Deployment blocked by Next.js vulnerability, but Next is not in dependencies
koala-gentil
PRO OP

a month ago

Hi,

My deployments are intermittently failing due to a security vulnerability warning for next@14.2.3, even though my project does not use Next.js.

This is the error I receive:

==============================================================================
SECURITY VULNERABILITIES DETECTED
==============================================================================
Railway cannot proceed with deployment due to security vulnerabilities in your project's dependencies.

Found 1 vulnerable package(s):

  next@14.2.3
     Source: yarn.lock
     Severity: HIGH
     Upgrade to 14.2.35: yarn add next@^14.2.35

     Vulnerabilities:
     - CVE-2025-55184 (HIGH): https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
     - CVE-2025-67779 (HIGH): https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4

However:

  • next is not listed in my package.json.

  • I’ve searched my yarn.lock and cannot find any reference to next.

What’s confusing is that deployments sometimes succeed and sometimes fail with this message, which makes it feel random.

$10 Bounty

6 Replies

a month ago

Do you have the reported versions as a peer dependency anywhere?


Status changed to Awaiting User Response Railway 28 days ago


a month ago

I am getting the same issue. I have next in my pnpm-lock.yaml (of monorepo) but it's not being used in the service that is being deployed.

Why are you guys even checking CVEs and blocking deployments? That's not the job of infra hosts.


Status changed to Awaiting Railway Response Railway 28 days ago


ray-chen

Do you have the reported versions as a peer dependency anywhere?

koala-gentil
PRO OP

a month ago

No, I don't use it, neither this version nor any other version of next.

➜ inprocess git:(main) ✗ yarn why next
yarn why v1.22.22
[1/4] 🤔  Why do we have the module "next"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
error We couldn't find a match!
✨  Done in 0.49s.

I made a commit recently that cannot possibly impact this, and for some reason, the deployment is working today. As I mentioned earlier, it seems very random, and I don't believe the issue is with my code.


20 days ago

@ray-chen Can you please give guidance?


startupminer
HOBBY

7 days ago

Run npm install next@^14.2.35 or yarn add next@^14.2.35 in your terminal. Should fix the issue.


7 days ago

I know that fixes the issue. But why is it even being checked when not in dependencies?
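
A check for the situation in this thread, as an added example that is not part of any post and not Railway's scanner: it walks a repository and lists every yarn.lock or pnpm-lock.yaml that records a resolved version of a package, which covers the monorepo case above where `yarn why` run inside one service finds nothing. That the scanner may read a lockfile outside the deployed service is an assumption; the function names and the sample tree are constructed.

```python
import os
import re
import sys
import tempfile

def versions_in_lockfile(text, pkg, name):
    """Return the resolved versions of `pkg` recorded in one lockfile's text."""
    if name == "pnpm-lock.yaml":
        # Package keys look like "/next@14.2.3(react@18.2.0):" or "next@14.2.3:".
        key = re.compile(r"^\s+['\"]?/?" + re.escape(pkg) + r"[@/](\d[^('\":\s]*)")
        return {m.group(1) for m in map(key.match, text.splitlines()) if m}
    found, in_entry = set(), False
    for line in text.splitlines():  # yarn.lock, classic and berry layouts
        if line and not line[0].isspace() and line.endswith(":"):
            specs = [s.strip().strip('"') for s in line[:-1].split(",")]
            in_entry = any(s.startswith(pkg + "@") for s in specs)
        elif in_entry:
            m = re.match(r'  version:?\s+"?([^"\s]+)', line)
            if m:
                found.add(m.group(1))
    return found

def scan_repo(root, pkg):
    """Map each lockfile under `root` that records `pkg` to its versions."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            if name in ("yarn.lock", "pnpm-lock.yaml"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    versions = versions_in_lockfile(fh.read(), pkg, name)
                if versions:
                    hits[os.path.relpath(path, root)] = sorted(versions)
    return hits

def demo():
    """Constructed monorepo: the root pnpm-lock.yaml pins next, the service's yarn.lock does not."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "services", "api"))
        with open(os.path.join(root, "pnpm-lock.yaml"), "w") as fh:
            fh.write("packages:\n  /next@14.2.3(react@18.2.0):\n    resolution: {}\n"
                     "  /next-auth@4.24.0:\n    resolution: {}\n")
        with open(os.path.join(root, "services", "api", "yarn.lock"), "w") as fh:
            fh.write('# yarn lockfile v1\n\nexpress@^4.18.0:\n  version "4.18.2"\n')
        return scan_repo(root, "next")

if __name__ == "__main__":
    print(scan_repo(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo())
```

Run it from the repository root as `python script.py . next`; an empty result means neither lockfile format it understands records the package anywhere in the tree.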

