Pkgs

Version: 16.2.6

The React Framework

Install package

min add next

Tool blog browser compiler

Updated 3 days ago

Spec hash: 382ef9d3…b177
Built from: Source
Source archive: Upstream
Source archive SHA256: 119c7afb…8a85
Dependencies: 8 build · 4 runtime

Quick links

[ Docs ] [ Changelog ] [ Repo ] [ Security ] [ SBOM ]

What is next?

The React Framework

How to use this package

Quick install

Installs the package into the current environment for this session. Use --build or --runtime to persist it as a build-time or runtime dependency.

min add next

Declare as a task dependency in minimal.toml

Listing the package under tasks.<name>.packages makes it available inside that task’s sandbox.

[tasks.dev]
packages = ["next"]

Build-time vs runtime

Choose build-time for tools needed during compilation, runtime for dynamic libraries loaded at runtime.

min add --build next
min add --runtime next

Dependencies (10)

Dependencies
Name	Version	Kind
base	—	build
coreutils	9.11	runtime
glib	2.86.4	build + runtime
libvips	8.18.3	runtime
make	4.4.1	build
node	25.8.2	build + runtime
pkgconf	2.5.1	build
pnpm CVE:2	10.34.1	build
python CVE:6	3.14.5	build
toolchain	—	build

No dependants

No other packages in the registry depend on this one.

No direct advisories

This package inherits 11 transitive advisories from its dependencies.

Include transitive

Showing 11 transitive advisories via next's dependencies

Security advisories for this package
	Status	IDs	Package	Version	Severity	Published
Critical ( 0 )
High ( 9 )
	Affected: 2.42	CVE-2025-15281	glibc	`2.42`	High: 7.5	5 months ago
Summary No summary published for this advisory. Via: coreutils glibc Affected ranges `2.42` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` References Advisory: http://www.openwall.com/lists/oss-security/2026/01/20/3 Fix: https://sourceware.org/bugzilla/show_bug.cgi?id=33814
	Affected: 2.42	CVE-2026-0915	glibc	`2.42`	High: 7.5	5 months ago
Summary No summary published for this advisory. Via: coreutils glibc Affected ranges `2.42` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` References Report: https://sourceware.org/bugzilla/show_bug.cgi?id=33802 ARTICLE: http://www.openwall.com/lists/oss-security/2026/01/16/6
	Affected: 2.42	CVE-2026-0861	glibc	`2.42`	High: 8.4	5 months ago
Summary No summary published for this advisory. Via: coreutils glibc Affected ranges `2.42` CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` References Fix: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001 , http://www.openwall.com/lists/oss-security/2026/01/16/5 Evidence: https://sourceware.org/bugzilla/show_bug.cgi?id=33796
	Affected: 3.6.2	CVE-2024-6119	openssl	`3.6.0 – 3.6.2`	High: 7.5	2 years ago
Summary No summary published for this advisory. Via: node openssl Affected ranges `3.6.0 – 3.6.2` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` References Advisory: https://openssl-library.org/news/secadv/20240903.txt , https://security.netapp.com/advisory/ntap-20240912-0001/ Fix: https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6 , https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2 , https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0 , https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f ARTICLE: http://www.openwall.com/lists/oss-security/2024/09/03/4 , https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html
	Resolved in v1.48.0	GHSA-f74f-cvh7-c6q6 CVE-2024-24806	libuv	`1.24.0 – v1.48.0, fixed in v1.48.0`	High: 7.3	2 years ago
Summary Improper Domain Lookup that potentially leads to SSRF attacks in libuv Via: node libuv Affected ranges `1.24.0 – v1.48.0, fixed in v1.48.0` Fixed in: `v1.48.0` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L` References Advisory: https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24806.json , https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 , https://nvd.nist.gov/vuln/detail/CVE-2024-24806 , https://security.netapp.com/advisory/ntap-20240605-0008/ Fix: https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629 , https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70 , https://github.com/libuv/libuv/commit/c858a147643de38a09dd4164758ae5b685f2b488 , https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39 Report: https://gitlab.kitware.com/cmake/cmake/-/issues/26112 Web: http://www.openwall.com/lists/oss-security/2024/02/08/2 , http://www.openwall.com/lists/oss-security/2024/02/11/1 , http://www.openwall.com/lists/oss-security/2024/03/11/1 , https://lists.debian.org/debian-lts-announce/2024/03/msg00005.html
	Resolved in 7.9.0*	GHSA-hj9c-8jmm-8c52 CVE-2022-29244	node	`7.9.0, fixed in 7.9.0`	High: 7.5	4 years ago
Summary npm packing does not respect root-level ignore files in workspaces Via: node Affected ranges `7.9.0, fixed in 7.9.0` Fixed in: `7.9.0*` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` References Advisory: https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29244.json , https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52 , https://nvd.nist.gov/vuln/detail/CVE-2022-29244 , https://security.netapp.com/advisory/ntap-20220722-0007/ Fix: https://github.com/nodejs/node/pull/43210 Web: https://github.com/nodejs/node/releases/tag/v16.15.1 , https://github.com/nodejs/node/releases/tag/v17.9.1 , https://github.com/nodejs/node/releases/tag/v18.3.0 , https://github.com/npm/cli/releases/tag/v8.11.0 , https://github.com/npm/cli/tree/latest/workspaces/libnpmpack +1 more PACKAGE: https://github.com/npm/npm-packlist
	Resolved in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd	OSV-2021-1615	libvips	`5b089951ac8e92670df03ddfaca5d5f2b7cbbebd, fixed in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd`	High	5 years ago
Summary Heap-buffer-overflow in jxl::ModularFrameDecoder::DecodeGroup Via: libvips Affected ranges `5b089951ac8e92670df03ddfaca5d5f2b7cbbebd, fixed in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd` Fixed in: `5b089951ac8e92670df03ddfaca5d5f2b7cbbebd` References Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41283
	Resolved in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd	OSV-2021-1604	libvips	`5b089951ac8e92670df03ddfaca5d5f2b7cbbebd, fixed in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd`	High	5 years ago
Summary Heap-buffer-overflow in jxl::N_AVX2::SingleFromSingle Via: libvips Affected ranges `5b089951ac8e92670df03ddfaca5d5f2b7cbbebd, fixed in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd` Fixed in: `5b089951ac8e92670df03ddfaca5d5f2b7cbbebd` References Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41225
	Resolved in 0df65d82dbc41e8da00adb243de5918db532c8a6	OSV-2018-153	openssl	`0df65d82dbc41e8da00adb243de5918db532c8a6, fixed in 0df65d82dbc41e8da00adb243de5918db532c8a6`	High	5 years ago
Summary Heap-buffer-overflow in asn1_ex_i2c Via: node openssl Affected ranges `0df65d82dbc41e8da00adb243de5918db532c8a6, fixed in 0df65d82dbc41e8da00adb243de5918db532c8a6` Fixed in: `0df65d82dbc41e8da00adb243de5918db532c8a6` References Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7696
Medium ( 1 )
	Under investigation	CVE-2026-40930	libpng	`1.6.50 – 1.6.58`	Medium: 5.4	11 days ago
Summary LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue. Via: libvips libpng Affected ranges `1.6.50 – 1.6.58` CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L`
Low ( 1 )
	Resolved in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd	OSV-2021-1597	libvips	`5b089951ac8e92670df03ddfaca5d5f2b7cbbebd, fixed in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd`	Low	5 years ago
Summary UNKNOWN READ in void jxl::CopyImageTo<int> Via: libvips Affected ranges `5b089951ac8e92670df03ddfaca5d5f2b7cbbebd, fixed in 5b089951ac8e92670df03ddfaca5d5f2b7cbbebd` Fixed in: `5b089951ac8e92670df03ddfaca5d5f2b7cbbebd` References Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41217
Unknown ( 0 )

72 components

Software Bill of Materials — every package this build depends on
Packages	Version	Repository	Licence
next ROOT	16.2.6	github.com/vercel/next.js	MIT
acl	2.3.2	https://storage.googleapis.com/minimal-staging-archives/acl-2.3.2.tar.xz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
attr	2.5.2	https://storage.googleapis.com/minimal-staging-archives/attr-2.5.2.tar.gz MIRROR	(GPL-2.0-only AND LGPL-2.1-only)
autoconf	2.73	www.gnu.org/software/autoconf	GPL-3.0-or-later WITH Autoconf-exception-3.0
automake	1.18.1	www.gnu.org/software/automake	GPL-2.0-only
bash	5.3	www.gnu.org/software/bash	GPL-3.0-only
bash-bootstrap	5.3	https://storage.googleapis.com/minimal-staging-archives/bash-5.3.tar.gz MIRROR	GPL-3.0-only
binutils	2.46.1	www.gnu.org/software/binutils	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.0-only)
bison	3.8.2	www.gnu.org/software/bison	GPL-3.0-only
bzip2	1.0.8	github.com/libarchive/bzip2	bzip2-1.0.6
c-ares	1.34.6	github.com/c-ares/c-ares	MIT
cmake	4.2.3	github.com/Kitware/CMake	BSD-3-Clause
coreutils	9.11	www.gnu.org/software/coreutils	GPL-3.0-only
curl	8.20.0	github.com/curl/curl	curl
diffutils	3.12	www.gnu.org/software/diffutils	GPL-3.0-only
expat	2.7.5	github.com/libexpat/libexpat	MIT
file	5.47	https://storage.googleapis.com/minimal-staging-archives/file-5.47.tar.gz MIRROR	BSD-2-Clause-Darwin
findutils	4.10.0	https://storage.googleapis.com/minimal-staging-archives/findutils-4.10.0.tar.xz MIRROR	GPL-3.0-only
flex	2.6.4	github.com/westes/flex	BSD-3-Clause-flex
gawk	5.4.0	www.gnu.org/software/gawk	GPL-3.0-only
gawk-bootstrap	5.3.2	https://storage.googleapis.com/minimal-staging-archives/gawk-5.3.2.tar.xz MIRROR	GPL-3.0-only
gcc	15.2.0	www.gnu.org/software/gcc	(GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
gdbm	1.26	www.gnu.org/software/gdbm	GPL-3.0-only
glib	2.86.4	https://storage.googleapis.com/minimal-staging-archives/glib-2.86.4.tar.xz MIRROR	LGPL-2.1-or-later
glibc	2.42	www.gnu.org/software/glibc	(GPL-2.0-only AND LGPL-2.1-only)
gmp	6.3.0	www.gnu.org/software/gmp	LGPL-3.0-or-later OR GPL-2.0-or-later
grep	3.12	www.gnu.org/software/grep	GPL-3.0-only
gtest	1.17.0	github.com/google/googletest	BSD-3-Clause
gzip	1.14	www.gnu.org/software/gzip	GPL-3.0-only
icu	78.3	github.com/unicode-org/icu	Unicode-3.0
lcms2	2.17	github.com/mm2/Little-CMS	MIT
libcap	2.78	https://storage.googleapis.com/minimal-staging-archives/libcap-2.78.tar.xz MIRROR	BSD-3-Clause OR GPL-2.0-only
libffi	3.5.2	github.com/libffi/libffi	MIT
libidn2	2.3.8	www.gnu.org/software/libidn2	GPL-3.0-or-later AND (GPL-2.0-or-later OR LGPL-3.0-or-later)
libjpeg-turbo	3.1.4.1	github.com/libjpeg-turbo/libjpeg-turbo	IJG AND BSD-3-Clause AND Zlib
libpng	1.6.58	github.com/pnggroup/libpng	libpng-2.0
libpsl	0.21.5	github.com/rockdaboot/libpsl	MIT
libtool	2.5.4	www.gnu.org/software/libtool	GPL-2.0-only
libunistring	1.4.1	www.gnu.org/software/libunistring	GPL-3.0-only
libuv	1.52.1	github.com/libuv/libuv	MIT
libvips	8.18.3	github.com/libvips/libvips	LGPL-2.1-or-later
libwebp	1.6.0	github.com/webmproject/libwebp	BSD-3-Clause
lief	0.17.6	github.com/lief-project/LIEF	Apache-2.0
linux_headers	6.12.43	github.com/torvalds/linux	GPL-2.0-only WITH Linux-syscall-note
lz4	1.10.0	github.com/lz4/lz4	BSD-2-Clause AND GPL-2.0-or-later
m4	1.4.21	www.gnu.org/software/m4	GPL-3.0-only
make	4.4.1	www.gnu.org/software/make	GPL-3.0-only
meson	1.10.1	github.com/mesonbuild/meson	Apache-2.0
mpc	1.4.0	www.gnu.org/software/mpc	LGPL-3.0-or-later
mpfr	4.2.2	www.gnu.org/software/mpfr	GPL-3.0-only
ncurses	6.5-20250830	www.gnu.org/software/ncurses	X11-distribute-modifications-variant
nghttp2	1.68.1	github.com/nghttp2/nghttp2	MIT
nghttp3	1.15.0	github.com/ngtcp2/nghttp3	MIT
ngtcp2	1.22.1	github.com/ngtcp2/ngtcp2	MIT
ninja	1.13.2	github.com/ninja-build/ninja	Apache-2.0
node	25.8.2	github.com/nodejs/node	MIT
node-lts	24.14.1	github.com/nodejs/node	MIT
openssl	3.6.2	github.com/openssl/openssl	Apache-2.0
pcre2	10.47	github.com/PCRE2Project/pcre2	BSD-3-Clause WITH PCRE2-exception
perl	5.42.0	github.com/Perl/perl5	Artistic-1.0-Perl OR GPL-1.0-or-later
pkgconf	2.5.1	github.com/pkgconf/pkgconf	pkgconf
pnpm	10.34.1	github.com/pnpm/pnpm	MIT
python	3.14.5	github.com/python/cpython	Python-2.0.1
readline	8.3	www.gnu.org/software/readline	GPL-3.0-only
sed	4.9	www.gnu.org/software/sed	GPL-3.0-only
setuptools	82.0.1	github.com/pypa/setuptools	MIT
sqlite	3.50.4	github.com/sqlite/sqlite	blessing
tar	1.35	www.gnu.org/software/tar	GPL-3.0-only
util-linux	2.42.1	github.com/util-linux/util-linux	GPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-3-Clause
xz	5.8.3	github.com/tukaani-project/xz	(0BSD AND GPL-2.0-only AND GPL-3.0-only AND LGPL-2.1-only)
zlib	1.3.2	github.com/madler/zlib	Zlib
zstd	1.5.7	github.com/facebook/zstd	BSD-3-Clause OR GPL-2.0-only

next

Install package

Quick links

What is next?

How to use this package

Quick install

Declare as a task dependency in minimal.toml

Build-time vs runtime

Dependencies (10)

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

References

Summary

Affected ranges

Summary

Affected ranges

References

72 components