From 86755f4384715c62e205511827c333999c23a705 Mon Sep 17 00:00:00 2001 From: Nelson Melina Date: Wed, 4 Mar 2026 13:58:34 +0000 Subject: [PATCH 1/6] fix: bump Next.js to 16.0.10 to resolve critical CVEs - CVE-2025-66478 (CRITICAL): next@15.1.2 in lockfile - CVE-2025-55184 (HIGH): next@16.0.7 - CVE-2025-67779 (HIGH): next@16.0.7 Bumps all apps (webapp, www, acme) to next@16.0.10. Adds pnpm.overrides to prevent stale next@15 lockfile entries. Regenerates pnpm-lock.yaml to drop vulnerable versions. Ref: https://github.com/refrefhq/refref/issues/55 --- apps/acme/package.json | 2 +- apps/webapp/package.json | 2 +- apps/www/package.json | 2 +- package.json | 3 +- pnpm-lock.yaml | 287 +++++++++++---------------------------- 5 files changed, 82 insertions(+), 214 deletions(-) diff --git a/apps/acme/package.json b/apps/acme/package.json index 2c85353..9d2c19f 100644 --- a/apps/acme/package.json +++ b/apps/acme/package.json @@ -10,7 +10,7 @@ }, "dependencies": { "jose": "^6.1.1", - "next": "16.0.7", + "next": "16.0.10", "react": "^19.2.3", "react-dom": "^19.2.0" }, diff --git a/apps/webapp/package.json b/apps/webapp/package.json index 9d05e7c..ff7baa9 100644 --- a/apps/webapp/package.json +++ b/apps/webapp/package.json @@ -87,7 +87,7 @@ "input-otp": "^1.4.2", "jose": "^6.0.10", "lucide-react": "^0.483.0", - "next": "16.0.7", + "next": "16.0.10", "next-themes": "^0.4.6", "nuqs": "2.8.5", "plugins": "link:better-auth/client/plugins", diff --git a/apps/www/package.json b/apps/www/package.json index 9b2e3f5..0b516cb 100644 --- a/apps/www/package.json +++ b/apps/www/package.json @@ -37,7 +37,7 @@ "globby": "^14.1.0", "hast-util-to-jsx-runtime": "^2.3.2", "lucide-react": "^0.476.0", - "next": "16.0.7", + "next": "16.0.10", "next-plausible": "^3.12.4", "react": "^19.2.3", "react-dom": "^19.2.0", diff --git a/package.json b/package.json index 6626c3e..7b76a45 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,8 @@ }, "pnpm": { "overrides": { - "@babel/core": "7.28.5" + "@babel/core": "7.28.5", + "next": ">=16.0.10" } }, "dependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 73eccfb..003ca12 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,6 +6,7 @@ settings: overrides: '@babel/core': 7.28.5 + next: '>=16.0.10' importers: @@ -34,8 +35,8 @@ importers: specifier: ^6.1.1 version: 6.1.1 next: - specifier: 16.0.7 - version: 16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + specifier: '>=16.0.10' + version: 16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) react: specifier: ^19.2.3 version: 19.2.3 @@ -252,7 +253,7 @@ importers: dependencies: '@daveyplate/better-auth-ui': specifier: ^3.2.9 - version: 3.2.9(c53bb6bc3789aead8bb1736ab30ebb89) + version: 3.2.9(4dca55f03f153c990b03cb2a74d4b27c) '@dnd-kit/core': specifier: ^6.3.1 version: 6.3.1(react-dom@19.2.0(react@19.2.3))(react@19.2.3) @@ -399,7 +400,7 @@ importers: version: 2.4.1(react-dom@19.2.0(react@19.2.3))(react@19.2.3) better-auth: specifier: ^1.3.34 - version: 1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + version: 1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) class-variance-authority: specifier: ^0.7.1 version: 0.7.1 @@ -426,7 +427,7 @@ importers: version: 12.23.24(react-dom@19.2.0(react@19.2.3))(react@19.2.3) geist: specifier: ^1.3.0 - version: 1.5.1(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3)) + version: 1.5.1(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3)) input-otp: specifier: ^1.4.2 version: 1.4.2(react-dom@19.2.0(react@19.2.3))(react@19.2.3) @@ -437,14 +438,14 @@ importers: specifier: ^0.483.0 version: 0.483.0(react@19.2.3) next: - specifier: 16.0.7 - version: 16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + specifier: '>=16.0.10' + version: 16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) next-themes: specifier: ^0.4.6 version: 0.4.6(react-dom@19.2.0(react@19.2.3))(react@19.2.3) nuqs: specifier: 2.8.5 - version: 2.8.5(next@16.0.7(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react@19.2.3) + version: 2.8.5(next@16.0.10(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react@19.2.3) plugins: specifier: link:better-auth/client/plugins version: link:better-auth/client/plugins @@ -508,7 +509,7 @@ importers: devDependencies: '@better-auth/cli': specifier: ^1.3.5 - version: 1.3.34(@cloudflare/workers-types@4.20251113.0)(@types/react@19.2.4)(kysely@0.28.8)(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(postgres@3.4.7)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + version: 1.3.34(@cloudflare/workers-types@4.20251113.0)(@types/react@19.2.4)(kysely@0.28.8)(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(postgres@3.4.7)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) '@refref/attribution-script': specifier: workspace:* version: link:../../packages/attribution-script @@ -613,7 +614,7 @@ importers: version: link:../utils better-auth: specifier: ^1.3.34 - version: 1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + version: 1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) drizzle-orm: specifier: 0.44.7 version: 0.44.7(@cloudflare/workers-types@4.20251113.0)(@prisma/client@5.22.0(prisma@5.22.0))(@types/better-sqlite3@7.6.13)(better-sqlite3@12.4.1)(kysely@0.28.8)(postgres@3.4.7)(prisma@5.22.0) @@ -779,7 +780,7 @@ importers: dependencies: better-auth: specifier: ^1.0.29 - version: 1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + version: 1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) zod: specifier: ^3.23.8 version: 3.25.76 @@ -953,14 +954,14 @@ importers: specifier: ^5.1.5 version: 5.1.6 next: - specifier: '>=16.0.7' - version: 16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + specifier: '>=16.0.10' + version: 16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) next-themes: specifier: ^0.4.6 version: 0.4.6(react-dom@19.2.0(react@19.2.3))(react@19.2.3) nuqs: specifier: 2.8.5 - version: 2.8.5(next@16.0.7(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react@19.2.3) + version: 2.8.5(next@16.0.10(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react@19.2.3) radix-ui: specifier: ^1.4.3 version: 1.4.3(@types/react-dom@19.2.3(@types/react@19.2.4))(@types/react@19.2.4)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) @@ -3174,11 +3175,8 @@ packages: '@napi-rs/wasm-runtime@0.2.12': resolution: {integrity: sha512-ZVWUcfwY4E/yPitQJl481FjFo3K22D6qF0DuFH6Y/nbnE11GY5uguDxZMGXPQ8WQ0128MXQD7TnfHyK4oWoIJQ==} - '@next/env@15.1.2': - resolution: {integrity: sha512-Hm3jIGsoUl6RLB1vzY+dZeqb+/kWPZ+h34yiWxW0dV87l8Im/eMOwpOA+a0L78U0HM04syEjXuRlCozqpwuojQ==} - - '@next/env@16.0.7': - resolution: {integrity: sha512-gpaNgUh5nftFKRkRQGnVi5dpcYSKGcZZkQffZ172OrG/XkrnS7UBTQ648YY+8ME92cC4IojpI2LqTC8sTDhAaw==} + '@next/env@16.0.10': + resolution: {integrity: sha512-8tuaQkyDVgeONQ1MeT9Mkk8pQmZapMKFh5B+OrFUlG3rVmYTXcXlBetBgTurKXGaIZvkoqRT9JL5K3phXcgang==} '@next/eslint-plugin-next@15.5.6': resolution: {integrity: sha512-YxDvsT2fwy1j5gMqk3ppXlsgDopHnkM4BoxSVASbvvgh5zgsK8lvWerDzPip8k3WVzsTZ1O7A7si1KNfN4OZfQ==} @@ -3186,98 +3184,50 @@ packages: '@next/eslint-plugin-next@16.0.3': resolution: {integrity: sha512-6sPWmZetzFWMsz7Dhuxsdmbu3fK+/AxKRtj7OB0/3OZAI2MHB/v2FeYh271LZ9abvnM1WIwWc/5umYjx0jo5sQ==} - '@next/swc-darwin-arm64@15.1.2': - resolution: {integrity: sha512-b9TN7q+j5/7+rGLhFAVZiKJGIASuo8tWvInGfAd8wsULjB1uNGRCj1z1WZwwPWzVQbIKWFYqc+9L7W09qwt52w==} - engines: {node: '>= 10'} - cpu: [arm64] - os: [darwin] - - '@next/swc-darwin-arm64@16.0.7': - resolution: {integrity: sha512-LlDtCYOEj/rfSnEn/Idi+j1QKHxY9BJFmxx7108A6D8K0SB+bNgfYQATPk/4LqOl4C0Wo3LACg2ie6s7xqMpJg==} + '@next/swc-darwin-arm64@16.0.10': + resolution: {integrity: sha512-4XgdKtdVsaflErz+B5XeG0T5PeXKDdruDf3CRpnhN+8UebNa5N2H58+3GDgpn/9GBurrQ1uWW768FfscwYkJRg==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@15.1.2': - resolution: {integrity: sha512-caR62jNDUCU+qobStO6YJ05p9E+LR0EoXh1EEmyU69cYydsAy7drMcOlUlRtQihM6K6QfvNwJuLhsHcCzNpqtA==} + '@next/swc-darwin-x64@16.0.10': + resolution: {integrity: sha512-spbEObMvRKkQ3CkYVOME+ocPDFo5UqHb8EMTS78/0mQ+O1nqE8toHJVioZo4TvebATxgA8XMTHHrScPrn68OGw==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] - '@next/swc-darwin-x64@16.0.7': - resolution: {integrity: sha512-rtZ7BhnVvO1ICf3QzfW9H3aPz7GhBrnSIMZyr4Qy6boXF0b5E3QLs+cvJmg3PsTCG2M1PBoC+DANUi4wCOKXpA==} - engines: {node: '>= 10'} - cpu: [x64] - os: [darwin] - - '@next/swc-linux-arm64-gnu@15.1.2': - resolution: {integrity: sha512-fHHXBusURjBmN6VBUtu6/5s7cCeEkuGAb/ZZiGHBLVBXMBy4D5QpM8P33Or8JD1nlOjm/ZT9sEE5HouQ0F+hUA==} - engines: {node: '>= 10'} - cpu: [arm64] - os: [linux] - - '@next/swc-linux-arm64-gnu@16.0.7': - resolution: {integrity: sha512-mloD5WcPIeIeeZqAIP5c2kdaTa6StwP4/2EGy1mUw8HiexSHGK/jcM7lFuS3u3i2zn+xH9+wXJs6njO7VrAqww==} - engines: {node: '>= 10'} - cpu: [arm64] - os: [linux] - - '@next/swc-linux-arm64-musl@15.1.2': - resolution: {integrity: sha512-9CF1Pnivij7+M3G74lxr+e9h6o2YNIe7QtExWq1KUK4hsOLTBv6FJikEwCaC3NeYTflzrm69E5UfwEAbV2U9/g==} + '@next/swc-linux-arm64-gnu@16.0.10': + resolution: {integrity: sha512-uQtWE3X0iGB8apTIskOMi2w/MKONrPOUCi5yLO+v3O8Mb5c7K4Q5KD1jvTpTF5gJKa3VH/ijKjKUq9O9UhwOYw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-arm64-musl@16.0.7': - resolution: {integrity: sha512-+ksWNrZrthisXuo9gd1XnjHRowCbMtl/YgMpbRvFeDEqEBd523YHPWpBuDjomod88U8Xliw5DHhekBC3EOOd9g==} + '@next/swc-linux-arm64-musl@16.0.10': + resolution: {integrity: sha512-llA+hiDTrYvyWI21Z0L1GiXwjQaanPVQQwru5peOgtooeJ8qx3tlqRV2P7uH2pKQaUfHxI/WVarvI5oYgGxaTw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-x64-gnu@15.1.2': - resolution: {integrity: sha512-tINV7WmcTUf4oM/eN3Yuu/f8jQ5C6AkueZPKeALs/qfdfX57eNv4Ij7rt0SA6iZ8+fMobVfcFVv664Op0caCCg==} - engines: {node: '>= 10'} - cpu: [x64] - os: [linux] - - '@next/swc-linux-x64-gnu@16.0.7': - resolution: {integrity: sha512-4WtJU5cRDxpEE44Ana2Xro1284hnyVpBb62lIpU5k85D8xXxatT+rXxBgPkc7C1XwkZMWpK5rXLXTh9PFipWsA==} - engines: {node: '>= 10'} - cpu: [x64] - os: [linux] - - '@next/swc-linux-x64-musl@15.1.2': - resolution: {integrity: sha512-jf2IseC4WRsGkzeUw/cK3wci9pxR53GlLAt30+y+B+2qAQxMw6WAC3QrANIKxkcoPU3JFh/10uFfmoMDF9JXKg==} + '@next/swc-linux-x64-gnu@16.0.10': + resolution: {integrity: sha512-AK2q5H0+a9nsXbeZ3FZdMtbtu9jxW4R/NgzZ6+lrTm3d6Zb7jYrWcgjcpM1k8uuqlSy4xIyPR2YiuUr+wXsavA==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-linux-x64-musl@16.0.7': - resolution: {integrity: sha512-HYlhqIP6kBPXalW2dbMTSuB4+8fe+j9juyxwfMwCe9kQPPeiyFn7NMjNfoFOfJ2eXkeQsoUGXg+O2SE3m4Qg2w==} + '@next/swc-linux-x64-musl@16.0.10': + resolution: {integrity: sha512-1TDG9PDKivNw5550S111gsO4RGennLVl9cipPhtkXIFVwo31YZ73nEbLjNC8qG3SgTz/QZyYyaFYMeY4BKZR/g==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-win32-arm64-msvc@15.1.2': - resolution: {integrity: sha512-wvg7MlfnaociP7k8lxLX4s2iBJm4BrNiNFhVUY+Yur5yhAJHfkS8qPPeDEUH8rQiY0PX3u/P7Q/wcg6Mv6GSAA==} + '@next/swc-win32-arm64-msvc@16.0.10': + resolution: {integrity: sha512-aEZIS4Hh32xdJQbHz121pyuVZniSNoqDVx1yIr2hy+ZwJGipeqnMZBJHyMxv2tiuAXGx6/xpTcQJ6btIiBjgmg==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] - '@next/swc-win32-arm64-msvc@16.0.7': - resolution: {integrity: sha512-EviG+43iOoBRZg9deGauXExjRphhuYmIOJ12b9sAPy0eQ6iwcPxfED2asb/s2/yiLYOdm37kPaiZu8uXSYPs0Q==} - engines: {node: '>= 10'} - cpu: [arm64] - os: [win32] - - '@next/swc-win32-x64-msvc@15.1.2': - resolution: {integrity: sha512-D3cNA8NoT3aWISWmo7HF5Eyko/0OdOO+VagkoJuiTk7pyX3P/b+n8XA/MYvyR+xSVcbKn68B1rY9fgqjNISqzQ==} - engines: {node: '>= 10'} - cpu: [x64] - os: [win32] - - '@next/swc-win32-x64-msvc@16.0.7': - resolution: {integrity: sha512-gniPjy55zp5Eg0896qSrf3yB1dw4F/3s8VK1ephdsZZ129j2n6e1WqCbE2YgcKhW9hPB9TVZENugquWJD5x0ug==} + '@next/swc-win32-x64-msvc@16.0.10': + resolution: {integrity: sha512-E+njfCoFLb01RAFEnGZn6ERoOqhK1Gl3Lfz1Kjnj0Ulfu7oJbuMyvBKNj/bw8XZnenHDASlygTjZICQW+rYW1Q==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -6375,6 +6325,7 @@ packages: basic-ftp@5.0.5: resolution: {integrity: sha512-4Bcg1P8xhUuqcii/S0Z9wiHIrQVPMermM1any+MX5GeGD7faD3/msQUDGLol9wOcz4/jbg/WJnGqoJF6LiBdtg==} engines: {node: '>=10.0.0'} + deprecated: Security vulnerability fixed in 5.2.0, please upgrade better-auth@1.3.34: resolution: {integrity: sha512-LWA52SlvnUBJRbN8VLSTLILPomZY3zZAiLxVJCeSQ5uVmaIKkMBhERitkfJcXB9RJcfl4uP+3EqKkb6hX1/uiw==} @@ -6468,10 +6419,6 @@ packages: peerDependencies: esbuild: '>=0.18' - busboy@1.6.0: - resolution: {integrity: sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==} - engines: {node: '>=10.16.0'} - c12@3.3.2: resolution: {integrity: sha512-QkikB2X5voO1okL3QsES0N690Sn/K9WokXqUsDQsWy5SnYb+psYQFGA10iy1bZHj3fjISKsI67Q90gruvWWM3A==} peerDependencies: @@ -7843,7 +7790,7 @@ packages: geist@1.5.1: resolution: {integrity: sha512-mAHZxIsL2o3ZITFaBVFBnwyDOw+zNLYum6A6nIjpzCGIO8QtC3V76XF2RnZTyLx1wlDTmMDy8jg3Ib52MIjGvQ==} peerDependencies: - next: '>=13.2.0' + next: '>=16.0.10' generator-function@2.0.1: resolution: {integrity: sha512-SFdFmIJi+ybC0vjlHN0ZGVGHc3lgE0DxPAT0djjVg+kjOnSqclqmj0KQ7ykTOLP6YxoqOvuAODGdcHJn+43q3g==} @@ -7909,20 +7856,22 @@ packages: glob@10.3.4: resolution: {integrity: sha512-6LFElP3A+i/Q8XQKEvZjkEWEOTgAIALR9AO2rwT8bgPhDd1anmqDJDZ6lLddI4ehxxxR1S5RIqKe1uapMQfYaQ==} engines: {node: '>=16 || 14 >=14.17'} + deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me hasBin: true glob@10.4.5: resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==} + deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me hasBin: true glob@7.2.3: resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==} - deprecated: Glob versions prior to v9 are no longer supported + deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me glob@8.1.0: resolution: {integrity: sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==} engines: {node: '>=12'} - deprecated: Glob versions prior to v9 are no longer supported + deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me globals@14.0.0: resolution: {integrity: sha512-oahGvuMGQlPw/ivIYBjVSrWAfWLBeku5tpPE2fOPLi+WHffIWbuh2tCjhyQhTBPMf5E9jDEH4FOmTYgYwbKwtQ==} @@ -8822,30 +8771,8 @@ packages: react: ^16.8 || ^17 || ^18 || ^19 || ^19.0.0-rc react-dom: ^16.8 || ^17 || ^18 || ^19 || ^19.0.0-rc - next@15.1.2: - resolution: {integrity: sha512-nLJDV7peNy+0oHlmY2JZjzMfJ8Aj0/dd3jCwSZS8ZiO5nkQfcZRqDrRN3U5rJtqVTQneIOGZzb6LCNrk7trMCQ==} - engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} - deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details. - hasBin: true - peerDependencies: - '@opentelemetry/api': ^1.1.0 - '@playwright/test': ^1.41.2 - babel-plugin-react-compiler: '*' - react: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0 - react-dom: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0 - sass: ^1.3.0 - peerDependenciesMeta: - '@opentelemetry/api': - optional: true - '@playwright/test': - optional: true - babel-plugin-react-compiler: - optional: true - sass: - optional: true - - next@16.0.7: - resolution: {integrity: sha512-3mBRJyPxT4LOxAJI6IsXeFtKfiJUbjCLgvXO02fV8Wy/lIhPvP94Fe7dGhUgHXcQy4sSuYwQNcOLhIfOm0rL0A==} + next@16.0.10: + resolution: {integrity: sha512-RtWh5PUgI+vxlV3HdR+IfWA1UUHu0+Ram/JBO4vWB54cVPentCD0e+lxyAYEsDTqGGMg7qpjhKh6dc6aW7W/sA==} engines: {node: '>=20.9.0'} hasBin: true peerDependencies: @@ -8906,7 +8833,7 @@ packages: peerDependencies: '@remix-run/react': '>=2' '@tanstack/react-router': ^1 - next: '>=14.2.0' + next: '>=16.0.10' react: '>=18.2.0 || ^19.0.0-0' react-router: ^5 || ^6 || ^7 react-router-dom: ^5 || ^6 || ^7 @@ -9375,6 +9302,7 @@ packages: prebuild-install@7.1.3: resolution: {integrity: sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug==} engines: {node: '>=10'} + deprecated: No longer maintained. Please contact the author of the relevant native addon; alternatives are available. hasBin: true prelude-ls@1.2.1: @@ -10027,10 +9955,6 @@ packages: resolution: {integrity: sha512-KXDYZ9dszj6bzvnEMRYvxgeTHU74QBFL54XKtP3nyMuJ81CFYtABZ3bAzL2EdFUaEwJOBOgENyFj3R7oTzDyyw==} engines: {node: '>=4', npm: '>=6'} - streamsearch@1.1.0: - resolution: {integrity: sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==} - engines: {node: '>=10.0.0'} - string-argv@0.3.2: resolution: {integrity: sha512-aqD2Q0144Z+/RqG52NeHEkZauTAUWJO8c6yTftGJKO3Tja5tUgIfmIl6kExvhtxSDP7fXB6DvzkfMpCd/F3G+Q==} engines: {node: '>=0.6.19'} @@ -10794,6 +10718,7 @@ packages: whatwg-encoding@3.1.1: resolution: {integrity: sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==} engines: {node: '>=18'} + deprecated: Use @exodus/bytes instead for a more spec-conformant and faster implementation whatwg-mimetype@3.0.0: resolution: {integrity: sha512-nt+N2dzIutVRxARx1nghPKGv1xHikU7HKdfafKkLNLindmPU/ch3U31NOCGGA/dmPcmb1VlofO0vnKAcsm0o/Q==} @@ -11253,7 +11178,7 @@ snapshots: '@babel/helper-string-parser': 7.27.1 '@babel/helper-validator-identifier': 7.28.5 - '@better-auth/cli@1.3.34(@cloudflare/workers-types@4.20251113.0)(@types/react@19.2.4)(kysely@0.28.8)(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(postgres@3.4.7)(react-dom@19.2.0(react@19.2.3))(react@19.2.3)': + '@better-auth/cli@1.3.34(@cloudflare/workers-types@4.20251113.0)(@types/react@19.2.4)(kysely@0.28.8)(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(postgres@3.4.7)(react-dom@19.2.0(react@19.2.3))(react@19.2.3)': dependencies: '@babel/core': 7.28.5 '@babel/preset-react': 7.28.5(@babel/core@7.28.5) @@ -11264,7 +11189,7 @@ snapshots: '@prisma/client': 5.22.0(prisma@5.22.0) '@types/better-sqlite3': 7.6.13 '@types/prompts': 2.4.9 - better-auth: 1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + better-auth: 1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) better-sqlite3: 12.4.1 c12: 3.3.2 chalk: 5.6.2 @@ -11436,19 +11361,19 @@ snapshots: '@date-fns/tz@1.4.1': {} - '@daveyplate/better-auth-tanstack@1.3.6(@tanstack/query-core@5.90.8)(@tanstack/react-query@5.90.8(react@19.2.3))(better-auth@1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3)': + '@daveyplate/better-auth-tanstack@1.3.6(@tanstack/query-core@5.90.8)(@tanstack/react-query@5.90.8(react@19.2.3))(better-auth@1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3)': dependencies: '@tanstack/query-core': 5.90.8 '@tanstack/react-query': 5.90.8(react@19.2.3) - better-auth: 1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + better-auth: 1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) react: 19.2.3 react-dom: 19.2.0(react@19.2.3) - '@daveyplate/better-auth-ui@3.2.9(c53bb6bc3789aead8bb1736ab30ebb89)': + '@daveyplate/better-auth-ui@3.2.9(4dca55f03f153c990b03cb2a74d4b27c)': dependencies: '@better-fetch/fetch': 1.1.18 '@captchafox/react': 1.10.0(react-dom@19.2.0(react@19.2.3))(react@19.2.3) - '@daveyplate/better-auth-tanstack': 1.3.6(@tanstack/query-core@5.90.8)(@tanstack/react-query@5.90.8(react@19.2.3))(better-auth@1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + '@daveyplate/better-auth-tanstack': 1.3.6(@tanstack/query-core@5.90.8)(@tanstack/react-query@5.90.8(react@19.2.3))(better-auth@1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) '@hcaptcha/react-hcaptcha': 1.14.0(react-dom@19.2.0(react@19.2.3))(react@19.2.3) '@hookform/resolvers': 5.2.0(react-hook-form@7.66.0(react@19.2.3)) '@instantdb/react': 0.22.51(react@19.2.3) @@ -11472,7 +11397,7 @@ snapshots: '@triplit/client': 1.0.50(better-sqlite3@12.4.1)(typescript@5.9.2) '@triplit/react': 1.0.51(better-sqlite3@12.4.1)(react@19.2.3)(typescript@5.9.2) '@wojtekmaj/react-recaptcha-v3': 0.1.4(@types/react@19.2.4)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) - better-auth: 1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + better-auth: 1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3) class-variance-authority: 0.7.1 clsx: 2.1.1 input-otp: 1.4.2(react-dom@19.2.0(react@19.2.3))(react@19.2.3) @@ -12598,9 +12523,7 @@ snapshots: '@tybys/wasm-util': 0.10.1 optional: true - '@next/env@15.1.2': {} - - '@next/env@16.0.7': {} + '@next/env@16.0.10': {} '@next/eslint-plugin-next@15.5.6': dependencies: @@ -12610,52 +12533,28 @@ snapshots: dependencies: fast-glob: 3.3.1 - '@next/swc-darwin-arm64@15.1.2': - optional: true - - '@next/swc-darwin-arm64@16.0.7': - optional: true - - '@next/swc-darwin-x64@15.1.2': - optional: true - - '@next/swc-darwin-x64@16.0.7': - optional: true - - '@next/swc-linux-arm64-gnu@15.1.2': - optional: true - - '@next/swc-linux-arm64-gnu@16.0.7': - optional: true - - '@next/swc-linux-arm64-musl@15.1.2': + '@next/swc-darwin-arm64@16.0.10': optional: true - '@next/swc-linux-arm64-musl@16.0.7': + '@next/swc-darwin-x64@16.0.10': optional: true - '@next/swc-linux-x64-gnu@15.1.2': + '@next/swc-linux-arm64-gnu@16.0.10': optional: true - '@next/swc-linux-x64-gnu@16.0.7': + '@next/swc-linux-arm64-musl@16.0.10': optional: true - '@next/swc-linux-x64-musl@15.1.2': + '@next/swc-linux-x64-gnu@16.0.10': optional: true - '@next/swc-linux-x64-musl@16.0.7': + '@next/swc-linux-x64-musl@16.0.10': optional: true - '@next/swc-win32-arm64-msvc@15.1.2': + '@next/swc-win32-arm64-msvc@16.0.10': optional: true - '@next/swc-win32-arm64-msvc@16.0.7': - optional: true - - '@next/swc-win32-x64-msvc@15.1.2': - optional: true - - '@next/swc-win32-x64-msvc@16.0.7': + '@next/swc-win32-x64-msvc@16.0.10': optional: true '@noble/ciphers@2.0.1': {} @@ -16345,7 +16244,7 @@ snapshots: basic-ftp@5.0.5: {} - better-auth@1.3.34(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3): + better-auth@1.3.34(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react-dom@19.2.0(react@19.2.3))(react@19.2.3): dependencies: '@better-auth/core': 1.3.34(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.18)(better-call@1.0.19)(jose@6.1.1)(kysely@0.28.8)(nanostores@1.0.1) '@better-auth/telemetry': 1.3.34(better-call@1.0.19)(jose@6.1.1)(kysely@0.28.8)(nanostores@1.0.1) @@ -16362,7 +16261,7 @@ snapshots: nanostores: 1.0.1 zod: 4.1.12 optionalDependencies: - next: 16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + next: 16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) react: 19.2.3 react-dom: 19.2.0(react@19.2.3) @@ -16482,10 +16381,6 @@ snapshots: esbuild: 0.27.0 load-tsconfig: 0.2.5 - busboy@1.6.0: - dependencies: - streamsearch: 1.1.0 - c12@3.3.2: dependencies: chokidar: 4.0.3 @@ -17975,9 +17870,9 @@ snapshots: functions-have-names@1.2.3: {} - geist@1.5.1(next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3)): + geist@1.5.1(next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3)): dependencies: - next: 16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + next: 16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) generator-function@2.0.1: {} @@ -18939,35 +18834,9 @@ snapshots: react: 19.2.3 react-dom: 19.2.0(react@19.2.3) - next@15.1.2(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3): - dependencies: - '@next/env': 15.1.2 - '@swc/counter': 0.1.3 - '@swc/helpers': 0.5.15 - busboy: 1.6.0 - caniuse-lite: 1.0.30001754 - postcss: 8.4.31 - react: 19.2.3 - react-dom: 19.2.0(react@19.2.3) - styled-jsx: 5.1.6(@babel/core@7.28.5)(react@19.2.3) - optionalDependencies: - '@next/swc-darwin-arm64': 15.1.2 - '@next/swc-darwin-x64': 15.1.2 - '@next/swc-linux-arm64-gnu': 15.1.2 - '@next/swc-linux-arm64-musl': 15.1.2 - '@next/swc-linux-x64-gnu': 15.1.2 - '@next/swc-linux-x64-musl': 15.1.2 - '@next/swc-win32-arm64-msvc': 15.1.2 - '@next/swc-win32-x64-msvc': 15.1.2 - '@playwright/test': 1.56.1 - sharp: 0.33.5 - transitivePeerDependencies: - - '@babel/core' - - babel-plugin-macros - - next@16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3): + next@16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3): dependencies: - '@next/env': 16.0.7 + '@next/env': 16.0.10 '@swc/helpers': 0.5.15 caniuse-lite: 1.0.30001754 postcss: 8.4.31 @@ -18975,14 +18844,14 @@ snapshots: react-dom: 19.2.0(react@19.2.3) styled-jsx: 5.1.6(@babel/core@7.28.5)(react@19.2.3) optionalDependencies: - '@next/swc-darwin-arm64': 16.0.7 - '@next/swc-darwin-x64': 16.0.7 - '@next/swc-linux-arm64-gnu': 16.0.7 - '@next/swc-linux-arm64-musl': 16.0.7 - '@next/swc-linux-x64-gnu': 16.0.7 - '@next/swc-linux-x64-musl': 16.0.7 - '@next/swc-win32-arm64-msvc': 16.0.7 - '@next/swc-win32-x64-msvc': 16.0.7 + '@next/swc-darwin-arm64': 16.0.10 + '@next/swc-darwin-x64': 16.0.10 + '@next/swc-linux-arm64-gnu': 16.0.10 + '@next/swc-linux-arm64-musl': 16.0.10 + '@next/swc-linux-x64-gnu': 16.0.10 + '@next/swc-linux-x64-musl': 16.0.10 + '@next/swc-win32-arm64-msvc': 16.0.10 + '@next/swc-win32-x64-msvc': 16.0.10 '@playwright/test': 1.56.1 sharp: 0.34.5 transitivePeerDependencies: @@ -19032,12 +18901,12 @@ snapshots: dependencies: boolbase: 1.0.0 - nuqs@2.8.5(next@16.0.7(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react@19.2.3): + nuqs@2.8.5(next@16.0.10(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3))(react@19.2.3): dependencies: '@standard-schema/spec': 1.0.0 react: 19.2.3 optionalDependencies: - next: 16.0.7(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + next: 16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) nwsapi@2.2.22: {} @@ -19806,7 +19675,7 @@ snapshots: glob: 10.3.4 log-symbols: 4.1.0 mime-types: 2.1.35 - next: 15.1.2(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) + next: 16.0.10(@babel/core@7.28.5)(@playwright/test@1.56.1)(react-dom@19.2.0(react@19.2.3))(react@19.2.3) normalize-path: 3.0.0 ora: 5.4.1 socket.io: 4.8.1 @@ -20462,8 +20331,6 @@ snapshots: stoppable@1.1.0: {} - streamsearch@1.1.0: {} - string-argv@0.3.2: {} string-width@4.2.3: From 66d7b7a6c082e7d275ff4febf1bb07c2e66e304a Mon Sep 17 00:00:00 2001 From: Nelson Melina Date: Wed, 4 Mar 2026 14:21:19 +0000 Subject: [PATCH 2/6] fix(docker): copy built package artifacts after pnpm install in API Dockerfile pnpm install --prod in the runner stage overwrites the built dist/ directories of workspace packages, causing ERR_MODULE_NOT_FOUND at runtime for @refref/coredb/dist/schema. Fix by copying built artifacts after the install step. --- Dockerfile.api | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Dockerfile.api b/Dockerfile.api index 5e692b2..0bea0b0 100644 --- a/Dockerfile.api +++ b/Dockerfile.api @@ -51,9 +51,8 @@ COPY pnpm-workspace.yaml ./ COPY package.json ./ COPY pnpm-lock.yaml ./ -# Copy built packages +# Copy package source (needed for workspace linking) COPY --from=base /app/packages/ ./packages/ -COPY --from=base /app/apps/api/dist/ ./apps/api/dist/ COPY --from=base /app/apps/api/package.json ./apps/api/package.json # Copy ca-certificates from build stage @@ -62,6 +61,10 @@ COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ # Install only production dependencies RUN pnpm install --frozen-lockfile --prod +# Copy built artifacts AFTER install to prevent pnpm from overwriting them +COPY --from=base /app/packages/ ./packages/ +COPY --from=base /app/apps/api/dist/ ./apps/api/dist/ + # Set working directory to api app WORKDIR /app/apps/api From 7b54f54ba05eed096d6b38cda97375961d23e2b8 Mon Sep 17 00:00:00 2001 From: Nelson Melina Date: Wed, 4 Mar 2026 14:29:29 +0000 Subject: [PATCH 3/6] fix(docker): use tsx for API runtime to handle extensionless ESM imports Dockerfile.api's production stage uses `node dist/index.js` but the compiled TypeScript output has extensionless imports (e.g. `from "../schema"`) because tsconfig uses `moduleResolution: "bundler"`. Node.js ESM strict resolution rejects these at runtime with ERR_MODULE_NOT_FOUND. Fix: copy the full builder output (including devDeps) and use tsx to run the compiled output, matching how the dev server works. Also removes the separate pnpm install --prod step which was overwriting built workspace package artifacts. Ref: https://github.com/refrefhq/refref/issues/57 --- Dockerfile.api | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/Dockerfile.api b/Dockerfile.api index 0bea0b0..2980271 100644 --- a/Dockerfile.api +++ b/Dockerfile.api @@ -51,25 +51,21 @@ COPY pnpm-workspace.yaml ./ COPY package.json ./ COPY pnpm-lock.yaml ./ -# Copy package source (needed for workspace linking) -COPY --from=base /app/packages/ ./packages/ -COPY --from=base /app/apps/api/package.json ./apps/api/package.json +# Copy everything from builder (node_modules, built packages, built api) +# Using full install (not --prod) because tsx is needed at runtime to handle +# extensionless ESM imports in compiled workspace packages +COPY --from=base /app/ ./ # Copy ca-certificates from build stage COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -# Install only production dependencies -RUN pnpm install --frozen-lockfile --prod - -# Copy built artifacts AFTER install to prevent pnpm from overwriting them -COPY --from=base /app/packages/ ./packages/ -COPY --from=base /app/apps/api/dist/ ./apps/api/dist/ - # Set working directory to api app WORKDIR /app/apps/api # Expose port EXPOSE 3000 -# Start the application -CMD ["pnpm", "start"] +# Start with tsx to handle extensionless ESM imports in workspace packages +# (tsc compiles with moduleResolution:"bundler" which emits extensionless +# imports, but Node.js ESM strict resolution rejects them) +CMD ["pnpm", "tsx", "dist/index.js"] From a28a2242628f5ee0cbcb04399051fe1cce692dc9 Mon Sep 17 00:00:00 2001 From: Nelson Melina Date: Wed, 4 Mar 2026 14:36:10 +0000 Subject: [PATCH 4/6] chore: trigger Railway rebuild with Dockerfile fixes From 19f58dda4e80d1d820d8f9a782815d393f331fac Mon Sep 17 00:00:00 2001 From: Nelson Melina Date: Wed, 4 Mar 2026 14:43:10 +0000 Subject: [PATCH 5/6] fix(docker): pass NEXT_PUBLIC_APP_URL as build arg for client bundle Next.js NEXT_PUBLIC_* vars are embedded at build time. Without this, the client-side auth requests go to localhost:3000 instead of the deployed URL, causing ERR_CONNECTION_REFUSED in the browser. --- Dockerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index be3af23..dfb09a7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,6 +31,11 @@ RUN pnpm install --frozen-lockfile --filter @refref/webapp... # Build the webapp application (with placeholder env vars for build time) ENV DATABASE_URL="postgresql://placeholder" ENV BETTER_AUTH_SECRET="placeholder-secret-for-build" + +# NEXT_PUBLIC_* vars must be available at build time for Next.js client bundle +ARG NEXT_PUBLIC_APP_URL +ENV NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL:-http://localhost:3000} + RUN pnpm build --filter @refref/webapp... # Production stage From 647ae9a6f7fb7a406220bb0beeac81414811cc88 Mon Sep 17 00:00:00 2001 From: Nelson Melina Date: Wed, 4 Mar 2026 14:49:09 +0000 Subject: [PATCH 6/6] fix(webapp): don't pass posthog proxy to auth when PostHog is not configured The posthog Proxy object is always truthy even when NEXT_PUBLIC_POSTHOG_KEY is not set. When passed to Better Auth, the after hook calls posthog?.capture() which hits the Proxy get trap. The trap returns undefined instead of a no-op function when posthogClient is null, causing TypeError: b?.capture is not a function on user signup. Fix: only pass posthog to auth when PostHog key is actually configured. --- apps/webapp/src/lib/auth.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/webapp/src/lib/auth.ts b/apps/webapp/src/lib/auth.ts index 81566da..ca3f1dc 100644 --- a/apps/webapp/src/lib/auth.ts +++ b/apps/webapp/src/lib/auth.ts @@ -20,7 +20,7 @@ export const auth = getAuth({ } : undefined, logger, - posthog, + posthog: env.NEXT_PUBLIC_POSTHOG_KEY ? posthog : undefined, trustedOrigins: [env.NEXT_PUBLIC_APP_URL], emailFrom: env.NOTIFICATIONS_EMAIL_FROM, });