2 months ago
React2Shell security build failure kicked in for dependency versions that aren't in the package.json. Most of my dependencies are near the latest version, ironically because of the recent security issues. Here is the package.json for my repository:
{
  "name": "client",
  "version": "0.1.0",
  "private": true,
  "packageManager": "pnpm@9.1.1",
  "scripts": {
    "dev": "next dev",
    "build": "next build",
    "start": "next start",
    "lint": "next lint"
  },
  "dependencies": {
    "@hookform/resolvers": "^5.2.2",
    "@mantine/core": "^8.3.10",
    "@mantine/hooks": "^8.3.10",
    "@next/third-parties": "^16.0.10",
    "@radix-ui/react-accordion": "^1.2.12",
    "@radix-ui/react-alert-dialog": "^1.1.15",
    "@radix-ui/react-dialog": "^1.1.15",
    "@radix-ui/react-dropdown-menu": "^2.1.16",
    "@radix-ui/react-hover-card": "^1.1.15",
    "@radix-ui/react-popover": "^1.1.15",
    "@radix-ui/react-progress": "^1.1.8",
    "@radix-ui/react-scroll-area": "^1.2.10",
    "@radix-ui/react-select": "^2.2.6",
    "@radix-ui/react-slider": "^1.3.6",
    "@radix-ui/react-slot": "^1.2.4",
    "@radix-ui/react-tabs": "^1.1.13",
    "@stripe/react-stripe-js": "^5.4.1",
    "@stripe/stripe-js": "^8.5.3",
    "@tabler/icons-react": "^3.36.0",
    "@tanstack/react-query": "^5.90.12",
    "@tanstack/react-query-devtools": "^5.91.1",
    "axios": "^1.13.2",
    "boring-avatars": "^2.0.4",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.14.3",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "cmdk": "^1.1.1",
    "embla-carousel-autoplay": "8.6.0",
    "embla-carousel-react": "8.6.0",
    "framer-motion": "^12.23.26",
    "html-react-parser": "^5.2.10",
    "next": "16.0.10",
    "next-auth": "^4.24.13",
    "next-themes": "^0.4.6",
    "qs": "^6.14.0",
    "react": "19.2.3",
    "react-dom": "19.2.3",
    "react-dropzone": "^14.3.8",
    "react-fast-marquee": "^1.6.5",
    "react-highlight-words": "^0.21.0",
    "react-hook-form": "^7.68.0",
    "react-responsive": "^10.0.1",
    "react-turnstile": "^1.1.4",
    "react-wrap-balancer": "^1.1.1",
    "sanitize-html": "^2.17.0",
    "sharp": "^0.34.5",
    "tailwind-merge": "^3.4.0",
    "vaul": "^1.1.2",
    "zustand": "^5.0.9",
    "jose": "^5.9.6"
  },
  "devDependencies": {
    "@tailwindcss/forms": "^0.5.10",
    "@tailwindcss/typography": "^0.5.19",
    "@types/node": "25.0.2",
    "@types/qs": "^6.14.0",
    "@types/react": "^19.2.7",
    "@types/react-dom": "^19.2.3",
    "@types/react-highlight-words": "^0.20.0",
    "@types/sanitize-html": "^2.16.0",
    "@typescript-eslint/eslint-plugin": "^8.50.0",
    "autoprefixer": "^10.4.23",
    "eslint": "^9.39.2",
    "eslint-config-next": "^16.0.10",
    "eslint-config-prettier": "^10.1.8",
    "orval": "^7.17.0",
    "postcss": "^8.5.6",
    "prettier": "^3.7.4",
    "prettier-plugin-tailwindcss": "^0.7.2",
    "sass": "^1.96.0",
    "tailwindcss": "^3.4.17",
    "typescript": "^5.9.3"
  }
}
3 Replies
2 months ago
Hey there! We've found the following might help you get unblocked faster:
🧵 Subject: Build logs truncated - cannot see pip install error
🧵 Persistent SIGTERM Error 502 on Next.js Application Deployment
🧵 Puppeteer/WPPConnect app deploys successfully but hangs on initialization
If you find the answer from one of these, please let us know by solving the thread!
2 months ago
I have identified the cause to be a redundant (we're using pnpm, not npm) and out-of-date package-lock.json that had the compromised version listed, which was being tracked in the project. I have removed this file and added it to the .gitignore.
Hope this post helps anyone in a similar situation.
occultus73:
> I have identified the cause to be a redundant (we're using pnpm, not npm) and out-of-date package-lock.json that had the compromised version listed, which was being tracked in the project. I have removed this file and added it to the .gitignore. Hope this post helps anyone in a similar situation.
2 months ago
Thank you for sharing this!
To confirm: yes, we consider peer dependencies and any references to the vulnerable versions in dependency specifications to be a positive match.
Going to mark this as solved so others can see it 🫡
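A check for the two things this thread turns on, the stale package-lock.json that a pnpm project no longer uses and the versions a build scanner would match inside it, as an added JavaScript example that is not code from the thread or from Railway. The lockfile contents and the denylisted version are constructed placeholders, not the real affected versions.

```javascript
// Added example: flag a lockfile left behind by a package manager other than the one
// package.json declares, and scan an npm package-lock.json (lockfileVersion 2/3) for
// packages resolved to a denylisted version. Denylist values are constructed placeholders.
const LOCKFILE_BY_MANAGER = { npm: 'package-lock.json', pnpm: 'pnpm-lock.yaml', yarn: 'yarn.lock' };

// Lockfiles present in `files` that belong to a manager other than the declared one.
function findStaleLockfiles(packageJson, files) {
  const manager = (packageJson.packageManager || 'npm@*').split('@')[0];
  const own = LOCKFILE_BY_MANAGER[manager];
  const known = new Set(Object.values(LOCKFILE_BY_MANAGER));
  return files.filter((f) => known.has(f) && f !== own);
}

// Walk the "packages" map of an npm lockfile. Keys look like "node_modules/next",
// "node_modules/@scope/name" or nested "node_modules/a/node_modules/next".
function findDenylistedVersions(lockfile, denylist) {
  const marker = 'node_modules/';
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx < 0) continue; // "" is the root project; workspace dirs have no node_modules
    const name = path.slice(idx + marker.length);
    if ((denylist[name] || []).includes(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample mirroring the thread: package.json says pnpm, but a leftover
// package-lock.json still resolves `next` to an older version.
const samplePackageJson = { name: 'client', packageManager: 'pnpm@9.1.1' };
const sampleFiles = ['package.json', 'pnpm-lock.yaml', 'package-lock.json'];
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'client' },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/react': { version: '19.2.3' },
  },
};
// Placeholder denylist (constructed); substitute the versions named in the advisory.
const sampleDenylist = { next: ['15.0.0'] };

// Runs both checks on the sample; expect ['package-lock.json'] and one hit for next@15.0.0.
function auditSample() {
  return {
    staleLockfiles: findStaleLockfiles(samplePackageJson, sampleFiles),
    hits: findDenylistedVersions(sampleLock, sampleDenylist),
  };
}
```

Run the same two checks in CI before the platform's scanner does, so a leftover lockfile is caught in the repository rather than at deploy time.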
Status changed to Awaiting User Response Railway • 2 months ago
Status changed to Solved ray-chen • 2 months ago
