Commit 88d5c46
authored
security: Upgrade @clerk/nextjs to 6.39.2 (GHSA-vqx2-fgx2-5wq9) (#97)
* ci: use centralized vuln remediation workflow from infra
Made-with: Cursor
* ci: replace custom config with socket.yml
Made-with: Cursor
* ci: point vuln remediation at kernel/security-workflows
Made-with: Cursor
* Upgrade @clerk/nextjs to 6.39.2 to fix middleware route protection bypass
Addresses GHSA-vqx2-fgx2-5wq9 (CVSS 9.1): createRouteMatcher could be
bypassed via percent-encoded URLs and double-slash path manipulation.
Our middleware uses the safe allowlist (isPublicRoute) pattern so we are
not actively exploitable, but the underlying createPathMatcher now
normalizes paths with decodeURI and slash collapsing — upgrading as
recommended by Clerk.
Made-with: Cursor

1 parent 864b2ee commit 88d5c46
4 files changed
Lines changed: 29 additions & 14 deletions
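Added example, not code from this repository or from @clerk/nextjs: a minimal path matcher in plain JavaScript that shows why a deny list checked against the raw pathname is bypassed by the two variants the commit message names (percent-encoded characters and doubled slashes), why decoding with decodeURI plus slash collapsing closes those two classes, and why the allow-list (isPublicRoute) shape lands on the safe side even before normalization. PROTECTED, PUBLIC, the decision functions and the sample paths are hypothetical stand-ins for createRouteMatcher route lists; the example also assumes, as the advisory implies, that the framework router serves /%61dmin and //admin as /admin.

```javascript
// Hypothetical route lists standing in for createRouteMatcher arguments.
const PROTECTED = ["/admin", "/dashboard"];      // deny-list style
const PUBLIC = ["/", "/sign-in", "/sign-up"];    // allow-list style (isPublicRoute)

// Prefix match on a pathname exactly as given: no decoding, no slash collapsing.
function matchesAny(patterns, pathname) {
  return patterns.some((p) => {
    if (pathname === p) return true;
    if (p === "/") return false;            // root is exact-only, never a prefix
    return pathname.startsWith(p + "/");
  });
}

// Normalization in the spirit of the fix described in the commit message:
// decodeURI reverses percent-encoding of unreserved characters ("%61" -> "a")
// while leaving reserved ones such as "%2F" encoded, and throws URIError on a
// malformed sequence such as "%zz". Runs of slashes are then collapsed so
// "//admin" and "/admin//settings" compare as the single-slash form.
function normalizePath(pathname) {
  const decoded = decodeURI(pathname);
  return decoded.replace(/\/{2,}/g, "/");
}

// Vulnerable shape: protected routes are matched against the raw pathname, so a
// request the router will serve as /admin can be spelled so the matcher misses it.
function naiveDenyList(pathname) {
  return matchesAny(PROTECTED, pathname) ? "deny" : "allow";
}

// Hardened shape: normalize first, and fail closed when the path cannot be decoded.
function hardenedDenyList(pathname) {
  let normalized;
  try {
    normalized = normalizePath(pathname);
  } catch (e) {
    if (e instanceof URIError) return "deny";  // malformed encoding: do not guess
    throw e;
  }
  return matchesAny(PROTECTED, normalized) ? "deny" : "allow";
}

// Allow-list shape: anything not explicitly public requires auth, so an
// unrecognised spelling of a path is gated rather than exposed. The cost is a
// false positive on "/%73ign-in" (a public page gets gated), not a bypass.
function allowList(pathname) {
  return matchesAny(PUBLIC, pathname) ? "allow" : "require-auth";
}

// Constructed request paths (not captured traffic) exercising each case.
const SAMPLES = [
  "/admin", "/%61dmin", "//admin", "/admin//settings",
  "/docs", "/%zz", "/sign-in", "/%73ign-in",
];

// Returns one row per sample so the three shapes can be compared side by side.
function compare(samples = SAMPLES) {
  return samples.map((path) => ({
    path,
    naiveDenyList: naiveDenyList(path),
    hardenedDenyList: hardenedDenyList(path),
    allowList: allowList(path),
  }));
}

console.table(compare());
```

Run with `node`. The two rows for `/%61dmin` and `//admin` are the point: the naive deny list answers `allow` for both while the hardened one and the allow list do not. decodeURI deliberately leaves `%2F` encoded, so this covers exactly the two classes the message names and is an illustration of them, not a complete canonicalizer; the actual remediation is the dependency upgrade.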
(The rendered diff content was not captured; only line positions survived.)

File 1: lines 1 to 17 added (new file).
A generated file is not rendered by default on the commit page.
File 2: line 33 replaced; surrounding lines 30 to 36 unchanged.
File 3: line 1 added (new file).