Update dependency @opennextjs/cloudflare to v1.17.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@opennextjs/cloudflare (source)	1.6.2 → 1.17.1

---

opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass

CVE-2026-3125 / GHSA-c7mq-gh6q-6q7c

More information

Details

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @​opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler.

The @​opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetch of arbitrary remote URLs.

For example: https://victim-site.com/cdn-cgi\image/aaaa/https://attacker.com

In this example, attacker-controlled content from attacker.com is served through the victim site's domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Note: This bypass only works via HTTP clients that preserve backslashes in paths (e.g., curl --path-as-is). Browsers normalize backslashes to forward slashes before sending requests.

Additionally, Cloudflare Workers with Assets and Cloudflare Pages suffer from a similar vulnerability. Assets stored under /cdn-cgi/ paths are not publicly accessible under normal conditions. However, using the same backslash bypass (/cdn-cgi... instead of /cdn-cgi/...), these assets become publicly accessible. This could be used to retrieve private data. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.

Impact

• SSRF via path normalization bypass of Cloudflare edge interception
• Arbitrary remote content loading under the victim site's domain
• Same-origin policy bypass
• Potential for infrastructure abuse (scanning from Cloudflare IP space, worker resource exhaustion)
• Exposure of private assets stored under /cdn-cgi/ paths. For example, Open Next projects store incremental cache data under /cdn-cgi/_next_cache, which could be exposed via this bypass.

Credits

Disclosed responsibly by security researcher @​Ezzer17.

Mitigations

The following mitigations have been put in place:

Server-side updates to Cloudflare's Workers platform to block backslash path normalization bypasses for /cdn-cgi requests. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare Workers.

In addition to the platform level fix, Root cause fix has been implemented to the Cloudflare adapter for Open Next. The patched version of the adapter is found at @​opennextjs/cloudflare@1.17.1 (https://www.npmjs.com/package/@​opennextjs/cloudflare)

Dependency update to the Next.js template used with create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. Despite the automatic mitigation deployed on Cloudflare's platform, we encourage affected users to upgrade to the patched version of @​opennextjs/cloudflare.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N

References

• https://github.com/opennextjs/opennextjs-cloudflare/security/advisories/GHSA-c7mq-gh6q-6q7c
• https://nvd.nist.gov/vuln/detail/CVE-2026-3125
• https://github.com/opennextjs/opennextjs-cloudflare/pull/1147
• https://github.com/opennextjs/opennextjs-cloudflare/commit/f5bd138fd3c77e02f2aa4b9c76d55681e59e98b4
• https://github.com/advisories/GHSA-rvpw-p7vw-wj3m
• https://www.cve.org/cverecord?id=CVE-2025-6087
• https://www.npmjs.com/package/@​opennextjs/cloudflare/v/1.17.1
• https://github.com/advisories/GHSA-c7mq-gh6q-6q7c

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

opennextjs/opennextjs-cloudflare (@​opennextjs/cloudflare)

v1.17.1

Compare Source

Patch Changes

• #​1147 f5bd138 Thanks @​vicb! - make dev /cdn-cgi/image behaves like prod for consistency

v1.17.0

Compare Source

Minor Changes

• #​1133 25d5835 Thanks @​dario-piotrowicz! - Update the migrate command to attempt to create an R2 bucket for caching, if that is not possible an application without caching enabled will be generated instead.

v1.16.6

Compare Source

Patch Changes

• #​1138 4487f1f Thanks @​james-elicx! - Fix the CLI potentially setting a future compatibility date in the wrangler config when workerd has published a version matching a future date, by capping to the current date.

v1.16.5

Compare Source

Patch Changes

• #​1127 2b437f1 Thanks @​dario-piotrowicz! - In the migrate command, add an initial step to create a Next.js config file (required by open-next) if it doesn't exist

• #​1126 8c3a36e Thanks @​alex-all3dp! - fix: prevent Worker hang on HEAD requests to static assets

v1.16.4

Compare Source

Patch Changes

• #​1122 6c94a4a Thanks @​dario-piotrowicz! - In migrate command, avoid adding unnecessary newlines when creating files

• #​1122 6c94a4a Thanks @​dario-piotrowicz! - fix migrate command incorrectly erroring if the target application doesn't have a public directory

• #​1122 6c94a4a Thanks @​dario-piotrowicz! - Bump @opennextjs/aws to 3.9.16

  • Fix migrate command not updating Next.js config files
  • Fixes #​1062, #​1115

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.16

• #​1097 fea645f Thanks @​dario-piotrowicz! - Add --help and --version to the opennextjs-cloudflare CLI

  Improve the opennextjs-cloudflare CLI by:

  • ensuring that unknown commands (e.g., opennextjs-cloudflare foo) display a clear and helpful error message
  • adding a -h|--help flag to display the CLI's help message
  • adding a -v|--version flag to display the package's version

v1.16.3

Compare Source

Patch Changes

• #​1113 09c41f1 Thanks @​anonrig! - bump @opennextjs/aws to 3.9.15

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.15

v1.16.2

Compare Source

Patch Changes

• #​1105 e6938a0 Thanks @​vicb! - allow using a regional cache with KV

v1.16.1

Compare Source

Patch Changes

• #​1100 8676c78 Thanks @​vicb! - Empty NextNodeServer#handleNextImageRequest to avoid pulling unneeded deps (in #​1098)

v1.16.0

Compare Source

Minor Changes

• #​1083 b062597 Thanks @​dario-piotrowicz! - feature: add migrate command to set up OpenNext for Cloudflare adapter

  This command helps users migrate existing Next.js applications to the OpenNext Cloudflare adapter by automatically setting up all necessary configuration files, dependencies, and scripts.

  To use the command simply run: npx opennextjs-cloudflare migrate

Patch Changes

• #​1092 4279043 Thanks @​vicb! - Check for supported Next version

  The build will now error for unsupported Next version which may contain unpatched security vulnerabilities.
  You can bypass the check using the --dangerouslyUseUnsupportedNextVersion flag.

v1.15.1

Compare Source

Patch Changes

• #​1085 74302ec Thanks @​vicb! - fix the detection of the runtime (webpack vs turbopack)

v1.15.0

Compare Source

Minor Changes

• #​1081 ae3d43d Thanks @​vicb! - Next 16 is now supported

Patch Changes

• #​1076 c99eefd Thanks @​vicb! - fix: do not bundle og when not used

  This saves ~500kB when og is not used

• #​1079 6ac789a Thanks @​vicb! - fix: use the correct runtime (i.e. webpack or turbopack)

• #​1078 249f738 Thanks @​vicb! - drop unused react-dom modules

  This saves ~500kB on the output bundle

v1.14.10

Compare Source

Patch Changes

• #​1071 886c742 Thanks @​vicb! - fix: patch Next config for missing fields.

  There was a regression in Next 16.1.0 (vercel/next.js#86830) and some fields were missing in the config.
  The Next team fixed that in 16.1.4 (vercel/next.js#88733).

  This PR introduce a patch for 16.1.0-16.1.3

v1.14.9

Compare Source

Patch Changes

• #​1070 f7c6b3a Thanks @​vicb! - bump @opennextjs/aws to 3.9.8

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.8

• #​1057 0230cbe Thanks @​vicb! - Do not inject setImmediate/clearImmediate in the global scope

• #​1069 4ee4ba3 Thanks @​vicb! - Check that wrangler is >= 4.59.2 when building Next 16.1+.

  To ensure workerd has a required fix to setImmediate

v1.14.8

Compare Source

Patch Changes

• #​1064 9222070 Thanks @​vicb! - fix r2 bulk put to respect bucket jurisdiction

v1.14.7

Compare Source

Patch Changes

• #​1053 d447125 Thanks @​vicb! - Support composable cache in Next 16

v1.14.6

Compare Source

Patch Changes

• #​1043 c83cb83 Thanks @​vicb! - fix for CVE-2025-67779

  See https://nextjs.org/blog/security-update-2025-12-11

v1.14.5

Compare Source

Patch Changes

• #​1042 763c4ec Thanks @​vicb! - Bump Next, React, and @​opennextjs/aws to fix vulnerabilities (CVE-2025-55184 and CVE-2025-55183)

  See https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  See https://nextjs.org/blog/security-update-2025-12-11
  See https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.5

• #​1034 721bff0 Thanks @​james-elicx! - output more wrangler command logs when the command fails

• #​1023 a4a2f02 Thanks @​dario-piotrowicz! - When running wrangler deploy add a OPEN_NEXT_DEPLOY environment variable to let wrangler know that it is being run by open-next

v1.14.4

Compare Source

Patch Changes

• #​1020 07919d8 Thanks @​dario-piotrowicz! - Add missing WORKER_SELF_REFERENCE service binding in the wrangler.jsonc that the CLI creates

• #​1032 1de4899 Thanks @​vicb! - fix(images): allow any local path when no localPatterns are specified

v1.14.3

Compare Source

Patch Changes

• #​1025 c3aba94 Thanks @​vicb! - bump @opennextjs/aws to 3.9.4

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.4

• #​1025 c3aba94 Thanks @​vicb! - Bump Next

v1.14.2

Compare Source

Patch Changes

• #​1021 250aba2 Thanks @​vicb! - bump @opennextjs/aws to 3.9.3

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.3

• #​1021 250aba2 Thanks @​vicb! - Bump Next

v1.14.1

Compare Source

Patch Changes

• #​1016 2200b4b Thanks @​vicb! - Update e2e tests to Next 16 (webpack)

• #​1015 e8971cd Thanks @​vicb! - memory queue: retrieve the preview ID from process.env

• #​1012 5f6c0a6 Thanks @​pilcrowonpaper! - Add image binding to Wrangler configuration template file

• #​1017 a6904a4 Thanks @​vicb! - fix: response.validate with the turbo pages runtime

• #​1014 f4b53b9 Thanks @​vicb! - bump @opennextjs/aws to 3.9.1

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.1

• #​1019 2a3ee86 Thanks @​vicb! - await headers()

v1.14.0

Compare Source

Minor Changes

• #​999 50d7427 Thanks @​pilcrowonpaper! - feat: support image optimization using the image binding

v1.13.1

Compare Source

Patch Changes

• #​1001 fdf61b4 Thanks @​vicb! - Bump wrangler to ^4.49.1

• #​998 f69787c Thanks @​vicb! - Warn when using Next 16

v1.13.0

Compare Source

Minor Changes

• #​991 b95e7ca Thanks @​vicb! - use wrangler r2 bulk put for R2 cache population

Patch Changes

• #​994 ab2d805 Thanks @​vicb! - bump @opennextjs/aws to 3.9.0

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.9.0

v1.12.0

Compare Source

Minor Changes

• #​973 8cb7669 Thanks @​petebacondarwin! - Add standard Next template generated from create-next-app that will be used by create-cloudflare going forward

• #​983 68aed26 Thanks @​vicb! - feat: turbopack support

v1.11.1

Compare Source

Patch Changes

• #​968 ddb0589 Thanks @​rgembalik! - fix: Compiled config is now imported using pathToFileURL to avoid crashes on Windows.

• #​958 7edf91c Thanks @​vicb! - fix: add missing awaits

• #​978 d7ad53e Thanks @​vicb! - error early when a node middleware is detected

• #​976 93f4c8a Thanks @​rgembalik! - fix: shell quoting on windows machines to avoid upload errors for routes with [...path] segments

v1.11.0

Compare Source

Minor Changes

• #​925 62fee71 Thanks @​krzysztof-palka-monogo! - feature: optional batch upload for faster R2 cache population

  This update adds optional batch upload support for R2 cache population, significantly improving upload performance for large caches when enabled via .env or environment variables.

  Key Changes:

  1. Optional Batch Upload: Configure R2 credentials via .env or environment variables to enable faster batch uploads:

     • R2_ACCESS_KEY_ID
     • R2_SECRET_ACCESS_KEY
     • CF_ACCOUNT_ID

  2. Automatic Detection: When credentials are detected, batch upload is automatically used for better performance

  3. Smart Fallback: If credentials are not configured, the CLI falls back to standard Wrangler uploads with a helpful message about enabling batch upload for better performance

  All deployment commands support batch upload:

  • populateCache - Explicit cache population
  • deploy - Deploy with cache population
  • upload - Upload version with cache population
  • preview - Preview with cache population

  Performance Benefits (when batch upload is enabled):

  • Parallel transfer capabilities (32 concurrent transfers)
  • Significantly faster for large caches
  • Reduced API calls to Cloudflare

  Usage:

  Add the credentials in a .env/.dev.vars file in your project root:

  R2_ACCESS_KEY_ID=your_key
  R2_SECRET_ACCESS_KEY=your_secret
  CF_ACCOUNT_ID=your_account

  You can also set the environment variables for CI builds.

  Note:

  You can follow documentation https://developers.cloudflare.com/r2/api/tokens/ for creating API tokens with appropriate permissions for R2 access.

Patch Changes

• #​951 e3aba83 Thanks @​vicb! - bump @opennextjs/aws to 3.8.5

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.8.5

• #​948 0c655c3 Thanks @​vicb! - refactor: do not create a wrangler config when a custom one is passed

v1.10.1

Compare Source

Patch Changes

• #​945 f73ac0f Thanks @​vicb! - bump @opennextjs/aws to 3.8.4

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.8.4

v1.10.0

Compare Source

Minor Changes

• #​937 32ba91a Thanks @​vicb! - feat: retrieve CLI environment variables from process.env and .env* files

  Recommended usage on CI:

  • Add your secrets to process.env (i.e. CF_ACCOUNT_ID)
  • Add public values to the wrangler config wrangler.jsonc (i.e. R2_CACHE_PREFIX_ENV_NAME)

  Recommended usage for local dev:

  • Add your secrets to either a .dev.vars* or .env* file (i.e. CF_ACCOUNT_ID)
  • Add public values to the wrangler config wrangler.jsonc (i.e. R2_CACHE_PREFIX_ENV_NAME)

Patch Changes

• #​941 59f52e0 Thanks @​vicb! - bump @opennextjs/aws to 3.8.2

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.8.2

• #​939 54c47e5 Thanks @​vicb! - perf: low-hanging fruits

v1.9.2

Compare Source

Patch Changes

• #​932 0c7d1ae Thanks @​vicb! - bump @opennextjs/aws to 3.8.1

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.8.1

v1.9.1

Compare Source

Patch Changes

• #​918 eeb18bb Thanks @​vicb! - refactor: account for empty tag list in tag cache

• #​921 07487a4 Thanks @​vicb! - bump @opennextjs/aws to 3.8.0

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.8.0

v1.9.0

Compare Source

Minor Changes

• #​906 dcc864d Thanks @​vicb! - feat: add an experimental KV based tag cache

Patch Changes

• #​907 ba4cac5 Thanks @​vicb! - refactor: only try to purge the cache when invalidation is configured

v1.8.5

Compare Source

Patch Changes

• #​901 17a4bea Thanks @​vicb! - chore: bump wrangler to ^4.38.0

• #​903 7fced0f Thanks @​vicb! - fix: enable using workerd process v2

  process v2 is an updated version of node:process active by default after 2025-09-15

v1.8.4

Compare Source

Patch Changes

• #​888 51322a8 Thanks @​james-elicx! - fix: remote flag not working for preview command's cache population

  Previously, passing the --remote flag when running opennextjs-cloudflare preview --remote would not result in the remote preview binding being populated, and would throw errors due to a missing preview flag when populating Workers KV. The remote flag is now supported for the cache popoulation step when running the preview command.

  • opennextjs-cloudflare preview --remote will populate the remote binding for the preview ID specified in your Wrangler config.
  • opennextjs-cloudflare preview will continue to populate the local binding in your Wrangler config.

v1.8.3

Compare Source

Patch Changes

• #​892 1ee505f Thanks @​vicb! - Bump @​opennextjs/aws to 3.7.7

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.7.7

v1.8.2

Compare Source

Patch Changes

• #​883 bf1a6f6 Thanks @​vicb! - fix: type error during build

v1.8.1

Compare Source

Patch Changes

• #​878 23b67ce Thanks @​sommeeeer! - fix: Respect trailing slash config for _next/image route in worker

• #​882 a6283af Thanks @​vicb! - perf: skip lazy update on cache hit when cache purge is enabled

• #​881 9a746d2 Thanks @​vicb! - fix: detection of cache purge

v1.8.0

Compare Source

Minor Changes

• #​862 728ad99 Thanks @​james-elicx! - feat: support for a custom OpenNext config path with the --openNextConfigPath flag

Patch Changes

• #​872 dc76d6e Thanks @​alex-all3dp! - Fix check for missing CACHE_PURGE_ZONE_ID

• #​862 728ad99 Thanks @​james-elicx! - refactor: deprecate usage of the --configPath flag for the Wrangler config, in favour of the --config flag.

v1.7.1

Compare Source

Patch Changes

• #​865 f1e9457 Thanks @​sommeeeer! - fix: Ensure request.url reflects the actual host protocol in route handlers

• #​867 2c1de0b Thanks @​vicb! - Log cache purge errors as errors

v1.7.0

Compare Source

Minor Changes

• #​848 f80c801 Thanks @​sommeeeer! - Ensure that the initial request.signal is passed to the wrapper

  request.signal.onabort is now supported in route handlers. It requires that the signal from the original worker's request is passed to the handler. It will then pass along that AbortSignal through the streamCreator in the wrapper. This signal will destroy the response sent to NextServer when a client aborts, thus triggering the signal in the route handler.

  See the changelog in Cloudflare here.

  Note:
  If you have a custom worker, you must update your code to pass the original request.signal to the handler. You also need to enable the compatibility flag enable_request_signal to use this feature.

  For example:

  // Before:
  return handler(reqOrResp, env, ctx);
  
  // After:
  return handler(reqOrResp, env, ctx, request.signal);

• #​850 ce5c7b4 Thanks @​dario-piotrowicz! - Add option for regional cache to skip tagCache on cache hits

  When the tag regional cache finds a value in the incremental cache, checking such value in the tagCache can be skipped, this helps reducing response times at the tradeoff that the user needs to either use the automatic cache purging or manually purge the cache when appropriate. For this the bypassTagCacheOnCacheHit option is being added to the RegionalCache class.

  Example:

  import { defineCloudflareConfig } from "@​opennextjs/cloudflare";
  import d1NextTagCache from "@​opennextjs/cloudflare/overrides/tag-cache/d1-next-tag-cache";
  import memoryQueue from "@​opennextjs/cloudflare/overrides/queue/memory-queue";
  import r2IncrementalCache from "@​opennextjs/cloudflare/overrides/incremental-cache/r2-incremental-cache";
  import { withRegionalCache } from "@​opennextjs/cloudflare/overrides/incremental-cache/regional-cache";
  
  export default defineCloudflareConfig({
  	incrementalCache: withRegionalCache(r2IncrementalCache, {
  		mode: "long-lived",
  		bypassTagCacheOnCacheHit: true,
  	}),
  	tagCache: d1NextTagCache,
  	queue: memoryQueue,
  });

Patch Changes

• #​858 7233c03 Thanks @​vicb! - bump @​opennextjs/aws to 3.7.6

  See the changes at opennextjs/opennextjs-aws@v3.7.4...v3.7.6

• #​857 b8b38ee Thanks @​vicb! - Clean output directory before next build

v1.6.5

Compare Source

Patch Changes

• #​843 10fc603 Thanks @​vicb! - perf: drop the babel dependency

v1.6.4

Compare Source

Patch Changes

• #​838 90f451d Thanks @​conico974! - bump @​opennextjs/aws to 3.7.4

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.7.4

• #​833 c9705e5 Thanks @​sommeeeer! - Update the patches to support Next.js 15.4"

v1.6.3

Compare Source

Patch Changes

• #​828 d00b3a1 Thanks @​vicb! - bump @​opennextjs/aws to 3.7.2

  See details at https://github.com/opennextjs/opennextjs-aws/releases/tag/v3.7.2

• #​830 daf36fa Thanks @​vicb! - detect more image types

  Sync of vercel/next.js#82118

• #​832 67e71b9 Thanks @​vicb! - fix: --noMinify stop minifying the bundle

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​opennextjs/​cloudflare@​1.6.2 ⏵ 1.17.1		+16	+2

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Trivial package: npm @aws-sdk/middleware-host-header has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@aws-sdk/middleware-host-header@3.972.12 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/middleware-host-header@3.972.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @aws-sdk/middleware-logger has 7 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@aws-sdk/middleware-logger@3.972.11 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/middleware-logger@3.972.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @aws-sdk/middleware-recursion-detection has 7 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@aws-sdk/middleware-recursion-detection@3.972.13 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/middleware-recursion-detection@3.972.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @aws-sdk/middleware-user-agent has 10 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@aws-sdk/middleware-user-agent@3.972.41 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/middleware-user-agent@3.972.41. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @aws-sdk/util-user-agent-browser has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@aws-sdk/util-user-agent-browser@3.972.12 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/util-user-agent-browser@3.972.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/eventstream-serde-config-resolver has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/eventstream-serde-config-resolver@4.4.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/eventstream-serde-config-resolver@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/eventstream-serde-node has 10 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/eventstream-serde-node@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/eventstream-serde-node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/hash-blob-browser has 8 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/hash-blob-browser@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/hash-blob-browser@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/hash-node has 8 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/hash-node@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/hash-node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/hash-stream-node has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/hash-stream-node@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/hash-stream-node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/invalid-dependency has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/invalid-dependency@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/invalid-dependency@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/md5-js has 8 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/md5-js@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/md5-js@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/middleware-content-length has 10 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/middleware-content-length@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/middleware-content-length@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/middleware-stack has 8 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/middleware-stack@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/middleware-stack@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/node-config-provider has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/node-config-provider@4.4.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/node-config-provider@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/url-parser has 8 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/url-parser@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/url-parser@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/util-base64 has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/util-base64@4.4.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-base64@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/util-body-length-browser has 8 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/util-body-length-browser@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-body-length-browser@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/util-body-length-node has 8 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/util-body-length-node@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-body-length-node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/util-defaults-mode-browser has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/util-defaults-mode-browser@4.4.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-defaults-mode-browser@4.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/util-defaults-mode-node has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/util-defaults-mode-node@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-defaults-mode-node@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Trivial package: npm @smithy/util-middleware has 9 lines of code Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@smithy/util-middleware@4.3.3 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-middleware@4.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm content-type is now published by blakeembrey Author: blakeembrey From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/content-type@2.0.0 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/content-type@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm type-is is now published by blakeembrey Author: blakeembrey From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/type-is@2.1.0 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/type-is@2.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm @ast-grep/napi in module child_process Module: child_process Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@ast-grep/napi@0.40.5 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ast-grep/napi@0.40.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm @dotenvx/dotenvx in module child_process Module: child_process Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@dotenvx/dotenvx@1.31.0 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@dotenvx/dotenvx@1.31.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential vulnerability: npm @dotenvx/dotenvx with risk level "medium" Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/@dotenvx/dotenvx@1.31.0 ℹ Read more on: This package | This alert | Navigating potential vulnerabilities Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: It is advisable to proceed with caution. Engage in a review of the package's security aspects and consider reaching out to the package maintainer for the latest information or patches. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@dotenvx/dotenvx@1.31.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm cross-spawn in module child_process Module: child_process Location: Package overview From: ? → npm/@opennextjs/cloudflare@1.17.1 → npm/cross-spawn@7.0.6 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-spawn@7.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 41 more rows in the dashboard

View full report