Since sharp became a direct dependency of Next.js, we now have legal issues with using Next.js v15.
Our company-set pipeline license checker action (snyk) automatically stops the PR validation and stops us from upgrading to v15.
I already started a conversation about it with the legal department, but what I have so far is:
The LGPL-3.0 (Lesser General Public License) is a concern mainly due to how it governs usage, distribution, and modifications of libraries within other software. Specifically:
Copyleft Requirements: LGPL-3.0 is a "weak copyleft" license, meaning that if you modify the LGPL-licensed library itself, you must release those modifications under the same LGPL license. However, you don't have to release the entire codebase under LGPL—only the changes to the LGPL-licensed library.
Distribution Implications: If you distribute software that statically links or tightly integrates with LGPL-licensed code, you might need to provide users with access to the library source code and instructions on how they could replace it in your application. In a frontend context, this could potentially mean offering a way for end-users to swap out the LGPL library in your distributed code, which can be challenging in web apps.
Compatibility with Commercial Use: Many companies avoid LGPL in commercial software because of the obligation to share library modifications and the potential complications if they want to embed or redistribute the code in products.
I'm not a lawyer, so I'm not sure how to handle this case, but from my understanding Next.js shouldn't have this kind of dependency.
Please help!
Current vs. Expected behavior
Next.js shouldn't have a dependency with an LGPL-3.0 license
Provide environment information
Next.js 15.x
Which area(s) are affected? (Select all that apply)
Not sure
Which stage(s) are affected? (Select all that apply)
Other (Deployed)
Additional context
No response
I am not a lawyer. But I do not know if this license issue is really an issue in this case.
sharp is from the same person who provides/supports libvips, and sharp is released under the Apache License Version 2.0, not LGPL-3.0.
Normally the libvips native code is not bundled, so it is not "changed" in server-side applications.
sharp just uses the binaries.
So yes, it is linked, but in sharp (Apache license), and you are not touching/changing anything. So I see no problem here.
Link to the code that reproduces this issue
https://codesandbox.io/p/devbox/lucid-cohen-8r5tyq?workspaceId=cf95a29a-9e60-48fa-8cf5-0d217db0d3c6