Next.js Version Monitoring
Why: The music.skyhouse.dev Next.js app was the vector of the March 2026 cryptominer incident; this adds a nightly notifier so an out-of-date Next.js is caught early.
Following the security incident in March where an unpatched version of Next.js was exploited, Damien requested a proactive approach to monitor the version running in the music-discovery-client Docker container. While the app is currently patched, staying informed of upstream updates allows for timely, manual intervention if a critical update is published.
1. Monitoring Script
We created a monitoring script that runs without needing root. It inspects the actual package.json used by Next.js inside the running container and compares it against the latest published version on npm.
- Action: Wrote
/usr/local/bin/nextjs-checkto query the container viadocker exec, fetch the latest npm version viacurlandjq, and alert Damien via the existing Telegram bot script if they differ. - Action: Included a
--dry-runflag to allow safe testing without spamming Telegram, mirroring the style of existing scripts.
2. Scheduled Execution
The check runs nightly and logs its results locally. By not alerting on version parity or container downtime (silent exit 0), it avoids alert fatigue.
- Action: Appended a cron entry to the
plexuser's crontab running daily at 5:00 AM, outputting logs to/home/plex/.cache/nextjs-check.log.