Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The 'next' npm package is a popular framework for building server-side rendered and statically generated React applications. It provides a set of features that simplify the development of modern web applications, including page-based routing, pre-rendering, automatic code splitting, and API routes.
Page-based routing
Next.js provides a file-system-based router built on the concept of pages. When a file is added to the pages directory, it's automatically available as a route.
export default function Home() {
return <div>Welcome to Next.js!</div>
}
API Routes
Next.js allows you to create API endpoints as part of your Next.js application. These are server-side functions that you can deploy alongside your application.
export default function handler(req, res) {
res.status(200).json({ message: 'Hello from Next.js!' })
}
Static Generation and Server-Side Rendering
Next.js supports two forms of pre-rendering: Static Generation and Server-Side Rendering. This feature allows you to generate HTML in advance for optimal performance.
export async function getStaticProps() {
const data = await fetchData();
return { props: { data } };
}
Built-in CSS and Sass Support
Next.js allows you to import CSS and Sass files directly within your JavaScript components, providing a streamlined development experience.
import '../styles/globals.css';
export default function App({ Component, pageProps }) {
return <Component {...pageProps} />
}
Automatic Code Splitting
Next.js automatically splits your code into small bundles that are loaded as needed, improving load times and performance.
import dynamic from 'next/dynamic';
const DynamicComponent = dynamic(() => import('../components/hello'));
export default function Home() {
return <DynamicComponent />
}
Gatsby is a React-based static site generator that provides similar functionalities to Next.js, such as pre-rendering and code splitting. However, Gatsby is more focused on static site generation, whereas Next.js offers a hybrid approach with both static generation and server-side rendering.
Nuxt.js is a framework based on Vue.js that offers functionalities similar to Next.js but for Vue.js applications. It provides server-side rendering, static site generation, and automatic code splitting, much like Next.js does for React applications.
Create React App is a boilerplate to create single-page React applications. It sets up a development environment and builds scripts but does not offer server-side rendering or static site generation out of the box like Next.js does.
Sapper is a framework for building web applications using Svelte, offering server-side rendering and static site generation. It's similar to Next.js in terms of goals but is designed for Svelte instead of React.
Used by some of the world's largest companies, Next.js enables you to create full-stack web applications by extending the latest React features, and integrating powerful Rust-based JavaScript tooling for the fastest builds.
Visit https://nextjs.org/docs to view the full documentation.
The Next.js community can be found on GitHub Discussions where you can ask questions, voice ideas, and share your projects with other people.
To chat with other community members you can join the Next.js Discord server.
Do note that our Code of Conduct applies to all Next.js community channels. Users are highly encouraged to read and adhere to them to avoid repercussions.
Contributions to Next.js are welcome and highly appreciated. However, before you jump right into it, we would like you to review our Contribution Guidelines to make sure you have a smooth experience contributing to Next.js.
We have a list of good first issues that contain bugs that have a relatively limited scope. This is a great place for newcomers and beginners alike to get started, gain experience, and get familiar with our contribution process.
A list of the original co-authors of Next.js that helped bring this amazing framework to life!
If you believe you have found a security vulnerability in Next.js, we encourage you to responsibly disclose this and NOT open a public issue. We will investigate all legitimate reports. Email security@vercel.com
to disclose any security vulnerabilities. Alternatively, you can visit this link to know more about Vercel's security and report any security vulnerabilities.
FAQs
The React Framework
We found that next demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.