This warning appearing in the error message may appear to be a "helpful" reminder to devs
but it is problematic in a high security environment because in order to know that there's a newer version of Next.js
needs to Phone Home either to NPM for the version number or to Vercel ... either way it's making an external network request. 💭
To be clear: I'm a proponent of keeping software/systems up-to-date in terms of security patches/updates. ⬆️
And to some people who aren't security conscious having Next.js making network requests might be convenient ...
But if you work in a high security environment and need to know what all outbound network requests are doing,
this is a no-go! 🙅
While doing a routine update to the
/docsI got the following compilation error in theNextraproject:Next.js (14.2.4) out of date (learn more)
This warning appearing in the error message may appear to be a "helpful" reminder to devs but it is problematic in a high security environment because in order to know that there's a newer version of
Next.jsneeds to Phone Home either toNPMfor the version number or toVercel... either way it's making an external network request. 💭the is the page the "learn more" links to: https://nextjs.org/docs/messages/version-staleness
To be clear: I'm a proponent of keeping software/systems up-to-date in terms of security patches/updates. ⬆️ And to some people who aren't security conscious having
Next.jsmaking network requests might be convenient ... But if you work in a high security environment and need to know what all outbound network requests are doing, this is a no-go! 🙅At the time of writing the version of
Next.jsin ourNextraproject is14.2.4and the most recent version onNPMis14.2.5: https://www.npmjs.com/package/next?activeTab=versionsThey have published
2,665 versions... 😮How maintainable is a project that has an update every day ...? 🤷♂️ https://github.com/dwyl/learn-nextjs/issues/12