commit 766148f9cd48c0e218acafcd0f15defc14871bf4 Author: Sebastian "Sebbie" Silbermann Date: Wed May 6 19:06:11 2026 +0200 v16.2.5 lerna.json | 2 +- packages/create-next-app/package.json | 2 +- packages/eslint-config-next/package.json | 4 ++-- packages/eslint-plugin-internal/package.json | 2 +- packages/eslint-plugin-next/package.json | 2 +- packages/font/package.json | 2 +- packages/next-bundle-analyzer/package.json | 2 +- packages/next-codemod/package.json | 2 +- packages/next-env/package.json | 2 +- packages/next-mdx/package.json | 2 +- packages/next-playwright/package.json | 2 +- packages/next-plugin-storybook/package.json | 2 +- packages/next-polyfill-module/package.json | 2 +- packages/next-polyfill-nomodule/package.json | 2 +- packages/next-routing/package.json | 2 +- packages/next-rspack/package.json | 2 +- packages/next-swc/package.json | 2 +- packages/next/package.json | 14 +++++++------- packages/react-refresh-utils/package.json | 2 +- packages/third-parties/package.json | 4 ++-- pnpm-lock.yaml | 16 ++++++++-------- 21 files changed, 36 insertions(+), 36 deletions(-) commit 0dd94836a8b43209fcfefa448c141683c22c1a27 Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Fri May 1 12:15:38 2026 -0700 fix: add explicit checks for RSC header (#83) (#98) (cherry picked from commit 807e363b13cc9395aa74f75122d1d16b4a46dc1a) packages/next/src/build/templates/app-page.ts | 6 ++++-- packages/next/src/server/app-render/app-render.tsx | 3 ++- packages/next/src/server/base-server.ts | 5 +++-- .../next/src/server/lib/is-rsc-request.test.ts | 18 ++++++++++++++++ packages/next/src/server/lib/is-rsc-request.ts | 9 ++++++++ .../src/server/lib/router-utils/resolve-routes.ts | 3 ++- packages/next/src/server/web/adapter.ts | 3 ++- .../cdn-cache-busting/cdn-cache-busting.test.ts | 25 ++++++++++++++++++++++ 8 files changed, 65 insertions(+), 7 deletions(-) commit d166096c399c4fc4e09cd2d1bf26dca6579a855d Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Fri May 1 12:15:28 2026 -0700 fix proxy matching for segment prefetch URLs (#89) (#96) * fix: proxy should match segment prefetches for canonical urls * include .rsc handling .../build/analysis/get-page-static-info.test.ts | 53 ++++++++++++++++++++-- .../src/build/analysis/get-page-static-info.ts | 23 ++++++++-- 2 files changed, 69 insertions(+), 7 deletions(-) commit 9d50c0b7190f59c470308578e12882788819f14c Author: Josh Story Date: Fri May 1 09:18:31 2026 -0700 Strip next-resume header from incoming requests (#92) This header is used by proxies to perform a concatenating resume render for partial prerendering. It is never sent from the client so we can filter it out when running in a mode that does not have an intermediate proxy. packages/next/src/server/lib/server-ipc/utils.ts | 1 + .../app-dir/max-postponed-state-size/max-postponed-state-size.test.ts | 3 +++ 2 files changed, 4 insertions(+) commit df7ab5ad72f046ac5f92781278b4d9128aac25a5 Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Wed Apr 29 10:17:30 2026 -0700 fix: skip internal param normalization in unsupported environments .../next/src/server/route-modules/route-module.ts | 8 ++++++- .../required-server-files/middleware-node.js | 3 +++ .../required-server-files/middleware.js | 3 +++ .../required-server-files.test.ts | 25 ++++++++++++++++++++++ 4 files changed, 38 insertions(+), 1 deletion(-) commit ed41d1d454c3c09e215e1204f9e4f980fbb15897 Author: Josh Story Date: Wed Apr 29 08:28:35 2026 -0700 Move htmlescape to shared/lib (#91) we have auditing that server files aren't included in client chunks but the new htmlescape usage in next/script is causing that validation to fail. This refactors the utility into lib/shared packages/next/src/client/script.tsx | 2 +- packages/next/src/pages/_document.tsx | 2 +- .../metadata-insertion/create-server-inserted-metadata.tsx | 2 +- packages/next/src/server/app-render/use-flight-response.tsx | 5 ++++- packages/next/src/{server => shared/lib}/htmlescape.ts | 0 test/unit/htmlescape.test.ts | 2 +- 6 files changed, 8 insertions(+), 5 deletions(-) commit b4c6705c70a08fd82fbc6d140956528a8c30505b Author: JJ Kasper Date: Tue Apr 21 16:30:03 2026 -0700 Ignore malformed CSP nonce headers .../get-script-nonce-from-header.test.ts | 28 ++++++++++++++++ .../app-render/get-script-nonce-from-header.tsx | 38 +++++----------------- .../create-server-inserted-metadata.test.ts | 12 +++++++ .../create-server-inserted-metadata.tsx | 6 +++- .../src/server/app-render/use-flight-response.tsx | 4 +-- packages/next/src/server/htmlescape.ts | 17 ++++++++++ .../subresource-integrity.test.ts | 18 +++++----- 7 files changed, 82 insertions(+), 41 deletions(-) commit 5b194ee2d452744eb839856a670bdc33b03062c4 Author: JJ Kasper Date: Tue Apr 21 13:36:26 2026 -0700 router-server: guard upgrade proxy against absolute-url SSRF (#77) * test: add rewrite request smuggling coverage * router-server: guard upgrade proxy against absolute-url SSRF * test: relax rewrite smuggling socket timeout * router-server: preserve local websocket upgrades packages/next/src/server/lib/router-server.ts | 21 ++++--- .../rewrite-request-smuggling.test.ts | 70 +++++++++++++++++++++- 2 files changed, 82 insertions(+), 9 deletions(-) commit cb171d749412b27d1602efdae210c89a30851935 Author: JJ Kasper Date: Tue Apr 21 12:36:19 2026 -0700 Fix i18n middleware matching for default-locale data routes (#82) * Fix i18n middleware matching for default-locale data routes * unskip node middleware on deploy .../src/server/lib/router-utils/resolve-routes.ts | 15 +++ test/e2e/middleware-general/test/index.test.ts | 33 ++++++- test/e2e/middleware-matcher/index.test.ts | 106 +++++++++++++++++++++ 3 files changed, 150 insertions(+), 4 deletions(-) commit 89e995431a2e7a50f64c5510813bee156038e973 Author: Sebastian "Sebbie" Silbermann Date: Tue Apr 21 23:37:08 2026 +0200 [16.x] Type hardening and performance improvements (#80) ...ver-dom-turbopack-client.browser.development.js | 2 +- ...rver-dom-turbopack-client.browser.production.js | 2 +- ...server-dom-turbopack-client.edge.development.js | 2 +- ...-server-dom-turbopack-client.edge.production.js | 2 +- ...server-dom-turbopack-client.node.development.js | 2 +- ...-server-dom-turbopack-client.node.production.js | 2 +- ...ver-dom-turbopack-server.browser.development.js | 64 ++++++++------- ...rver-dom-turbopack-server.browser.production.js | 62 +++++++------- ...server-dom-turbopack-server.edge.development.js | 76 ++++++++++------- ...-server-dom-turbopack-server.edge.production.js | 74 ++++++++++------- ...server-dom-turbopack-server.node.development.js | 94 ++++++++++++++-------- ...-server-dom-turbopack-server.node.production.js | 92 +++++++++++++-------- ...ver-dom-turbopack-client.browser.development.js | 6 +- ...rver-dom-turbopack-client.browser.production.js | 2 +- ...server-dom-turbopack-client.edge.development.js | 2 +- ...-server-dom-turbopack-client.edge.production.js | 2 +- ...server-dom-turbopack-client.node.development.js | 2 +- ...-server-dom-turbopack-client.node.production.js | 2 +- ...ver-dom-turbopack-server.browser.development.js | 64 ++++++++------- ...rver-dom-turbopack-server.browser.production.js | 62 +++++++------- ...server-dom-turbopack-server.edge.development.js | 76 ++++++++++------- ...-server-dom-turbopack-server.edge.production.js | 74 ++++++++++------- ...server-dom-turbopack-server.node.development.js | 94 ++++++++++++++-------- ...-server-dom-turbopack-server.node.production.js | 92 +++++++++++++-------- ...erver-dom-webpack-client.browser.development.js | 2 +- ...server-dom-webpack-client.browser.production.js | 2 +- ...t-server-dom-webpack-client.edge.development.js | 2 +- ...ct-server-dom-webpack-client.edge.production.js | 2 +- ...t-server-dom-webpack-client.node.development.js | 2 +- ...ct-server-dom-webpack-client.node.production.js | 2 +- ...erver-dom-webpack-server.browser.development.js | 64 ++++++++------- ...server-dom-webpack-server.browser.production.js | 62 +++++++------- ...t-server-dom-webpack-server.edge.development.js | 76 ++++++++++------- ...ct-server-dom-webpack-server.edge.production.js | 74 ++++++++++------- ...t-server-dom-webpack-server.node.development.js | 94 ++++++++++++++-------- ...ct-server-dom-webpack-server.node.production.js | 92 +++++++++++++-------- ...erver-dom-webpack-client.browser.development.js | 6 +- ...server-dom-webpack-client.browser.production.js | 2 +- ...t-server-dom-webpack-client.edge.development.js | 2 +- ...ct-server-dom-webpack-client.edge.production.js | 2 +- ...t-server-dom-webpack-client.node.development.js | 2 +- ...ct-server-dom-webpack-client.node.production.js | 2 +- ...erver-dom-webpack-server.browser.development.js | 64 ++++++++------- ...server-dom-webpack-server.browser.production.js | 62 +++++++------- ...t-server-dom-webpack-server.edge.development.js | 76 ++++++++++------- ...ct-server-dom-webpack-server.edge.production.js | 74 ++++++++++------- ...t-server-dom-webpack-server.node.development.js | 94 ++++++++++++++-------- ...ct-server-dom-webpack-server.node.production.js | 92 +++++++++++++-------- 48 files changed, 1148 insertions(+), 756 deletions(-) commit 66f6017f157ae19eb30522105c789999de2de7af Author: Josh Story Date: Tue Apr 21 14:03:41 2026 -0700 Escape properties for beforeInteractive scripts (#86) props set on a next/script with beforeInteractive are serialized as JSON into an inline script to be exectuted prior to hydration by Next.js. The props were not additionally escaped and if user input was rendered as through a script it could allow fro XSS. This has alwways been true if you pass user input into the script body or via dangerouslySetInnHTML however and it is always the developers responsibility to sanitize user input before rendering. However wherever React has some automatic escaping to act as an additional defense against common mistakes leading to vulnerabilities like XSS Next.js should mirror that becasue from the user's perspective it is not clear that React is not directly rendering the script props and content. This change adds additional escaping so that serialized properties cannot break out of the script scope and execute unexpected payloads. packages/next/src/client/script.tsx | 15 ++-- .../script-before-interactive-xss/app/layout.tsx | 8 ++ .../script-before-interactive-xss/app/page.tsx | 45 ++++++++++ .../app/xss-detector.tsx | 99 ++++++++++++++++++++++ .../script-before-interactive-xss/next.config.js | 6 ++ .../public/xss-src.js | 2 + .../script-before-interactive-xss.test.ts | 48 +++++++++++ 7 files changed, 215 insertions(+), 8 deletions(-) commit 3d98505a24c0c5ab6406ee46913bc72f37690795 Author: Hendrik Liebau Date: Wed May 6 14:49:29 2026 +0200 [backport] fix: preserve HTTP access fallbacks during prerender recovery (#93470) Backports: - #92231 --------- Co-authored-by: Zack Tanner <1939140+ztanner@users.noreply.github.com> Co-authored-by: Andrew Clark packages/next/src/server/app-render/app-render.tsx | 135 ++++++++++++++++++--- .../src/server/app-render/collect-segment-data.tsx | 20 +++ .../server/app-render/create-component-tree.tsx | 96 +++++++++++---- .../app/cases/not-found-suspense/layout.tsx | 17 +++ .../app/cases/not-found-suspense/not-found.tsx | 3 + .../app/cases/not-found-suspense/page.tsx | 7 ++ .../cache-components/cache-components.test.ts | 14 +++ 7 files changed, 255 insertions(+), 37 deletions(-) commit bb5ada6e38c48b0c0a13d6ab44ca4dc0698aa457 Author: Hendrik Liebau Date: Wed May 6 14:07:02 2026 +0200 [backport] [test] Deflake `instant-navs-devtools` (#93534) Backports: - #91912 - #93365 --------- Co-authored-by: Sebastian "Sebbie" Silbermann .../instant-navs-devtools.test.ts | 29 ++++++++++++++-------- 1 file changed, 18 insertions(+), 11 deletions(-) commit f1c11203d51235dfa4c8b9771b6287e823418aad Author: Hendrik Liebau Date: Wed May 6 11:51:44 2026 +0200 [backport] Fix double-encoding of URL pathname parts in client param parsing (#93506) Backports: - #93491 packages/next/src/client/route-params.ts | 30 +++++++-- .../encoded-slash-params/app/[slug]/page.tsx | 16 +++++ .../encoded-slash-params/app/layout.tsx | 8 +++ .../encoded-slash-params/app/page.tsx | 27 ++++++++ .../components/link-accordion.tsx | 33 ++++++++++ .../encoded-slash-params.test.ts | 77 ++++++++++++++++++++++ .../encoded-slash-params/next.config.js | 8 +++ 7 files changed, 193 insertions(+), 6 deletions(-) commit 2d08397b3d4e58b4e007232fbe4241eb09d6795b Author: Hendrik Liebau Date: Tue May 5 23:54:20 2026 +0200 [backport] fix accidental test duplication (#93507) test/e2e/rewrite-request-smuggling/next.config.js | 13 -- test/e2e/rewrite-request-smuggling/pages/index.tsx | 3 - .../rewrite-request-smuggling.test.ts | 234 --------------------- 3 files changed, 250 deletions(-) commit 75d19ecbb31d5bc9f97f0ec893052a17fd2027d5 Author: Josh Story Date: Tue May 5 14:54:04 2026 -0700 [backport] Include deployment id in `cacheHandlers` keys (#93471) Backport #93453 to 16.2 How was this ever working for dev? In that case, `buildId = "development"` and so it always uses the same cache key Co-authored-by: Niklas Mischkulnig <4586894+mischnic@users.noreply.github.com> packages/next/src/build/index.ts | 2 + packages/next/src/build/static-paths/app.ts | 3 + packages/next/src/build/templates/app-route.ts | 2 + packages/next/src/build/utils.ts | 3 + packages/next/src/export/routes/app-route.ts | 4 +- packages/next/src/export/worker.ts | 3 +- packages/next/src/server/app-render/app-render.tsx | 2 + .../app-render/work-async-storage.external.ts | 4 ++ .../next/src/server/async-storage/work-store.ts | 7 +++ packages/next/src/server/dev/next-dev-server.ts | 1 + .../next/src/server/dev/static-paths-worker.ts | 3 + .../src/server/route-modules/app-route/module.ts | 2 + .../next/src/server/use-cache/use-cache-wrapper.ts | 2 +- packages/next/src/server/web/adapter.ts | 2 + .../src/server/web/edge-route-module-wrapper.ts | 1 + .../use-cache-cross-deployment/app/layout.tsx | 16 ++++++ .../use-cache-cross-deployment/app/page.tsx | 26 +++++++++ .../app/prerender/page.tsx | 21 +++++++ .../app-dir/use-cache-cross-deployment/handler.js | 35 ++++++++++++ .../use-cache-cross-deployment/next.config.js | 16 ++++++ .../use-cache-cross-deployment/public/favicon.ico | Bin 0 -> 15086 bytes .../use-cache-cross-deployment.test.ts | 62 +++++++++++++++++++++ 22 files changed, 214 insertions(+), 3 deletions(-) commit 7ab1e2e93dad22d3c9c1afe395915ef33b73e7cf Author: Benjamin Woodruff Date: Fri Apr 10 10:12:46 2026 -0700 CI: Download and run self-contained datadog-ci instead of using pnpm dlx or npx (#92546) `pnpm dlx` isn't using a lockfile. Using the self-contained binary from GitHub and validate the checksum lets us effectively pin `datadog-ci` and all of its possible transitive dependencies. This is a follow-up for https://vercel.slack.com/archives/C0APPN2LC83/p1775073127894859 (cherry picked from commit 631fae951db74245c004a9fbb98ed8be8d2b6f21) .github/actions/setup-datadog-ci/action.yml | 37 +++++++++++++++++++++++++++ .github/workflows/build_and_deploy.yml | 12 +++++++-- .github/workflows/build_reusable.yml | 8 ++++-- .github/workflows/test_e2e_deploy_release.yml | 11 ++++++-- 4 files changed, 62 insertions(+), 6 deletions(-) commit 084f2bcf1947aee69aed418412647fae29ef7050 Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Mon Apr 27 09:31:05 2026 -0700 [ci]: trigger signed release commit via API (#93285) Stacked on https://github.com/vercel/next.js/pull/93245 Commit signing is required for anything that lands on `canary`. Our previous workflow of using a PAT to push a commit no longer works, since that would have been an unsigned commit. In #93245 we switched to an app token for release workflow steps. This continues by: - Telling Lerna to bump packages but not commit - Creating a signed commit with the staged changes via GitHub's API - Then running the publish flow Test Plan: Dry run [here](https://github.com/vercel/next.js/actions/runs/25001287978/job/73211826479) Commit [here](https://github.com/vercel/next.js/commit/3a8456a62b56615e2f8c1d1e6e7b4e14ce89e078) (cherry picked from commit 012fd7df4ba12f0699754125dc0226b6c99937a2) scripts/release-github-api.js | 349 ++++++++++++++++++++++++++++++++++++++++++ scripts/start-release.js | 45 ++++-- 2 files changed, 380 insertions(+), 14 deletions(-) commit a3bb370b00e505815a4a89e646aa69c9e105db8f Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Mon Apr 27 07:55:43 2026 -0700 [ci]: app-based release workflow (#93245) Moves all release workflows off of a GH PAT and uses an app with a short-lived token instead. Test Plan: Dry run [here](https://github.com/vercel/next.js/actions/runs/24934593874). However, this workflow is blocked until we figure out commit signing for the bot app. Some options: - The bot account generates a signing key and we use it in CI (not great, bypasses the app) - The org bypasses signature verification for the bot user (also not great, requires an exemption rule) - We need to rework the commit step so Lerna does not do the push, and instead trigger it via the app + GH API. This seems like the best option, will be added in a follow-up PR. Note: `create-release-branch` workflow is broken in its current form, as we will not be restoring administrator privileges to adjust environment settings. This will become a manual step in the future. (cherry picked from commit e69de2ffaf31743f6c015a1c645e913c8e59a436) .github/workflows/build_and_deploy.yml | 12 ++++- .github/workflows/create_release_branch.yml | 34 ++++++++++--- .github/workflows/trigger_release.yml | 33 +++++++++++-- scripts/create-release-branch.js | 28 ++++++----- scripts/publish-release.js | 8 +++- scripts/release-github-auth.js | 74 +++++++++++++++++++++++++++++ scripts/start-release.js | 55 +++++++++++---------- 7 files changed, 191 insertions(+), 53 deletions(-) commit 6e23383c562586021042c84683fc2794b79f1ca3 Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Tue Apr 21 11:23:06 2026 -0700 [ci]: add environment to publishRelease flow (#93093) Moves the `environment` into `publishRelease` rather than `trigger_release` since the actual action we want to create environment rules for is the publish step. (cherry picked from commit 2b846de4c59b5e47a28432e49106322c34915891) .github/workflows/build_and_deploy.yml | 26 +++++++++++++++++++++++++- .github/workflows/trigger_release.yml | 1 - 2 files changed, 25 insertions(+), 2 deletions(-) commit f40b8876e68777c8b76d18c51187ebb7427c411d Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Mon Apr 20 11:17:33 2026 -0700 [ci]: remove publish token in favor of OIDC (#93065) Switches from a long-lived token to trusted publishing OIDC flow. This requires a bump to Node (for feature support). Otherwise just dropping unnecessary envs. (cherry picked from commit 129896c2e462156cd4e0b7395d3e9861ce6204ae) .github/workflows/build_and_deploy.yml | 7 ++----- .github/workflows/release-next-rspack.yml | 11 +++-------- scripts/publish-release.js | 5 ----- 3 files changed, 5 insertions(+), 18 deletions(-) commit f6bda26ef9b96443f479c0ed952f1d05c19b1549 Author: JJ Kasper Date: Mon Apr 27 12:28:09 2026 -0700 Fix fallback route params case in app-page handler (#93109) ## Summary - backport the fallback route params fix from #91737 onto `next-16-2` - preserve intermediate shells that suspend only for unresolved fallback params during staged rendering - add the missing `resolvedRouteParamKeys` request metadata needed by this branch packages/next/src/build/templates/app-page.ts | 83 +++- packages/next/src/server/request-meta.ts | 7 + .../src/server/request/fallback-params.test.ts | 68 +++ .../next/src/server/request/fallback-params.ts | 32 ++ packages/next/src/server/server-utils.test.ts | 131 +++++ packages/next/src/server/server-utils.ts | 36 +- packages/next/src/shared/lib/router/routes/app.ts | 17 +- .../(domains)/settings/domains/loading.tsx | 7 + .../[project]/(domains)/settings/domains/page.tsx | 88 ++++ .../[project]/(domains)/settings/layout.tsx | 14 + .../app/[teamSlug]/[project]/loading.tsx | 5 + .../app/[teamSlug]/[project]/page.tsx | 101 ++++ .../app/[teamSlug]/[project]/settings/layout.tsx | 14 + .../app/[teamSlug]/[project]/settings/page.tsx | 69 +++ .../app/api/revalidate-layout/route.ts | 59 +++ .../vary-params-base-dynamic/app/layout.tsx | 8 + .../vary-params-base-dynamic/app/page.tsx | 56 +++ .../app/revalidate-actions.ts | 29 ++ .../components/link-accordion.tsx | 35 ++ .../components/revalidate-controls.tsx | 129 +++++ .../vary-params-base-dynamic/next.config.js | 19 + .../vary-params-base-dynamic.test.ts | 550 +++++++++++++++++++++ .../vary-params/pages/api/revalidate.ts | 22 + .../root-params-segment-prefetch.test.ts | 61 +++ test/e2e/rewrite-request-smuggling/next.config.js | 13 + test/e2e/rewrite-request-smuggling/pages/index.tsx | 3 + .../rewrite-request-smuggling.test.ts | 234 +++++++++ 27 files changed, 1860 insertions(+), 30 deletions(-) commit 70defda2a852a3428437e1d79ee1e3503095f47c Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Thu Apr 23 18:53:07 2026 -0700 [ci]: switch to GitHub runners (#93164) Switch CI from self-hosted runners to GitHub-hosted runners and fix the follow-up issues that showed up once the hosted jobs were exercised. - Move Linux workflows onto `ubuntu-latest-16-core-oss`, Windows workflows onto `windows-latest-8-core-oss`, and the native mac release lane onto `macos-15-intel`. - Update the reusable build workflow to work in hosted environments by relying on `runner.os` instead of label string matching, and by removing the hardcoded `/home/runner` `fnm` path. - Make Turbo/sccache configuration explicit for hosted runners: - unify on `vtest314-next-adapter-e2e-tests` - pass `TURBO_TOKEN` via workflow env/secrets instead of assuming runner-level env - switch Turbo cache mode to `local:rw,remote:rw` so jobs still have local cache behavior when remote cache is unavailable - Update the `sccache` action defaults/docs to use the hosted-runner secret setup (`TURBO_TOKEN`) instead of the old self-hosted token wiring. - Make Datadog reporting fail open so missing `DATA_DOG_API_KEY` does not block CI. - Fix the CLI reserved-port test so it asserts Next’s own `-p 1` validation instead of failing earlier on hosted Linux due to privileged-port binding. - Replace the live `musl.cc` dependency in `native-builder.Dockerfile` with musl sysroots imported from GHCR-hosted `rust-musl-cross` images, keeping the existing `/opt/*-cross` layout used by the Linux native build scripts. - Fix the macOS native build workaround s so it applies to all *-apple-darwin targets based on the Cargo target OS rather than the host architecture, which avoids napi-build injecting the unsupported -Wl linker arg when @next/swc is linked with rust-lld on hosted mac runners. Test Plan: - This PR's CI - This [build_and_deploy](https://github.com/vercel/next.js/actions/runs/24865715983/job/72801225722) job running on every arch .github/workflows/build_and_deploy.yml | 92 ++++++---------------- .github/workflows/build_and_test.yml | 10 +-- .github/workflows/build_reusable.yml | 21 ++--- .github/workflows/integration_tests_reusable.yml | 4 +- .github/workflows/pull_request_stats.yml | 13 ++- .github/workflows/setup-nextjs-build.yml | 6 +- .../workflows/test-turbopack-rust-bench-test.yml | 4 +- .github/workflows/test_e2e_deploy_release.yml | 1 + .github/workflows/test_e2e_project_reset_cron.yml | 7 +- .github/workflows/turbopack-benchmark.yml | 13 +-- crates/next-napi-bindings/build.rs | 12 +-- test/integration/cli/test/index.test.ts | 11 ++- 12 files changed, 84 insertions(+), 110 deletions(-) commit af0e96ba231efe9f647cb5cd6f01d7c8abd25b3a Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Wed Mar 18 12:17:31 2026 -0700 Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541) In a deployed environment, `onCacheEntryV2` determines whether a postponed response is HTML-origin or RSC-origin by checking whether meta.url ends with `.rsc`. For some dynamic full-route RSC requests, Next was passing a URL with query params into onCacheEntry, for example: `/[tenant]/samples.rsc?nxtPtenant=tenant-x` Because that string does not end with .rsc, `onCacheEntryV2` misclassified the request as HTML and treated it as text/html instead of an RSC response. This PR normalizes the URL before passing it to `onCacheEntry`, so the callback receives the pathname rather than the full URL-with-query. --------- Co-authored-by: JJ Kasper packages/next/src/build/templates/app-page.ts | 9 +++- .../app/[tenant]/layout.tsx | 52 ++++++++++++++++++ .../app/[tenant]/samples/page.tsx | 63 ++++++++++++++++++++++ .../ppr-root-param-rsc-fallback/app/layout.tsx | 9 ++++ .../ppr-root-param-rsc-fallback/next.config.js | 11 ++++ .../ppr-root-param-rsc-fallback.test.ts | 41 ++++++++++++++ 6 files changed, 184 insertions(+), 1 deletion(-) commit 2cdb7ed34f5b21782517cd40615ad5bc34b35923 Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Tue Apr 21 18:25:31 2026 -0700 [tests]: fix cache-components.test.ts type error (#93113) Fixes a type error on canary after merging two PRs that touched the same test. test/e2e/app-dir/cache-components/cache-components.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8cd3fdc1117d158255450a95471abdfb900a8fbe Author: JJ Kasper Date: Tue Mar 24 14:57:10 2026 -0700 test: scope css data-url typing to fixture (#91877) In the latest TypeScript version these imports now fail so updating the assertion to handle them x-ref: https://github.com/vercel/next.js/actions/runs/23508766037/job/68431989897#step:35:443 test/e2e/css-data-url-global-pages/data-url-css.d.ts | 2 ++ 1 file changed, 2 insertions(+) commit 6fd09bf8ab44ba22b798c6a965a3eb7e98c67dcd Author: JJ Kasper Date: Tue Apr 21 14:34:14 2026 -0700 Patch setHeader for direct route handlers (#93101) ## Summary - apply the `setHeader` cookie-support patch to direct route module handlers in `prepare()` - make `patchSetHeaderWithCookieSupport()` idempotent so both entry paths can call it safely - add an adapter-like direct RSC regression test that fails without the patch Closes: NEXT-4919 ## Testing - `NEXT_SKIP_ISOLATE=1 NEXT_TEST_MODE=start pnpm testheadless test/e2e/app-dir/cache-components/cache-components.test.ts -t "should ignore late setHeader calls for direct RSC handlers after headers are sent"` packages/next/src/server/lib/patch-set-header.ts | 13 ++ .../next/src/server/route-modules/route-module.ts | 5 + .../cache-components/cache-components.test.ts | 144 ++++++++++++++++++++- 3 files changed, 161 insertions(+), 1 deletion(-) commit 688ed31e210d81ab7d0dee57afae807fa00ff162 Author: Zack Tanner <1939140+ztanner@users.noreply.github.com> Date: Tue Apr 21 13:55:58 2026 -0700 Strengthen _rsc cache-busting param (#92755) This updates `_rsc` cache-busting param generation to use a stronger digest so different RSC request variants are much less likely to produce the same value. It also updates the related request-validation and injected resume/instant-test paths so they continue to generate and validate the same `_rsc` values across client, server, and edge-reachable codepaths. packages/next/src/build/templates/app-page.ts | 4 +- .../router-reducer/fetch-server-response.ts | 4 +- .../set-cache-busting-search-param.test.ts | 48 ++++++++++++ .../set-cache-busting-search-param.ts | 41 +++++++--- .../next/src/server/app-render/action-handler.ts | 21 +++-- packages/next/src/server/base-server.ts | 23 +++++- .../server/stream-utils/node-web-streams-helper.ts | 15 ++-- .../lib/router/utils/cache-busting-search-param.ts | 89 +++++++++++++++++++--- test/e2e/app-dir/app-prefetch/prefetching.test.ts | 28 ++++--- test/e2e/app-dir/app-validation/validation.test.ts | 56 +++++++++++++- test/e2e/app-dir/ppr-full/ppr-full.test.ts | 16 ++-- .../resume-data-cache/resume-data-cache.test.ts | 7 +- .../rewrite-headers/rewrite-headers.test.ts | 2 +- .../sub-shell-generation-middleware.test.ts | 2 +- 14 files changed, 287 insertions(+), 69 deletions(-) commit 62ef3050964c1f460245e04f53f8eb959a8cfaf0 Author: Steven Date: Thu Apr 16 19:36:50 2026 -0400 fix(next/image): ensure `images.maximumResponseBody` applies to local images too (#92920) In a previous PR https://github.com/vercel/next.js/pull/88183, we added `images.maximumResponseBody` but in only applied to external images. This PR ensures the same config also applies to internal images. packages/next/errors.json | 3 +- packages/next/src/server/image-optimizer.ts | 27 ++++ packages/next/src/server/lib/mock-request.ts | 37 ++++- packages/next/src/server/next-server.ts | 1 + .../image-optimizer/fetch-internal-image.test.ts | 152 +++++++++++++++++++++ 5 files changed, 215 insertions(+), 5 deletions(-) commit 15341fdf495d23b525e011f7eb91b62dd627664f Author: JJ Kasper Date: Mon Apr 13 16:26:34 2026 -0700 Ensure x-nextjs-data header is only set during resolve (#92752) Makes sure we set this header during route resolving so user request doesn't need to. .../next/src/server/lib/router-utils/resolve-routes.ts | 18 +++++++++++++++--- packages/next/src/server/lib/server-ipc/utils.ts | 1 + test/e2e/middleware-general/test/index.test.ts | 13 +++++++++++++ 3 files changed, 29 insertions(+), 3 deletions(-)