Switch ^ to ~ in nextjs version checking string (#445)

annajowang · web-flow · commit f1bd8d653896 · 2025-12-03T18:17:13.000-05:00
* Update adapter-nextjs version

* switch to tilde
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/@apphosting/adapter-nextjs/package.json b/packages/@apphosting/adapter-nextjs/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@apphosting/adapter-nextjs",
-  "version": "14.0.18",
+  "version": "14.0.19",
   "main": "dist/index.js",
   "description": "Experimental addon to the Firebase CLI to add web framework support",
   "repository": {
diff --git a/packages/@apphosting/adapter-nextjs/src/utils.spec.ts b/packages/@apphosting/adapter-nextjs/src/utils.spec.ts
@@ -22,6 +22,14 @@ describe("block vulnerable nextjs versions", () => {
       checkNextJSVersion("15.0.5");
     });
 
+    assert.throws(() => {
+      checkNextJSVersion("15.4.7");
+    });
+
+    assert.doesNotThrow(() => {
+      checkNextJSVersion("15.4.8");
+    });
+
     assert.doesNotThrow(() => {
       checkNextJSVersion("14.0.12");
     });
diff --git a/packages/@apphosting/adapter-nextjs/src/utils.ts b/packages/@apphosting/adapter-nextjs/src/utils.ts
@@ -21,15 +21,15 @@ export const { copy, exists, writeFile, readJson, readdir, readFileSync, existsS
 export const { satisfies } = semVer;
 
 const SAFE_NEXTJS_VERSIONS =
-  ">=16.1.0 || ^16.0.7 || ^v15.5.7 || ^v15.4.8 || ^v15.3.6 || ^v15.2.6 || ^v15.1.9 || ^v15.0.5 || <14.3.0-canary.77";
+  ">=16.1.0 || ~16.0.7 || ~v15.5.7 || ~v15.4.8 || ~v15.3.6 || ~v15.2.6 || ~v15.1.9 || ~v15.0.5 || <14.3.0-canary.77";
 
 export function checkNextJSVersion(version: string | undefined) {
   if (!version) {
     return;
   }
   if (!satisfies(version, SAFE_NEXTJS_VERSIONS)) {
     throw new Error(
-      `CVE-2025-55182: Vulnerable Next version ${version} detected. Deployment blocked. Update your app's dependencies to a patched Next.js version and redeploy:https://nextjs.org/blog/CVE-2025-66478#fixed-versions`,
+      `CVE-2025-55182: Vulnerable Next version ${version} detected. Deployment blocked. Update your app's dependencies to a patched Next.js version and redeploy: https://nextjs.org/blog/CVE-2025-66478#fixed-versions`,
     );
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@apphosting/adapter-nextjs",`
`3`		`- "version": "14.0.18",`
	`3`	`+ "version": "14.0.19",`
`4`	`4`	`"main": "dist/index.js",`
`5`	`5`	`"description": "Experimental addon to the Firebase CLI to add web framework support",`
`6`	`6`	`"repository": {`
Original file line number	Diff line number	Diff line change
`@@ -21,15 +21,15 @@ export const { copy, exists, writeFile, readJson, readdir, readFileSync, existsS`
`21`	`21`	`export const { satisfies } = semVer;`
`22`	`22`
`23`	`23`	`const SAFE_NEXTJS_VERSIONS =`
`24`		`- ">=16.1.0 \|\| ^16.0.7 \|\| ^v15.5.7 \|\| ^v15.4.8 \|\| ^v15.3.6 \|\| ^v15.2.6 \|\| ^v15.1.9 \|\| ^v15.0.5 \|\| <14.3.0-canary.77";`
	`24`	`+ ">=16.1.0 \|\| ~16.0.7 \|\| ~v15.5.7 \|\| ~v15.4.8 \|\| ~v15.3.6 \|\| ~v15.2.6 \|\| ~v15.1.9 \|\| ~v15.0.5 \|\| <14.3.0-canary.77";`
`25`	`25`
`26`	`26`	`export function checkNextJSVersion(version: string \| undefined) {`
`27`	`27`	`if (!version) {`
`28`	`28`	`return;`
`29`	`29`	`}`
`30`	`30`	`if (!satisfies(version, SAFE_NEXTJS_VERSIONS)) {`
`31`	`31`	`throw new Error(`
`32`		- `CVE-2025-55182: Vulnerable Next version ${version} detected. Deployment blocked. Update your app's dependencies to a patched Next.js version and redeploy:https://nextjs.org/blog/CVE-2025-66478#fixed-versions`,
	`32`	+ `CVE-2025-55182: Vulnerable Next version ${version} detected. Deployment blocked. Update your app's dependencies to a patched Next.js version and redeploy: https://nextjs.org/blog/CVE-2025-66478#fixed-versions`,
`33`	`33`	`);`
`34`	`34`	`}`
`35`	`35`	`}`