Gathering detailed insights and metrics for next
Gathering detailed insights and metrics for next
Installations
npm install nextDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
^18.18.0 || ^19.8.0 || >= 20.0.0
Node Version
20.19.3
NPM Version
10.4.0
Releases
3,161
v15.4.0-canary.126
v15.4.0-canary.126
Updated on Jul 11, 2025
v15.4.0-canary.123
v15.4.0-canary.123
Updated on Jul 09, 2025
v15.4.0-canary.122
v15.4.0-canary.122
Updated on Jul 09, 2025
v15.4.0-canary.121
v15.4.0-canary.121
Updated on Jul 09, 2025
v15.4.0-canary.120
v15.4.0-canary.120
Updated on Jul 09, 2025
v15.4.0-canary.119
v15.4.0-canary.119
Updated on Jul 08, 2025
Languages
13
JavaScript
TypeScript
Rust
CSS
MDX
Shell
SCSS
Dockerfile
HTML
Sass
Batchfile
WebAssembly
Pug
JavaScript (59.17%)
TypeScript (25.66%)
Rust (13.64%)
CSS (0.92%)
MDX (0.56%)
Shell (0.02%)
SCSS (0.01%)
Dockerfile (0.01%)
HTML (0.01%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
133,071 Stars
29,767 Commits
28,797 Forks
1,482 Watchers
1,936 Branches
3,649 Contributors
Updated on Jul 11, 2025
Maintainers
3
Package Meta Information
Latest Version
15.3.5
Package Id
next@15.3.5
Unpacked Size
121.57 MB
Size
26.50 MB
File Count
7,342
NPM Version
10.4.0
Node Version
20.19.3
Published on
Jul 03, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
213
@ampproject/toolbox-optimizer@babel/code-frame@babel/core@babel/eslint-parser@babel/generator@babel/plugin-proposal-class-properties@babel/plugin-proposal-export-namespace-from@babel/plugin-proposal-numeric-separator@babel/plugin-proposal-object-rest-spread@babel/plugin-syntax-bigint@babel/plugin-syntax-dynamic-import@babel/plugin-syntax-import-attributes@babel/plugin-syntax-jsx@babel/plugin-transform-modules-commonjs@babel/plugin-transform-runtime@babel/preset-env@babel/preset-react@babel/preset-typescript@babel/runtime@babel/traverse@babel/types@capsizecss/metrics@edge-runtime/cookies@edge-runtime/ponyfill@edge-runtime/primitives@hapi/accept@jest/transform@jest/types@mswjs/interceptors@napi-rs/triples@next/font@next/polyfill-module@next/polyfill-nomodule@next/react-refresh-utils@next/swc@opentelemetry/api@playwright/test@storybook/addon-a11y@storybook/addon-essentials@storybook/addon-interactions@storybook/addon-webpack5-compiler-swc@storybook/blocks@storybook/react@storybook/react-webpack5@storybook/test@storybook/test-runner@swc/core@swc/types@taskr/clear@taskr/esnext@types/amphtml-validator@types/babel__code-frame@types/babel__core@types/babel__generator@types/babel__template@types/babel__traverse@types/bytes@types/ci-info@types/compression@types/content-disposition@types/content-type@types/cookie@types/cross-spawn@types/debug@types/express-serve-static-core@types/fresh@types/glob@types/jsonwebtoken@types/lodash@types/lodash.curry@types/path-to-regexp@types/picomatch@types/platform@types/react@types/react-dom@types/react-is@types/semver@types/send@types/shell-quote@types/tar@types/text-table@types/ua-parser-js@types/webpack-sources1@types/ws@typescript/vfs@vercel/ncc@vercel/nft@vercel/turbopack-ecmascript-runtimeacornamphtml-validatoranserargassertasync-retryasync-semaaxe-playwrightbabel-plugin-react-compilerbabel-plugin-transform-definebabel-plugin-transform-react-remove-prop-typesbrowserify-zlibbrowserslistbufferbytesci-infocli-selectclient-onlycommandercomment-jsoncompressionconfconstants-browserifycontent-dispositioncontent-typecookiecross-envcross-spawncrypto-browserifycss.escapecssnano-preset-defaultdata-uri-to-bufferdebugdevaluedomain-browseredge-runtimeeventsfind-upfreshglobgzip-sizehttp-proxyhttp-proxy-agenthttps-browserifyhttps-proxy-agenticss-utilsignore-loaderimage-sizeis-dockeris-wsljest-workerjson5jsonwebtokenloader-runnerloader-utils2loader-utils3lodash.currymini-css-extract-pluginmswnanoidnative-urlneo-asyncnode-html-parseroraos-browserifyp-limitp-queuepath-browserifypath-to-regexppicomatchpostcss-flexbugs-fixespostcss-modules-extract-importspostcss-modules-local-by-defaultpostcss-modules-scopepostcss-modules-valuespostcss-preset-envpostcss-safe-parserpostcss-scsspostcss-value-parserprocesspunycodequerystring-es3raw-bodyreact-refreshregenerator-runtimesass-loaderschema-utils2schema-utils3semversendserver-onlysetimmediateshell-quotesource-mapsource-map-loadersource-map08stacktrace-parserstorybookstream-browserifystream-httpstrict-event-emitterstring-hashstring_decoderstrip-ansisuperstructtartaskrterserterser-webpack-plugintext-tabletimers-browserifytty-browserifytypescriptua-parser-jsunistoreutilvm-browserifywatchpackweb-vitalswebpackwebpack-sources1webpack-sources3wszodzod-validation-error
Next.js
Getting Started
Used by some of the world's largest companies, Next.js enables you to create full-stack web applications by extending the latest React features, and integrating powerful Rust-based JavaScript tooling for the fastest builds.
- Visit our Learn Next.js course to get started with Next.js.
- Visit the Next.js Showcase to see more sites built with Next.js.
Documentation
Visit https://nextjs.org/docs to view the full documentation.
Community
The Next.js community can be found on GitHub Discussions where you can ask questions, voice ideas, and share your projects with other people.
To chat with other community members you can join the Next.js Discord server.
Do note that our Code of Conduct applies to all Next.js community channels. Users are highly encouraged to read and adhere to them to avoid repercussions.
Contributing
Contributions to Next.js are welcome and highly appreciated. However, before you jump right into it, we would like you to review our Contribution Guidelines to make sure you have a smooth experience contributing to Next.js.
Good First Issues:
We have a list of good first issues that contain bugs that have a relatively limited scope. This is a great place for newcomers and beginners alike to get started, gain experience, and get familiar with our contribution process.
Security
If you believe you have found a security vulnerability in Next.js, we encourage you to responsibly disclose this and NOT open a public issue. We will investigate all legitimate reports.
Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our Open Source Software. To do this, please visit https://github.com/vercel/next.js/security and click the "Report a vulnerability" button.
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 11.1.4, < 12.3.5
Patched Versions
12.3.5
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 15.0.0, < 15.2.3
Patched Versions
15.2.3
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 14.0.0, < 14.2.25
Patched Versions
14.2.25
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 13.0.0, < 13.5.9
Patched Versions
13.5.9
High
7.5/10
Summary
Next.JS vulnerability can lead to DoS via cache poisoning
Affected Versions
>= 15.0.4-canary.51, < 15.1.8
Patched Versions
15.1.8
High
7.5/10
Summary
Next.js authorization bypass vulnerability
Affected Versions
>= 9.5.5, < 14.2.15
Patched Versions
14.2.15
High
7.5/10
Summary
Next.js Denial of Service (DoS) condition
Affected Versions
>= 13.3.1, < 13.5.0
Patched Versions
13.5.0
High
7.5/10
Summary
Next.js Cache Poisoning
Affected Versions
>= 14.0.0, < 14.2.10
Patched Versions
14.2.10
High
7.5/10
Summary
Next.js Cache Poisoning
Affected Versions
>= 13.5.1, < 13.5.7
Patched Versions
13.5.7
High
7.5/10
Summary
Next.js Server-Side Request Forgery in Server Actions
Affected Versions
>= 13.4.0, < 14.1.1
Patched Versions
14.1.1
High
7.5/10
Summary
Next.js Vulnerable to HTTP Request Smuggling
Affected Versions
>= 13.4.0, < 13.5.1
Patched Versions
13.5.1
High
7.5/10
Summary
Unexpected server crash in Next.js.
Affected Versions
>= 0.9.9, < 11.1.3
Patched Versions
11.1.3
High
7.5/10
Summary
Unexpected server crash in Next.js.
Affected Versions
>= 12.0.0, < 12.0.5
Patched Versions
12.0.5
High
7.5/10
Summary
Next.js Directory Traversal Vulnerability
Affected Versions
>= 1.0.0, < 2.4.1
Patched Versions
2.4.1
High
0/10
Summary
Remote Code Execution in next
Affected Versions
>= 0.9.9, < 5.1.0
Patched Versions
5.1.0
High
7.5/10
Summary
XSS in Image Optimization API for Next.js
Affected Versions
>= 10.0.0, < 11.1.1
Patched Versions
11.1.1
High
7.5/10
Summary
Directory traversal vulnerability in Next.js
Affected Versions
>= 1.0.0, < 4.2.3
Patched Versions
4.2.3
Moderate
5.3/10
Summary
Next.js Allows a Denial of Service (DoS) with Server Actions
Affected Versions
>= 15.0.0, < 15.1.2
Patched Versions
15.1.2
Moderate
5.3/10
Summary
Next.js Allows a Denial of Service (DoS) with Server Actions
Affected Versions
>= 14.0.0, < 14.2.21
Patched Versions
14.2.21
Moderate
5.3/10
Summary
Next.js Allows a Denial of Service (DoS) with Server Actions
Affected Versions
>= 13.0.0, < 13.5.8
Patched Versions
13.5.8
Moderate
5.9/10
Summary
Denial of Service condition in Next.js image optimization
Affected Versions
>= 10.0.0, < 14.2.7
Patched Versions
14.2.7
Moderate
5.3/10
Summary
Unexpected server crash in Next.js
Affected Versions
= 12.2.3
Patched Versions
12.2.4
Moderate
6.9/10
Summary
Open Redirect in Next.js
Affected Versions
>= 0.9.9, < 11.1.0
Patched Versions
11.1.0
Moderate
5.9/10
Summary
Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
Affected Versions
>= 10.0.0, < 12.1.0
Patched Versions
12.1.0
Moderate
5.9/10
Summary
Denial of Service Vulnerability in next.js
Affected Versions
>= 12.0.0, < 12.0.9
Patched Versions
12.0.9
Moderate
4.7/10
Summary
Open Redirect in Next.js versions
Affected Versions
>= 9.5.0, < 9.5.4
Patched Versions
9.5.4
Moderate
4.4/10
Summary
Directory Traversal in Next.js
Affected Versions
< 9.3.2
Patched Versions
9.3.2
Moderate
6.1/10
Summary
Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
Affected Versions
>= 7.0.0, < 7.0.2
Patched Versions
7.0.2
Low
3.7/10
Summary
Next.js has a Cache poisoning vulnerability due to omission of the Vary header
Affected Versions
>= 15.3.0, < 15.3.3
Patched Versions
15.3.3
Low
0/10
Summary
Information exposure in Next.js dev server due to lack of origin verification
Affected Versions
>= 13.0, < 14.2.30
Patched Versions
14.2.30
Low
0/10
Summary
Information exposure in Next.js dev server due to lack of origin verification
Affected Versions
>= 15.0.0, < 15.2.2
Patched Versions
15.2.2
Low
3.7/10
Summary
Next.js Race Condition to Cache Poisoning
Affected Versions
>= 15.0.0, < 15.1.6
Patched Versions
15.1.6
Low
3.7/10
Summary
Next.js Race Condition to Cache Poisoning
Affected Versions
< 14.2.24
Patched Versions
14.2.24
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 15.2.3
Patched Versions
15.2.4
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 14.2.25
Patched Versions
14.2.26
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 13.5.9
Patched Versions
13.5.10
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 12.3.5
Patched Versions
12.3.6
Low
0/10
Summary
Next.js missing cache-control header may lead to CDN caching empty reply
Affected Versions
>= 0.9.9, < 13.4.20-canary.13
Patched Versions
13.4.20-canary.13
Reason
30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: license.md:0
- Info: FSF or OSI recognized license: MIT License: license.md:0
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/vercel/.github/SECURITY.md:1
- Info: Found linked content: github.com/vercel/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/vercel/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/vercel/.github/SECURITY.md:1
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build_and_deploy.yml:641
Reason
project is fuzzed
Details
- Info: RustCargoFuzzer integration found: turbopack/crates/turbo-tasks-backend/fuzz/fuzz_targets/graph.rs:4
Reason
Found 27/30 approved changesets -- score normalized to 9
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build_and_deploy.yml:560
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build_and_deploy.yml:646
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_and_test.yml:26
- Warn: no topLevel permission defined: .github/workflows/build_and_deploy.yml:1
- Warn: no topLevel permission defined: .github/workflows/build_and_test.yml:1
- Warn: no topLevel permission defined: .github/workflows/build_reusable.yml:1
- Warn: no topLevel permission defined: .github/workflows/cancel.yml:1
- Warn: no topLevel permission defined: .github/workflows/code_freeze.yml:1
- Warn: no topLevel permission defined: .github/workflows/graphite_ci_optimizer.yml:1
- Warn: no topLevel permission defined: .github/workflows/integration_tests_reusable.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_bankrupt.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_stale.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_version.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_wrong_template.yml:1
- Warn: no topLevel permission defined: .github/workflows/popular.yml:1
- Warn: no topLevel permission defined: .github/workflows/pull_request_stats.yml:1
- Warn: topLevel 'actions' permission set to 'write': .github/workflows/retry_deploy_test.yml:13
- Warn: topLevel 'actions' permission set to 'write': .github/workflows/retry_test.yml:14
- Warn: no topLevel permission defined: .github/workflows/rspack-nextjs-build-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/rspack-nextjs-dev-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/rspack-update-tests-manifest.yml:1
- Warn: no topLevel permission defined: .github/workflows/setup-nextjs-build.yml:1
- Warn: no topLevel permission defined: .github/workflows/test-turbopack-rust-bench-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/test_e2e_deploy_release.yml:1
- Warn: no topLevel permission defined: .github/workflows/test_examples.yml:1
- Warn: no topLevel permission defined: .github/workflows/triage_with_ai.yml:1
- Warn: no topLevel permission defined: .github/workflows/trigger_release.yml:1
- Warn: no topLevel permission defined: .github/workflows/turbopack-benchmark.yml:1
- Warn: no topLevel permission defined: .github/workflows/turbopack-nextjs-build-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/turbopack-update-tests-manifest.yml:1
- Warn: no topLevel permission defined: .github/workflows/update_fonts_data.yml:1
- Warn: no topLevel permission defined: .github/workflows/update_react.yml:1
- Warn: no topLevel permission defined: .github/workflows/upload-tests-manifest.yml:1
Reason
binaries present in source code
Details
- Warn: binary detected: examples/with-webassembly/add.wasm:1
- Warn: binary detected: packages/next/next_error_code_swc_plugin.wasm:1
- Warn: binary detected: packages/next/src/compiled/@vercel/og/resvg.wasm:1
- Warn: binary detected: packages/next/src/compiled/@vercel/og/yoga.wasm:1
- Warn: binary detected: packages/next/src/compiled/source-map08/mappings.wasm:1
- Warn: binary detected: test/e2e/edge-can-use-wasm-files/add.wasm:1
- Warn: binary detected: test/integration/edge-runtime-dynamic-code/lib/square.wasm:1
- Warn: binary detected: test/production/app-dir-edge-runtime-with-wasm/add.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/module/input/add.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/simple/input/add.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/simple/input/factorial.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/simple/input/fibonacci.wasm:1
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 27 are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:450: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:453: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:479: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:485: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:501: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:514: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:526: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:532: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:544: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:649: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:651: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:682: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:319: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:326: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:351: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:418: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:424: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:430: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:566: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:579: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:591: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:597: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:617: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:636: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:719: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:723: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:746: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:186: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:188: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:182: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:210: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:258: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:265: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:292: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cancel.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/cancel.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code_freeze.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/code_freeze.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/graphite_ci_optimizer.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/graphite_ci_optimizer.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests_reusable.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/integration_tests_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests_reusable.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/integration_tests_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_bankrupt.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_bankrupt.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_bankrupt.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_bankrupt.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue_lock.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_lock.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_version.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_version.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_version.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_version.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_wrong_template.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_wrong_template.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_wrong_template.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_wrong_template.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/popular.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/popular.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/popular.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/popular.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_stats.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/pull_request_stats.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_stats.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/pull_request_stats.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/retry_deploy_test.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/retry_deploy_test.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/retry_test.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/retry_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-turbopack-rust-bench-test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test-turbopack-rust-bench-test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-turbopack-rust-bench-test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test-turbopack-rust-bench-test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_examples.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_examples.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_examples.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_examples.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/triage.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage_with_ai.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage_with_ai.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage_with_ai.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage_with_ai.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release_new.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release_new.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release_new.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release_new.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/trigger_release_new.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release_new.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/turbopack-benchmark.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-benchmark.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_fonts_data.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_fonts_data.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_fonts_data.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_fonts_data.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_react.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_react.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_react.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_react.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/upload-tests-manifest.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/upload-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/upload-tests-manifest.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/upload-tests-manifest.yml/canary?enable=pin
- Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:5
- Warn: containerImage not pinned by hash: .devcontainer/base.Dockerfile:5
- Warn: containerImage not pinned by hash: .github/actions/next-stats-action/Dockerfile:3: pin your Docker image by updating ubuntu:22.04 to ubuntu:22.04@sha256:3c61d3759c2639d4b836d32a2d3c83fa0214e36f195a3421018dbaaf79cbe37f
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/dev.Dockerfile:3: pin your Docker image by updating node:18-alpine to node:18-alpine@sha256:8d6421d663b4c28fd3ebc498332f249011d118945588d0a35cb9bc4b8ca09d9e
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod-without-multistage.Dockerfile:3: pin your Docker image by updating node:18-alpine to node:18-alpine@sha256:8d6421d663b4c28fd3ebc498332f249011d118945588d0a35cb9bc4b8ca09d9e
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:48
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:22
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:31
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:23
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:32
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:23
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:32
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:22
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:40
- Warn: npmCommand not pinned by hash: .devcontainer/base.Dockerfile:22-47
- Warn: downloadThenRun not pinned by hash: .github/actions/next-stats-action/Dockerfile:14
- Warn: npmCommand not pinned by hash: .github/actions/next-stats-action/Dockerfile:15
- Warn: downloadThenRun not pinned by hash: scripts/setup-node.sh:5
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:687
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:48
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:98
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:507
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:572
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:604
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:657
- Warn: downloadThenRun not pinned by hash: .github/workflows/build_and_deploy.yml:466
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_test.yml:113
- Warn: npmCommand not pinned by hash: .github/workflows/code_freeze.yml:36
- Warn: npmCommand not pinned by hash: .github/workflows/issue_wrong_template.yml:16
- Warn: npmCommand not pinned by hash: .github/workflows/popular.yml:17
- Warn: npmCommand not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:31
- Warn: npmCommand not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:71
- Warn: npmCommand not pinned by hash: .github/workflows/setup-nextjs-build.yml:85
- Warn: downloadThenRun not pinned by hash: .github/workflows/setup-nextjs-build.yml:109
- Warn: npmCommand not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:40
- Warn: npmCommand not pinned by hash: .github/workflows/test_examples.yml:44
- Warn: npmCommand not pinned by hash: .github/workflows/triage_with_ai.yml:15
- Warn: npmCommand not pinned by hash: .github/workflows/trigger_release.yml:87
- Warn: npmCommand not pinned by hash: .github/workflows/trigger_release_new.yml:89
- Warn: npmCommand not pinned by hash: .github/workflows/turbopack-benchmark.yml:77
- Warn: npmCommand not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:67
- Warn: npmCommand not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:31
- Warn: npmCommand not pinned by hash: .github/workflows/update_fonts_data.yml:33
- Warn: npmCommand not pinned by hash: .github/workflows/update_react.yml:44
- Warn: npmCommand not pinned by hash: .github/workflows/upload-tests-manifest.yml:32
- Info: 0 out of 96 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 21 third-party GitHubAction dependencies pinned
- Info: 0 out of 24 containerImage dependencies pinned
- Info: 7 out of 34 npmCommand dependencies pinned
- Info: 0 out of 4 downloadThenRun dependencies pinned
Reason
224 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
- Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
- Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
- Warn: Project is vulnerable to: RUSTSEC-2021-0139
- Warn: Project is vulnerable to: RUSTSEC-2023-0089
- Warn: Project is vulnerable to: RUSTSEC-2020-0095
- Warn: Project is vulnerable to: RUSTSEC-2024-0332 / GHSA-q6cp-qfwq-4gcv
- Warn: Project is vulnerable to: RUSTSEC-2023-0055 / GHSA-c2hm-mjxv-89r4
- Warn: Project is vulnerable to: GHSA-2326-pfpj-vx3h
- Warn: Project is vulnerable to: RUSTSEC-2023-0086
- Warn: Project is vulnerable to: RUSTSEC-2021-0095 / GHSA-2gxj-qrp2-53jv / GHSA-8mv5-7x95-7wcf
- Warn: Project is vulnerable to: RUSTSEC-2023-0022 / GHSA-3gxf-9r58-2ghg
- Warn: Project is vulnerable to: RUSTSEC-2023-0024 / GHSA-6hcf-g6gr-hhcr
- Warn: Project is vulnerable to: RUSTSEC-2023-0023 / GHSA-9qwg-crg9-m2vc
- Warn: Project is vulnerable to: RUSTSEC-2023-0044 / GHSA-xcf7-rvmh-g6q4
- Warn: Project is vulnerable to: RUSTSEC-2023-0072 / GHSA-xphf-cx8h-7q9g
- Warn: Project is vulnerable to: GHSA-q445-7m23-qrmw
- Warn: Project is vulnerable to: RUSTSEC-2024-0357
- Warn: Project is vulnerable to: RUSTSEC-2025-0004 / GHSA-rpmj-rpgj-qmpm
- Warn: Project is vulnerable to: GHSA-4fcv-w3qc-ppgg
- Warn: Project is vulnerable to: RUSTSEC-2025-0022
- Warn: Project is vulnerable to: RUSTSEC-2024-0436
- Warn: Project is vulnerable to: RUSTSEC-2024-0370
- Warn: Project is vulnerable to: GHSA-4p46-pwfr-66x6
- Warn: Project is vulnerable to: RUSTSEC-2025-0009
- Warn: Project is vulnerable to: GHSA-c86p-w88r-qvqr
- Warn: Project is vulnerable to: GHSA-rr8g-9fpq-6wmg
- Warn: Project is vulnerable to: RUSTSEC-2025-0023
- Warn: Project is vulnerable to: RUSTSEC-2023-0065 / GHSA-9mcr-873m-xcxp
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-7m27-7ghc-44w9
- Warn: Project is vulnerable to: GHSA-qpjv-v59x-3qc4
- Warn: Project is vulnerable to: GHSA-3h52-269p-cp9r
- Warn: Project is vulnerable to: GHSA-f82v-jwr5-mffw
- Warn: Project is vulnerable to: GHSA-prr3-c3m5-p7q2
- Warn: Project is vulnerable to: GHSA-7q7g-4xm8-89cq
- Warn: Project is vulnerable to: GHSA-fpm5-vv97-jfwg
- Warn: Project is vulnerable to: GHSA-pp75-xfpw-37g9
- Warn: Project is vulnerable to: GHSA-7v5v-9h63-cj86
- Warn: Project is vulnerable to: GHSA-hxwm-x553-x359
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-h452-7996-h45h
- Warn: Project is vulnerable to: GHSA-7gc6-qh9x-w6h8
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-q8pj-2vqx-8ggc
- Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg
- Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-r9p9-mrjm-926w
- Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
- Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
- Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
- Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-3wf4-68gx-mph8
- Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-7r28-3m3f-r2pr
- Warn: Project is vulnerable to: GHSA-r8j5-h5cx-65gg
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q
- Warn: Project is vulnerable to: GHSA-cg87-wmx4-v546
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-m4gq-x24j-jpmf
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4
- Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g
- Warn: Project is vulnerable to: GHSA-qrpm-p2h7-hrv2
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
- Warn: Project is vulnerable to: GHSA-px4h-xg32-q955
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-pwfr-8pq7-x9qv
- Warn: Project is vulnerable to: GHSA-8g77-54rh-46hx
- Warn: Project is vulnerable to: GHSA-3j8f-xvm3-ffx4
- Warn: Project is vulnerable to: GHSA-4p35-cfcx-8653
- Warn: Project is vulnerable to: GHSA-7f3x-x4pr-wqhj
- Warn: Project is vulnerable to: GHSA-jpp7-7chh-cf67
- Warn: Project is vulnerable to: GHSA-q6wq-5p59-983w
- Warn: Project is vulnerable to: GHSA-j9fq-vwqv-2fm2
- Warn: Project is vulnerable to: GHSA-pqw5-jmp5-px4v
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
- Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
- Warn: Project is vulnerable to: GHSA-g954-5hwp-pp24
- Warn: Project is vulnerable to: GHSA-h755-8qp9-cq85
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6
- Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj
- Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
- Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
- Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
- Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
- Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7
- Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
- Warn: Project is vulnerable to: GHSA-9crc-q9x8-hgqq
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
- Warn: Project is vulnerable to: GHSA-g78m-2chm-r7qv
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
- Warn: Project is vulnerable to: RUSTSEC-2023-0034 / GHSA-f8vr-r385-rh5r
- Warn: Project is vulnerable to: RUSTSEC-2024-0003 / GHSA-8r5v-vm4m-4g25
- Warn: Project is vulnerable to: RUSTSEC-2024-0421 / GHSA-h97m-ww89-6jmq
- Warn: Project is vulnerable to: RUSTSEC-2024-0019 / GHSA-r8w9-5wcg-vfj7
- Warn: Project is vulnerable to: RUSTSEC-2023-0018 / GHSA-mc8h-8q98-g5hr
- Warn: Project is vulnerable to: RUSTSEC-2021-0124 / GHSA-fg7r-2g4j-5cgr
- Warn: Project is vulnerable to: RUSTSEC-2023-0001 / GHSA-7rrj-xr53-82p7
- Warn: Project is vulnerable to: RUSTSEC-2023-0005 / GHSA-4q83-7cq4-p6wg
- Warn: Project is vulnerable to: GHSA-cpj6-fhp6-mr6j
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-4g6q-77j7-vvjc
- Warn: Project is vulnerable to: GHSA-gp2j-mg4w-2rh5
- Warn: Project is vulnerable to: GHSA-xwcq-pm8m-c4vf
- Warn: Project is vulnerable to: GHSA-wm7h-9275-46v2
- Warn: Project is vulnerable to: GHSA-4gxf-g5gf-22h4
- Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q
- Warn: Project is vulnerable to: GHSA-r7qp-cfhv-p84w
- Warn: Project is vulnerable to: GHSA-hhhv-q57g-882q
- Warn: Project is vulnerable to: GHSA-w7q9-p3jq-fmhm
- Warn: Project is vulnerable to: GHSA-xvf7-4v9q-58w6
- Warn: Project is vulnerable to: GHSA-wgfq-7857-4jcc
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
- Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
- Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
- Warn: Project is vulnerable to: GHSA-593f-38f6-jp5m
- Warn: Project is vulnerable to: GHSA-x2rg-q646-7m2v
- Warn: Project is vulnerable to: GHSA-3xq5-wjfh-ppjc
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-9m93-w8w6-76hh
- Warn: Project is vulnerable to: GHSA-m7xq-9374-9rvx
- Warn: Project is vulnerable to: GHSA-vg7j-7cwx-8wgw
- Warn: Project is vulnerable to: GHSA-7hpj-7hhx-2fgx
- Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5
- Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp
- Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq
- Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr
- Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765
- Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g
- Warn: Project is vulnerable to: GHSA-9h6g-pr28-7cqp
- Warn: Project is vulnerable to: GHSA-6fx8-h7jm-663j
- Warn: Project is vulnerable to: GHSA-v923-w3x8-wh69
- Warn: Project is vulnerable to: GHSA-x565-32qp-m3vf
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-3965-hpx2-q597
- Warn: Project is vulnerable to: GHSA-wrh9-cjv3-2hpw
- Warn: Project is vulnerable to: GHSA-8c25-f3mj-v6h8
- Warn: Project is vulnerable to: GHSA-vqfx-gj96-3w95
- Warn: Project is vulnerable to: GHSA-f598-mfpv-gmfx
- Warn: Project is vulnerable to: GHSA-54xq-cgqr-rpm3
- Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
- Warn: Project is vulnerable to: GHSA-qm95-pgcg-qqfq
- Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
- Warn: Project is vulnerable to: GHSA-jqv5-7xpx-qj74
- Warn: Project is vulnerable to: GHSA-2rq5-699j-x7p6
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-c9f4-xj24-8jqx
- Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq
- Warn: Project is vulnerable to: GHSA-7jxr-cg7f-gpgv
- Warn: Project is vulnerable to: GHSA-xj72-wvfv-8985
- Warn: Project is vulnerable to: GHSA-ch3r-j5x3-6q2m
- Warn: Project is vulnerable to: GHSA-p5gc-c584-jj6v
- Warn: Project is vulnerable to: GHSA-whpj-8f3w-67p5
- Warn: Project is vulnerable to: GHSA-cchq-frgv-rjh5
- Warn: Project is vulnerable to: GHSA-g644-9gfx-q4q4
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
Score
5.4
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More