Vercel Deployment

1---2name: vercel-deployment3description: Expert knowledge for deploying to Vercel with Next.js4risk: safe5source: vibeship-spawner-skills (Apache 2.0)6date_added: 2026-02-277---8 9# Vercel Deployment10 11Expert knowledge for deploying to Vercel with Next.js12 13## Capabilities14 15- vercel16- deployment17- edge-functions18- serverless19- environment-variables20 21## Prerequisites22 23- Required skills: nextjs-app-router24 25## Patterns26 27### Environment Variables Setup28 29Properly configure environment variables for all environments30 31**When to use**: Setting up a new project on Vercel32 33// Three environments in Vercel:34// - Development (local)35// - Preview (PR deployments)36// - Production (main branch)37 38// In Vercel Dashboard:39// Settings → Environment Variables40 41// PUBLIC variables (exposed to browser)42NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co43NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...44 45// PRIVATE variables (server only)46SUPABASE_SERVICE_ROLE_KEY=eyJ...  // Never NEXT_PUBLIC_!47DATABASE_URL=postgresql://...48 49// Per-environment values:50// Production: Real database, production API keys51// Preview: Staging database, test API keys52// Development: Local/dev values (also in .env.local)53 54// In code, check environment:55const isProduction = process.env.VERCEL_ENV === 'production'56const isPreview = process.env.VERCEL_ENV === 'preview'57 58### Edge vs Serverless Functions59 60Choose the right runtime for your API routes61 62**When to use**: Creating API routes or middleware63 64// EDGE RUNTIME - Fast cold starts, limited APIs65// Good for: Auth checks, redirects, simple transforms66 67// app/api/hello/route.ts68export const runtime = 'edge'69 70export async function GET() {71  return Response.json({ message: 'Hello from Edge!' })72}73 74// middleware.ts (always edge)75export function middleware(request: NextRequest) {76  // Fast auth checks here77}78 79// SERVERLESS (Node.js) - Full Node APIs, slower cold start80// Good for: Database queries, file operations, heavy computation81 82// app/api/users/route.ts83export const runtime = 'nodejs'  // Default, can omit84 85export async function GET() {86  const users = await db.query('SELECT * FROM users')87  return Response.json(users)88}89 90### Build Optimization91 92Optimize build for faster deployments and smaller bundles93 94**When to use**: Preparing for production deployment95 96// next.config.js97/** @type {import('next').NextConfig} */98const nextConfig = {99  // Minimize output100  output: 'standalone',  // For Docker/self-hosting101 102  // Image optimization103  images: {104    remotePatterns: [105      { hostname: 'your-cdn.com' },106    ],107  },108 109  // Bundle analyzer (dev only)110  // npm install @next/bundle-analyzer111  ...(process.env.ANALYZE === 'true' && {112    webpack: (config) => {113      const { BundleAnalyzerPlugin } = require('webpack-bundle-analyzer')114      config.plugins.push(new BundleAnalyzerPlugin())115      return config116    },117  }),118}119 120// Reduce serverless function size:121// - Use dynamic imports for heavy libs122// - Check bundle with: npx @next/bundle-analyzer123 124### Preview Deployment Workflow125 126Use preview deployments for PR reviews127 128**When to use**: Setting up team development workflow129 130// Every PR gets a unique preview URL automatically131 132// Protect preview deployments with password:133// Vercel Dashboard → Settings → Deployment Protection134 135// Use different env vars for preview:136// - PREVIEW: Use staging database137// - PRODUCTION: Use production database138 139// In code, detect preview:140if (process.env.VERCEL_ENV === 'preview') {141  // Show "Preview" banner142  // Use test payment processor143  // Disable analytics144}145 146// Comment preview URL on PR (automatic with Vercel GitHub integration)147 148### Custom Domain Setup149 150Configure custom domains with proper SSL151 152**When to use**: Going to production153 154// In Vercel Dashboard → Domains155 156// Add domains:157// - example.com (apex/root)158// - www.example.com (subdomain)159 160// DNS Configuration (at your registrar):161// Type: A, Name: @, Value: 76.76.21.21162// Type: CNAME, Name: www, Value: cname.vercel-dns.com163 164// Redirect www to apex (or vice versa):165// Vercel handles this automatically166 167// In next.config.js for redirects:168module.exports = {169  async redirects() {170    return [171      {172        source: '/old-page',173        destination: '/new-page',174        permanent: true,  // 308175      },176    ]177  },178}179 180## Sharp Edges181 182### NEXT_PUBLIC_ exposes secrets to the browser183 184Severity: CRITICAL185 186Situation: Using NEXT_PUBLIC_ prefix for sensitive API keys187 188Symptoms:189- Secrets visible in browser DevTools → Sources190- Security audit finds exposed keys191- Unexpected API access from unknown sources192 193Why this breaks:194Variables prefixed with NEXT_PUBLIC_ are inlined into the JavaScript195bundle at build time. Anyone can view them in browser DevTools.196This includes all your users and potential attackers.197 198Recommended fix:199 200Only use NEXT_PUBLIC_ for truly public values:201 202// SAFE to use NEXT_PUBLIC_203NEXT_PUBLIC_SUPABASE_URL=https://xxx.supabase.co204NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...  // Anon key is designed to be public205NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_...206NEXT_PUBLIC_GA_ID=G-XXXXXXX207 208// NEVER use NEXT_PUBLIC_209SUPABASE_SERVICE_ROLE_KEY=eyJ...     // Full database access!210STRIPE_SECRET_KEY=sk_live_...         // Can charge cards!211DATABASE_URL=postgresql://...          // Direct DB access!212JWT_SECRET=...                         // Can forge tokens!213 214// Access server-only vars in:215// - Server Components (app router)216// - API Routes217// - Server Actions ('use server')218// - getServerSideProps (pages router)219 220### Preview deployments using production database221 222Severity: HIGH223 224Situation: Not configuring separate environment variables for preview225 226Symptoms:227- Test data appearing in production228- Production data corrupted after PR merge229- Users seeing test accounts/content230 231Why this breaks:232Preview deployments run untested code. If they use production database,233a bug in a PR can corrupt production data. Also, testers might create234test data that shows up in production.235 236Recommended fix:237 238Set up separate databases for each environment:239 240// In Vercel Dashboard → Settings → Environment Variables241 242// Production (production env only):243DATABASE_URL=postgresql://prod-host/prod-db244 245// Preview (preview env only):246DATABASE_URL=postgresql://staging-host/staging-db247 248// Or use Vercel's branching databases:249// - Neon, PlanetScale, Supabase all support branch databases250// - Auto-create preview DB for each PR251 252// For Supabase, create a staging project:253// Production:254NEXT_PUBLIC_SUPABASE_URL=https://prod-xxx.supabase.co255 256// Preview:257NEXT_PUBLIC_SUPABASE_URL=https://staging-xxx.supabase.co258 259### Serverless function too large, slow cold starts260 261Severity: HIGH262 263Situation: API route or server component has slow initial load264 265Symptoms:266- First request takes 3-10+ seconds267- Subsequent requests are fast268- Function size limit exceeded error269- Deployment fails with size error270 271Why this breaks:272Vercel serverless functions have a 50MB limit (compressed).273Large functions mean slow cold starts (1-5+ seconds).274Heavy dependencies like puppeteer, sharp can cause this.275 276Recommended fix:277 278Reduce function size:279 280// 1. Use dynamic imports for heavy libs281export async function GET() {282  const sharp = await import('sharp')  // Only loads when needed283  // ...284}285 286// 2. Move heavy processing to edge or external service287export const runtime = 'edge'  // Much smaller, faster cold start288 289// 3. Check bundle size290// npx @next/bundle-analyzer291// Look for large dependencies292 293// 4. Use external services for heavy tasks294// - Image processing: Cloudinary, imgix295// - PDF generation: API service296// - Puppeteer: Browserless.io297 298// 5. Split into multiple functions299// /api/heavy-task/start - Queue the job300// /api/heavy-task/status - Check progress301 302### Edge runtime missing Node.js APIs303 304Severity: HIGH305 306Situation: Using Node.js APIs in edge runtime functions307 308Symptoms:309- X is not defined at runtime310- Cannot find module fs311- Works locally, fails deployed312- Middleware crashes313 314Why this breaks:315Edge runtime runs on V8, not Node.js. Many Node APIs are missing:316fs, path, crypto (partial), child_process, and most native modules.317Your code will fail at runtime with "X is not defined".318 319Recommended fix:320 321Check API compatibility before using edge:322 323// SUPPORTED in Edge:324// - fetch, Request, Response325// - crypto.subtle (Web Crypto)326// - TextEncoder, TextDecoder327// - URL, URLSearchParams328// - Headers, FormData329// - setTimeout, setInterval330 331// NOT SUPPORTED in Edge:332// - fs, path, os333// - Buffer (use Uint8Array)334// - crypto.createHash (use crypto.subtle)335// - Most npm packages with native deps336 337// If you need Node.js APIs:338export const runtime = 'nodejs'  // Use Node runtime instead339 340// For crypto hashing in edge:341// WRONG342import { createHash } from 'crypto'  // Fails in edge343 344// RIGHT345async function hash(message: string) {346  const encoder = new TextEncoder()347  const data = encoder.encode(message)348  const hashBuffer = await crypto.subtle.digest('SHA-256', data)349  return Array.from(new Uint8Array(hashBuffer))350    .map(b => b.toString(16).padStart(2, '0'))351    .join('')352}353 354### Function timeout causes incomplete operations355 356Severity: MEDIUM357 358Situation: Long-running operations timing out359 360Symptoms:361- Task timed out after X seconds362- Incomplete database operations363- Partial file uploads364- Function killed mid-execution365 366Why this breaks:367Vercel has timeout limits:368- Hobby: 10 seconds369- Pro: 60 seconds (can increase to 300)370- Enterprise: 900 seconds371 372Operations exceeding this are killed mid-execution.373 374Recommended fix:375 376Handle long operations properly:377 378// 1. Return early, process async379export async function POST(request: Request) {380  const data = await request.json()381 382  // Queue for background processing383  await queue.add('process-data', data)384 385  // Return immediately386  return Response.json({ status: 'queued' })387}388 389// 2. Use streaming for long responses390export async function GET() {391  const stream = new ReadableStream({392    async start(controller) {393      for (const chunk of generateChunks()) {394        controller.enqueue(chunk)395        await sleep(100)  // Prevents timeout396      }397      controller.close()398    }399  })400  return new Response(stream)401}402 403// 3. Use external services for heavy processing404// - Trigger serverless function, return job ID405// - Process in background (Inngest, Trigger.dev)406// - Client polls for completion407 408// 4. Increase timeout (Pro plan)409// vercel.json:410{411  "functions": {412    "app/api/slow/route.ts": {413      "maxDuration": 60414    }415  }416}417 418### Environment variable missing at runtime but present at build419 420Severity: MEDIUM421 422Situation: Environment variable works in build but undefined at runtime423 424Symptoms:425- Env var is undefined in production426- Value doesn't change after updating in dashboard427- Works in dev, wrong value in production428- Requires redeploy to update value429 430Why this breaks:431Some env vars are only available at build time (hardcoded into bundle).432If you expect a runtime value but it was baked in at build, you get433the build-time value or undefined.434 435Recommended fix:436 437Understand when env vars are read:438 439// BUILD TIME (baked into bundle):440// - NEXT_PUBLIC_* variables441// - next.config.js442// - generateStaticParams443// - Static pages444 445// RUNTIME (read on each request):446// - Server Components (without cache)447// - API Routes448// - Server Actions449// - Middleware450 451// To force runtime reading:452export const dynamic = 'force-dynamic'453 454// For config that must be runtime:455// Don't use NEXT_PUBLIC_, read on server and pass to client456 457// Check which env vars you need:458// Build: URLs, public keys, feature flags (if static)459// Runtime: Secrets, database URLs, user-specific config460 461### CORS errors calling API routes from different domain462 463Severity: MEDIUM464 465Situation: Frontend on different domain can't call API routes466 467Symptoms:468- CORS policy error in browser console469- No Access-Control-Allow-Origin header470- Requests work in Postman but not browser471- Works same-origin, fails cross-origin472 473Why this breaks:474By default, browsers block cross-origin requests. Vercel doesn't475automatically add CORS headers. If your frontend is on a different476domain (or localhost in dev), requests fail.477 478Recommended fix:479 480Add CORS headers to API routes:481 482// app/api/data/route.ts483export async function GET(request: Request) {484  const data = await fetchData()485 486  return Response.json(data, {487    headers: {488      'Access-Control-Allow-Origin': '*',  // Or specific domain489      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',490      'Access-Control-Allow-Headers': 'Content-Type, Authorization',491    },492  })493}494 495// Handle preflight requests496export async function OPTIONS() {497  return new Response(null, {498    headers: {499      'Access-Control-Allow-Origin': '*',500      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',501      'Access-Control-Allow-Headers': 'Content-Type, Authorization',502    },503  })504}505 506// Or use next.config.js for all routes:507module.exports = {508  async headers() {509    return [510      {511        source: '/api/:path*',512        headers: [513          { key: 'Access-Control-Allow-Origin', value: '*' },514        ],515      },516    ]517  },518}519 520### Page shows stale data after deployment521 522Severity: MEDIUM523 524Situation: Updated data not appearing after new deployment525 526Symptoms:527- Old content shows after deploy528- Changes not visible immediately529- Different users see different versions530- Data updates but page doesn't531 532Why this breaks:533Vercel caches aggressively. Static pages are cached at the edge.534Even dynamic pages may be cached if not configured properly.535Old cached versions served until cache expires or is purged.536 537Recommended fix:538 539Control caching behavior:540 541// Force no caching (always fresh)542export const dynamic = 'force-dynamic'543export const revalidate = 0544 545// ISR - revalidate every 60 seconds546export const revalidate = 60547 548// On-demand revalidation (after mutation)549import { revalidatePath, revalidateTag } from 'next/cache'550 551// In Server Action:552async function updatePost(id: string) {553  await db.post.update({ ... })554  revalidatePath(`/posts/${id}`)  // Purge this page555  revalidateTag('posts')          // Purge all with this tag556}557 558// Purge via API (deployment hook):559// POST https://your-site.vercel.app/api/revalidate?path=/posts560 561// Check caching in response headers:562// x-vercel-cache: HIT = served from cache563// x-vercel-cache: MISS = freshly generated564 565## Validation Checks566 567### Secret in NEXT_PUBLIC Variable568 569Severity: CRITICAL570 571Message: Secret exposed via NEXT_PUBLIC_ prefix. This will be visible in browser.572 573Fix action: Remove NEXT_PUBLIC_ prefix and access only in server-side code574 575### Hardcoded Vercel URL576 577Severity: WARNING578 579Message: Hardcoded Vercel URL. Use VERCEL_URL environment variable instead.580 581Fix action: Use process.env.VERCEL_URL or NEXT_PUBLIC_VERCEL_URL582 583### Node.js API in Edge Runtime584 585Severity: ERROR586 587Message: Node.js module used in Edge runtime. fs/path not available in Edge.588 589Fix action: Use runtime = 'nodejs' or remove Node.js dependencies590 591### API Route Without CORS Headers592 593Severity: WARNING594 595Message: API route without CORS headers may fail cross-origin requests.596 597Fix action: Add Access-Control-Allow-Origin header if API is called from other domains598 599### API Route Without Error Handling600 601Severity: WARNING602 603Message: API route without try/catch. Unhandled errors return 500 without details.604 605Fix action: Wrap in try/catch and return appropriate error responses606 607### Secret Read in Static Context608 609Severity: WARNING610 611Message: Server secret accessed in static generation. Value baked into build.612 613Fix action: Move secret access to runtime code or use NEXT_PUBLIC_ for public values614 615### Large Package Import616 617Severity: WARNING618 619Message: Large package imported. May cause slow cold starts. Consider alternatives.620 621Fix action: Use lodash-es with tree shaking, date-fns instead of moment, @aws-sdk/client-* instead of aws-sdk622 623### Dynamic Page Without Revalidation Config624 625Severity: WARNING626 627Message: Dynamic page without revalidation config. Consider setting revalidation strategy.628 629Fix action: Add export const revalidate = 60 for ISR, or 0 for no cache630 631## Collaboration632 633### Delegation Triggers634 635- next.js|app router|pages|server components -> nextjs-app-router (Deployment needs Next.js patterns)636- database|supabase|backend -> supabase-backend (Deployment needs database)637- auth|authentication|session -> nextjs-supabase-auth (Deployment needs auth config)638- monitoring|logs|errors|analytics -> analytics-architecture (Deployment needs monitoring)639 640### Production Launch641 642Skills: vercel-deployment, nextjs-app-router, supabase-backend, nextjs-supabase-auth643 644Workflow:645 646```6471. App configuration (nextjs-app-router)6482. Database setup (supabase-backend)6493. Auth config (nextjs-supabase-auth)6504. Deploy (vercel-deployment)651```652 653### CI/CD Pipeline654 655Skills: vercel-deployment, devops, qa-engineering656 657Workflow:658 659```6601. Test automation (qa-engineering)6612. Pipeline config (devops)6623. Deploy strategy (vercel-deployment)663```664 665## Related Skills666 667Works well with: `nextjs-app-router`, `supabase-backend`668 669## When to Use670- User mentions or implies: vercel671- User mentions or implies: deploy672- User mentions or implies: deployment673- User mentions or implies: hosting674- User mentions or implies: production675- User mentions or implies: environment variables676- User mentions or implies: edge function677- User mentions or implies: serverless function678 679## Limitations680- Use this skill only when the task clearly matches the scope described above.681- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.682- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.