Next.js Updates & Release Notes

Note

This release is backporting bug fixes. It does
not
include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
• [backport] Propagate adapter preferred regions (#94200)
• [16.2.x] Don't drop FormData entries (#94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @eps1lon, @icyJoseph, @unstubbable, @mischnic, @bgw, @timneutkens, and @lukesandberg for helping!

Note

This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

Note

This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#92231)
• Fix fallback route params case in app-page handler (#91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
• Patch setHeader for direct route handlers (#93101)
• Include deployment id in cacheHandlers keys (#93453)
• Fix double-encoding of URL pathname parts in client param parsing (#93491)

This release contains security fixes for the following advisories:

High

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!

Note

This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @icyJoseph, @sokra, @wbinnssmith, @eps1lon, and @ztanner for helping!

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter (#92177)
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @nextjs-bot, @icyJoseph, @ijjk, @gaojude, @wbinnssmith, @lukesandberg, and @bgw for helping!

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @icyJoseph, @abhishekmardiya, @ijjk, @mischnic, @unstubbable, @sokra, and @lukesandberg for helping!

Tip

Check out our Next v16.2
Blog Post to learn more about this release.

Core Changes

• Upgrade React from f93b9fd4-20251217 to 65eec428-20251218 : #87323
• Turbopack: Create junction points instead of symlinks on Windows: #87606
• Turbopack: Symlink handling follow-up: #87637
• Add experimental routing package for resolving adapter routes: #86404
• Ensure outputs are correct with cache components in deployment adapters: #87018
• Move off of deprecated url.parse: #87257
• [strict-route-types] Add experimental.strictRouteTypes config: #87378
• misc: fix type check log for CI envs: #87838
• fix: revalidateTag with profile should not trigger client cache invalidation: #88069
• chore: warn when running tests against stale build: #88001
• Redesign default error pages with cleaner, more user-friendly UI: #87988
• dx: avoid next-env.d.ts change in dev: #88103
• prevent browser cache from using stale RSC responses from previous builds: #86554
• [strict-route-types] Typecheck App Router page props: #87386
• [strict-route-types] Enforce common React Component return types in App Router: #87389
• [strict-route-types] Switch to satisfies when validating page and route modules: #87398
• [strict-route-types] Don't reject number in config.api.bodyParser.sizeLimit when validating route: #87633
• Revert "dx: avoid next-env.d.ts change in dev": #88153
• [strict-route-types] Typecheck pages router routes in absence of App Router: #87628
• [strict-route-types] Ensure cache profiles and routes are type-checked even if .next is excluded: #87768
• add compilation error for taint when not enabled: #88173
• feat(next/image)!: add images.maximumResponseBody config: #88183
• Add maximum size limit for postponed body parsing: #88175
• metadata: use fixed segment in dynamic routes with static metadata files: #88113
• feat: add --experimental-cpu-prof flag for dev, build, and start: #87946
• Add experimental option to use no-cache instead of no-store in dev: #88182
• fix overlay frames cannot be opened sometimes: #88210
• Handle pnpm-workspace.yaml while searching for monorepo root: #74818
• Add more debug logs to use cache wrapper: #88219
• Omit unused arguments from use cache function calls: #86920
• Only log pending revalidates... debug log if applicable: #88221
• fix(next/image): bump [email protected]: #88238
• Disallow javascript urls in router methods and redirects: #88185
• Fix relative same host redirects in node middleware: #88253
• Remove loadConfig from main development process, pass value from child process: #88230
• Update deploy adapters outputs and handler interfaces for node and edge: #88247
• Move Ready in time before handler initialization: #88235
• next/image: support custom cache handlers: #88248
• feat: add Claude Code plugin marketplace with Cache Components skill: #87993
• refactor: consolidate PPR into cacheComponents architecture: #88243
• Turbopack: include fewer traced files for standalone: #88322
• feat(turbopack): add resolve plugin condition variant of Always and Never: #88190
• perf: use length = 0 to clear the logging array: #88244
• Time logs: Show full millisecond instead of 1 decimal: #88313
• [turbopack] Enable inferring module side effects by default: #87216
• Track search string as part of "refresh state": #87203
• Pass RouteTree into navigation function: #87256
• Read from segment cache unknown routes: #87293
• Pass loading boundary as part of RSC data: #87825
• Revert "refactor: consolidate PPR into cacheComponents architecture ( #88243 )": #88421
• fix: support TypeScript noUncheckedSideEffectImports for CSS imports: #88199
• Don't import typescript at runtime: #88321
• fix: use RDC for server action requests: #88129
• Warn when overriding Cache-Control header on /_next/ routes: #88353
• [prebuilt-skew-protection] feat: adding in automatic deploymentId: #88012
• Revert "[prebuilt-skew-protection] feat: adding in automatic deploymentId": #88449
• Turbopack: Update reqwest, remove experimental system TLS feature: #88290
• Revert "prevent browser cache from using stale RSC responses from pre…: #88457
• Turbopack: retain loader tree order for metadata: #88487
• Turbopack: more dead code: #88505
• fix(build): prevent route handler manifests from inheriting unrelated client components: #88419
• Upgrade React from 65eec428-20251218 to 3e1abcc8-20260113 : #88530
• Better typesafety for interopDefault: #88486
• keep next-env.d.s unchanged between dev and build: #88428
• Remove sibling caches from CacheNode tree: #87991
• Upgrade React from 3e1abcc8-20260113 to 4a3d993e-20260114 : #88547
• Finish deleting Mutable from router implementation: #88046
• fetch(next/image): reduce maximumResponseBody from 300MB to 50MB: #88588
• [CC] Fix dev validation error from server action bound args: #88600
• Fix incorrect 'Ready in' time for next start: #88589
• feat: server action logging: #88277
• Log browser error and warnings in terminal: #88352
• Upgrade React from 4a3d993e-20260114 to bef88f7c-20260116 : #88649
• fix: make RedirectType constant properties literal types: #88653
• Turbopack: add support for matching loaders on resource queries: #88644
• fix: capture promisified setImmediate separately: #88346
• fix: setImmediate[util.promisify.custom] access fails in edge runtime: #88685
• Fix --debug-build-paths bracket escaping for glob patterns: #88660
• Add negation pattern support to --debug-build-paths : #88654
• Only filter next config if experimental flag is enabled: #88733
• [Devtool Indicator] Fix cross alignment: #88664
• Turbopack: don't use build id for pages router client-side manifests: #88641
• Allow inspecting server with next start --inspect : #88744
• Turbopack: Add --debug-build-paths support to filter routes: #88655
• Upgrade React from bef88f7c-20260116 to 41b3e9a6-20260119 : #88756
• Use rewritten pathname for implicit cache tags: #88732
• Upgrade React from 41b3e9a6-20260119 to d2908752-20260119 : #88774
• Add experimental_gesturePush to App Router: #88776
• Rename rewroteURL to rewrittenPathname in request metadata: #88751
• Simplify getImplicitTags to accept pathname instead of url object: #88753
• Add NEXT_DEPLOYMENT_ID global: #86738
• Turbopack: remove deployment id suffix from client reference manifest chunks: #88741
• Inject <html data-dpl-id> and don't inline it into JS anymore: #88761
• [metadata] match the Metadata and ResolvedMetadata type: #88739
• Reuse bfcache data during Full prefetches: #88606
• Embed static sibling info in route tree: #88692
• Fix revalidatePath with params and trailing slash when deployed: #88623
• fix: preserve cache behavior for PPR fallback shells with root params: #88556
• Upgrade React from d2908752-20260119 to b546603b-20260121 : #88860
• stabilize browser log forward options: #88857
• [devtools] Wrap long file names of stack frames in the error overlay: #88886
• [devtools] Fix notch coloring of error overlay in forced colors mode: #88892
• Remove deploymentId from App Router RenderOptsPartial : #88866
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache: #88509
• [prebuilt-skew-protection] feat: adding in automatic deploymentId: #88496
• [devtool] Add hydration diff indicator for diff lines: #88919
• Revert "[prebuilt-skew-protection] feat: adding in automatic deploymentId": #88942
• [turbopack] add task type infromation to the print_cache_item_size feature: #88925
• Upgrade React from b546603b-20260121 to 24d8716e-20260123 : #88963
• Turbopack: add ?dpl= to all asset urls returned by Turbopack: #88828
• feat(next-codemod): add agents-md command for AI coding agents: #88961
• Update font data: #88975
• Improve agents-md prompt to force doc retrieval: #88997
• [Reapply] Add useEffectEvent to disallowed React APIs in Server Components: #88985
• Apply fixes for onBuildComplete and route module: #88831
• Rename renderOpts.nextExport to isBuildTimePrerendering : #88951
• docs: fix typos in README.mds: #89022
• refactor: consume global-error from loader tree: #88437
• Fix chunk loading when using __turbopack_load_by_url__ with query: #88899
• [mcp] change the mcp endpoint response to JSON: #88911
• Reapply "[turbopack] Add bundling support for worker_threads" ( #88725 ): #88967
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth: #89040
• Upgrade React from 24d8716e-20260123 to 8c34556c-20260126 : #89066
• Use null-prototype objects in server actions manifests: #89069
• Re-enable types-and-precompiled: #89070
• Apply segment changes to adapters outputs: #89072
• Improve no response route handler error: #89036
• Limit number of server action arguments to 1000: #89068
• [prebuilt-skew-protection] feat: adding in automatic deploymentId: #88958
• Decouple route stale time from segment-level data: #88834
• Decouple route and segment cache lifecycles: #88989
• [ci] Silence baseline-browser-mapping warnings: #89175
• [Cache Components] Prevent streaming fetch calls from hanging in dev: #89171
• React types update: #89110
• [nextjs] feat: removing length requirement: #89173
• add GPTBot to matcher for known bots: #89188
• Ensure .md licenses are included in vendored packages: #89201
• Switch development log item format as JSON: #89168
• IsolatedDevBuild flag removal: #89167
• fix: coerce HEAD to GET for internal images: #84180
• Upgrade React from 10680271-20260126 to 230772f9-20260128 : #89250
• Upgrade tar used to extract SWC binary : #89158
• Sort prerender manifest routes: #89246
• Track vary params for segments without server-side param access: #88998
• Optimistic routing: client-side route prediction: #88965
• Keep pages/404.js to be able to dynamically render it anyway: #89263
• fix: fully static pages should e...