From 482952e11d312055f88affd29b4a08558db993ba Mon Sep 17 00:00:00 2001
From: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date: Wed, 3 Dec 2025 09:16:34 -0800
Subject: [PATCH 1/6] add deprecation workflow
---
.github/workflows/deprecate_versions.yml | 135 +++++++++++++++++++++++
1 file changed, 135 insertions(+)
create mode 100644 .github/workflows/deprecate_versions.yml
diff --git a/.github/workflows/deprecate_versions.yml b/.github/workflows/deprecate_versions.yml
new file mode 100644
index 0000000000000..903a888f79abe
--- /dev/null
+++ b/.github/workflows/deprecate_versions.yml
@@ -0,0 +1,135 @@
+name: Deprecate Vulnerable Versions
+
+on:
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: 'Dry run (log commands without executing)'
+ required: true
+ type: boolean
+ default: true
+ message:
+ description: 'Deprecation message'
+ required: true
+ type: string
+ default: 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.'
+
+jobs:
+ deprecate:
+ if: github.repository_owner == 'vercel'
+ runs-on: ubuntu-latest
+ environment: release-stable
+ steps:
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Deprecate versions
+ shell: bash
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
+ DRY_RUN: ${{ inputs.dry_run }}
+ DEPRECATION_MESSAGE: ${{ inputs.message }}
+ run: |
+ # Versions to deprecate based on security advisory ranges:
+ # >=15.0.0 <15.0.5
+ # >=15.1.0 <15.1.9
+ # >=15.2.0 <15.2.6
+ # >=15.3.0 <15.3.6
+ # >=15.4.0 <15.4.8
+ # >=15.5.0 <15.5.7
+ # >=16.0.0 <16.0.7
+
+ VERSIONS=(
+ "15.0.0"
+ "15.0.1"
+ "15.0.2"
+ "15.0.3"
+ "15.0.4"
+ "15.1.0"
+ "15.1.1"
+ "15.1.2"
+ "15.1.3"
+ "15.1.4"
+ "15.1.5"
+ "15.1.6"
+ "15.1.7"
+ "15.1.8"
+ "15.2.0"
+ "15.2.1"
+ "15.2.2"
+ "15.2.3"
+ "15.2.4"
+ "15.2.5"
+ "15.3.0"
+ "15.3.1"
+ "15.3.2"
+ "15.3.3"
+ "15.3.4"
+ "15.3.5"
+ "15.4.0"
+ "15.4.1"
+ "15.4.2"
+ "15.4.3"
+ "15.4.4"
+ "15.4.5"
+ "15.4.6"
+ "15.4.7"
+ "15.5.0"
+ "15.5.1"
+ "15.5.2"
+ "15.5.3"
+ "15.5.4"
+ "15.5.5"
+ "15.5.6"
+ "16.0.0"
+ "16.0.1"
+ "16.0.2"
+ "16.0.3"
+ "16.0.4"
+ "16.0.5"
+ "16.0.6"
+ )
+
+ echo "=== Deprecation Summary ==="
+ echo "Total versions to deprecate: ${#VERSIONS[@]}"
+ echo "Dry run: $DRY_RUN"
+ echo "Message: $DEPRECATION_MESSAGE"
+ echo ""
+
+ SUCCESS_COUNT=0
+ FAIL_COUNT=0
+ FAILED_VERSIONS=""
+
+ for VERSION in "${VERSIONS[@]}"; do
+ if [ "$DRY_RUN" = "true" ]; then
+ echo "[DRY RUN] Would deprecate next@$VERSION"
+ else
+ echo "Deprecating next@$VERSION..."
+ if npm deprecate "next@$VERSION" "$DEPRECATION_MESSAGE" 2>&1; then
+ echo "✓ Successfully deprecated next@$VERSION"
+ SUCCESS_COUNT=$((SUCCESS_COUNT + 1))
+ else
+ echo "✗ Failed to deprecate next@$VERSION"
+ FAIL_COUNT=$((FAIL_COUNT + 1))
+ FAILED_VERSIONS="$FAILED_VERSIONS $VERSION"
+ fi
+ # Small delay to avoid potential rate limiting
+ sleep 1
+ fi
+ done
+
+ echo ""
+ echo "=== Results ==="
+ if [ "$DRY_RUN" = "true" ]; then
+ echo "Dry run complete. ${#VERSIONS[@]} versions would be deprecated."
+ else
+ echo "Successfully deprecated: $SUCCESS_COUNT"
+ echo "Failed: $FAIL_COUNT"
+ if [ $FAIL_COUNT -gt 0 ]; then
+ echo "Failed versions:$FAILED_VERSIONS"
+ exit 1
+ fi
+ fi
From 4053449bf6ebc2679f1738561168b87ea6feccd2 Mon Sep 17 00:00:00 2001
From: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date: Wed, 3 Dec 2025 09:29:03 -0800
Subject: [PATCH 2/6] add push based, hardcode dry run
---
.github/workflows/deprecate_versions.yml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deprecate_versions.yml b/.github/workflows/deprecate_versions.yml
index 903a888f79abe..2817827dae94f 100644
--- a/.github/workflows/deprecate_versions.yml
+++ b/.github/workflows/deprecate_versions.yml
@@ -1,6 +1,9 @@ name: Deprecate Vulnerable Versions on: + push: + branches: + - 12-03-add_deprecation_workflow workflow_dispatch: inputs: dry_run:
@@ -18,7 +21,6 @@ jobs: deprecate: if: github.repository_owner == 'vercel' runs-on: ubuntu-latest - environment: release-stable steps: - name: Setup Node.js uses: actions/setup-node@v4
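Review bot: `uses: actions/setup-node@v4` is a mutable tag in a job whose next step receives `NPM_TOKEN_ELEVATED`; setup-node runs first and writes the `.npmrc` and `PATH` that `npm deprecate` then uses, so a moved tag reaches the token indirectly. Pin it to a full commit SHA, e.g. `uses: actions/setup-node@<FULL_COMMIT_SHA> # v4` (placeholder; take the SHA from the release you audited). The workflow also declares no `permissions:` block, so `GITHUB_TOKEN` keeps the repository default; the job never checks out code, so a top-level `permissions: {}` looks sufficient. Passing the message through `env` instead of interpolating `${{ inputs.message }}` into the script is the right pattern and should stay.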
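Review bot: The added `push:` trigger on `12-03-add_deprecation_workflow` makes every push to that feature branch run the job that holds `NPM_TOKEN_ELEVATED`, with no dispatch step and no inputs. If it exists only to exercise the workflow before merge, it should be dropped before the file reaches the default branch, and a comment such as `# temporary: remove before merge` would make that visible. On a push event `inputs.*` is empty, which is why the same commit has to add a fallback for the message further down.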
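Review bot: Deleting `environment: release-stable` removes whatever protection rules that environment carries (required reviewers, branch restrictions) from a job that still reads `secrets.NPM_TOKEN_ELEVATED`. Where the secret is stored is not visible in the diff: if it is a repository or organization secret the job now uses it ungated, and if it is an environment secret it resolves to empty and `npm deprecate` fails on authentication. Keeping `environment: release-stable` and approving the run leaves a human gate in front of a registry write. The `deprecate` job body continues outside this hunk.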
@@ -30,8 +32,8 @@ jobs: shell: bash env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }} - DRY_RUN: ${{ inputs.dry_run }} - DEPRECATION_MESSAGE: ${{ inputs.message }} + DRY_RUN: true + DEPRECATION_MESSAGE: ${{ inputs.message || 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.' }} run: | # Versions to deprecate based on security advisory ranges: # >=15.0.0 <15.0.5
From 98bd86883550e5b4645795d78d89ef82a9616f5b Mon Sep 17 00:00:00 2001
From: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date: Wed, 3 Dec 2025 09:34:47 -0800
Subject: [PATCH 3/6] disable dry run
---
.github/workflows/deprecate_versions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deprecate_versions.yml b/.github/workflows/deprecate_versions.yml
index 2817827dae94f..23e8674bf96ce 100644
--- a/.github/workflows/deprecate_versions.yml
+++ b/.github/workflows/deprecate_versions.yml
@@ -32,7 +32,7 @@ jobs: shell: bash env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }} - DRY_RUN: true + DRY_RUN: false DEPRECATION_MESSAGE: ${{ inputs.message || 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.' }} run: | # Versions to deprecate based on security advisory ranges:
From d3f1264a28211b51c3d0fdfbbc6c2650dcb780fe Mon Sep 17 00:00:00 2001
From: vercel-release-bot
Date: Thu, 11 Dec 2025 16:42:36 -0800
Subject: [PATCH 4/6] Revert "disable dry run"
This reverts commit 98bd86883550e5b4645795d78d89ef82a9616f5b.
---
.github/workflows/deprecate_versions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deprecate_versions.yml b/.github/workflows/deprecate_versions.yml
index 23e8674bf96ce..2817827dae94f 100644
--- a/.github/workflows/deprecate_versions.yml
+++ b/.github/workflows/deprecate_versions.yml
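Review bot: `DRY_RUN: true` is now a literal, so the `dry_run` input that is still declared `required: true` under `workflow_dispatch` no longer has any effect; the form offers a safety switch that is not wired to anything. Keep the input authoritative for manual runs and default only the push path, e.g. `DRY_RUN: ${{ github.event_name != 'workflow_dispatch' || inputs.dry_run }}`, or delete the input. The fallback message added here also duplicates the input's `default:` string, so the two copies can drift. The `run:` script continues outside the hunk.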
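Review bot: With `DRY_RUN: false` hard-coded and the `push:` trigger from PATCH 2/6 still in place, pushing this commit is itself what starts live `npm deprecate` calls, and the "Dry run" box in the dispatch form would not stop them. The same literal is set again in the `@@ -32,8 +32,8 @@` hunk of PATCH 6/6. A registry write of this kind is safer behind an explicit dispatch with the input honoured (`DRY_RUN: ${{ inputs.dry_run }}`, as in PATCH 1/6) and the `release-stable` environment restored, so each live run is attributable to a person and can be approved.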
@@ -32,7 +32,7 @@ jobs: shell: bash env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }} - DRY_RUN: false + DRY_RUN: true DEPRECATION_MESSAGE: ${{ inputs.message || 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.' }} run: | # Versions to deprecate based on security advisory ranges:
From c23fd457f3223bf3aa6f9d1b7eb6d56efabeaf90 Mon Sep 17 00:00:00 2001
From: vercel-release-bot
Date: Thu, 11 Dec 2025 16:58:25 -0800
Subject: [PATCH 5/6] update versions
---
.github/workflows/deprecate_versions.yml | 153 ++++++++++++++---------
1 file changed, 96 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/deprecate_versions.yml b/.github/workflows/deprecate_versions.yml
index 2817827dae94f..44f98ddde8df1 100644
--- a/.github/workflows/deprecate_versions.yml
+++ b/.github/workflows/deprecate_versions.yml
@@ -35,64 +35,103 @@ jobs: DRY_RUN: true DEPRECATION_MESSAGE: ${{ inputs.message || 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.' }} run: | - # Versions to deprecate based on security advisory ranges: - # >=15.0.0 <15.0.5 - # >=15.1.0 <15.1.9 - # >=15.2.0 <15.2.6 - # >=15.3.0 <15.3.6 - # >=15.4.0 <15.4.8 - # >=15.5.0 <15.5.7 - # >=16.0.0 <16.0.7 - VERSIONS=( - "15.0.0" - "15.0.1" - "15.0.2" - "15.0.3" - "15.0.4" - "15.1.0" - "15.1.1" - "15.1.2" - "15.1.3" - "15.1.4" - "15.1.5" - "15.1.6" - "15.1.7" - "15.1.8" - "15.2.0" - "15.2.1" - "15.2.2" - "15.2.3" - "15.2.4" - "15.2.5" - "15.3.0" - "15.3.1" - "15.3.2" - "15.3.3" - "15.3.4" - "15.3.5" - "15.4.0" - "15.4.1" - "15.4.2" - "15.4.3" - "15.4.4" - "15.4.5" - "15.4.6" - "15.4.7" - "15.5.0" - "15.5.1" - "15.5.2" - "15.5.3" - "15.5.4" - "15.5.5" - "15.5.6" - "16.0.0" - "16.0.1" - "16.0.2" - "16.0.3" - "16.0.4" - "16.0.5" - "16.0.6" + "13.3.0" + "13.3.1" + "13.3.2" + "13.3.3" + "13.3.4" + "13.4.0" + "13.4.1" + "13.4.2" + "13.4.3" + "13.4.4" + "13.4.5" + "13.4.6" + "13.4.7" + "13.4.8" + "13.4.9" + "13.4.10" + "13.4.11" + "13.4.12" + "13.4.13" + "13.4.14" + "13.4.15" + "13.4.16" + "13.4.17" + "13.4.18" + "13.4.19" + "13.5.0" + "13.5.1" + "13.5.2" + "13.5.3" + "13.5.4" + "13.5.5" + "13.5.6" + "13.5.7" + "13.5.8" + "13.5.9" + "13.5.10" + "14.0.0" + "14.0.1" + "14.0.2" + "14.0.3" + "14.0.4" + "14.1.0" + "14.1.1" + "14.1.2" + "14.1.3" + "14.1.4" + "14.2.0" + "14.2.1" + "14.2.2" + "14.2.3" + "14.2.4" + "14.2.5" + "14.2.6" + "14.2.7" + "14.2.8" + "14.2.9" + "14.2.10" + "14.2.11" + "14.2.12" + "14.2.13" + "14.2.14" + "14.2.15" + "14.2.16" + "14.2.17" + "14.2.18" + "14.2.19" + "14.2.20" + "14.2.21" + "14.2.22" + "14.2.23" + "14.2.24" + "14.2.25" + "14.2.26" + "14.2.27" + "14.2.28" + "14.2.29" + "14.2.30" + "14.2.31" + "14.2.32" + "14.2.33" + "14.2.34" + "15.0.5" + "15.0.6" + "15.1.9" + "15.1.10" + "15.2.6" + "15.2.7" + "15.3.6" + 
"15.3.7" + "15.4.8" + "15.4.9" + "15.5.7" + "15.5.8" + "16.0.7" + "16.0.8" + "16.0.9" ) echo "=== Deprecation Summary ==="
From b3b3577329c88895ddf4f09a9f88b61f6b6fbdaa Mon Sep 17 00:00:00 2001
From: vercel-release-bot
Date: Thu, 11 Dec 2025 17:07:02 -0800
Subject: [PATCH 6/6] disable dry run
---
.github/workflows/deprecate_versions.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deprecate_versions.yml b/.github/workflows/deprecate_versions.yml
index 44f98ddde8df1..7461d87a98a3e 100644
--- a/.github/workflows/deprecate_versions.yml
+++ b/.github/workflows/deprecate_versions.yml
@@ -15,7 +15,7 @@ on: description: 'Deprecation message' required: true type: string - default: 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.' + default: 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details.' jobs: deprecate:
@@ -32,8 +32,8 @@ jobs: shell: bash env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }} - DRY_RUN: true - DEPRECATION_MESSAGE: ${{ inputs.message || 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.' }} + DRY_RUN: false + DEPRECATION_MESSAGE: ${{ inputs.message || 'This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details.' }} run: | VERSIONS=( "13.3.0"
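Review bot: The comment block that tied the list to the advisory ranges is deleted in the PATCH 5/6 hunk and nothing replaces it, so the 96 new entries cannot be checked against a source from the file alone. A short header above `VERSIONS=(` naming the advisory and the affected ranges the list was generated from would restore that. It would also explain why the earlier 15.x/16.x entries were dropped, presumably because the previous run already deprecated them; the diff does not say. A hand-typed list of this length is easy to get wrong by one patch number; `npm deprecate` accepts a semver range as the package spec, which may be worth considering where the ranges are contiguous.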