Next.js Release Notes

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!

Note

This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @icyJoseph, @sokra, @wbinnssmith, @eps1lon, and @ztanner for helping!

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter (#92177)
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @nextjs-bot, @icyJoseph, @ijjk, @gaojude, @wbinnssmith, @lukesandberg, and @bgw for helping!

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @icyJoseph, @abhishekmardiya, @ijjk, @mischnic, @unstubbable, @sokra, and @lukesandberg for helping!

Tip

Check out our Next v16.2
Blog Post to learn more about this release.

Core Changes

• Upgrade React from f93b9fd4-20251217 to 65eec428-20251218 : #87323
• Turbopack: Create junction points instead of symlinks on Windows: #87606
• Turbopack: Symlink handling follow-up: #87637
• Add experimental routing package for resolving adapter routes: #86404
• Ensure outputs are correct with cache components in deployment adapters: #87018
• Move off of deprecated url.parse: #87257
• [strict-route-types] Add experimental.strictRouteTypes config: #87378
• misc: fix type check log for CI envs: #87838
• fix: revalidateTag with profile should not trigger client cache invalidation: #88069
• chore: warn when running tests against stale build: #88001
• Redesign default error pages with cleaner, more user-friendly UI: #87988
• dx: avoid next-env.d.ts change in dev: #88103
• prevent browser cache from using stale RSC responses from previous builds: #86554
• [strict-route-types] Typecheck App Router page props: #87386
• [strict-route-types] Enforce common React Component return types in App Router: #87389
• [strict-route-types] Switch to satisfies when validating page and route modules: #87398
• [strict-route-types] Don't reject number in config.api.bodyParser.sizeLimit when validating route: #87633
• Revert "dx: avoid next-env.d.ts change in dev": #88153
• [strict-route-types] Typecheck pages router routes in absence of App Router: #87628
• [strict-route-types] Ensure cache profiles and routes are type-checked even if .next is excluded: #87768
• add compilation error for taint when not enabled: #88173
• feat(next/image)!: add images.maximumResponseBody config: #88183
• Add maximum size limit for postponed body parsing: #88175
• metadata: use fixed segment in dynamic routes with static metadata files: #88113
• feat: add --experimental-cpu-prof flag for dev, build, and start: #87946
• Add experimental option to use no-cache instead of no-store in dev: #88182
• fix overlay frames cannot be opened sometimes: #88210
• Handle pnpm-workspace.yaml while searching for monorepo root: #74818
• Add more debug logs to use cache wrapper: #88219
• Omit unused arguments from use cache function calls: #86920
• Only log pending revalidates... debug log if applicable: #88221
• fix(next/image): bump [email protected]: #88238
• Disallow javascript urls in router methods and redirects: #88185
• Fix relative same host redirects in node middleware: #88253
• Remove loadConfig from main development process, pass value from child process: #88230
• Update deploy adapters outputs and handler interfaces for node and edge: #88247
• Move Ready in time before handler initialization: #88235
• next/image: support custom cache handlers: #88248
• feat: add Claude Code plugin marketplace with Cache Components skill: #87993
• refactor: consolidate PPR into cacheComponents architecture: #88243
• Turbopack: include fewer traced files for standalone: #88322
• feat(turbopack): add resolve plugin condition variant of Always and Never: #88190
• perf: use length = 0 to clear the logging array: #88244
• Time logs: Show full millisecond instead of 1 decimal: #88313
• [turbopack] Enable inferring module side effects by default: #87216
• Track search string as part of "refresh state": #87203
• Pass RouteTree into navigation function: #87256
• Read from segment cache unknown routes: #87293
• Pass loading boundary as part of RSC data: #87825
• Revert "refactor: consolidate PPR into cacheComponents architecture ( #88243 )": #88421
• fix: support TypeScript noUncheckedSideEffectImports for CSS imports: #88199
• Don't import typescript at runtime: #88321
• fix: use RDC for server action requests: #88129
• Warn when overriding Cache-Control header on /_next/ routes: #88353
• [prebuilt-skew-protection] feat: adding in automatic deploymentId: #88012
• Revert "[prebuilt-skew-protection] feat: adding in automatic deploymentId": #88449
• Turbopack: Update reqwest, remove experimental system TLS feature: #88290
• Revert "prevent browser cache from using stale RSC responses from pre…: #88457
• Turbopack: retain loader tree order for metadata: #88487
• Turbopack: more dead code: #88505
• fix(build): prevent route handler manifests from inheriting unrelated client components: #88419
• Upgrade React from 65eec428-20251218 to 3e1abcc8-20260113 : #88530
• Better typesafety for interopDefault: #88486
• keep next-env.d.s unchanged between dev and build: #88428
• Remove sibling caches from CacheNode tree: #87991
• Upgrade React from 3e1abcc8-20260113 to 4a3d993e-20260114 : #88547
• Finish deleting Mutable from router implementation: #88046
• fetch(next/image): reduce maximumResponseBody from 300MB to 50MB: #88588
• [CC] Fix dev validation error from server action bound args: #88600
• Fix incorrect 'Ready in' time for next start: #88589
• feat: server action logging: #88277
• Log browser error and warnings in terminal: #88352
• Upgrade React from 4a3d993e-20260114 to bef88f7c-20260116 : #88649
• fix: make RedirectType constant properties literal types: #88653
• Turbopack: add support for matching loaders on resource queries: #88644
• fix: capture promisified setImmediate separately: #88346
• fix: setImmediate[util.promisify.custom] access fails in edge runtime: #88685
• Fix --debug-build-paths bracket escaping for glob patterns: #88660
• Add negation pattern support to --debug-build-paths : #88654
• Only filter next config if experimental flag is enabled: #88733
• [Devtool Indicator] Fix cross alignment: #88664
• Turbopack: don't use build id for pages router client-side manifests: #88641
• Allow inspecting server with next start --inspect : #88744
• Turbopack: Add --debug-build-paths support to filter routes: #88655
• Upgrade React from bef88f7c-20260116 to 41b3e9a6-20260119 : #88756
• Use rewritten pathname for implicit cache tags: #88732
• Upgrade React from 41b3e9a6-20260119 to d2908752-20260119 : #88774
• Add experimental_gesturePush to App Router: #88776
• Rename rewroteURL to rewrittenPathname in request metadata: #88751
• Simplify getImplicitTags to accept pathname instead of url object: #88753
• Add NEXT_DEPLOYMENT_ID global: #86738
• Turbopack: remove deployment id suffix from client reference manifest chunks: #88741
• Inject <html data-dpl-id> and don't inline it into JS anymore: #88761
• [metadata] match the Metadata and ResolvedMetadata type: #88739
• Reuse bfcache data during Full prefetches: #88606
• Embed static sibling info in route tree: #88692
• Fix revalidatePath with params and trailing slash when deployed: #88623
• fix: preserve cache behavior for PPR fallback shells with root params: #88556
• Upgrade React from d2908752-20260119 to b546603b-20260121 : #88860
• stabilize browser log forward options: #88857
• [devtools] Wrap long file names of stack frames in the error overlay: #88886
• [devtools] Fix notch coloring of error overlay in forced colors mode: #88892
• Remove deploymentId from App Router RenderOptsPartial : #88866
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache: #88509
• [prebuilt-skew-protection] feat: adding in automatic deploymentId: #88496
• [devtool] Add hydration diff indicator for diff lines: #88919
• Revert "[prebuilt-skew-protection] feat: adding in automatic deploymentId": #88942
• [turbopack] add task type infromation to the print_cache_item_size feature: #88925
• Upgrade React from b546603b-20260121 to 24d8716e-20260123 : #88963
• Turbopack: add ?dpl= to all asset urls returned by Turbopack: #88828
• feat(next-codemod): add agents-md command for AI coding agents: #88961
• Update font data: #88975
• Improve agents-md prompt to force doc retrieval: #88997
• [Reapply] Add useEffectEvent to disallowed React APIs in Server Components: #88985
• Apply fixes for onBuildComplete and route module: #88831
• Rename renderOpts.nextExport to isBuildTimePrerendering : #88951
• docs: fix typos in README.mds: #89022
• refactor: consume global-error from loader tree: #88437
• Fix chunk loading when using __turbopack_load_by_url__ with query: #88899
• [mcp] change the mcp endpoint response to JSON: #88911
• Reapply "[turbopack] Add bundling support for worker_threads" ( #88725 ): #88967
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth: #89040
• Upgrade React from 24d8716e-20260123 to 8c34556c-20260126 : #89066
• Use null-prototype objects in server actions manifests: #89069
• Re-enable types-and-precompiled: #89070
• Apply segment changes to adapters outputs: #89072
• Improve no response route handler error: #89036
• Limit number of server action arguments to 1000: #89068
• [prebuilt-skew-protection] feat: adding in automatic deploymentId: #88958
• Decouple route stale time from segment-level data: #88834
• Decouple route and segment cache lifecycles: #88989
• [ci] Silence baseline-browser-mapping warnings: #89175
• [Cache Components] Prevent streaming fetch calls from hanging in dev: #89171
• React types update: #89110
• [nextjs] feat: removing length requirement: #89173
• add GPTBot to matcher for known bots: #89188
• Ensure .md licenses are included in vendored packages: #89201
• Switch development log item format as JSON: #89168
• IsolatedDevBuild flag removal: #89167
• fix: coerce HEAD to GET for internal images: #84180
• Upgrade React from 10680271-20260126 to 230772f9-20260128 : #89250
• Upgrade tar used to extract SWC binary : #89158
• Sort prerender manifest routes: #89246
• Track vary params for segments without server-side param access: #88998
• Optimistic routing: client-side route prediction: #88965
• Keep pages/404.js to be able to dynamically render it anyway: #89263
• fix: fully static pages should e...

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

Note

This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#82340)
• Turbopack: support pattern into exports field (#82757)
• NFT tracing fixes (#84155 and #85323)
• Turbopack: validate CSS without computing all paths (#83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @timneutkens , @mischnic , @ztanner , and @wyattjoh for helping!