Gathering detailed insights and metrics for next
Gathering detailed insights and metrics for next
Installations
npm install nextDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
^18.18.0 || ^19.8.0 || >= 20.0.0
Node Version
20.19.2
NPM Version
10.4.0
Score
71.4
Supply Chain
75.2
Quality
96.9
Maintenance
100
Vulnerability
72.9
License
Releases
3,094
v15.4.0-canary.59
v15.4.0-canary.59
Updated on May 30, 2025
v15.4.0-canary.57
v15.4.0-canary.57
Updated on May 29, 2025
v15.3.3
v15.3.3
Updated on May 29, 2025
v15.4.0-canary.56
v15.4.0-canary.56
Updated on May 28, 2025
v15.4.0-canary.55
v15.4.0-canary.55
Updated on May 27, 2025
v15.4.0-canary.54
v15.4.0-canary.54
Updated on May 27, 2025
Languages
13
JavaScript
TypeScript
Rust
CSS
MDX
Shell
SCSS
Dockerfile
HTML
Sass
Batchfile
WebAssembly
Pug
JavaScript (58.77%)
TypeScript (25.94%)
Rust (13.74%)
CSS (0.93%)
MDX (0.56%)
Shell (0.02%)
SCSS (0.02%)
Dockerfile (0.01%)
HTML (0.01%)
Developer
Download Statistics
Total Downloads
1,044,199,703
Last Day
1,664,536
Last Week
10,131,654
Last Month
43,611,962
Last Year
408,597,247
GitHub Statistics
MIT License
132,198 Stars
28,985 Commits
28,482 Forks
1,480 Watchers
1,762 Branches
3,618 Contributors
Updated on May 31, 2025
Maintainers
3
Package Meta Information
Latest Version
15.3.3
Package Id
next@15.3.3
Unpacked Size
121.55 MB
Size
26.50 MB
File Count
7,342
NPM Version
10.4.0
Node Version
20.19.2
Published on
May 29, 2025
Total Downloads
Cumulative downloads
Total Downloads
1,044,199,703
Last Day
-0.5%
1,664,536
Compared to previous day
Last Week
-4.2%
10,131,654
Compared to previous week
Last Month
-7.1%
43,611,962
Compared to previous month
Last Year
51.1%
408,597,247
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
213
@ampproject/toolbox-optimizer@babel/code-frame@babel/core@babel/eslint-parser@babel/generator@babel/plugin-proposal-class-properties@babel/plugin-proposal-export-namespace-from@babel/plugin-proposal-numeric-separator@babel/plugin-proposal-object-rest-spread@babel/plugin-syntax-bigint@babel/plugin-syntax-dynamic-import@babel/plugin-syntax-import-attributes@babel/plugin-syntax-jsx@babel/plugin-transform-modules-commonjs@babel/plugin-transform-runtime@babel/preset-env@babel/preset-react@babel/preset-typescript@babel/runtime@babel/traverse@babel/types@capsizecss/metrics@edge-runtime/cookies@edge-runtime/ponyfill@edge-runtime/primitives@hapi/accept@jest/transform@jest/types@mswjs/interceptors@napi-rs/triples@next/font@next/polyfill-module@next/polyfill-nomodule@next/react-refresh-utils@next/swc@opentelemetry/api@playwright/test@storybook/addon-a11y@storybook/addon-essentials@storybook/addon-interactions@storybook/addon-webpack5-compiler-swc@storybook/blocks@storybook/react@storybook/react-webpack5@storybook/test@storybook/test-runner@swc/core@swc/types@taskr/clear@taskr/esnext@types/amphtml-validator@types/babel__code-frame@types/babel__core@types/babel__generator@types/babel__template@types/babel__traverse@types/bytes@types/ci-info@types/compression@types/content-disposition@types/content-type@types/cookie@types/cross-spawn@types/debug@types/express-serve-static-core@types/fresh@types/glob@types/jsonwebtoken@types/lodash@types/lodash.curry@types/path-to-regexp@types/picomatch@types/platform@types/react@types/react-dom@types/react-is@types/semver@types/send@types/shell-quote@types/tar@types/text-table@types/ua-parser-js@types/webpack-sources1@types/ws@typescript/vfs@vercel/ncc@vercel/nft@vercel/turbopack-ecmascript-runtimeacornamphtml-validatoranserargassertasync-retryasync-semaaxe-playwrightbabel-plugin-react-compilerbabel-plugin-transform-definebabel-plugin-transform-react-remove-prop-typesbrowserify-zlibbrowserslistbufferbytesci-infocli-selectclient-onlycommandercomment-jsoncompressionconfconstants-browserifycontent-dispositioncontent-typecookiecross-envcross-spawncrypto-browserifycss.escapecssnano-preset-defaultdata-uri-to-bufferdebugdevaluedomain-browseredge-runtimeeventsfind-upfreshglobgzip-sizehttp-proxyhttp-proxy-agenthttps-browserifyhttps-proxy-agenticss-utilsignore-loaderimage-sizeis-dockeris-wsljest-workerjson5jsonwebtokenloader-runnerloader-utils2loader-utils3lodash.currymini-css-extract-pluginmswnanoidnative-urlneo-asyncnode-html-parseroraos-browserifyp-limitp-queuepath-browserifypath-to-regexppicomatchpostcss-flexbugs-fixespostcss-modules-extract-importspostcss-modules-local-by-defaultpostcss-modules-scopepostcss-modules-valuespostcss-preset-envpostcss-safe-parserpostcss-scsspostcss-value-parserprocesspunycodequerystring-es3raw-bodyreact-refreshregenerator-runtimesass-loaderschema-utils2schema-utils3semversendserver-onlysetimmediateshell-quotesource-mapsource-map-loadersource-map08stacktrace-parserstorybookstream-browserifystream-httpstrict-event-emitterstring-hashstring_decoderstrip-ansisuperstructtartaskrterserterser-webpack-plugintext-tabletimers-browserifytty-browserifytypescriptua-parser-jsunistoreutilvm-browserifywatchpackweb-vitalswebpackwebpack-sources1webpack-sources3wszodzod-validation-error
Next.js
Getting Started
Used by some of the world's largest companies, Next.js enables you to create full-stack web applications by extending the latest React features, and integrating powerful Rust-based JavaScript tooling for the fastest builds.
- Visit our Learn Next.js course to get started with Next.js.
- Visit the Next.js Showcase to see more sites built with Next.js.
Documentation
Visit https://nextjs.org/docs to view the full documentation.
Community
The Next.js community can be found on GitHub Discussions where you can ask questions, voice ideas, and share your projects with other people.
To chat with other community members you can join the Next.js Discord server.
Do note that our Code of Conduct applies to all Next.js community channels. Users are highly encouraged to read and adhere to them to avoid repercussions.
Contributing
Contributions to Next.js are welcome and highly appreciated. However, before you jump right into it, we would like you to review our Contribution Guidelines to make sure you have a smooth experience contributing to Next.js.
Good First Issues:
We have a list of good first issues that contain bugs that have a relatively limited scope. This is a great place for newcomers and beginners alike to get started, gain experience, and get familiar with our contribution process.
Security
If you believe you have found a security vulnerability in Next.js, we encourage you to responsibly disclose this and NOT open a public issue. We will investigate all legitimate reports.
Our preference is that you make use of GitHub's private vulnerability reporting feature to disclose potential security vulnerabilities in our Open Source Software. To do this, please visit https://github.com/vercel/next.js/security and click the "Report a vulnerability" button.
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 11.1.4, < 12.3.5
Patched Versions
12.3.5
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 15.0.0, < 15.2.3
Patched Versions
15.2.3
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 14.0.0, < 14.2.25
Patched Versions
14.2.25
Critical
9.1/10
Summary
Authorization Bypass in Next.js Middleware
Affected Versions
>= 13.0.0, < 13.5.9
Patched Versions
13.5.9
High
7.5/10
Summary
Next.js authorization bypass vulnerability
Affected Versions
>= 9.5.5, < 14.2.15
Patched Versions
14.2.15
High
7.5/10
Summary
Next.js Denial of Service (DoS) condition
Affected Versions
>= 13.3.1, < 13.5.0
Patched Versions
13.5.0
High
7.5/10
Summary
Next.js Cache Poisoning
Affected Versions
>= 14.0.0, < 14.2.10
Patched Versions
14.2.10
High
7.5/10
Summary
Next.js Cache Poisoning
Affected Versions
>= 13.5.1, < 13.5.7
Patched Versions
13.5.7
High
7.5/10
Summary
Next.js Server-Side Request Forgery in Server Actions
Affected Versions
>= 13.4.0, < 14.1.1
Patched Versions
14.1.1
High
7.5/10
Summary
Next.js Vulnerable to HTTP Request Smuggling
Affected Versions
>= 13.4.0, < 13.5.1
Patched Versions
13.5.1
High
7.5/10
Summary
Unexpected server crash in Next.js.
Affected Versions
>= 0.9.9, < 11.1.3
Patched Versions
11.1.3
High
7.5/10
Summary
Unexpected server crash in Next.js.
Affected Versions
>= 12.0.0, < 12.0.5
Patched Versions
12.0.5
High
7.5/10
Summary
Next.js Directory Traversal Vulnerability
Affected Versions
>= 1.0.0, < 2.4.1
Patched Versions
2.4.1
High
0/10
Summary
Remote Code Execution in next
Affected Versions
>= 0.9.9, < 5.1.0
Patched Versions
5.1.0
High
7.5/10
Summary
XSS in Image Optimization API for Next.js
Affected Versions
>= 10.0.0, < 11.1.1
Patched Versions
11.1.1
High
7.5/10
Summary
Directory traversal vulnerability in Next.js
Affected Versions
>= 1.0.0, < 4.2.3
Patched Versions
4.2.3
Moderate
5.3/10
Summary
Next.js Allows a Denial of Service (DoS) with Server Actions
Affected Versions
>= 15.0.0, < 15.1.2
Patched Versions
15.1.2
Moderate
5.3/10
Summary
Next.js Allows a Denial of Service (DoS) with Server Actions
Affected Versions
>= 14.0.0, < 14.2.21
Patched Versions
14.2.21
Moderate
5.3/10
Summary
Next.js Allows a Denial of Service (DoS) with Server Actions
Affected Versions
>= 13.0.0, < 13.5.8
Patched Versions
13.5.8
Moderate
5.9/10
Summary
Denial of Service condition in Next.js image optimization
Affected Versions
>= 10.0.0, < 14.2.7
Patched Versions
14.2.7
Moderate
5.3/10
Summary
Unexpected server crash in Next.js
Affected Versions
= 12.2.3
Patched Versions
12.2.4
Moderate
6.9/10
Summary
Open Redirect in Next.js
Affected Versions
>= 0.9.9, < 11.1.0
Patched Versions
11.1.0
Moderate
5.9/10
Summary
Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
Affected Versions
>= 10.0.0, < 12.1.0
Patched Versions
12.1.0
Moderate
5.9/10
Summary
Denial of Service Vulnerability in next.js
Affected Versions
>= 12.0.0, < 12.0.9
Patched Versions
12.0.9
Moderate
4.7/10
Summary
Open Redirect in Next.js versions
Affected Versions
>= 9.5.0, < 9.5.4
Patched Versions
9.5.4
Moderate
4.4/10
Summary
Directory Traversal in Next.js
Affected Versions
< 9.3.2
Patched Versions
9.3.2
Moderate
6.1/10
Summary
Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
Affected Versions
>= 7.0.0, < 7.0.2
Patched Versions
7.0.2
Low
0/10
Summary
Information exposure in Next.js dev server due to lack of origin verification
Affected Versions
>= 13.0, < 15.2.2
Patched Versions
15.2.2
Low
3.7/10
Summary
Next.js Race Condition to Cache Poisoning
Affected Versions
>= 15.0.0, < 15.1.6
Patched Versions
15.1.6
Low
3.7/10
Summary
Next.js Race Condition to Cache Poisoning
Affected Versions
< 14.2.24
Patched Versions
14.2.24
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 15.2.3
Patched Versions
15.2.4
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 14.2.25
Patched Versions
14.2.26
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 13.5.9
Patched Versions
13.5.10
Low
0/10
Summary
Next.js may leak x-middleware-subrequest-id to external hosts
Affected Versions
= 12.3.5
Patched Versions
12.3.6
Low
0/10
Summary
Next.js missing cache-control header may lead to CDN caching empty reply
Affected Versions
>= 0.9.9, < 13.4.20-canary.13
Patched Versions
13.4.20-canary.13
Reason
30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Reason
license file detected
Details
- Info: project has a license file: license.md:0
- Info: FSF or OSI recognized license: MIT License: license.md:0
Reason
no dangerous workflow patterns detected
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build_and_deploy.yml:638
Reason
Found 27/30 approved changesets -- score normalized to 9
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/vercel/.github/SECURITY.md:1
- Warn: no linked content found
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/vercel/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/vercel/.github/SECURITY.md:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build_and_deploy.yml:552
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build_and_deploy.yml:643
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_and_test.yml:26
- Warn: no topLevel permission defined: .github/workflows/bench.yml:1
- Warn: no topLevel permission defined: .github/workflows/build_and_deploy.yml:1
- Warn: no topLevel permission defined: .github/workflows/build_and_test.yml:1
- Warn: no topLevel permission defined: .github/workflows/build_reusable.yml:1
- Warn: no topLevel permission defined: .github/workflows/cancel.yml:1
- Warn: no topLevel permission defined: .github/workflows/code_freeze.yml:1
- Warn: no topLevel permission defined: .github/workflows/graphite_ci_optimizer.yml:1
- Warn: no topLevel permission defined: .github/workflows/integration_tests_reusable.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_bankrupt.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_stale.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_version.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue_wrong_template.yml:1
- Warn: no topLevel permission defined: .github/workflows/notify_release.yml:1
- Warn: no topLevel permission defined: .github/workflows/popular.yml:1
- Warn: no topLevel permission defined: .github/workflows/pull_request_stats.yml:1
- Warn: topLevel 'actions' permission set to 'write': .github/workflows/retry_deploy_test.yml:13
- Warn: topLevel 'actions' permission set to 'write': .github/workflows/retry_test.yml:14
- Warn: no topLevel permission defined: .github/workflows/rspack-nextjs-build-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/rspack-nextjs-dev-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/rspack-update-tests-manifest.yml:1
- Warn: no topLevel permission defined: .github/workflows/setup-nextjs-build.yml:1
- Warn: no topLevel permission defined: .github/workflows/test-turbopack-rust-bench-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/test_e2e_deploy_release.yml:1
- Warn: no topLevel permission defined: .github/workflows/test_examples.yml:1
- Warn: no topLevel permission defined: .github/workflows/triage_with_ai.yml:1
- Warn: no topLevel permission defined: .github/workflows/trigger_release.yml:1
- Warn: no topLevel permission defined: .github/workflows/turbopack-nextjs-build-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/turbopack-nextjs-dev-integration-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/turbopack-update-tests-manifest.yml:1
- Warn: no topLevel permission defined: .github/workflows/update_fonts_data.yml:1
- Warn: no topLevel permission defined: .github/workflows/update_react.yml:1
- Warn: no topLevel permission defined: .github/workflows/upload-tests-manifest.yml:1
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 27 are checked with a SAST tool
Reason
binaries present in source code
Details
- Warn: binary detected: examples/with-webassembly/add.wasm:1
- Warn: binary detected: packages/next/next_error_code_swc_plugin.wasm:1
- Warn: binary detected: packages/next/src/compiled/@vercel/og/resvg.wasm:1
- Warn: binary detected: packages/next/src/compiled/@vercel/og/yoga.wasm:1
- Warn: binary detected: packages/next/src/compiled/source-map08/mappings.wasm:1
- Warn: binary detected: test/e2e/edge-can-use-wasm-files/add.wasm:1
- Warn: binary detected: test/integration/edge-runtime-dynamic-code/lib/square.wasm:1
- Warn: binary detected: test/production/app-dir-edge-runtime-with-wasm/add.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/module/input/add.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/simple/input/add.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/simple/input/factorial.wasm:1
- Warn: binary detected: turbopack/crates/turbopack-tests/tests/execution/turbopack/wasm/simple/input/fibonacci.wasm:1
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bench.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/bench.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bench.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/bench.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bench.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/bench.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bench.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/bench.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/bench.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/bench.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:716: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:720: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:743: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:495: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:508: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:520: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:526: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:536: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:679: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:313: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:320: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:345: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:412: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:418: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:424: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:444: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:447: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:473: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:479: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:558: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:571: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:583: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:589: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:608: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:633: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:646: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_deploy.yml:648: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_deploy.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:185: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_and_test.yml:187: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_and_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:169: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:177: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:205: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:253: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:260: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_reusable.yml:287: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/build_reusable.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/cancel.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/cancel.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code_freeze.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/code_freeze.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/graphite_ci_optimizer.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/graphite_ci_optimizer.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests_reusable.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/integration_tests_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests_reusable.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/integration_tests_reusable.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_bankrupt.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_bankrupt.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_bankrupt.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_bankrupt.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue_lock.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_lock.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_stale.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_stale.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_version.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_version.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_version.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_version.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_wrong_template.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_wrong_template.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue_wrong_template.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/issue_wrong_template.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify_release.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/notify_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify_release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/notify_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify_release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/notify_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/popular.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/popular.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/popular.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/popular.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_stats.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/pull_request_stats.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request_stats.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/pull_request_stats.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/retry_deploy_test.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/retry_deploy_test.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/retry_test.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/retry_test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/rspack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/setup-nextjs-build.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/setup-nextjs-build.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-turbopack-rust-bench-test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test-turbopack-rust-bench-test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-turbopack-rust-bench-test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test-turbopack-rust-bench-test.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_e2e_deploy_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_examples.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_examples.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test_examples.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/test_examples.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/triage.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage_with_ai.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage_with_ai.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage_with_ai.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/triage_with_ai.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release_new.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release_new.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger_release_new.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release_new.yml/canary?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/trigger_release_new.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/trigger_release_new.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/turbopack-update-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_fonts_data.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_fonts_data.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_fonts_data.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_fonts_data.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_react.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_react.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update_react.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/update_react.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/upload-tests-manifest.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/upload-tests-manifest.yml/canary?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/upload-tests-manifest.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/vercel/next.js/upload-tests-manifest.yml/canary?enable=pin
- Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:5
- Warn: containerImage not pinned by hash: .devcontainer/base.Dockerfile:5
- Warn: containerImage not pinned by hash: .github/actions/next-stats-action/Dockerfile:3: pin your Docker image by updating ubuntu:22.04 to ubuntu:22.04@sha256:67cadaff1dca187079fce41360d5a7eb6f7dcd3745e53c79ad5efd8563118240
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/dev.Dockerfile:3: pin your Docker image by updating node:18-alpine to node:18-alpine@sha256:8d6421d663b4c28fd3ebc498332f249011d118945588d0a35cb9bc4b8ca09d9e
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod-without-multistage.Dockerfile:3: pin your Docker image by updating node:18-alpine to node:18-alpine@sha256:8d6421d663b4c28fd3ebc498332f249011d118945588d0a35cb9bc4b8ca09d9e
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-compose/next-app/prod.Dockerfile:48
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:22
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/development/Dockerfile:31
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:23
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/production/Dockerfile:32
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:23
- Warn: containerImage not pinned by hash: examples/with-docker-multi-env/docker/staging/Dockerfile:32
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:6
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:22
- Warn: containerImage not pinned by hash: examples/with-docker/Dockerfile:40
- Warn: npmCommand not pinned by hash: .devcontainer/base.Dockerfile:22-47
- Warn: downloadThenRun not pinned by hash: .github/actions/next-stats-action/Dockerfile:14
- Warn: npmCommand not pinned by hash: .github/actions/next-stats-action/Dockerfile:15
- Warn: downloadThenRun not pinned by hash: scripts/setup-node.sh:5
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:43
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:92
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:684
- Warn: downloadThenRun not pinned by hash: .github/workflows/build_and_deploy.yml:460
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:501
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:564
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:596
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_deploy.yml:654
- Warn: npmCommand not pinned by hash: .github/workflows/build_and_test.yml:112
- Warn: npmCommand not pinned by hash: .github/workflows/code_freeze.yml:36
- Warn: npmCommand not pinned by hash: .github/workflows/issue_wrong_template.yml:16
- Warn: npmCommand not pinned by hash: .github/workflows/popular.yml:17
- Warn: npmCommand not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:71
- Warn: npmCommand not pinned by hash: .github/workflows/rspack-update-tests-manifest.yml:31
- Warn: npmCommand not pinned by hash: .github/workflows/setup-nextjs-build.yml:85
- Warn: downloadThenRun not pinned by hash: .github/workflows/setup-nextjs-build.yml:109
- Warn: npmCommand not pinned by hash: .github/workflows/test_e2e_deploy_release.yml:38
- Warn: npmCommand not pinned by hash: .github/workflows/test_examples.yml:44
- Warn: npmCommand not pinned by hash: .github/workflows/triage_with_ai.yml:15
- Warn: npmCommand not pinned by hash: .github/workflows/trigger_release.yml:87
- Warn: npmCommand not pinned by hash: .github/workflows/trigger_release_new.yml:89
- Warn: npmCommand not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:31
- Warn: npmCommand not pinned by hash: .github/workflows/turbopack-update-tests-manifest.yml:67
- Warn: npmCommand not pinned by hash: .github/workflows/update_fonts_data.yml:33
- Warn: npmCommand not pinned by hash: .github/workflows/update_react.yml:44
- Warn: npmCommand not pinned by hash: .github/workflows/upload-tests-manifest.yml:32
- Info: 0 out of 96 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 17 third-party GitHubAction dependencies pinned
- Info: 0 out of 24 containerImage dependencies pinned
- Info: 7 out of 33 npmCommand dependencies pinned
- Info: 0 out of 4 downloadThenRun dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
226 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
- Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
- Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
- Warn: Project is vulnerable to: RUSTSEC-2021-0139
- Warn: Project is vulnerable to: RUSTSEC-2023-0089
- Warn: Project is vulnerable to: RUSTSEC-2024-0388
- Warn: Project is vulnerable to: RUSTSEC-2020-0095
- Warn: Project is vulnerable to: RUSTSEC-2024-0332 / GHSA-q6cp-qfwq-4gcv
- Warn: Project is vulnerable to: RUSTSEC-2024-0384
- Warn: Project is vulnerable to: RUSTSEC-2022-0081
- Warn: Project is vulnerable to: RUSTSEC-2023-0055 / GHSA-c2hm-mjxv-89r4
- Warn: Project is vulnerable to: GHSA-2326-pfpj-vx3h
- Warn: Project is vulnerable to: RUSTSEC-2023-0086
- Warn: Project is vulnerable to: RUSTSEC-2021-0095 / GHSA-2gxj-qrp2-53jv / GHSA-8mv5-7x95-7wcf
- Warn: Project is vulnerable to: RUSTSEC-2023-0022 / GHSA-3gxf-9r58-2ghg
- Warn: Project is vulnerable to: RUSTSEC-2023-0024 / GHSA-6hcf-g6gr-hhcr
- Warn: Project is vulnerable to: RUSTSEC-2023-0023 / GHSA-9qwg-crg9-m2vc
- Warn: Project is vulnerable to: RUSTSEC-2023-0044 / GHSA-xcf7-rvmh-g6q4
- Warn: Project is vulnerable to: RUSTSEC-2023-0072 / GHSA-xphf-cx8h-7q9g
- Warn: Project is vulnerable to: GHSA-q445-7m23-qrmw
- Warn: Project is vulnerable to: RUSTSEC-2024-0357
- Warn: Project is vulnerable to: RUSTSEC-2025-0004 / GHSA-rpmj-rpgj-qmpm
- Warn: Project is vulnerable to: GHSA-4fcv-w3qc-ppgg
- Warn: Project is vulnerable to: RUSTSEC-2025-0022
- Warn: Project is vulnerable to: RUSTSEC-2024-0436
- Warn: Project is vulnerable to: RUSTSEC-2024-0370
- Warn: Project is vulnerable to: RUSTSEC-2025-0010
- Warn: Project is vulnerable to: GHSA-4p46-pwfr-66x6
- Warn: Project is vulnerable to: RUSTSEC-2025-0009
- Warn: Project is vulnerable to: GHSA-c86p-w88r-qvqr
- Warn: Project is vulnerable to: RUSTSEC-2024-0336
- Warn: Project is vulnerable to: GHSA-rr8g-9fpq-6wmg
- Warn: Project is vulnerable to: RUSTSEC-2025-0023
- Warn: Project is vulnerable to: RUSTSEC-2023-0065 / GHSA-9mcr-873m-xcxp
- Warn: Project is vulnerable to: RUSTSEC-2023-0052 / GHSA-8qv2-5vq6-g2g7
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-7m27-7ghc-44w9
- Warn: Project is vulnerable to: GHSA-qpjv-v59x-3qc4
- Warn: Project is vulnerable to: GHSA-f82v-jwr5-mffw
- Warn: Project is vulnerable to: GHSA-prr3-c3m5-p7q2
- Warn: Project is vulnerable to: GHSA-7q7g-4xm8-89cq
- Warn: Project is vulnerable to: GHSA-fpm5-vv97-jfwg
- Warn: Project is vulnerable to: GHSA-pp75-xfpw-37g9
- Warn: Project is vulnerable to: GHSA-7v5v-9h63-cj86
- Warn: Project is vulnerable to: GHSA-hxwm-x553-x359
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-h452-7996-h45h
- Warn: Project is vulnerable to: GHSA-7gc6-qh9x-w6h8
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-q8pj-2vqx-8ggc
- Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg
- Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-r9p9-mrjm-926w
- Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
- Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
- Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
- Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-3wf4-68gx-mph8
- Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-7r28-3m3f-r2pr
- Warn: Project is vulnerable to: GHSA-r8j5-h5cx-65gg
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q
- Warn: Project is vulnerable to: GHSA-cg87-wmx4-v546
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-m4gq-x24j-jpmf
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4
- Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g
- Warn: Project is vulnerable to: GHSA-qrpm-p2h7-hrv2
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g
- Warn: Project is vulnerable to: GHSA-px4h-xg32-q955
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-pwfr-8pq7-x9qv
- Warn: Project is vulnerable to: GHSA-8g77-54rh-46hx
- Warn: Project is vulnerable to: GHSA-3j8f-xvm3-ffx4
- Warn: Project is vulnerable to: GHSA-4p35-cfcx-8653
- Warn: Project is vulnerable to: GHSA-7f3x-x4pr-wqhj
- Warn: Project is vulnerable to: GHSA-jpp7-7chh-cf67
- Warn: Project is vulnerable to: GHSA-q6wq-5p59-983w
- Warn: Project is vulnerable to: GHSA-j9fq-vwqv-2fm2
- Warn: Project is vulnerable to: GHSA-pqw5-jmp5-px4v
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
- Warn: Project is vulnerable to: GHSA-g954-5hwp-pp24
- Warn: Project is vulnerable to: GHSA-h755-8qp9-cq85
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6
- Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj
- Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
- Warn: Project is vulnerable to: GHSA-r628-mhmh-qjhw
- Warn: Project is vulnerable to: GHSA-9r2w-394v-53qc
- Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
- Warn: Project is vulnerable to: GHSA-qq89-hq3f-393p
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7
- Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
- Warn: Project is vulnerable to: GHSA-9crc-q9x8-hgqq
- Warn: Project is vulnerable to: GHSA-g78m-2chm-r7qv
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
- Warn: Project is vulnerable to: RUSTSEC-2023-0034 / GHSA-f8vr-r385-rh5r
- Warn: Project is vulnerable to: RUSTSEC-2024-0003 / GHSA-8r5v-vm4m-4g25
- Warn: Project is vulnerable to: RUSTSEC-2024-0421 / GHSA-h97m-ww89-6jmq
- Warn: Project is vulnerable to: RUSTSEC-2024-0019 / GHSA-r8w9-5wcg-vfj7
- Warn: Project is vulnerable to: RUSTSEC-2023-0018 / GHSA-mc8h-8q98-g5hr
- Warn: Project is vulnerable to: RUSTSEC-2021-0124 / GHSA-fg7r-2g4j-5cgr
- Warn: Project is vulnerable to: RUSTSEC-2023-0001 / GHSA-7rrj-xr53-82p7
- Warn: Project is vulnerable to: RUSTSEC-2023-0005 / GHSA-4q83-7cq4-p6wg
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-4g6q-77j7-vvjc
- Warn: Project is vulnerable to: GHSA-gp2j-mg4w-2rh5
- Warn: Project is vulnerable to: GHSA-xwcq-pm8m-c4vf
- Warn: Project is vulnerable to: GHSA-wm7h-9275-46v2
- Warn: Project is vulnerable to: GHSA-4gxf-g5gf-22h4
- Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q
- Warn: Project is vulnerable to: GHSA-r7qp-cfhv-p84w
- Warn: Project is vulnerable to: GHSA-hhhv-q57g-882q
- Warn: Project is vulnerable to: GHSA-w7q9-p3jq-fmhm
- Warn: Project is vulnerable to: GHSA-xvf7-4v9q-58w6
- Warn: Project is vulnerable to: GHSA-wgfq-7857-4jcc
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
- Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
- Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
- Warn: Project is vulnerable to: GHSA-593f-38f6-jp5m
- Warn: Project is vulnerable to: GHSA-x2rg-q646-7m2v
- Warn: Project is vulnerable to: GHSA-3xq5-wjfh-ppjc
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-9m93-w8w6-76hh
- Warn: Project is vulnerable to: GHSA-m7xq-9374-9rvx
- Warn: Project is vulnerable to: GHSA-vg7j-7cwx-8wgw
- Warn: Project is vulnerable to: GHSA-7hpj-7hhx-2fgx
- Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5
- Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp
- Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq
- Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr
- Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765
- Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g
- Warn: Project is vulnerable to: GHSA-9h6g-pr28-7cqp
- Warn: Project is vulnerable to: GHSA-6fx8-h7jm-663j
- Warn: Project is vulnerable to: GHSA-v923-w3x8-wh69
- Warn: Project is vulnerable to: GHSA-x565-32qp-m3vf
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-3965-hpx2-q597
- Warn: Project is vulnerable to: GHSA-wrh9-cjv3-2hpw
- Warn: Project is vulnerable to: GHSA-8c25-f3mj-v6h8
- Warn: Project is vulnerable to: GHSA-vqfx-gj96-3w95
- Warn: Project is vulnerable to: GHSA-f598-mfpv-gmfx
- Warn: Project is vulnerable to: GHSA-54xq-cgqr-rpm3
- Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
- Warn: Project is vulnerable to: GHSA-qm95-pgcg-qqfq
- Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
- Warn: Project is vulnerable to: GHSA-jqv5-7xpx-qj74
- Warn: Project is vulnerable to: GHSA-2rq5-699j-x7p6
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-c9f4-xj24-8jqx
- Warn: Project is vulnerable to: GHSA-cf4h-3jhx-xvhq
- Warn: Project is vulnerable to: GHSA-7jxr-cg7f-gpgv
- Warn: Project is vulnerable to: GHSA-xj72-wvfv-8985
- Warn: Project is vulnerable to: GHSA-ch3r-j5x3-6q2m
- Warn: Project is vulnerable to: GHSA-p5gc-c584-jj6v
- Warn: Project is vulnerable to: GHSA-whpj-8f3w-67p5
- Warn: Project is vulnerable to: GHSA-cchq-frgv-rjh5
- Warn: Project is vulnerable to: GHSA-g644-9gfx-q4q4
- Warn: Project is vulnerable to: GHSA-5j4c-8p2g-v4jx
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
- Warn: Project is vulnerable to: GHSA-h6q6-9hqw-rwfv
- Warn: Project is vulnerable to: GHSA-5fg8-2547-mr8q
- Warn: Project is vulnerable to: GHSA-crh6-fp67-6883
Score
4.4
/10
Last Scanned on 2025-05-19
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More