vercel/next.js

84/100
// permanent record of scan from 2026-05-09 · stack: Node.js · pnpm · Turbo · Rust (SWC) · GitHub Actions · Rspack · TypeScript
// permalink — this URL always shows scan -LuQZ0hC from 2026-05-09, even if a newer public scan exists for this repo.

Nine dimensions

DevOps (82/100)
Multiple workflows with build-and-test on canary, PR auto-labeler, stats generation, rspack scheduled tests, and Slack-integrated retry pipelines.

Security (82/100)
OSV scan: no CVEs. Secret scan: no patterns. No committed env files. Workflows use pinned action SHAs with minimal permissions scopes.

Cost & infra (88/100)
MIT license imposes no licensing cost; managed GitHub Actions and Vercel KV for timings; no visible self-hosted infrastructure dependencies.

QA & testing (88/100)
1882 test files, plus integration_tests_reusable.yml running E2E and legacy integration tests across 6–16 parallel matrix groups, amount to world-class QA infrastructure.

Performance (80/100)
Turbopack and Rspack as alternative bundlers, TURBO_CACHE with remote caching, 16-group parallel test matrices, and release-with-assertions Rust builds.

Architecture (82/100)
Monorepo with pnpm workspaces, create_release_branch.yml with GitHub App tokens, code_freeze.yml workflow, and proper release branch gating.

Code quality (85/100)
Next.js is a mature framework with 139k stars; custom ast-grep lint rules, nextest config, and CODEOWNERS prove engineering rigor beyond any boilerplate.

Observability (84/100)
retry_test.yml and retry_deploy_test.yml send Slack webhooks on failures; next-integration-stat tracks test pass rates; KV store backs test timings.

Maintainability (82/100)
MIT license, detailed issue templates with reproduction requirements, CODEOWNERS, stale/PR-lock workflows, and comprehensive .github structure.

Top findings (AI)

[high] Rspack integration has known failing tests at scale

rspack-update-tests-manifest.yml is a recurring workflow dedicated to tracking passing/failing/skipped tests, and both Rspack test workflows use 12–16 parallel groups with 90-minute timeouts. This indicates Rspack is not yet parity-grade for production use in all Next.js scenarios.

[high] No Dockerfile or root deployment config in repo

The framework repo has no Dockerfile, no vercel.json, and no deploy config at the root. Vercel deploys Next.js externally; this repo cannot be self-hosted from source without custom configuration. Consumers adopting self-hosted next-server need to build their own container strategy.

[medium] 3,908 open issues with no defined SLA

issue_stale.yml marks issues stale after 545 days of inactivity and closes them after 7 more days, but the 3,908 open count (before the stale policy runs) means a significant backlog. The stale action runs on a daily schedule with 300 operations-per-run cap, which may not clear the queue fast enough.

[medium] No visible security-specific CI workflow

No dedicated SAST, dependency audit, or CodeQL workflow is visible in .github/workflows/. OSV scan confirmed no declared dependencies were scanned — the framework likely has transitive deps that were not in the scan surface. Security posture depends on what Vercel does internally, not what's visible in this repo.

[medium] Graphite CI optimizer is not enforced; a bypass label exists

graphite_ci_optimizer.yml can be bypassed by adding label 'CI Bypass Graphite Optimization' and pushing a new commit. This means developers can skip expensive CI jobs on any PR, creating a potential gap where untested changes land on canary.

[medium] TURBO_REMOTE_CACHE requires a paid Vercel token

build_and_test.yml and build_and_deploy.yml both set TURBO_TEAM to 'vtest314-next-adapter-e2e-tests' with TURBO_TOKEN secret. Turbo remote caching is a Vercel Teams feature; the entire CI pipeline degrades to local-only cache if the secret is unavailable, per the 'degrade gracefully' comment in the config.