a month ago
Hi Railway team,
My deployment is being blocked by your security scanner with the error:
SECURITY VULNERABILITIES DETECTED
next@15.0.0 — CRITICAL
Source: pnpm-lock.yaml
This is a false positive. Here is what is actually happening:
- The installed version of next in my project is 15.5.15 (patched, no CVEs)
- Your scanner is reading the string ^15.0.0 from next-auth@5.0.0-beta.30's peer dependency specification in pnpm-lock.yaml:

  next-auth@5.0.0-beta.30:
    peerDependencies:
      next: ^14.0.0-0 || ^15.1.0 || ^16.0.0 # peer dep RANGE, not installed version
A peer dependency range (^15.0.0) is not an installed package — it declares what versions the package is compatible with. The actual resolved next package is 15.5.15, which you can confirm at:
  next@15.5.15:
    resolution: {integrity: sha512-VSqCrJwtLVGwAVE0Sb...}
next@15.5.15 satisfies all the CVEs you are flagging (patched in >=15.0.7).
Request: Please fix your scanner to read the resolution: field for the actual installed version, not the peer dependency range string. Or provide a way to mark this as a known false positive.
Repository: Heloy702/edumanager — branch develop
Thank you.
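To make the distinction in the post concrete, here is an added example (not code from the poster, from Railway, or from pnpm) that reads a pnpm-lock.yaml v9 layout the way a scanner should: installed versions come from the package keys under `packages:` (`name@version:`), while strings under `peerDependencies:` are compatibility ranges and are never installed versions. The lockfile text, the `sha512-PLACEHOLDER` integrity values and the function names are constructed for this example; the peer range and the 15.0.7 patch threshold are the ones quoted in the post. `naive_version_tokens` emulates a grep-style scanner that collects every x.y.z token on lines mentioning the package, which is exactly how a range such as `^15.1.0` ends up reported as an installed version.

```python
import re

# Constructed pnpm-lock.yaml (v9 layout) for this example; integrity hashes are placeholders.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      next:
        specifier: ^15.5.0
        version: 15.5.15(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
      next-auth:
        specifier: 5.0.0-beta.30
        version: 5.0.0-beta.30(next@15.5.15(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react@19.0.0)

packages:

  next@15.5.15:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=18.18.0'}
    peerDependencies:
      react: ^18.2.0 || 19.0.0

  next-auth@5.0.0-beta.30:
    resolution: {integrity: sha512-PLACEHOLDER}
    peerDependencies:
      next: ^14.0.0-0 || ^15.1.0 || ^16.0.0
      react: ^18.2.0 || ^19.0.0-0
"""

PKG_KEY = re.compile(r"^  ([^\s:][^:]*)@([^:\s]+):\s*$")  # 2-space indent: name@version: (scoped names allowed)
PEER_DEP = re.compile(r"^      ([^\s:]+): (.+?)\s*$")     # 6-space indent: a line under peerDependencies:
VERSION_TOKEN = re.compile(r"\d+\.\d+\.\d+")


def parse_packages(lock_text):
    """Return {pkg_key: {"name", "version", "peers"}} built only from the packages: section."""
    packages, section, current, in_peers = {}, None, None, False
    for line in lock_text.splitlines():
        if line and not line[0].isspace():          # top-level key: importers:, packages:, ...
            section, current = line.rstrip(":").strip(), None
            continue
        if section != "packages":
            continue
        m = PKG_KEY.match(line)
        if m:                                        # the key itself carries the resolved version
            current = f"{m.group(1)}@{m.group(2)}"
            packages[current] = {"name": m.group(1), "version": m.group(2), "peers": {}}
            in_peers = False
            continue
        if current is None:
            continue
        if line.startswith("    ") and not line.startswith("      "):
            in_peers = line.strip() == "peerDependencies:"   # 4-space keys switch sub-blocks
            continue
        m = PEER_DEP.match(line)
        if in_peers and m:                           # a range string, not an installed version
            packages[current]["peers"][m.group(1)] = m.group(2)
    return packages


def resolved_versions(lock_text, name):
    """Versions of `name` that are actually resolved (present as packages: keys)."""
    return sorted({p["version"] for p in parse_packages(lock_text).values() if p["name"] == name})


def peer_ranges_for(lock_text, name):
    """Every peerDependencies range mentioning `name`, keyed by the package that declares it."""
    return {key: p["peers"][name] for key, p in parse_packages(lock_text).items() if name in p["peers"]}


def naive_version_tokens(lock_text, name):
    """Emulate a grep-style scanner: every x.y.z token on a line that mentions `name`."""
    hits = set()
    for line in lock_text.splitlines():
        if re.search(rf"(^|[\s/]){re.escape(name)}[@:]", line):
            hits.update(VERSION_TOKEN.findall(line))
    return sorted(hits)


def parse_version(v):
    """'15.5.15' -> (15, 5, 15); a pre-release suffix such as '-beta.30' is dropped."""
    return tuple(int(x) for x in v.split("-", 1)[0].split("."))


def vulnerable_resolutions(lock_text, name, first_patched):
    """Resolved versions of `name` older than `first_patched`: the only thing worth flagging."""
    return [v for v in resolved_versions(lock_text, name)
            if parse_version(v) < parse_version(first_patched)]


if __name__ == "__main__":
    print("resolved next versions:", resolved_versions(SAMPLE_LOCK, "next"))
    print("peer ranges mentioning next:", peer_ranges_for(SAMPLE_LOCK, "next"))
    print("what a grep-style scanner sees:", naive_version_tokens(SAMPLE_LOCK, "next"))
    print("resolved versions below 15.0.7:", vulnerable_resolutions(SAMPLE_LOCK, "next", "15.0.7"))
```

Run against the constructed lockfile, the resolved list is `['15.5.15']` and nothing is below 15.0.7, while the grep-style pass also returns 14.0.0, 15.1.0 and 16.0.0 from the next-auth peer range, which is the false positive the post describes. The same parser reports a genuine problem when a resolved key really is old (for example, calling `vulnerable_resolutions` with a threshold above 15.5.15 returns it), so the fix is in where the version is read from, not in suppressing the check.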
a month ago
Hello heloy702,
Railway staff posted an official workaround for this in their own security alert thread; add this env variable to your service:
RAILWAY_DANGEROUSLY_SKIP_VULNERABILITY_CHECK="I_ACCEPT_THE_RISKS"
This disables the scanner and unblocks your deployment; it was posted by Railway themselves, not a third-party hack.
And for the Next.js patch version, this comes from the official Next.js CVE advisory I retrieved, which explicitly lists:
"npm install next@15.5.7 # for 15.5.x" , from nextjs.org/blog/CVE-2025-66478
Hope this helps you :)