2 wheels for Python 3.8 and Python 3.9 on Mac,
• improved documentation,
• improved annotations,
• new PCG64DXSM bitgenerator for random numbers.

In addition there are the usual large number of bug fixes and other improvements.

The Python versions supported for this release are 3.7-3.9. Official support for Python 3.10 will be added when it is released.

:warning: Warning: there are unresolved problems compiling NumPy 1.21.0 with gcc-11.1 .

• Optimization level -O3 results in many wrong warnings when running the tests.
• On some hardware NumPy will hang in an infinite loop.

New functions

Add PCG64DXSM BitGenerator

Uses of the PCG64 BitGenerator in a massively-parallel context have been shown to have statistical weaknesses that were not apparent at the first release in numpy 1.17. Most users will never observe this weakness and are safe to continue to use PCG64. We have introduced a new PCG64DXSM BitGenerator that will eventually become the new default BitGenerator implementation used by default_rng in future releases. PCG64DXSM solves the statistical weakness while preserving the performance and the features of PCG64.

See upgrading-pcg64 for more details.

(gh-18906)

Expired deprecations

• The shape argument numpy.unravel_index cannot be passed as dims keyword argument anymore. (Was deprecated in NumPy 1.16.)

... (truncated)

• b235f9e Merge pull request #19283 from charris/prepare-1.21.0-release
• 34aebc2 MAINT: Update 1.21.0-notes.rst
• 493b64b MAINT: Update 1.21.0-changelog.rst
• 07d7e72 MAINT: Remove accidentally created directory.
• 032fca5 Merge pull request #19280 from charris/backport-19277
• 7d25b81 BUG: Fix refcount leak in ResultType
• fa5754e BUG: Add missing DECREF in new path
• 61127bb Merge pull request #19268 from charris/backport-19264
• 143d45f Merge pull request #19269 from charris/backport-19228
• d80e473 BUG: Removed typing for == and != in dtypes
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from next's releases.

v11.1.3

See https://github.com/vercel/next.js/releases/v12.0.5 for details about this patch.

v11.1.3-canary.105

Core Changes

• Update swc-minify-enabled link: #30290
• Fix middleware header propagation: #30288
• Move outputFileTracing config up: #30295
• Track usage of swc features: #30297
• Ensure null bytes in resolved path are handled: #30313
• Improve deprecation errors for new middleware API: #30316

Documentation Changes

• Add more docs.: #30320

Example Changes

• Update image component example to use AVIF: #30294

Credits

Huge thanks to @​ijjk, @​styfle, @​padmaia, @​javivelasco, and @​leerob for helping!

v11.1.3-canary.104

Misc Changes

• Add necessary workflow job dependencies: #30291

v11.1.3-canary.103

Core Changes

• Warn when mutating res if not streaming: #30284
• Chore/publish all swc: #30289

Credits

Huge thanks to @​kara for helping!

v11.1.3-canary.102

Core Changes

• Add warning when LCP image is missing priority prop: #30221
• New Middleware API signature: #30282
• Fix trace case with tsconfig/jsconfig baseUrl: #30286

Documentation Changes

... (truncated)

• ec1a0f7 v11.1.3
• 4dc9bba Add no-verify-access for lerna
• e314019 use correct token
• 1a40e71 fix lint
• b01acc1 Update branch name to next-11
• 66de88d Use next-11 tag
• 303bc0f Allow publishing on v11-patch branch
• f59c82b Enable GitHub actions for v11-patch branch
• 4888713 Ensure invalid URLs respond with 400 correctly
• 97456e8 v11.1.2
• Additional commits viewable in compare view

This version was pushed to npm by vercel-release-bot, a new releaser for next since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from next's releases.

v11.1.1

Core Changes

• Next.js swc publish flow: #27984
• Ensure config file message is only shown once: #28017
• Add missing fields to NextConfig type: #27974
• use a shared worker pool for collecting page data and static page generation: #27924
• Use @​next scope for native packages: #28046
• Fix generateBuildId type that can be async function: #28040
• Fix image optimization encoding url: #28045
• Clean up Document in preparation for streaming: #28032
• Render as a concatenation of streams: #28082
• Add support for dynamic HTML: #28085
• Support suspense in next dynamic: #27611
• Handle blob urls in image component: #27975
• Bypass webpack compilation for precompiled @​next/polyfills-nomodule: #27596
• Update util to 0.12.4: #27939
• Remove duplicate doctypes: #28089
• Fix revalidate for initial notFound: true paths: #28097
• Add proper error when failing to load next.config.js: #28099
• Fix: wrong link error message: #28127
• Add support for Jaeger trace target: #28129
• Enable pure client suspense in blocking rendering: #28165
• Add entrypoint tracing: #25538
• Add module type to build-module trace: #28128
• Update to latest babel versions: #28174
• Improve jaeger traces: #28168
• fix development mode bug with pages with "+" and other special characters: #28122
• let loaders automatically infer source map setting: #28204
• Avoid fs write next-env.d.ts on read-only filesystems: #28206
• Document usage of suspense option of next/dynamic: #28210
• Add warning when parent styles break next/image: #28221
• Use zen-observable library: #28214
• Fix HMR when custom _app or _document is removed: #28227
• Add relationship between issuer and module to traces: #28192
• Update generating next-server dependencies: #28223
• Fix next/image blur placeholder when JS is disabled: #28269
• Ensure adding _app/_document HMRs correctly: #28279
• upgrade webpack to 5.51.1: #28291
• [ESLint] Adds process.exit to next lint success output: #28299
• Fix next env vars injection in dynamic: #28309
• Add layout to data-nimg attribute: #28312
• Add data attribute to script component: #28310
• Ensure @​babel/core is de-duped when nccing: #28384
• Fix forked NODE_OPTIONS except for inspect: #28420
• [ESLint] Enable caching by default: #28349
• Update test config to leverage swc: #28400
• Add missing typescript property to NextConfig: #28459
• next/script fix duplicate scripts : #28428
• Ensure error is shown correctly for empty headers field: #28430

... (truncated)

• 804971f v11.1.1
• 194d70f v11.1.1-canary.19
• 36d922f Add apiVersion to config (#28610)
• a60690f v11.1.1-canary.18
• 7afc97c Add CSP to Image Optimization API (#28620)
• 8711c5c Tests: Remove unnecessary await (#28594)
• d209435 Small grammar fixes (#28590)
• 04cc37f Add docs for using pageExtensions to colocate other files with page component...
• f1dbc92 Ensure dev server side errors are correct (#28520)
• 27c2937 Update with-jest packages and docs (#28209)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from next's releases.

v11.1.0

A security team from one of our partners noticed an issue in Next.js that allowed for an open redirect to occur.

Specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site.

In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

How to Upgrade

• We have released patch versions for both the stable and canary channels of Next.js.
• To upgrade run npm install next@latest --save

Impact

• Affected: Users of Next.js between 10.0.5 and 10.2.0
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
• Not affected: Deployments on Vercel (vercel.com) are not affected
• Not affected: Deployments with pages/404.js

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

How to Assess Impact

If you think sensitive code or data could have been exposed, you can filter logs of affected sites by // (double slash at the start of the url) followed by a domain.

What is Being Done

As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to Gabriel Benmergui from Robinhood for their investigation and discovery of the original bug and subsequent responsible disclosure.

We've landed a patch that ensures path parsing is handled properly for these paths so that the open redirect can no longer occur.

Regression tests for this attack were added to the security integration test suite

• We have notified known Next.js users in advance of this publication.
• A public CVE was released.
• We encourage responsible disclosure of future reports. Please email us at [email protected]. We are actively monitoring this mailbox.

---

Release notes

Core Changes

• Don't test image domains in test env: #26502
• Fix props not updating when changing the locale and keeping hash: #26205
• Allow user to override next-image-loader: #26548
• Add logging when a custom babelrc is loaded: #26570

... (truncated)

• ce4adfc v11.1.0
• 092a476 v11.0.2-canary.31
• ebb6a30 Revert "Add warning during next build when sharp is missing (#27933)"
• 52486ce v11.0.2-canary.30
• 8ac3254 Revert "Next swc publish flow (#27932)"
• 6014b6e v11.0.2-canary.29
• 4cd45aa Add rootDir setting to eslint-plugin-next (#27918)
• e61ea6f Add manifest check step and add missing items (#27934)
• 94fc6f0 Next swc publish flow (#27932)
• 51a2a02 Add warning during next build when sharp is missing (#27933)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from @​auth0/nextjs-auth0's releases.

v1.4.2

Fixed

• Fix reflected XSS from the callback handler's error query parameter CVE-2021-32702 (adamjmcgrath)

v1.4.0

Added

• withPageAuthRequired CSR now adds user to wrapped component props #405 (adamjmcgrath)

Fixed

• env var substitutions now means you can define AUTH0_BASE_URL from VERCEL_URL in next.config.js #404 (adamjmcgrath)

v1.3.1

Fixed

• Use window.location.toString() as the default returnTo value #370 (Widcket)
• returnTo should be encoded as it contains url unsafe chars #365 (adamjmcgrath)

v1.3.0

Added

• Organizations support #343 (adamjmcgrath)

v1.2.0

Added

• Export UserContext for overriding default hook initialisation behaviour #325 (adamjmcgrath)

Fixed

• returnTo should respect application’s basePath configuration #317 (Widcket)

Sourced from @​auth0/nextjs-auth0's changelog.

1.4.2 (2021-06-24)

Fixed

• Fix reflected XSS from the callback handler's error query parameter CVE-2021-32702 (adamjmcgrath)

1.4.0 (2021-06-03)

Added

• withPageAuthRequired CSR now adds user to wrapped component props #405 (adamjmcgrath)

Fixed

• env var substitutions now means you can define AUTH0_BASE_URL from VERCEL_URL in next.config.js #404 (adamjmcgrath)

1.3.1 (2021-05-05)

Fixed

• Use window.location.toString() as the default returnTo value #370 (Widcket)
• returnTo should be encoded as it contains url unsafe chars #365 (adamjmcgrath)

1.3.0 (2021-03-26)

Added

• Organizations support #343 (adamjmcgrath)

1.2.0 (2021-03-10)

Added

• Export UserContext for overriding default hook initialisation behaviour #325 (adamjmcgrath)

Fixed

• returnTo should respect application’s basePath configuration #317 (Widcket)

• ae4a7c6 Merge pull request #427 from auth0/release-1.4.2
• eb600d5 Release 1.4.2
• 16abf77 Release 1.4.1 (#426)
• 6996e25 Merge pull request from GHSA-954c-jjx6-cxv7
• e051d6a Wrap every handler to escape HTML, not just callback
• 7a84581 Fix reflected XSS from the callback handler's error query parameter
• 36655df Merge pull request #418 from auth0/docx/fix-snippet
• bfc0142 Add missing keyword to doc snippet
• f653967 npm audit fix (#410)
• fdbf883 update formatting (#408)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• 7efb22a 1.2.6
• ef88b93 security notice for additional prototype pollution issue
• c2b9819 isConstructorOrProto adapted from PR
• bc8ecee test from prototype pollution PR
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from next's releases.

v12.1.0

Core Changes

• Relay Support in Rust Compiler: #33702
• fix eslint link-passhref rule: #33857
• update webpack: #33831
• Flush buffered vitals metrics on page mount: #33867
• fix problem with HMR when middleware and page reference the same node_module: #33873
• Refactor page component getter in web server: #33759
• update NextResponse default redirect status to 307 to match docs: #33505
• Bug fix: dynamic page should not be interpreted as predefined page: #33808
• Group streaming experimental apis: #33878
• Encapsulate routing and initial hydration: #33875
• Optimize offline condition judgment: #33238
• Ensure external beforeFiles rewrites are handled with next/link: #33888
• Fix parsing params for i18n optional route in minimal mode: #33896
• Ensure browserslist extends works properly: #33890
• Fix image cache race condition: #33883
• Add support for Relay projects without artifactDirectory: #33918
• fix: handle jsxspreadattribute in inline-script-id eslint rule: #32421
• feat(next-swc): Update swc: #33724
• Update to latest version of amphtml-validator: #33967
• Warn in dev mode when script tags are added with next/head: #33968
• Ensure optional chaining in swc matches babel: #33995
• Use react-dom/server.browser in Node.js: #33950
• Ensure external middleware rewrite is handled correctly: #33962
• Update Terser to v5.10.0, fix minification issues: #33045
• Warn in dev mode when stylesheets are added using next/head: #34004
• Use ReadableStream in RenderResult: #34005
• Fix suffix ordering while streaming: #34011
• Don't use yarn if a package-lock.json file is found: #31926
• Do not warn when application/ld+json scripts are used with next/head: #34021
• Babel & next-swc: Fix exporting page config with AsExpression: #32702
• Detect per page runtime config for functions manifest: #33945
• Add JSDoc to config options: #32915
• Update font-stylesheet-gathering-plugin.ts: #30709
• Add decoratorMetadata flag if enabled by tsconfig: #32914
• fix: data url handling in css-loader: #34034
• Place 'charset' element at the top of : #28119
• Fix detection of anchor click events inside svg: #23272
• Allow passing nothing as custom jest config: #32328
• Fixes #31240: Adding a recursive addPackagePath function in webpack-config: #31264
• Require component rendered as child of Link to pass event to onClick handler: #27723
• Allow scroll prevention on hash change: #31921
• Add support for async fn / promise in next.config.js/.mjs: #33662
• Fix lazyRoot functionality for next/image: #33933
• Change SWC minify from beta to release candidate: #34056
• Make Router state immutable: #33925
• Stop exposing internal render and renderError methods from next/client: #34069
• Add api-utils helper for testing: #34078

... (truncated)

• 8545fd1 v12.1.0
• 1605f30 v12.0.11-canary.21
• 69aedbd Fix typo (#34480)
• f0f322c Remove deprecation for relative URL usage in middlewares (#34461)
• d4d79b2 Fix chunk buffering for server components (#34474)
• 74fa4d4 update webpack (#34477)
• b70397e Revert "Allow reading request bodies in middlewares (#34294)" (#34479)
• 4202011 Update font-optimization test snapshot (#34478)
• 1edd851 Allow reading request bodies in middlewares (#34294)
• ba78437 fix: don't wrap profile in firebase example (#34457)
• Additional commits viewable in compare view

This version was pushed to npm by vercel-release-bot, a new releaser for next since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from nanoid's changelog.

Change Log

This project adheres to Semantic Versioning.

3.2

• Added --size and --alphabet arguments to binary (by Vitaly Baev).

3.1.32

• Reduced async exports size (by Artyom Arutyunyan).
• Moved from Jest to uvu (by Vitaly Baev).

3.1.31

• Fixed collision vulnerability on object in size (by Artyom Arutyunyan).

3.1.30

• Reduced size for project with brotli compression (by Anton Khlynovskiy).

3.1.29

• Reduced npm package size.

3.1.28

• Reduced npm package size.

3.1.27

• Cleaned dependencies from development tools.

3.1.26

• Improved performance (by Eitan Har-Shoshanim).
• Reduced npm package size.

3.1.25

• Fixed browserify support.

3.1.24

• Fixed browserify support (by Artur Paikin).

3.1.23

• Fixed esbuild support.

3.1.22

• Added default and browser.default to package.exports.

3.1.21

• Reduced npm package size.

• 23b1369 Release 3.2 version
• 967788e Remove TS test tools
• 27eaa90 Simplify new binary tool
• a9d9123 Update dependencies
• 32b9bda Allows passing size or custom alphabet via cli as args (#334)
• 246d5f8 Update vite
• afdf9c9 doc: Fixed Typo (#335)
• 90a446f Update benchmark results
• 8ba2319 bench: add @​napi-rs/uuid v4 (#333)
• f425778 Release 3.1.32 version
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from @​auth0/nextjs-auth0's releases.

v1.6.2

Fixed

• Fix issue where error reporting wrong instanceof #543 (adamjmcgrath)

Security

• Enforce configured host on user supplied returnTo #557 (adamjmcgrath)

v1.6.1

Fixed

• [Snyk] Upgrade openid-client from 4.8.0 to 4.9.0 #518 (snyk-bot)

v1.6.0

Added

• SDK-2818 Export error classes #508 (adamjmcgrath)
• SDK-2529 Add ability to pass custom params to refresh grant and code exchange #507 (adamjmcgrath)
• SDK-2813 Add afterRefresh hook #506 (adamjmcgrath)

Fixed

• Fix types in server-side withPageAuthRequired #512 (Widcket)

v1.5.0

Added

• Add IE11 support #432 (Widcket)

v1.4.2

Fixed

• Fix reflected XSS from the callback handler's error query parameter CVE-2021-32702 (adamjmcgrath)

v1.4.0

Added

• withPageAuthRequired CSR now adds user to wrapped component props #405 (adamjmcgrath)

Fixed

• env var substitutions now means you can define AUTH0_BASE_URL from VERCEL_URL in next.config.js #404 (adamjmcgrath)

v1.3.1

Fixed

... (truncated)

Sourced from @​auth0/nextjs-auth0's changelog.

v1.6.2 (2021-12-16)

Full Changelog

Fixed

• Fix issue where error reporting wrong instanceof #543 (adamjmcgrath)

Security

• Enforce configured host on user supplied returnTo #557 (adamjmcgrath)

v1.6.1 (2021-10-13)

Full Changelog

Fixed

• [Snyk] Upgrade openid-client from 4.8.0 to 4.9.0 #518 (snyk-bot)

v1.6.0 (2021-10-11)

Full Changelog

Added

• [SDK-2818] Export error classes #508 (adamjmcgrath)
• [SDK-2529] Add ability to pass custom params to refresh grant and code exchange #507 (adamjmcgrath)
• [SDK-2813] Add afterRefresh hook #506 (adamjmcgrath)

Fixed

• Fix types in server-side withPageAuthRequired #512 (Widcket)

1.5.0 (2021-07-14)

Added

• Add IE11 support #432 (Widcket)

1.4.2 (2021-06-24)

Fixed

• Fix reflected XSS from the callback handler's error query parameter CVE-2021-32702 (adamjmcgrath)

1.4.0 (2021-06-03)

Added

• withPageAuthRequired CSR now adds user to wrapped component props #405 (adamjmcgrath)

Fixed

• env var substitutions now means you can define AUTH0_BASE_URL from VERCEL_URL in next.config.js #404 (adamjmcgrath)

1.3.1 (2021-05-05)

... (truncated)

• 762da1e Merge pull request #558 from auth0/release/v1.6.2
• 35f3f89 Release v1.6.2
• 0bbd9f8 Enforce configured host on user supplied returnTo (#557)
• 129650d Bump next from 11.1.2 to 11.1.3 (#556)
• c5d4fff fix: upgrade http-errors from 1.8.0 to 1.8.1 (#553)
• f7323d0 Merge pull request #543 from auth0/error-instanceof
• 1954087 Fix issue where error reporting wrong instanceof
• 3060c89 Merge pull request #531 from auth0/snyk-upgrade-fbe7e8fa031d12c55e1e6a76583750d5
• d1eea0d fix: upgrade openid-client from 4.9.0 to 4.9.1
• 994bd60 Merge pull request #530 from auth0/caching-readme
• Additional commits viewable in compare view

This version was pushed to npm by auth0-oss, a new releaser for @​auth0/nextjs-auth0 since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from glob-parent's releases.

v5.1.2

Bug Fixes

• eliminate ReDoS (#36) (f923116)

Sourced from glob-parent's changelog.

5.1.2 (2021-03-06)

Bug Fixes

• eliminate ReDoS (#36) (f923116)

6.0.0 (2021-05-03)

⚠ BREAKING CHANGES

• Correct mishandled escaped path separators (#34)
• upgrade scaffold, dropping node <10 support

Bug Fixes

• Correct mishandled escaped path separators (#34) (32f6d52), closes #32

Miscellaneous Chores

• upgrade scaffold, dropping node <10 support (e83d0c5)

• eb2c439 chore: update changelog
• 12bcb6c chore: release 5.1.2
• f923116 fix: eliminate ReDoS (#36)
• 0b014a7 chore: add JSDoc returns information (#33)
• 2b24ebd chore: generate initial changelog
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.