Next.js Discord

Can't bump version to patch CVE

Answered
Dogo Guatemalteco posted this in #help-forum
Dogo GuatemaltecoOP
I have a somewhat stale Next.js project with the following (relevant) deps:
    "next": "15.0.3",
    "react": "19.0.0-rc-66855b96-20241106",
    "react-dom": "19.0.0-rc-66855b96-20241106",


I am trying to bump next 15.0.3 to 15.0.5 as instructed at https://nextjs.org/blog/CVE-2025-66478. However, when I try to run the dev server next dev with the patched version, the server gets stuck at:

 ○ Compiling /


I've tried many different versions, and to bump react and react-dom as well, and to bump other deps in general, to no avail. next build doesn't work either, getting stuck in compilation as well. Can confirm that the dependency bump is causing the problem, because on 15.0.3 both dev and build work.

How do I even go about debugging this?
Answered by Dogo Guatemalteco

2 Replies

Great-tailed Grackle
yeah that can happen when next hits a compile dead-lock after a version bump.
first thing i’d check is if there’s anything hanging in the route tree or a bad import loop.
you can run NEXT_DEBUG_COMPILATION=1 next dev to see where it stalls; that usually points to the file that’s locking the compiler.
also try blowing out .next, node_modules, and the lockfile, then reinstall clean. stale react rc builds can get weird with minor next bumps.
if you can repro it in a small repo, even better; that narrows it fast.

happy to take a look if you wanna share a snippet or a minimal repo.
Dogo GuatemaltecoOP
After trying several dozen different versions I eventually put a debugger on the build and found out that it's something related to tailwind that's getting stuck. After bumping tailwind itself, in the new version they had the decency to include an error message that uncovered the problem: The tailwind config was set up in such a way that it was scanning the entire node_modules directory, due to a nonsensical path therein. The volume of node_modules was high enough to crash my desktop environment during compilation.
Answer
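
The root cause in the accepted answer, a Tailwind content path that ends up walking all of node_modules, can be checked for statically before a security bump stalls on it. This is an added example, not code from the thread or from Tailwind: it assumes a Tailwind v3-style `content` array of glob strings and a POSIX-style project root, and `auditContentGlobs`, its helpers and the sample globs are hypothetical.

```javascript
// Added example (not from the thread). Assumes a Tailwind v3-style `content`
// array of glob strings and a POSIX-style absolute project root.
const WILDCARD = /[*?{\[]/;

// Resolve path segments against an absolute root, handling "." and "..".
function resolveFrom(root, segments) {
  const parts = root.split("/").filter(Boolean);
  for (const seg of segments) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return "/" + parts.join("/");
}

// Directory a glob starts walking from: everything before its first wildcard segment.
function staticBase(glob, root) {
  const segments = glob.split("/");
  const firstWild = segments.findIndex((s) => WILDCARD.test(s));
  // A pattern with no wildcard names one file; its base is the parent directory.
  const fixed = firstWild === -1 ? segments.slice(0, -1) : segments.slice(0, firstWild);
  return resolveFrom(glob.startsWith("/") ? "/" : root, fixed);
}

// True when `child` is `parent` itself or lies beneath it.
function isInside(parent, child) {
  return child === parent || child.startsWith(parent === "/" ? "/" : parent + "/");
}

// Report globs whose walk would cover node_modules or leave the project root.
function auditContentGlobs(globs, projectRoot) {
  const root = resolveFrom(projectRoot, []);
  const nodeModules = resolveFrom(root, ["node_modules"]);
  const findings = [];
  for (const glob of globs) {
    const base = staticBase(glob, root);
    if (glob.includes("**") && isInside(base, nodeModules)) {
      findings.push({ glob, reason: `recursive walk from ${base} reaches node_modules` });
    } else if (!isInside(root, base)) {
      findings.push({ glob, reason: `base ${base} is outside the project root` });
    }
  }
  return findings;
}

// Constructed sample globs, not the poster's actual config.
const sampleContent = ["./src/**/*.{ts,tsx}", "./**/*.{js,jsx}", "../**/*.tsx",
  "../shared/ui/*.tsx", "./node_modules/@acme/ui/dist/**/*.js"];
console.log(auditContentGlobs(sampleContent, "/srv/app"));
```

A glob scoped to a single package under node_modules is not flagged, since only a recursive walk that starts at or above node_modules covers the whole tree.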