Releases: vercel/next.js
Releases Β· vercel/next.js
v16.3.0-canary.21
Core Changes
- Redesign dev overlay: cleaner shell + instant fix-card guidance: #93755
Misc Changes
- Trace middleware/proxy source files in webpack NFT pipeline: #93871
Credits
Huge thanks to @unstubbable and @yavorpunchev for helping!
Contributors
unstubbable and yavorpunchev
Assets 2
v16.3.0-canary.20
Core Changes
- [turbopack] fix feature usage telemetry: #93100
- Add an info panel for the existing "Cache disabled" indicator: #93756
- Convert test/integration to isolated tests: #93247
- Extend instant error overlay to metadata, viewport, and sync IO errors: #93287
- Turbopack: expose hashes of source files to adapters: #93539
- bfcacheId: Opt out of state preservation: #93633
- Honor Suspense-above-body opt-in for dynamic
generateViewport: #93759 - Add
next internal static-routes-infoCLI command: #93399 - Craigandrews/ensure isr lru is written if requests collapsed: #93766
- Fix catch-all
router.querycorruption withbasePath+rewrites: #93294 - Surface invalid dynamic usage errors via Flight in dev: #93706
- Upgrade React from
dd453071-20260506tod5736f09-20260507: #93702 - Show inner
"use cache"as cause of nested-dynamic cache error: #93707 - Fix server action forwarding loop with middleware rewrites: #93792
- Instant Insights: When unable to complete validation provide a filename for the unvalidated boundary: #93770
Example Changes
- [examples] migrate cloudinary to vercel-blob: #93762
Misc Changes
- Turbopack: don't generate next-server.js.nft.json with adapters: #93684
- Repo: Add gh stack skill: #93705
- Fix React 18 tests: #93763
- docs: clarify cacheTag limit - it is per call: #93768
- docs: devIndicators with usage example: #93784
- Convert tests using createNext -> nextTestSetup: #93767
- Turbopack: fix lock-order inversion between Storage::map and Storage::snapshots: #93788
- [turbopack] Enforce
rootattribute for strongly consistent reads and collectibles: #93114 - Fix Turbopack worker_threads URL resolution: #93432
- docs: less aggressive AI agent hint for an experimental API: #93811
- docs: fix typos and links: #92541
- docs: less aggressive AI agent hint for an experimental API: #93814
- Patch
playwright-coreto resolve_finishedPromiseonrequestFailed: #93802 - Revert "[test] Skip flaky
cached-navigationstests": #93798 - fix: GNU xargs warns about incompatible --replace/--max-args: #93821
- fix: renumber non-sequential errors in errors.json: #93824
- simplify session dependent tasks (#91729): #93227
- fetch: respect HTTP Cache-Control headers with TTL-based invalidation (#91729): #93228
- [CC] fix: cachedNavigations missing asyncApiPromises in resumes: #93827
- Fix
Date.now()cause shadowing in sync IO error overlay: #93857 - Mark .agents/skills as internal so external
npx skills addhides them: #93856 - Instant Insights: only report non-validatable if dev render is error free: #93858
- Remove partialFallbacks config flag: #93859
- Fix warning in new apps caused by incorrect image dimensions: #93826
Credits
Huge thanks to @lukesandberg, @mischnic, @unstubbable, @timneutkens, @aurorascharff, @icyJoseph, @acdlite, @christopherkindl, @sokra, @gnoff, @publictheta, @gaojude, @unclebay143, @lubieowoce, @vercel-release-bot, and @samselikoff for helping!
Contributors
lukesandberg, unstubbable, and 14 other contributors
Assets 2
v16.3.0-canary.19
Misc Changes
- Proof of concept: task eviction after snapshot for turbo-tasks-backend: #91790
Credits
Huge thanks to @lukesandberg for helping!
Contributors
lukesandberg
Assets 2
v16.3.0-canary.18
Core Changes
- Remove redundant instant navigation prefetch header: #93713
- Instant Insights: Favor reporting errors from all potential navigations over reporting a failed attempt to validate when a slot is missing: #93714
Misc Changes
- CI speed improvements: #93411
Credits
Huge thanks to @acdlite, @gnoff, and @timneutkens for helping!
Contributors
gnoff, acdlite, and timneutkens
Assets 2
v16.3.0-canary.17
Core Changes
- Stabilize
unstable_io: #93621 - Use Next.js version as Turbopack persistent cache versioning key: #93605
- feat(turbopack): add chunkLoadingGlobal config option: #93488
- fix(devtools): render nested error messages with HotlinkedText: #93620
- Fix: Improved rewrite detection during optimistic routing: #93619
- Fix "type: module" in project dir when using standalone or adapters: #93612
- Instant Insights: favor reported errors over missing slots: #93709
Misc Changes
- Trace-server: Fix bottom up, and reduce allocations in turbopack-trace-server bottom-up grouping: #93460
- turbopack: reschedule stale tasks with correct invalidation priority: #92897
- [ci] Also pin first-party GH actions: #93609
- Remove ineffective turbo-tasks: #91341
Credits
Huge thanks to @gnoff, @sokra, @tim123abc, @aurorascharff, @acdlite, @timneutkens, @bgw, and @lukesandberg for helping!
Contributors
bgw, lukesandberg, and 6 other contributors
Assets 2
v16.3.0-canary.16
Core Changes
- Hold
cacheSignalacrossunstable_cacheforeground revalidation: #93617 - Encode non-ASCII characters in cache tags at construction: #93601
Credits
Huge thanks to @unstubbable for helping!
Contributors
unstubbable
Assets 2
v16.3.0-canary.15
Core Changes
- [devtools] Force ANSI colors on overlay code frames regardless of TTY: #93550
- Turbopack: Match proxy matchers with webpack implementation: #93594
- Track
searchParamsaccess through a Proxy to catch missing-key reads: #93549 - Cherry-pick ghsa commits to canary: #93614
Misc Changes
- docs: escape literal triple-backticks in contribution guide: #93584
- [test] Pin package manager to patch versions: #93592
- turbo-rcstr: replace
rcstr!macro_rules with proc macro: #93551 - Turbopack: Fix middleware matcher suffix: #93590
- Turbopack: Change DynEffect::dyn_value to DynEffect::value_hash, a simple u128: #93552
- [ci] Ensure graphite_ci_optimizer fails open even if github fails to fetch the action: #93615
Credits
Huge thanks to @aurorascharff, @icyJoseph, @eps1lon, @lukesandberg, @timneutkens, @unstubbable, and @bgw for helping!
Contributors
bgw, lukesandberg, and 5 other contributors
Assets 2
v16.3.0-canary.14
Contributors
mmastrac, sokra, and mischnic
Assets 2
v16.2.6
Note
This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.
Security Fixes
The following advisories have been addressed:
High:
- GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
- GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
- GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
- GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
- GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
- GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
- GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n
Moderate:
- GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
- GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
- GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
- GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses
Low:
- GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
- GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned
Core Changes
- fix: preserve HTTP access fallbacks during prerender recovery (#92231)
- Fix fallback route params case in app-page handler (#91737)
- Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
- Patch setHeader for direct route handlers (#93101)
- Include deployment id in
cacheHandlerskeys (#93453) - Fix double-encoding of URL pathname parts in client param parsing (#93491)
v15.5.18
This release contains security fixes for the following advisories:
High:
- GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
- GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
- GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
- GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
- GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
- GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
- GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n
Moderate:
- GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
- GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
- GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
- GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses
Low: