[dd] update the nextjs and axios package to the most stable version #5942
dacdao1 wants to merge 2 commits into mage-ai:master from
Conversation
@dacdao1 Upgrading NextJS (and Axios) is certainly welcome. Thank you for creating this PR. Since this is a significant upgrade for NextJS (that may cause some breaking changes), it might make sense to upgrade to the latest stable version of NextJS available, which would be v16.0.1, though that is very recent and just released last month. Otherwise, we may have to do another major upgrade for NextJS pretty soon, which could save some effort/time. Do you think you'd be able to upgrade NextJS in Mage to v16? Or does it make sense to just upgrade to v14? Regardless of whether it's v14 or v16, some things to keep in mind:
Hi, yes, I didn't know how far ahead the team wanted to update the NextJS version, since both issues had been out there for a while. However, I would look into version 16 versus 14 before providing an update, as I am unsure of the significance of such an update for the current frontend codebase. Let me conduct further research and then perform additional code updates to improve performance and address any non-backward-compatible issues.


Description
With Mage-AI's current version (0.9.78), it utilizes the Next.js package version 12.3.4, which has some vulnerability issues, primarily GHSA-c59h-r6p8-q9wc (https://nvd.nist.gov/vuln/detail/CVE-2023-46298), #5785. I updated the package to 14.2.33, which has solved the CVE-2023-46298 issue, and it is also backward compatible, unlike version 13 of Next.js, which has a different routing method (using /api instead of /pages) and other issues. I know we were not planning to update the Next.js package last year (#5226), but I don't know if the team would still like to upgrade the package.
Axios version 0.27.2 has several vulnerability issues here (https://security.snyk.io/package/npm/axios/0.27.2), and updating to 0.30.2 is the bare minimum to mitigate some of the vulnerabilities on the list.
How Has This Been Tested?
Checklist
cc:
Hi @johnson-mage, I would like to know if we can update the Next.js and Axios packages to a more secure version. I don't want to update Next.js to version 13 because I would have to change the codebase to match the new routing pattern, which might break other parts of the application. The safest version is 14.2.33, and I didn't want to update to version 15 since I haven't had a chance to build with that version yet. Axios also has some vulnerabilities, and the current package indication, ^0.27.2, might still download either version 0.27 or 0.28 (which might still have some vulnerabilities). By having version ^0.30.2, we would at least be on a safer version while not breaking anything else in the current codebase.
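The check below is an added example and is not code from this PR or from the mage-ai project. It is a dependency-free Node script that reads a package.json, computes the version interval each exact, `~` or `^` spec permits under npm's semver rules, and flags any dependency whose lower bound is below a required floor, so a range that can still install a version with a known advisory is caught in CI rather than noticed after install. The floors are the versions named in this PR (next 14.2.33, axios 0.30.2); the package.json contents are a constructed sample, not the project's file.

```javascript
// Added example (not part of the mage-ai PR): audit package.json dependency
// ranges against a minimum safe version per package. No "semver" package needed.

// Floors taken from the PR discussion (next 14.2.33, axios 0.30.2).
const SAFE_FLOORS = { next: "14.2.33", axios: "0.30.2" };

// Constructed sample resembling the pre-upgrade state described in the PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "mage-frontend-sample",
  dependencies: { next: "^12.3.4", axios: "^0.27.2", react: "^18.2.0" },
});

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1, comparing major, then minor, then patch numerically.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Interval a spec allows, as { min, maxExclusive }. Supports exact versions,
// "~" (patch updates only) and "^" (npm semantics: for 0.x versions the caret
// also permits only patch updates, so ^0.27.2 means >=0.27.2 <0.28.0).
function allowedRange(spec) {
  const s = spec.trim();
  const op = s[0] === "^" || s[0] === "~" ? s[0] : "";
  const [major, minor, patch] = parseVersion(op ? s.slice(1) : s);
  const min = `${major}.${minor}.${patch}`;
  if (op === "") return { min, maxExclusive: `${major}.${minor}.${patch + 1}` };
  if (op === "~") return { min, maxExclusive: `${major}.${minor + 1}.0` };
  if (major > 0) return { min, maxExclusive: `${major + 1}.0.0` };
  if (minor > 0) return { min, maxExclusive: `0.${minor + 1}.0` };
  return { min, maxExclusive: `0.0.${patch + 1}` };
}

// For every floored package present in dependencies/devDependencies, report the
// declared range and whether its lower bound meets the floor. A lower bound
// below the floor means an install can still pick a version under advisory.
function auditDependencies(packageJsonText, floors = SAFE_FLOORS) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, floor] of Object.entries(floors)) {
    if (!(name in deps)) continue;
    const range = allowedRange(deps[name]);
    const ok = compareVersions(range.min, floor) >= 0;
    findings.push({ name, spec: deps[name], ...range, floor, ok });
  }
  return findings;
}

// Stand-alone run: print one line per audited dependency.
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.ok ? "OK  " : "FAIL"} ${f.name} ${f.spec}: allows >=${f.min} <${f.maxExclusive}, floor ${f.floor}`);
  }
}
```

To use it against a real checkout, replace `SAMPLE_PACKAGE_JSON` with `fs.readFileSync("package.json", "utf8")` and exit non-zero when any finding has `ok === false`. The declared range is only a floor; the installed version is what the lockfile records, so the same comparison is worth running over package-lock.json's resolved versions as a second check.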