3 months ago
Hi Railway Support,
Our service is blocked by the vulnerability scanner flagging @next/swc-*@15.5.7 as “Next.js 15.5.7 vulnerable”.
However, our actual Next.js dependency is next@15.5.9, which is the patched release for CVE-2025-55183 / CVE-2025-55184 and the follow-up CVE-2025-67779 (Next.js security update: Dec 11, 2025).
The flagged packages are @next/swc-* platform SWC compiler binaries, not the Next.js routing/RSC runtime code. The npm package explicitly states: “This is the x86_64-unknown-linux-gnu binary for @next/swc.”
Could you please review/override this detection or update the rule to map the CVEs to the next package (App Router) version rather than @next/swc-*?
Evidence we can provide:
node -p "require('./apps/web/node_modules/next/package.json').version" → 15.5.9
pnpm-lock.yaml entry showing @next/swc-linux-x64-gnu@15.5.7 is present as a compiler binary
Thanks!
1 Replies
Status changed to Awaiting User Response Railway • 3 months ago
3 months ago
This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!
Status changed to Solved Railway • 3 months ago
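
The evidence check described in the opening post, as an added example that is not part of the thread and is not Railway's scanner logic: it reads package keys from a pnpm lockfile and evaluates the finding against the resolved `next` version instead of the `@next/swc-*` binary. The lockfile excerpt is constructed, the function names and the `scanner-mapping-mismatch` label are hypothetical, and the patched version 15.5.9 is taken from the post as an assumption.

```javascript
// Added triage example; not Railway's scanner logic and not Next.js code.
// Constructed pnpm-lock.yaml excerpt (v9-style keys) modelled on the post.
const SAMPLE_LOCK = `
packages:
  '@next/swc-linux-x64-gnu@15.5.7':
    resolution: {integrity: sha512-CONSTRUCTED}
  next@15.5.9:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  next@15.5.9(react-dom@19.1.0(react@19.1.0))(react@19.1.0):
    optionalDependencies:
      '@next/swc-linux-x64-gnu': 15.5.7
`;

// Map package name -> versions, read from top-level "name@version[(peers)]:" keys.
function lockedVersions(lockText) {
  const keyRe = /^ {2}'?((?:@[^@\/\s']+\/)?[^@\s']+)@(\d+\.\d+\.\d+[^\s'(:]*)(?:\(.*\))?'?:\s*$/;
  const found = new Map();
  for (const line of lockText.split("\n")) {
    const m = keyRe.exec(line);
    if (!m) continue;
    if (!found.has(m[1])) found.set(m[1], new Set());
    found.get(m[1]).add(m[2]);
  }
  return found;
}

// Numeric major.minor.patch comparison; pre-release tags are ignored.
function cmp(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10));
  const pb = b.split(".").map((x) => parseInt(x, 10));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Evaluate the advisory against `next` only; @next/swc-* is reported as a binary.
// `patched` is the fixed version claimed in the post (an assumption here), and the
// comparison is only meaningful within that one release line.
function triage(finding, lockText, patched) {
  const nextVersions = [...(lockedVersions(lockText).get("next") || [])];
  const runtimePatched =
    nextVersions.length > 0 && nextVersions.every((v) => cmp(v, patched) >= 0);
  const isSwcBinary = finding.name.startsWith("@next/swc-");
  const verdict = isSwcBinary && runtimePatched ? "scanner-mapping-mismatch" : "needs-review";
  return { flagged: `${finding.name}@${finding.version}`, isSwcBinary, nextVersions, runtimePatched, verdict };
}

console.log(triage({ name: "@next/swc-linux-x64-gnu", version: "15.5.7" }, SAMPLE_LOCK, "15.5.9"));
```

If any resolved `next` entry is below the patched version, the result is `needs-review`, so a stale workspace copy is not hidden by one that has been upgraded.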