14 days ago
My application is running next@14.2.35, yet Railway insists that there are high security vulnerabilities that it cannot proceed with, for whatever reason, and it's due to dependencies. Can anyone help me figure this out?
2 Replies
14 days ago
Maybe Railway is acting like a drama queen. Anyway, in your node_modules there must be some dependencies that haven't been updated in years. You can try adding an override to let npm know the exact version of the dependency that is safe to use, and that could solve the trouble.
Try adding this to your package.json:
{
  "overrides": {
    "name-of-the-vulnerable-package": "secure-version-number"
  }
}
After that, just a quick rm -rf node_modules package-lock.json followed by npm install, and the security scanner in Railway is finally happy, at least I hope so.
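One way to confirm that an override like the one above took effect, as an added example that is not part of the original reply: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) for every copy of a package, nested ones included, that is still locked below a minimum version. The lockfile content, package names and versions are constructed, and the function names are hypothetical.

```javascript
// Constructed sample of the "packages" map from a package-lock.json
// (lockfileVersion 2/3). Package names and versions are made up.
// On a real project: JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "2.4.1" },
    "node_modules/some-parent": { version: "5.0.0" },
    "node_modules/some-parent/node_modules/example-lib": { version: "1.9.0" },
    "node_modules/@scope/example-lib": { version: "0.1.0" },
  },
};

// Parse "major.minor.patch" into numbers; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` is strictly lower than `minimum`.
function isBelow(version, minimum) {
  const a = parseVersion(version), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed copy of `name` (top-level or nested under another
// dependency) whose locked version is still below `minimum`.
// Entries without a version (e.g. workspace links) are skipped.
function findStaleCopies(lock, name, minimum) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isBelow(meta.version, minimum))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// The nested copy under some-parent is the one an override still has to fix.
console.log(findStaleCopies(sampleLock, "example-lib", "2.0.0"));
```

An empty result after the reinstall means no copy of the package in the lockfile is below the version given as the minimum.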
14 days ago
Hey there,
Seems like Railway is flagging those versions with CVEs, which is likely because next@14.2.33 had a severe security vulnerability which got fixed in .35.
Either way, my recommendation is always to upgrade to one of the latest versions.