
Conversation

@hashim21223445
Owner


Snyk has created this PR to fix 12 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • website/package.json
⚠️ Warning
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Severity   Issue                                                        Snyk ID                     Score
critical   Improper Authorization                                       SNYK-JS-NEXT-9508709         705
high       Server-Side Request Forgery (SSRF)                           SNYK-JS-NEXT-6828457         542
high       Acceptance of Extraneous Untrusted Data With Trusted Data    SNYK-JS-NEXT-8025427         292
high       Missing Authorization                                        SNYK-JS-NEXT-8520073         268
high       Server-side Request Forgery (SSRF)                           SNYK-JS-NEXT-12299318        257
high       Uncontrolled Recursion                                       SNYK-JS-NEXT-8186172         134
medium     Race Condition                                               SNYK-JS-NEXT-10176058         82
medium     Allocation of Resources Without Limits or Throttling         SNYK-JS-NEXT-8602067          65
medium     Use of Cache Containing Sensitive Information                SNYK-JS-NEXT-12301496         58
low        Missing Origin Validation in WebSockets                      SNYK-JS-NEXT-10259370         51
medium     Prototype Pollution                                          SNYK-JS-JSYAML-13961110       49
low        Missing Source Correlation of Multiple Independent Data      SNYK-JS-NEXT-12265451         44

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Race Condition
🦉 Server-side Request Forgery (SSRF)
🦉 More lessons are available in Snyk Learn

@semanticdiff-com

semanticdiff-com bot commented Dec 8, 2025

Review changes with  SemanticDiff

Changed Files

File                  Status
website/package.json  0% smaller

@gemini-code-assist

Summary of Changes

Hello @hashim21223445, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, aims to significantly improve the project's security by resolving 12 identified vulnerabilities within its pnpm dependencies. The core changes involve updating critical package versions in website/package.json to their latest secure releases. Reviewers should pay close attention to the manual update required for the pnpm-lock.yaml file, which is a necessary step to complete the vulnerability remediation.

Highlights

  • Vulnerability Fixes: This pull request addresses 12 security vulnerabilities identified by Snyk across various dependency packages. These include critical, high, medium, and low severity issues such as Improper Authorization, Server-Side Request Forgery (SSRF), and Prototype Pollution.
  • Dependency Upgrades: Key pnpm dependencies have been upgraded to newer, more secure versions. Specifically, @svgr/webpack has been updated from ^5.5.0 to ^6.0.0, and next has been updated from ^14.0.2 to ^14.2.32.
  • Manual Lockfile Update Required: Snyk was unable to automatically update the pnpm-lock.yaml file. This file will require a manual update by a developer before the pull request can be merged to ensure dependency consistency and security.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature               Command               Description
Code Review           /gemini review        Performs a code review for the current pull request in its current state.
Pull Request Summary  /gemini summary       Provides a summary of the current pull request in its current state.
Comment               @gemini-code-assist   Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help                  /gemini help          Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@snyk-io

snyk-io bot commented Dec 8, 2025

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request from Snyk addresses 12 security vulnerabilities by upgrading @svgr/webpack and next. The update to @svgr/webpack is a major version bump (v5 to v6), which could introduce breaking changes, so thorough testing of SVG imports is recommended. The most critical action required is to manually update the pnpm-lock.yaml file, as Snyk failed to do so. This step is essential to ensure the security fixes are applied correctly and to maintain dependency consistency. Please run your package manager's install command to regenerate the lock file before merging.

"@tailwindcss/typography": "0.5.13",
"classnames": "^2.3.1",
"next": "^14.0.2",
"next": "^14.2.32",
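Review bot: the caret range `^14.2.32` only raises the declared floor; the version that actually ships is whatever pnpm-lock.yaml resolves, and the PR body says that file was not updated, so after merge the installed `next` can still be 14.0.2 and none of the eleven SNYK-JS-NEXT-* advisories in the description are closed, whatever the "Snyk checks have passed" status below suggests. Regenerate the lockfile in this same PR (`pnpm install` at the workspace root), then confirm the resolved version with `pnpm why next` and gate CI on `pnpm install --frozen-lockfile` so a package.json-only bump like this one cannot merge again; "3 of 11 checks passed" at merge time is a sign that gate is missing.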


critical

While this next update is important for security, the PR description indicates that Snyk failed to update the pnpm-lock.yaml file. This is a critical issue. Before merging, you must manually run pnpm install to regenerate the lock file. Without this step, the dependency tree will be inconsistent, and the intended security fixes may not be applied in your environments.

},
"devDependencies": {
"@svgr/webpack": "^5.5.0",
"@svgr/webpack": "^6.0.0",
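Review bot: none of the twelve advisories listed in the description names @svgr, so the reason for taking @svgr/webpack from v5 to v6 (a major bump of a devDependency) is not stated anywhere in the PR. If it is there to pull in a fixed transitive dependency, most plausibly js-yaml for SNYK-JS-JSYAML-13961110, say so in the description and confirm with `pnpm why js-yaml` once the lockfile is regenerated; if it is not, split it into its own PR so the `next` security fix can land without a build-tool major upgrade riding along.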


medium

This is a major version upgrade for @svgr/webpack from v5 to v6. Major versions can introduce breaking changes. Please test SVG imports thoroughly to ensure they still function as expected. The main breaking change in v6 is dropping support for webpack 4, which should be fine as Next.js 14 uses webpack 5.
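The stale-lockfile condition the review above keeps returning to can be caught before anyone runs pnpm at all. The script below is an added example and is not code from this PR, from Snyk or from pnpm: it reimplements the one comparison that `pnpm install --frozen-lockfile` fails on, namely that every dependency range in package.json must equal the `specifier` pnpm recorded for that importer in pnpm-lock.yaml. The two input files are constructed samples modelled on this PR's diff (package.json bumped to `^14.2.32` and `^6.0.0`, lockfile still recording `^14.0.2` and `^5.5.0`), the lockfile uses the v9 `importers:` layout, and the function names `pkg_range`, `lock_specifier` and `check_lockfile` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR or of Snyk/pnpm tooling: flag a pnpm-lock.yaml
# that is stale relative to website/package.json, the state this PR was merged in.
# It mirrors the specifier check behind `pnpm install --frozen-lockfile` so it can
# run in CI before pnpm is invoked. Both input files are constructed samples.
set -u

WORKDIR="${TMPDIR:-/tmp}/lockcheck.$$"
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/website"

# Constructed website/package.json carrying the ranges this PR lands on.
cat > "$WORKDIR/website/package.json" <<'EOF'
{
  "name": "website",
  "dependencies": {
    "classnames": "^2.3.1",
    "next": "^14.2.32"
  },
  "devDependencies": {
    "@svgr/webpack": "^6.0.0"
  }
}
EOF

# Constructed pnpm-lock.yaml (lockfile v9 layout) that was never regenerated:
# the `specifier` for next and @svgr/webpack is still the pre-PR range.
cat > "$WORKDIR/pnpm-lock.yaml" <<'EOF'
lockfileVersion: '9.0'

importers:

  website:
    dependencies:
      classnames:
        specifier: ^2.3.1
        version: 2.5.1
      next:
        specifier: ^14.0.2
        version: 14.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
    devDependencies:
      '@svgr/webpack':
        specifier: ^5.5.0
        version: 5.5.0

packages:

  next@14.0.2:
    resolution: {integrity: sha512-constructed-placeholder}
EOF

# pkg_range FILE NAME: the range declared for NAME in package.json
# (dependencies or devDependencies; first match wins).
pkg_range() {
  awk -v name="$2" '
    $0 ~ ("^[[:space:]]*\"" name "\":") {
      sub(/^[^:]*:[[:space:]]*"/, ""); sub(/".*$/, ""); print; exit
    }' "$1"
}

# lock_specifier FILE IMPORTER NAME: the `specifier` pnpm recorded for NAME under
# importers.IMPORTER in pnpm-lock.yaml (empty if absent). Scoped names are quoted
# in the lockfile, so both the bare and the single-quoted form are matched.
lock_specifier() {
  awk -v imp="$2" -v name="$3" -v qname="'$3'" '
    /^importers:/                        { in_imp = 1; next }
    in_imp && /^[^ ]/                    { in_imp = 0; in_this = 0 }
    in_imp && $0 == ("  " imp ":")       { in_this = 1; next }
    in_this && /^  [^ ]/                 { in_this = 0 }
    in_this && ($0 == ("      " name ":") || $0 == ("      " qname ":")) { hit = 1; next }
    hit && /^        specifier:/         { sub(/^        specifier:[[:space:]]*/, ""); print; exit }
  ' "$1"
}

# check_lockfile ROOT IMPORTER NAME...: report every NAME whose package.json
# range differs from the recorded lockfile specifier. Returns 1 if any is stale.
check_lockfile() {
  root="$1"; importer="$2"; shift 2; stale=0
  for dep in "$@"; do
    want=$(pkg_range "$root/$importer/package.json" "$dep")
    have=$(lock_specifier "$root/pnpm-lock.yaml" "$importer" "$dep")
    if [ "$want" != "$have" ]; then
      printf 'STALE %s: package.json wants %s, lockfile recorded %s\n' \
        "$dep" "$want" "${have:-<missing>}"
      stale=1
    fi
  done
  return "$stale"
}

# On the constructed tree, next and @svgr/webpack are flagged; classnames is not.
if check_lockfile "$WORKDIR" website classnames next @svgr/webpack; then
  echo "pnpm-lock.yaml is consistent with website/package.json"
else
  echo "regenerate with 'pnpm install', then gate CI on 'pnpm install --frozen-lockfile'"
fi
```

The check deliberately compares the declared range to the lockfile's `specifier` rather than parsing the resolved `version`, because that is the exact condition under which pnpm refuses a frozen install; a caret range that already covers the new floor would still be reported here, which is the conservative choice for a security bump where the intent is to force a fresh resolution. In a real pipeline the functions would read the repository's own files instead of the constructed ones, and a non-zero exit from `check_lockfile` should fail the job.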

@hashim21223445 hashim21223445 merged commit 2e83bc7 into master Dec 8, 2025
3 of 11 checks passed