npmpackage.info

Gathering detailed insights and metrics for next

Other packages similar to next

next-tick

1.1.0

Environment agnostic nextTick polyfill

@next/env

15.1.7

Next.js dotenv file loading

@next/swc-linux-x64-gnu

15.1.7

This is the **x86_64-unknown-linux-gnu** binary for `@next/swc`

@next/swc-linux-x64-musl

15.1.7

This is the **linux-x64-musl** binary for `@next/swc`

The React Framework

15.1.7

129,247

MIT

JavaScript

114.19 MB

893,864,011 4.6

Installations

npm install next

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS

Min. Node Version

^18.18.0 || ^19.8.0 || >= 20.0.0

Node Version

20.18.2

NPM Version

10.4.0 Score

71.1

Supply Chain

77.5

Quality

96.9

Maintenance

100

Vulnerability

73.7

License

Pull Requests

Open

653

Total

27,047

Closed

5,664

Merged

20,730

Issues

Open

2,818

Total

22,339

Closed

19,521

Releases

2,916

v15.2.0-canary.55

Updated on Feb 12, 2025

v15.2.0-canary.54

Updated on Feb 12, 2025

v15.2.0-canary.53

Updated on Feb 11, 2025

v15.2.0-canary.52

Updated on Feb 11, 2025

v15.2.0-canary.51

Updated on Feb 11, 2025

v15.1.7

Updated on Feb 11, 2025

View All 2,916 releases

Contributors

3,564

View All 3,564 Contributors

Languages

JavaScript

TypeScript

Rust

MDX

CSS

Shell

SCSS

Dockerfile

HTML

Sass

Batchfile

WebAssembly

Pug

JavaScript (59.2%)

TypeScript (25.77%)

Rust (13.91%)

MDX (0.56%)

CSS (0.51%)

Shell (0.02%)

SCSS (0.02%)

Dockerfile (0.01%)

HTML (0.01%)

Love this project? Help keep it running — sponsor us today! 🚀

Developer

vercel

Download Statistics

Total Downloads

893,864,011

Last Day

1,658,722

Last Week

8,731,059

Last Month

35,840,066

Last Year

354,163,511

GitHub Statistics

MIT License

129,247 Stars

27,234 Commits

27,627 Forks

1,458 Watchers

1,350 Branches

3,564 Contributors

Updated on Feb 12, 2025

Maintainers

Package Meta Information

Latest Version

15.1.7

Package Id

next@15.1.7

Unpacked Size

114.19 MB

Size

23.99 MB

File Count

6,873

NPM Version

10.4.0

Node Version

20.18.2

Published on

Feb 11, 2025

Total Downloads

Cumulative downloads

Total Downloads

893,864,011

Last Day

5.6%

1,658,722

Compared to previous day

Last Week

7.1%

8,731,059

Compared to previous week

Last Month

42.9%

35,840,066

Compared to previous month

Last Year

48%

354,163,511

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

@next/env @swc/counter @swc/helpers busboy caniuse-lite postcss styled-jsx

Peer Dependencies

@opentelemetry/api @playwright/test babel-plugin-react-compiler react react-dom sass

Dev Dependencies

202

@ampproject/toolbox-optimizer @babel/code-frame @babel/core @babel/eslint-parser @babel/generator @babel/plugin-proposal-class-properties @babel/plugin-proposal-export-namespace-from @babel/plugin-proposal-numeric-separator @babel/plugin-proposal-object-rest-spread @babel/plugin-syntax-bigint @babel/plugin-syntax-dynamic-import @babel/plugin-syntax-import-attributes @babel/plugin-syntax-jsx @babel/plugin-transform-modules-commonjs @babel/plugin-transform-runtime @babel/preset-env @babel/preset-react @babel/preset-typescript @babel/runtime @babel/traverse @babel/types @capsizecss/metrics @edge-runtime/cookies @edge-runtime/ponyfill @edge-runtime/primitives @hapi/accept @jest/transform @jest/types @mswjs/interceptors @napi-rs/triples @next/font @next/polyfill-module @next/polyfill-nomodule @next/react-refresh-utils @next/swc @opentelemetry/api @playwright/test @swc/core @swc/types @taskr/clear @taskr/esnext @types/amphtml-validator @types/babel__code-frame @types/babel__core @types/babel__generator @types/babel__template @types/babel__traverse @types/bytes @types/ci-info @types/compression @types/content-disposition @types/content-type @types/cookie @types/cross-spawn @types/debug @types/express-serve-static-core @types/fresh @types/glob @types/jsonwebtoken @types/lodash @types/lodash.curry @types/path-to-regexp @types/picomatch @types/platform @types/react @types/react-dom @types/react-is @types/semver @types/send @types/shell-quote @types/tar @types/text-table @types/ua-parser-js @types/webpack-sources1 @types/ws @vercel/ncc @vercel/nft @vercel/turbopack-ecmascript-runtime acorn amphtml-validator anser arg assert async-retry async-sema babel-plugin-react-compiler babel-plugin-transform-define babel-plugin-transform-react-remove-prop-types browserify-zlib browserslist buffer bytes ci-info cli-select client-only commander comment-json compression conf constants-browserify content-disposition content-type cookie cross-env cross-spawn crypto-browserify css.escape cssnano-preset-default data-uri-to-buffer debug devalue domain-browser edge-runtime events find-up fresh glob gzip-size http-proxy http-proxy-agent https-browserify https-proxy-agent icss-utils ignore-loader image-size is-docker is-wsl jest-worker json5 jsonwebtoken loader-runner loader-utils2 loader-utils3 lodash.curry mini-css-extract-plugin msw nanoid native-url neo-async node-html-parser ora os-browserify p-limit p-queue path-browserify path-to-regexp picomatch platform postcss-flexbugs-fixes postcss-modules-extract-imports postcss-modules-local-by-default postcss-modules-scope postcss-modules-values postcss-preset-env postcss-safe-parser postcss-scss postcss-value-parser process punycode querystring-es3 raw-body react-refresh regenerator-runtime sass-loader schema-utils2 schema-utils3 semver send server-only setimmediate shell-quote source-map source-map-loader source-map08 stacktrace-parser stream-browserify stream-http strict-event-emitter string-hash string_decoder strip-ansi superstruct tar taskr terser terser-webpack-plugin text-table timers-browserify tty-browserify typescript ua-parser-js unistore util vm-browserify watchpack web-vitals webpack webpack-sources1 webpack-sources3 ws zod zod-validation-error

Optional Dependencies

sharp @next/swc-darwin-arm64 @next/swc-darwin-x64 @next/swc-linux-arm64-gnu @next/swc-linux-arm64-musl @next/swc-linux-x64-gnu @next/swc-linux-x64-musl @next/swc-win32-arm64-msvc @next/swc-win32-x64-msvc

Next.js

Getting Started

Used by some of the world's largest companies, Next.js enables you to create full-stack web applications by extending the latest React features, and integrating powerful Rust-based JavaScript tooling for the fastest builds.

Visit our Learn Next.js course to get started with Next.js.
Visit the Next.js Showcase to see more sites built with Next.js.

Documentation

Visit https://nextjs.org/docs to view the full documentation.

Community

The Next.js community can be found on GitHub Discussions where you can ask questions, voice ideas, and share your projects with other people.

To chat with other community members you can join the Next.js Discord server.

Do note that our Code of Conduct applies to all Next.js community channels. Users are highly encouraged to read and adhere to them to avoid repercussions.

Contributing

Contributions to Next.js are welcome and highly appreciated. However, before you jump right into it, we would like you to review our Contribution Guidelines to make sure you have a smooth experience contributing to Next.js.

Good First Issues:

We have a list of good first issues that contain bugs that have a relatively limited scope. This is a great place for newcomers and beginners alike to get started, gain experience, and get familiar with our contribution process.

Authors

A list of the original co-authors of Next.js that helped bring this amazing framework to life!

Tim Neutkens (@timneutkens)
Naoyuki Kanezawa (@nkzawa)
Guillermo Rauch (@rauchg)
Arunoda Susiripala (@arunoda)
Tony Kovanen (@tonykovanen)
Dan Zajdband (@impronunciable)

Security

If you believe you have found a security vulnerability in Next.js, we encourage you to responsibly disclose this and NOT open a public issue. We will investigate all legitimate reports. Email security@vercel.com to disclose any security vulnerabilities. Alternatively, you can visit this link to know more about Vercel's security and report any security vulnerabilities.

Stable Version

15.1.7

High

7.5/10

Summary

Next.js authorization bypass vulnerability

Affected Versions

>= 9.5.5, < 14.2.15

Patched Versions

14.2.15

High

7.5/10

Summary

Next.js Denial of Service (DoS) condition

Affected Versions

>= 13.3.1, < 13.5.0

Patched Versions

13.5.0

High

7.5/10

Summary

Next.js Cache Poisoning

Affected Versions

>= 14.0.0, < 14.2.10

Patched Versions

14.2.10

High

7.5/10

Summary

Next.js Cache Poisoning

Affected Versions

>= 13.5.1, < 13.5.7

Patched Versions

13.5.7

High

7.5/10

Summary

Next.js Server-Side Request Forgery in Server Actions

Affected Versions

>= 13.4.0, < 14.1.1

Patched Versions

14.1.1

High

7.5/10

Summary

Next.js Vulnerable to HTTP Request Smuggling

Affected Versions

>= 13.4.0, < 13.5.1

Patched Versions

13.5.1

High

7.5/10

Summary

Unexpected server crash in Next.js.

Affected Versions

>= 0.9.9, < 11.1.3

Patched Versions

11.1.3

High

7.5/10

Summary

Unexpected server crash in Next.js.

Affected Versions

>= 12.0.0, < 12.0.5

Patched Versions

12.0.5

High

7.5/10

Summary

Next.js Directory Traversal Vulnerability

Affected Versions

>= 1.0.0, < 2.4.1

Patched Versions

2.4.1

High

0/10

Summary

Remote Code Execution in next

Affected Versions

>= 0.9.9, < 5.1.0

Patched Versions

5.1.0

High

7.5/10

Summary

XSS in Image Optimization API for Next.js

Affected Versions

>= 10.0.0, < 11.1.1

Patched Versions

11.1.1

High

7.5/10

Summary

Directory traversal vulnerability in Next.js

Affected Versions

>= 1.0.0, < 4.2.3

Patched Versions

4.2.3

Moderate

5.3/10

Summary

Next.js Allows a Denial of Service (DoS) with Server Actions

Affected Versions

>= 15.0.0, < 15.1.2

Patched Versions

15.1.2

Moderate

5.3/10

Summary

Next.js Allows a Denial of Service (DoS) with Server Actions

Affected Versions

>= 14.0.0, < 14.2.21

Patched Versions

14.2.21

Moderate

5.3/10

Summary

Next.js Allows a Denial of Service (DoS) with Server Actions

Affected Versions

>= 13.0.0, < 13.5.8

Patched Versions

13.5.8

Moderate

5.9/10

Summary

Denial of Service condition in Next.js image optimization

Affected Versions

>= 10.0.0, < 14.2.7

Patched Versions

14.2.7

Moderate

5.3/10

Summary

Unexpected server crash in Next.js

Affected Versions

= 12.2.3

Patched Versions

12.2.4

Moderate

6.9/10

Summary

Open Redirect in Next.js

Affected Versions

>= 0.9.9, < 11.1.0

Patched Versions

11.1.0

Moderate

5.9/10

Summary

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Affected Versions

>= 10.0.0, < 12.1.0

Patched Versions

12.1.0

Moderate

5.9/10

Summary

Denial of Service Vulnerability in next.js

Affected Versions

>= 12.0.0, < 12.0.9

Patched Versions

12.0.9

Moderate

4.7/10

Summary

Open Redirect in Next.js versions

Affected Versions

>= 9.5.0, < 9.5.4

Patched Versions

9.5.4

Moderate

4.4/10

Summary

Directory Traversal in Next.js

Affected Versions

< 9.3.2

Patched Versions

9.3.2

Moderate

6.1/10

Summary

Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page

Affected Versions

>= 7.0.0, < 7.0.2

Patched Versions

7.0.2

Low

0/10

Summary

Next.js missing cache-control header may lead to CDN caching empty reply

Affected Versions

>= 0.9.9, < 13.4.20-canary.13

Patched Versions

13.4.20-canary.13

10

Maintained

Determines if the project is "actively maintained".

10

License

Determines if the project has defined a license.

10

Security-Policy

Determines if the project has published a security policy.

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

Packaging

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

8

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

Reason

detected GitHub workflow tokens with excessive permissions

Details

Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build_and_deploy.yml:522
Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build_and_deploy.yml:584
Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_and_test.yml:40
Warn: no topLevel permission defined: .github/workflows/build_and_deploy.yml:1
Warn: no topLevel permission defined: .github/workflows/build_and_test.yml:1
Warn: no topLevel permission defined: .github/workflows/build_reusable.yml:1
Warn: no topLevel permission defined: .github/workflows/cancel.yml:1
Warn: no topLevel permission defined: .github/workflows/code_freeze.yml:1
Warn: no topLevel permission defined: .github/workflows/graphite_ci_optimizer.yml:1
Warn: no topLevel permission defined: .github/workflows/issue_bankrupt.yml:1
Warn: no topLevel permission defined: .github/workflows/issue_stale.yml:1
Warn: no topLevel permission defined: .github/workflows/issue_version.yml:1
Warn: no topLevel permission defined: .github/workflows/issue_wrong_template.yml:1
Warn: no topLevel permission defined: .github/workflows/notify_release.yml:1
Warn: no topLevel permission defined: .github/workflows/popular.yml:1
Warn: no topLevel permission defined: .github/workflows/pull_request_stats.yml:1
Warn: topLevel 'actions' permission set to 'write': .github/workflows/retry_deploy_test.yml:13
Warn: topLevel 'actions' permission set to 'write': .github/workflows/retry_test.yml:14
Warn: no topLevel permission defined: .github/workflows/rspack-nextjs-build-integration-tests.yml:1
Warn: no topLevel permission defined: .github/workflows/rspack-nextjs-dev-integration-tests.yml:1
Warn: no topLevel permission defined: .github/workflows/rspack-update-tests-manifest.yml:1
Warn: no topLevel permission defined: .github/workflows/setup-nextjs-build.yml:1
Warn: no topLevel permission defined: .github/workflows/test-turbopack-rust-bench-test.yml:1
Warn: no topLevel permission defined: .github/workflows/test_e2e_deploy_release.yml:1
Warn: no topLevel permission defined: .github/workflows/test_examples.yml:1
Warn: no topLevel permission defined: .github/workflows/triage_with_ai.yml:1
Warn: no topLevel permission defined: .github/workflows/trigger_release.yml:1
Warn: no topLevel permission defined: .github/workflows/turbopack-nextjs-build-integration-tests.yml:1
Warn: no topLevel permission defined: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:1
Warn: no topLevel permission defined: .github/workflows/turbopack-update-tests-manifest.yml:1
Warn: no topLevel permission defined: .github/workflows/turbopack-upload-tests-manifest.yml:1
Warn: no topLevel permission defined: .github/workflows/update_fonts_data.yml:1
Warn: no topLevel permission defined: .github/workflows/update_react.yml:1

0

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

0

SAST

Determines if the project uses static code analysis.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:299: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:302: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:323: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:380: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:386: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:392: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:412: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:415: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:443: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:449: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:465: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:478: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:490: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:496: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:506: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:587: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:589: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:648: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:652: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:675: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:528: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:541: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:553: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:559: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:573: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:620: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:186: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:188: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:641: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:147: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:201: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:233: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:240: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:247: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:259: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/cancel.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/cancel.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code_freeze.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/code_freeze.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/graphite_ci_optimizer.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/graphite_ci_optimizer.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_bankrupt.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_bankrupt.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_bankrupt.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_bankrupt.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue_lock.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_lock.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_version.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_version.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_version.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_version.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_wrong_template.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_wrong_template.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_wrong_template.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_wrong_template.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify_release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/notify_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify_release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/notify_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify_release.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/notify_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/popular.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/popular.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/popular.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/popular.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_stats.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/pull_request_stats.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_stats.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/pull_request_stats.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/retry_deploy_test.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/retry_deploy_test.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/retry_test.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/retry_test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-build-integration-tests.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-nextjs-dev-integration-tests.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-turbopack-rust-bench-test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test-turbopack-rust-bench-test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-turbopack-rust-bench-test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test-turbopack-rust-bench-test.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_examples.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_examples.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_examples.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_examples.yml/canary?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/triage.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage_with_ai.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage_with_ai.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage_with_ai.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage_with_ai.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-build-integration-tests.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-build-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-nextjs-dev-integration-tests.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-upload-tests-manifest.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-upload-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-upload-tests-manifest.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-upload-tests-manifest.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_fonts_data.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_fonts_data.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_fonts_data.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_fonts_data.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_react.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_react.yml/canary?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_react.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_react.yml/canary?enable=pin
Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:5
Warn: containerImage not pinned by hash: .devcontainer/base.Dockerfile:5
Warn: containerImage not pinned by hash: .github/actions/next-stats-action/Dockerfile:3: pin your Docker image by updating ubuntu:22.04 to ubuntu:22.04@sha256:ed1544e454989078f5dec1bfdabd8c5cc9c48e0705d07b678ab6ae3fb61952d2
Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/dev.Dockerfile:3: pin your Docker image by updating node:18-alpine to node:18-alpine@sha256:974afb6cbc0314dc6502b14243b8a39fbb2d04d975e9059dd066be3e274fbb25
Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod-without-multistage.Dockerfile:3: pin your Docker image by updating node:18-alpine to node:18-alpine@sha256:974afb6cbc0314dc6502b14243b8a39fbb2d04d975e9059dd066be3e274fbb25
Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:3
Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:6
Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:48
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:3
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:6
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:22
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:31
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:3
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:6
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:23
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:32
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:3
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:6
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:23
Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:32
Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:3
Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:6
Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:22
Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:40
Warn: npmCommand not pinned by hash: .devcontainer/base.Dockerfile:22-47
Warn: downloadThenRun not pinned by hash: .github/actions/next-stats-action/Dockerfile:14
Warn: npmCommand not pinned by hash: .github/actions/next-stats-action/Dockerfile:15
Warn: downloadThenRun not pinned by hash: scripts/setup-node.sh:5
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:34
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:595
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:625
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:534
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:566
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:78
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:427
Warn: downloadThenRun not pinned by hash: .github/workflows/build_and_deploy.yml:430
Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:471
Warn: npmCommand not pinned by hash: .github/workflows/build_and_test.yml:113
Warn: npmCommand not pinned by hash: .github/workflows/code_freeze.yml:36
Warn: npmCommand not pinned by hash: .github/workflows/issue_wrong_template.yml:16
Warn: npmCommand not pinned by hash: .github/workflows/popular.yml:17
Warn: npmCommand not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:31
Warn: npmCommand not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:67
Warn: npmCommand not pinned by hash: .github/workflows/setup-nextjs-build.yml:85
Warn: downloadThenRun not pinned by hash: .github/workflows/setup-nextjs-build.yml:109
Warn: npmCommand not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:29
Warn: npmCommand not pinned by hash: .github/workflows/test_examples.yml:44
Warn: npmCommand not pinned by hash: .github/workflows/triage_with_ai.yml:15
Warn: npmCommand not pinned by hash: .github/workflows/trigger_release.yml:87
Warn: npmCommand not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:31
Warn: npmCommand not pinned by hash: .github/workflows/turbopack-upload-tests-manifest.yml:32
Warn: npmCommand not pinned by hash: .github/workflows/update_fonts_data.yml:33
Warn: npmCommand not pinned by hash: .github/workflows/update_react.yml:44
Info: 0 out of 128 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 12 third-party GitHubAction dependencies pinned
Info: 0 out of 24 containerImage dependencies pinned
Info: 7 out of 32 npmCommand dependencies pinned
Info: 0 out of 4 downloadThenRun dependencies pinned

0

Fuzzing

Determines if the project uses fuzzing.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

195 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
Warn: Project is vulnerable to: RUSTSEC-2021-0139
Warn: Project is vulnerable to: RUSTSEC-2024-0388
Warn: Project is vulnerable to: RUSTSEC-2020-0095
Warn: Project is vulnerable to: RUSTSEC-2024-0332 / GHSA-q6cp-qfwq-4gcv
Warn: Project is vulnerable to: RUSTSEC-2024-0384
Warn: Project is vulnerable to: RUSTSEC-2022-0081
Warn: Project is vulnerable to: RUSTSEC-2023-0055 / GHSA-c2hm-mjxv-89r4
Warn: Project is vulnerable to: GHSA-2326-pfpj-vx3h
Warn: Project is vulnerable to: RUSTSEC-2023-0086
Warn: Project is vulnerable to: RUSTSEC-2021-0095 / GHSA-2gxj-qrp2-53jv / GHSA-8mv5-7x95-7wcf
Warn: Project is vulnerable to: RUSTSEC-2023-0022 / GHSA-3gxf-9r58-2ghg
Warn: Project is vulnerable to: RUSTSEC-2023-0024 / GHSA-6hcf-g6gr-hhcr
Warn: Project is vulnerable to: RUSTSEC-2023-0023 / GHSA-9qwg-crg9-m2vc
Warn: Project is vulnerable to: RUSTSEC-2023-0044 / GHSA-xcf7-rvmh-g6q4
Warn: Project is vulnerable to: RUSTSEC-2023-0072 / GHSA-xphf-cx8h-7q9g
Warn: Project is vulnerable to: GHSA-q445-7m23-qrmw
Warn: Project is vulnerable to: RUSTSEC-2024-0357
Warn: Project is vulnerable to: RUSTSEC-2025-0004 / GHSA-rpmj-rpgj-qmpm
Warn: Project is vulnerable to: RUSTSEC-2024-0370
Warn: Project is vulnerable to: RUSTSEC-2024-0336
Warn: Project is vulnerable to: RUSTSEC-2023-0065 / GHSA-9mcr-873m-xcxp
Warn: Project is vulnerable to: RUSTSEC-2023-0052 / GHSA-8qv2-5vq6-g2g7
Warn: Project is vulnerable to: GHSA-7m27-7ghc-44w9
Warn: Project is vulnerable to: GHSA-prr3-c3m5-p7q2
Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
Warn: Project is vulnerable to: GHSA-7q7g-4xm8-89cq
Warn: Project is vulnerable to: GHSA-fpm5-vv97-jfwg
Warn: Project is vulnerable to: GHSA-pp75-xfpw-37g9
Warn: Project is vulnerable to: GHSA-7v5v-9h63-cj86
Warn: Project is vulnerable to: GHSA-hxwm-x553-x359
Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
Warn: Project is vulnerable to: GHSA-h452-7996-h45h
Warn: Project is vulnerable to: GHSA-7gc6-qh9x-w6h8
Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Warn: Project is vulnerable to: GHSA-q8pj-2vqx-8ggc
Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm
Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
Warn: Project is vulnerable to: GHSA-r9p9-mrjm-926w
Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
Warn: Project is vulnerable to: GHSA-3wf4-68gx-mph8
Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
Warn: Project is vulnerable to: GHSA-7r28-3m3f-r2pr
Warn: Project is vulnerable to: GHSA-r8j5-h5cx-65gg
Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q
Warn: Project is vulnerable to: GHSA-cg87-wmx4-v546
Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
Warn: Project is vulnerable to: GHSA-m4gq-x24j-jpmf
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4
Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g
Warn: Project is vulnerable to: GHSA-qrpm-p2h7-hrv2
Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
Warn: Project is vulnerable to: GHSA-px4h-xg32-q955
Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
Warn: Project is vulnerable to: GHSA-pwfr-8pq7-x9qv
Warn: Project is vulnerable to: GHSA-3j8f-xvm3-ffx4
Warn: Project is vulnerable to: GHSA-4p35-cfcx-8653
Warn: Project is vulnerable to: GHSA-7f3x-x4pr-wqhj
Warn: Project is vulnerable to: GHSA-jpp7-7chh-cf67
Warn: Project is vulnerable to: GHSA-q6wq-5p59-983w
Warn: Project is vulnerable to: GHSA-j9fq-vwqv-2fm2
Warn: Project is vulnerable to: GHSA-pqw5-jmp5-px4v
Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
Warn: Project is vulnerable to: GHSA-g954-5hwp-pp24
Warn: Project is vulnerable to: GHSA-h755-8qp9-cq85
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6
Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj
Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7
Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3
Warn: Project is vulnerable to: GHSA-9crc-q9x8-hgqq
Warn: Project is vulnerable to: GHSA-g78m-2chm-r7qv
Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Warn: Project is vulnerable to: RUSTSEC-2023-0034 / GHSA-f8vr-r385-rh5r
Warn: Project is vulnerable to: RUSTSEC-2024-0003 / GHSA-8r5v-vm4m-4g25
Warn: Project is vulnerable to: RUSTSEC-2024-0421 / GHSA-h97m-ww89-6jmq
Warn: Project is vulnerable to: RUSTSEC-2024-0019 / GHSA-r8w9-5wcg-vfj7
Warn: Project is vulnerable to: RUSTSEC-2023-0018 / GHSA-mc8h-8q98-g5hr
Warn: Project is vulnerable to: RUSTSEC-2021-0124 / GHSA-fg7r-2g4j-5cgr
Warn: Project is vulnerable to: RUSTSEC-2023-0001 / GHSA-7rrj-xr53-82p7
Warn: Project is vulnerable to: RUSTSEC-2023-0005 / GHSA-4q83-7cq4-p6wg
Warn: Project is vulnerable to: GHSA-4g6q-77j7-vvjc
Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
Warn: Project is vulnerable to: GHSA-gp2j-mg4w-2rh5
Warn: Project is vulnerable to: GHSA-xwcq-pm8m-c4vf
Warn: Project is vulnerable to: GHSA-wm7h-9275-46v2
Warn: Project is vulnerable to: GHSA-4gxf-g5gf-22h4
Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q
Warn: Project is vulnerable to: GHSA-r7qp-cfhv-p84w
Warn: Project is vulnerable to: GHSA-hhhv-q57g-882q
Warn: Project is vulnerable to: GHSA-w7q9-p3jq-fmhm
Warn: Project is vulnerable to: GHSA-xvf7-4v9q-58w6
Warn: Project is vulnerable to: GHSA-wgfq-7857-4jcc
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
Warn: Project is vulnerable to: GHSA-3xq5-wjfh-ppjc
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-9m93-w8w6-76hh
Warn: Project is vulnerable to: GHSA-m7xq-9374-9rvx
Warn: Project is vulnerable to: GHSA-vg7j-7cwx-8wgw
Warn: Project is vulnerable to: GHSA-7hpj-7hhx-2fgx
Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5
Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp
Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq
Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr
Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765
Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g
Warn: Project is vulnerable to: GHSA-9h6g-pr28-7cqp
Warn: Project is vulnerable to: GHSA-6fx8-h7jm-663j
Warn: Project is vulnerable to: GHSA-v923-w3x8-wh69
Warn: Project is vulnerable to: GHSA-x565-32qp-m3vf
Warn: Project is vulnerable to: GHSA-3965-hpx2-q597
Warn: Project is vulnerable to: GHSA-wrh9-cjv3-2hpw
Warn: Project is vulnerable to: GHSA-8c25-f3mj-v6h8
Warn: Project is vulnerable to: GHSA-vqfx-gj96-3w95
Warn: Project is vulnerable to: GHSA-f598-mfpv-gmfx
Warn: Project is vulnerable to: GHSA-54xq-cgqr-rpm3
Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
Warn: Project is vulnerable to: GHSA-qm95-pgcg-qqfq
Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
Warn: Project is vulnerable to: GHSA-jqv5-7xpx-qj74
Warn: Project is vulnerable to: GHSA-2rq5-699j-x7p6
Warn: Project is vulnerable to: GHSA-c9f4-xj24-8jqx
Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq
Warn: Project is vulnerable to: GHSA-7jxr-cg7f-gpgv
Warn: Project is vulnerable to: GHSA-xj72-wvfv-8985
Warn: Project is vulnerable to: GHSA-ch3r-j5x3-6q2m
Warn: Project is vulnerable to: GHSA-p5gc-c584-jj6v
Warn: Project is vulnerable to: GHSA-whpj-8f3w-67p5
Warn: Project is vulnerable to: GHSA-cchq-frgv-rjh5
Warn: Project is vulnerable to: GHSA-g644-9gfx-q4q4
Warn: Project is vulnerable to: GHSA-5j4c-8p2g-v4jx
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Warn: Project is vulnerable to: GHSA-h6q6-9hqw-rwfv
Warn: Project is vulnerable to: GHSA-5fg8-2547-mr8q
Warn: Project is vulnerable to: GHSA-crh6-fp67-6883

Score

4.6

/10

Last Scanned on 2025-02-03

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More