fix(security): patch SSRF + high-severity CVEs in next + OpenNext#44
Merged
Audit (/m:audit --security) flagged 51 npm vulns, 2 hitting the production runtime:

- @opennextjs/cloudflare 1.14.4 → 1.19.11: SSRF via /cdn-cgi/ path-normalization bypass (GHSA-c7mq-gh6q-6q7c). This is the live Cloudflare Workers server adapter — the built worker ships its runtime shim, so even though it's a devDependency the vuln reaches production. Highest-priority fix.
- next 16.0.10 → 16.2.6: high-severity set (Server-Actions CSRF via null origin, middleware/proxy bypass, RSC cache poisoning, image-optimizer DoS). Several target the middleware GPC/AB surface.

Also bumped eslint-config-next to match (16.2.6) and ran npm audit fix for transitive criticals (fast-xml-parser, serialize-javascript, minimatch, etc.). Result: 51 → 4 vulns.

The remaining 4 are all moderate build-chain transitives (postcss XSS via next, @opennextjs/aws) whose only "fix" npm offers is a catastrophic downgrade — next→9.3.3 (destroys the app) or @opennextjs→1.14.1 (reintroduces the SSRF just fixed). They are build-time only (PostCSS never serves user content) with no real runtime exposure and no forward fix available, so they are left intentionally. Do NOT run `npm audit fix --force`.

Verified: lint + typecheck clean, 80 tests pass, `next build` + `opennextjs-cloudflare build` both succeed (worker.js produced).

Note: 16.3.x is canary-only; 16.2.6 is the latest stable 16.x.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The @opennextjs/cloudflare 1.19.11 upgrade in this PR pulls a newer transitive wrangler that requires Node.js >= 22. CI's setup-node was pinned to node-version 20, so `wrangler dev` aborted on startup with "Wrangler requires at least Node.js v22.0.0" — the wrangler-smoke job's worker never came up and the readiness probe timed out.

Bumps node-version 20 → 22 in both ci.yml (Lint+Tests, wrangler-smoke) and deploy.yml.

This is distinct from the earlier Actions-runtime bump (PR #38: checkout/setup-node action versions) — that was the action's own Node runtime; this is the Node the action provisions for the project toolchain.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Closes the critical finding from `/m:audit --security`: 51 → 4 npm vulnerabilities, eliminating both production-runtime CVEs.
Plus `npm audit fix` for transitive criticals (fast-xml-parser, serialize-javascript, minimatch, etc.).
Why the OpenNext SSRF matters even as a devDependency
`@opennextjs/cloudflare` is a build tool (`opennextjs-cloudflare build`), so npm classifies it as dev. But the built worker bundle ships its runtime shim — the SSRF reaches production. This was the audit's single 🔴 critical, prioritized accordingly.
The 4 remaining vulns are intentionally left
All moderate, all build-chain transitives (`postcss` XSS via next, `@opennextjs/aws`). npm's only offered "fix" is a catastrophic downgrade:
They're build-time only (PostCSS never serves user content), no real runtime exposure, no forward fix available. Do NOT run `npm audit fix --force` — it would downgrade into the vulnerabilities we just patched.
Verification
Note on version ceiling
16.3.x is canary-only right now; 16.2.6 is the latest stable 16.x, so that's the target. When 16.3.x goes stable with further fixes, a follow-up bump is worth it.
Follow-up (separate, not in this PR): waitlist rate limiting (SEC-02)
The audit also flagged `/api/waitlist` has no rate limiting — an unauthenticated POST that writes a Notion row + spends quota per call. Now that the splash is down and the site is live, this is worth doing. Best handled as a Cloudflare WAF rate-limit rule (dashboard, keyed on `CF-Connecting-IP`) rather than code, since there's no KV/DO binding wired up. Flagging for @MP2EZ to add in the Cloudflare dashboard — not blocking this PR.
🤖 Generated with Claude Code
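The triage rule the PR applies to its audit results (anything high or critical must be fixed; a moderate whose only offered fix is a semver-major change, which is what `npm audit fix --force` would apply, is recorded and left in place), written out as an added Python check over `npm audit --json` output. This is example code, not part of the PR; the embedded report is constructed to mirror the cases the PR describes and is not the repo's real audit output.

```python
"""Triage an `npm audit --json` report (auditReportVersion 2 format).

Added example, not part of the PR. Policy mirrors the PR's reasoning:
  * any high/critical finding is actionable and should fail CI;
  * a moderate finding whose only offered fix is a semver-major change
    (what `npm audit fix --force` would apply) is recorded as accepted
    instead of auto-fixed, so a downgrade never happens silently.
"""
import json

FAIL_ON = {"high", "critical"}

# Constructed sample report (not real audit output): one critical transitive
# with a forward fix, one moderate whose only "fix" is a semver-major
# downgrade of a root package, and one info-level entry with no fix at all.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "fast-xml-parser": {"name": "fast-xml-parser", "severity": "critical",
                            "isDirect": False, "effects": [],
                            "fixAvailable": True},
        "postcss": {"name": "postcss", "severity": "moderate", "isDirect": False,
                    "effects": ["next"],
                    "fixAvailable": {"name": "next", "version": "9.3.3",
                                     "isSemVerMajor": True}},
        "some-glob-lib": {"name": "some-glob-lib", "severity": "info",
                          "isDirect": False, "effects": [], "fixAvailable": False},
    },
})


def triage(report_json, fail_on=FAIL_ON):
    """Return (actionable, accepted): package names that must be fixed now,
    and findings whose only fix is semver-major and are left in on purpose."""
    vulns = json.loads(report_json).get("vulnerabilities", {})
    actionable, accepted = [], []
    for name, v in sorted(vulns.items()):
        fix = v.get("fixAvailable", False)
        semver_major = isinstance(fix, dict) and fix.get("isSemVerMajor", False)
        if v["severity"] in fail_on:
            actionable.append(name)  # never accept high/critical, fix or not
        elif semver_major:
            # The only offered fix would force a major bump/downgrade of a root
            # package: record it for review instead of letting --force apply it.
            accepted.append(f"{name} ({v['severity']}): only fix is "
                            f"{fix['name']}@{fix['version']} (semver-major)")
    return actionable, accepted


if __name__ == "__main__":
    must_fix, left = triage(SAMPLE_REPORT)
    print("actionable:", must_fix)
    print("accepted (documented, not auto-fixed):", *left, sep="\n  ")
    raise SystemExit(1 if must_fix else 0)  # non-zero fails the CI step
```

Run it against real output with `npm audit --json > audit.json` and pass the file contents to `triage`; the exit status is what a CI step would gate on.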