Problem

Deploying RefRef on Railway fails because Railway's deployment security scanner detects vulnerable Next.js versions in pnpm-lock.yaml:
- next@15.1.2 — CRITICAL (CVE-2025-66478), plus HIGH and MEDIUM CVEs
- next@16.0.7 — HIGH (CVE-2025-55184, CVE-2025-67779)

Railway requires next@>=15.1.11 and next@>=16.0.10.

Root cause

- apps/webapp/package.json and apps/www/package.json specify next@16.0.7 — needs bump to >=16.0.10
- pnpm-lock.yaml still resolves next@15.1.2 (likely a stale transitive dependency) — needs lockfile regeneration after the bump

Suggested fix

pnpm -F @refref/webapp add next@^16.0.10
pnpm -F @refref/www add next@^16.0.10
pnpm install # regenerate lockfile, should drop stale 15.1.2

Environment

- Railway deployment (Docker-based, security scanner enabled by default)
- RefRef commit: 8895d31741b04aa77387697e095928dbc75e652b
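
A local check for the lockfile state described in this issue, as an added example (not RefRef or Railway code): it lists every `next@` version the lockfile resolves and flags those below the two floors quoted above. The function names `check_next_lock` and `sample_lock` are hypothetical, the sample lockfile is constructed, and only the 15.x and 16.x floors from this issue are checked.

```bash
#!/usr/bin/env bash
# Added example: flag resolved next@ versions in a pnpm lockfile that are
# below the floors quoted in the issue (15.1.11 for 15.x, 16.0.10 for 16.x).

# Constructed sample mimicking the lockfile state the issue describes.
sample_lock() {
  cat <<'EOF'
packages:
  eslint-config-next@16.0.7:
    resolution: {integrity: sha512-CONSTRUCTED}
  next@15.1.2:
    resolution: {integrity: sha512-CONSTRUCTED}
  next@16.0.7:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  next@16.0.7(react-dom@19.0.0(react@19.0.0))(react@19.0.0):
    dependencies: {}
EOF
}

# Prints one "next@<version> < <floor>" line per offending resolved version.
# Returns 0 when none is below its floor, 1 otherwise.
check_next_lock() {
  # Match keys that start with next@ (optionally quoted or "/"-prefixed), so
  # packages such as eslint-config-next@... are not counted. sort -u collapses
  # the packages: and snapshots: entries for the same version.
  grep -oE "^[[:space:]]*['\"]?/?next@[0-9]+\.[0-9]+\.[0-9]+" "$1" |
    sed -E 's/.*next@//' | sort -u |
    awk -F. '
      # Compare minor, then patch, of the current record against a floor.
      function below(floor,   f) {
        split(floor, f, ".")
        if ($2 + 0 != f[2] + 0) return ($2 + 0 < f[2] + 0)
        return ($3 + 0 < f[3] + 0)
      }
      $1 == 15 && below("15.1.11") { print "next@" $0 " < 15.1.11"; bad = 1 }
      $1 == 16 && below("16.0.10") { print "next@" $0 " < 16.0.10"; bad = 1 }
      END { exit bad }
    '
}

# Demo on the constructed sample; pass your own pnpm-lock.yaml instead.
demo_lock=$(mktemp)
sample_lock > "$demo_lock"
check_next_lock "$demo_lock" || echo "lockfile still resolves a flagged next version"
rm -f "$demo_lock"
```

Running it again after `pnpm install` shows whether the stale 15.1.2 entry was actually dropped before the next deploy attempt.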