How to track bug fixes and Next.js releases

[xendren]

Summary

We are struggling to follow how and when bugs are being fixed for this project. We encountered security vulnerabilities due to the @babel version Next was dependent on back in April along with several others.

The PR was closed and merged into the canary branch months ago, but we are not seeing any official version releases that include it. There are many pre-releases, and we see a recent back-port of some issues, but it does not appear this fix made it.

What is the recommended way for users of the framework to plan for migrating to newer version of Next.js?

Reporting Issue: #77879
Closed PR: #77037
PR with Fix: #78673

Additional information

No response

Example

No response

[icyJoseph]

I think, right now, the simplest way to check what you want to check, a dependency change, could be to go to:

• https://github.com/vercel/next.js/blob/v15.4.1/package.json#L90

Notice that the v15.4.1 is in the URL - the Github UI allows you to see the file contents at a given git tag. Each canary and major release is tagged. That way you can tell that the Babel update has been there since 15.4.1

Typically minor releases, 15.3 -> 15.4, have a blog post attached to it, which communicates what's changing, https://nextjs.org/blog/next-15-4

For backport fixes, the GitHub page of the patch is a good place to go to. https://github.com/vercel/next.js/releases/tag/v15.4.5 - notice there's a Note indicating that this release backports fixes, and the fixes are listed.

[xendren]

Ok thanks for the info. This is what we have been doing to try and check if the important fix we need is included, so we will plan to just check back every month to see if there is a new release. We ignore the pre-releases since we can't use those in our production deployments.

[icyJoseph]

In your other comment you say:

We have been able to override the babel@core version to get the new one added to our application runtime image, but the problem is we are not able to successfully remove the old version from the final image. This is causing the vulnerability failures from our security scanners, and we are not allowed to deploy the runtime image.

Is this even with 15.4? Sorry that the LLM answers decay quick and just re-iterate the same, even if you are telling them that you have already done their suggestion.

Next.js does vendor/compile dependencies, for example this PR, https://github.com/vercel/next.js/pull/78673/files - changes not only the package.json but the contents of the babel compiled dependency at, https://github.com/vercel/next.js/tree/canary/packages/next/src/compiled - it is weird if you are using a version that has the fix, and you still see vulnerability scanner issues.

[Dev-axay18]

Since the official stable version of Next.js doesn’t include the fix yet, you have two options:

• Option 1: Use overrides in package.json (npm v8+)

"overrides": {
  "@babel/core": "^7.24.0"
}

This forces your project to use a newer (safe) version of @babel/core.

• Option 2: Use resolutions (if you're using Yarn)

"resolutions": {
  "@babel/core": "^7.24.0"
}

Then Run

yarn run

---

Important

• After adding this, delete node_modules and package-lock.json or yarn.lock, then reinstall:

rm -rf node_modules package-lock.json   # or yarn.lock
npm install                             # or yarn install

and then Test your app properly after doing this.

[xendren]

We have been able to override the babel@core version to get the new one added to our application runtime image, but the problem is we are not able to successfully remove the old version from the final image. This is causing the vulnerability failures from our security scanners, and we are not allowed to deploy the runtime image.

[Dev-axay18]

so for solving this issue of the old vulnerable @babel/core version still appearing in the runtime

1. Use resolutions in package.json (if you're using Yarn):

   "resolutions": {
     "@babel/core": "^7.28.0"       
   }

Latest version of babel/core above

2. If using npm, run:

   npm install @babel/core@latest --force

3. Delete and clean everything before building:

   rm -rf node_modules package-lock.json
   npm cache clean --force
   npm install

4. In your Dockerfile, make sure:

   • You're installing cleanly in each build layer.
   • You’re not copying old node_modules from earlier layers.

5. After rebuilding the Docker image, run:

   npm ls @babel/core

   to verify only the new version is present.

This ensures the old version is fully removed from the runtime image and passes security scans.

Hope This May Help you Solve Your Problem

[xendren]

Thank you @Dev-axay18! That solution did work for removing the old version from the image. We can proceed with this workaround for now, and we will plan to upgrade Next once the official release is available.

[icyJoseph]

In what Next.js version did you apply this? As said above, this is patched on the framework - could it be that another dependency is causing this issue?