-5

.changeset/brave-buses-thank.md

reviewed

··· 1 1 - --- 2 2 - '@urql/next': patch 3 3 - --- 4 4 - 5 5 - Fix `CVE-2024-24556`, addressing an XSS vulnerability, where `@urql/next` failed to escape HTML characters in JSON payloads injected into RSC hydration bodies. When an attacker is able to manipulate strings in the JSON response in RSC payloads, this could cause HTML to be evaluated via a typical XSS vulnerability (See [`GHSA-qhjf-hm5j-335w`](https://github.com/urql-graphql/urql/security/advisories/GHSA-qhjf-hm5j-335w) for details.)

+1 -1

examples/with-next/package.json

reviewed

··· 4 4 "private": true, 5 5 "dependencies": { 6 6 "@urql/core": "^4.2.3", 7 7 - "@urql/next": "^1.1.0", 7 7 + "@urql/next": "^1.1.1", 8 8 "graphql": "^16.6.0", 9 9 "next": "13.4.2", 10 10 "react": "^18.2.0",

+7

packages/next-urql/CHANGELOG.md

reviewed

··· 1 1 # Changelog 2 2 3 3 + ## 1.1.1 4 4 + 5 5 + ### Patch Changes 6 6 + 7 7 + - ⚠️ Fix `CVE-2024-24556`, addressing an XSS vulnerability, where `@urql/next` failed to escape HTML characters in JSON payloads injected into RSC hydration bodies. When an attacker is able to manipulate strings in the JSON response in RSC payloads, this could cause HTML to be evaluated via a typical XSS vulnerability (See [`GHSA-qhjf-hm5j-335w`](https://github.com/urql-graphql/urql/security/advisories/GHSA-qhjf-hm5j-335w) for details.) 8 8 + Submitted by [@JoviDeCroock](https://github.com/JoviDeCroock) (See [`4b7011b7`](https://github.com/urql-graphql/urql/commit/4b7011b70d5718728ff912d02a4dbdc7f703540d)) 9 9 + 3 10 ## 1.1.0 4 11 5 12 ### Minor Changes

+1 -1

packages/next-urql/package.json

reviewed

··· 1 1 { 2 2 "name": "@urql/next", 3 3 - "version": "1.1.0", 3 3 + "version": "1.1.1", 4 4 "description": "Convenience wrappers for using urql with NextJS.", 5 5 "sideEffects": false, 6 6 "homepage": "https://formidable.com/open-source/urql/docs/",