fix(image): align next/image API with Next.js 16.0.0

[Divkix]

Pre-requisite for #364 — This PR aligns the API surface; #364 adds Sharp-based build-time image optimization on top.

Closes #386

Summary

Aligns vinext's next/image implementation with the Next.js 16.0.0 API surface. Any library or app code written against Next.js 16's image API should now work on vinext without modification.

Changes

• StaticImageData: Add blurWidth and blurHeight optional fields
• imageSizes default: Remove 16 → [32, 48, 64, 96, 128, 256, 384] (matches Next.js 16)
• contentDispositionType default: "inline" → "attachment" (security — prevents XSS via image endpoint)
• preload prop: New prop replacing deprecated priority (both now trigger loading="eager" + fetchPriority="high")
• qualities config: Add images.qualities support with findClosestQuality() rounding and server-side validation
• AVIF quality offset: Apply Math.max(quality - 20, 1) for AVIF in handleImageOptimization (matches Next.js)
• Deprecated props: Accept and ignore onLoadingComplete, layout, objectFit, objectPosition, lazyBoundary, lazyRoot
• PlaceholderValue type: Widen to "blur" | "empty" | \data:image/${string}``
• width/height type: Widen to number | \${number}`` with automatic string→number parsing
• Type exports: Export StaticRequire, StaticImport, ImageLoaderProps, ImageProps
• allowedQualities: Add quality validation to parseImageParams

What's deferred

localPatterns, minimumCacheTTL, loader/loaderFile global config, disableStaticImages, maximumRedirects, dangerouslyAllowLocalIP, images.unoptimized global, @hapi/accept negotiation, and strict w/q required params — these are either not yet needed or would break existing vinext users.

Test plan

• pnpm test tests/image-component.test.ts — 41 tests pass (new tests for preload, deprecated props, string dims, data placeholder, StaticImport, type exports)
• pnpm test tests/image-imports.test.ts — 20 tests pass
• pnpm test tests/shims.test.ts — 577 pass (updated DEFAULT_IMAGE_SIZES and contentDisposition default assertions)
• pnpm test tests/deploy.test.ts — 193 tests pass
• pnpm test tests/image-config.test.ts — 33 tests pass
• pnpm run typecheck — no new errors (pre-existing __NEXT_DATA__ errors only)
• pnpm run lint — clean

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/vinext@385

commit: 647026f

[Copilot]

Pull request overview

This PR aligns vinext's next/image shim with the Next.js 16.0.0 API surface. It updates defaults (image sizes, Content-Disposition), adds new props (preload, deprecated compat props, string width/height, data:image/ placeholder), exports new types, adds quality allowlist support (images.qualities), and applies the AVIF quality offset used in Next.js 16.

Changes:

• Aligns next/image types and props with Next.js 16 (new preload prop, deprecated props, PlaceholderValue type, StaticImport/StaticRequire types, string dimensions)
• Updates image config defaults: DEFAULT_IMAGE_SIZES drops 16, Content-Disposition changes from "inline" to "attachment" for XSS protection
• Adds images.qualities config support with client-side findClosestQuality() rounding and server-side parseImageParams validation, plus AVIF quality offset in the optimization handler

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
packages/vinext/src/shims/image.tsx	Core Next.js 16 API alignment: new types, props, and quality URL building
packages/vinext/src/server/image-optimization.ts	DEFAULT_IMAGE_SIZES update, allowedQualities param in parseImageParams, Content-Disposition default, AVIF quality offset
packages/vinext/src/server/prod-server.ts	App Router server Content-Disposition default updated to "attachment"
packages/vinext/src/config/next-config.ts	Adds qualities field and updates JSDoc for contentDispositionType
packages/vinext/src/global.d.ts	Adds __VINEXT_IMAGE_QUALITIES process env type declaration
packages/vinext/src/index.ts	Exposes images.qualities via Vite define
tests/shims.test.ts	Updates assertions for new defaults (DEFAULT_IMAGE_SIZES, Content-Disposition)
tests/image-component.test.ts	New tests for Next.js 16 API surface features

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new allowedQualities parameter in parseImageParams has no test coverage. The existing test suite in tests/shims.test.ts thoroughly tests every other parseImageParams validation (widths, quality range, URL safety, etc.) but there are no tests verifying that:

1. A quality value not in allowedQualities returns null.
2. A quality value that is in allowedQualities is accepted.

This gap is significant because the quality validation code path (line 79) is also never exercised through handleImageOptimization (see separate comment), making it hard to detect the wiring issue.

[Copilot]

The findClosestQuality reduce call uses 0 as the initial accumulator value (second argument to reduce). Since 0 is not a valid quality value, when all valid quality values in the array are farther from quality than 0 is, the function returns 0 instead of the closest valid quality.

For example, with qualities = [25, 50, 75, 100] and quality = 10:

• abs(25 - 10) = 15 vs abs(0 - 10) = 10 → 0 wins
• Same for all subsequent values
• Returns 0, which is an invalid quality that will cause the image URL to carry ?q=0, and be rejected by the server's quality validation (q < 1 → return null).

The initial accumulator should be qualities[0] to ensure a valid quality value is always returned. Since the guard if (!qualities?.length) return quality already ensures the array has at least one element, qualities[0] is always safe here.

[Copilot]

The PR correctly changes the default Content-Disposition to "attachment" for the App Router production server (line 601), but the Pages Router production server (startPagesRouterServer, around line 775 in prod-server.ts) was not updated and still defaults to "inline".

This means the security fix is incomplete: images served through the Pages Router's Node.js production server will still use Content-Disposition: inline, leaving XSS-via-image-endpoint open on that code path.

The "Content-Disposition": pagesImageConfig?.contentDispositionType ?? "inline" on line 775 should be ?? "attachment" to match all other call sites.

[Copilot]

allowedQualities was added as a new parameter to parseImageParams, but handleImageOptimization (the main entry point used by all workers) calls parseImageParams(url, allowedWidths) without passing allowedQualities. This means the quality validation added here is never actually enforced through handleImageOptimization. The PR description claims "server-side validation" for qualities, but it is only reachable if callers invoke parseImageParams directly. To fully enforce the allowlist, allowedQualities (or qualities as part of ImageConfig) needs to be threaded through handleImageOptimization.

[Copilot]

The JSDoc comment for imageSizes still says Defaults to Next.js defaults: [16, 32, 48, 64, 96, 128, 256, 384], but the actual default was changed to [32, 48, 64, 96, 128, 256, 384] (removing 16). This comment should be updated to reflect the new default.

[james-elicx]

/bigbonk review

[ask-bonk]

Good work aligning the image API with Next.js 16. The type exports, preload prop, deprecated prop handling, StaticImport/StaticRequire unwrapping, AVIF quality offset, and Content-Disposition default change are all solid.

Two issues need fixing before merge (one correctness bug, one security gap), plus a few minor items.

---

Security: Pages Router Content-Disposition still defaults to "inline"

packages/vinext/src/server/prod-server.ts:775 was not updated:

"Content-Disposition": pagesImageConfig?.contentDispositionType ?? "inline",

This should be ?? "attachment" to match the App Router prod server (line 601), the handleImageOptimization helper (line 176), and all the updated tests. Without this, the XSS-via-image-endpoint mitigation is incomplete for Pages Router production deployments.

---

Stale JSDoc on imageSizes

packages/vinext/src/config/next-config.ts:165 still says:

Defaults to Next.js defaults: [16, 32, 48, 64, 96, 128, 256, 384]

but the actual default was changed to [32, 48, 64, 96, 128, 256, 384].

---

allowedQualities not wired through handleImageOptimization (non-blocking)

parseImageParams accepts allowedQualities as a third argument, but handleImageOptimization on line 207 calls parseImageParams(url, allowedWidths) without passing it. The server-side quality validation is unreachable from the main request handler. Since the client-side findClosestQuality rounds quality before building the URL, this is defense-in-depth rather than a correctness issue. Worth either wiring it through or removing the dead code path, but not a blocker.

[ask-bonk]

Bug: reduce uses 0 as the initial accumulator, which is not a valid quality value and wins the comparison whenever the closest real quality is farther from quality than 0 is.

Example: findClosestQuality(10, [25, 50, 75, 100]) returns 0 because |0 - 10| = 10 < |25 - 10| = 15. That q=0 then gets rejected server-side (q < 1 → null → 400).

The guard on line 139 already ensures qualities has at least one element, so qualities[0] is safe:

Suggested change

	return qualities.reduce((prev, cur) => (Math.abs(cur - quality) < Math.abs(prev - quality) ? cur : prev), 0);
	return qualities.reduce((prev, cur) => (Math.abs(cur - quality) < Math.abs(prev - quality) ? cur : prev), qualities[0]);

[ask-bonk]

Missing test coverage: findClosestQuality and allowedQualities server validation have no tests. The findClosestQuality bug (initial accumulator 0) would have been caught by a test like:

describe("findClosestQuality", () => {
  it("returns closest allowed quality for low input", () => {
    // With qualities [25, 50, 75, 100] and quality 10, should return 25
    expect(imageOptimizationUrl("/test.png", 100, 10)).toContain("q=25");
  });
});

Also consider a parseImageParams test for quality not in allowedQualities returning null.

[ask-bonk]

Review submitted successfully. Here's a summary of the feedback:

Requested changes on PR #385:

1. Bug (blocking) — findClosestQuality initial accumulator: The reduce call uses 0 as the initial value, which is an invalid quality. When all allowed qualities are farther from the input than 0, the function returns 0, causing a server-side 400 error. Fix: use qualities[0] instead. Inline suggestion provided.

2. Security gap (blocking) — Pages Router Content-Disposition: prod-server.ts:775 still defaults to "inline" for the Pages Router production server, while the App Router server, handleImageOptimization, and all tests were updated to "attachment". This leaves the XSS mitigation incomplete.

3. Stale JSDoc (minor): next-config.ts:165 still documents imageSizes default as including 16, but the actual default was changed to start at 32.

4. Dead code path (non-blocking observation): allowedQualities is accepted by parseImageParams but never passed from handleImageOptimization, making server-side quality validation unreachable.

5. Missing test coverage (non-blocking): No tests for findClosestQuality edge cases or allowedQualities server validation — the accumulator bug would have been caught with a simple test.

github run

[james-elicx]

/bigbonk re-review

[ask-bonk]

Good work. The second commit addressed all the blocking issues from the prior reviews (the findClosestQuality accumulator bug, the Pages Router Content-Disposition gap, and the stale JSDoc). The implementation is clean and well-tested.

Two non-blocking observations — neither is worth blocking the PR over, but they'd be good follow-ups.

---

allowedQualities not wired from callers (non-blocking)

handleImageOptimization now accepts allowedQualities as the 5th parameter, but no caller passes it:

• deploy.ts:454 (App Router worker) — passes allowedWidths only
• deploy.ts:545 (Pages Router worker) — passes allowedWidths and imageConfig only
• All tests call with at most 4 args

The client-side findClosestQuality rounding means this is defense-in-depth, not a correctness issue — the URL will already carry a valid quality value by the time it hits the server. But the dead code path is confusing. Consider either wiring allowedQualities through from config in a follow-up, or removing the server-side check until it's actually needed.

Remote image path doesn't handle data:image/ placeholder (minor)

The data:image/ placeholder handling was added to the local image path (image.tsx:410-413) and getImageProps (image.tsx:577-579), but the remote image code path (image.tsx:364-365) still only checks placeholder === "blur". A remote image with placeholder="data:image/png;base64,..." won't show the blur background when rendered via @unpic/react. This is a minor edge case, but worth noting for completeness.

[ask-bonk]

Non-blocking: allowedQualities is accepted here but no caller passes it. deploy.ts:454 and deploy.ts:545 both omit the 5th argument, and the prod-server uses parseImageParams directly without qualities. This makes the server-side quality validation unreachable in practice.

Since findClosestQuality on the client side already rounds to a valid value before building the URL, this isn't a correctness issue. Consider either wiring it through from config in a follow-up or deferring the parameter until callers need it.

[ask-bonk]

Review submitted successfully. Here's a summary of what I found:

Approved — the PR is in good shape after the second commit addressed all blocking issues from earlier reviews.

What was fixed in the second commit

• findClosestQuality accumulator bug (now correctly uses qualities[0] instead of 0)
• Pages Router Content-Disposition default updated to "attachment"
• JSDoc for imageSizes updated to reflect the new default (without 16)
• Tests added for findClosestQuality edge cases

Two non-blocking observations

1. allowedQualities is dead code server-side — handleImageOptimization accepts it but no caller passes it (deploy.ts, prod-server, tests all omit it). The client-side findClosestQuality rounding makes this defense-in-depth, not a bug, but the unused parameter is confusing.

2. Remote image path misses data:image/ placeholder — The new data:image/ placeholder support was added for local images and getImageProps, but the @unpic/react code path for remote images still only checks placeholder === "blur". Minor edge case.

github run

[Divkix]

I'll work on the 2 non-blocking issues and also on readme and the skills command

[james-elicx]

/bigbonk re-review

[ask-bonk]

Thorough and well-structured alignment with the Next.js 16 image API. The three commits tell a clean story: initial implementation, review feedback fixes, and non-blocking follow-ups. All the blocking issues from prior reviews have been addressed.

A few minor observations below — none are blockers.

[ask-bonk]

Minor: parseInt with radix 10 will parse "200px" as 200 and "" as NaN. The empty string case is harmless (returns undefined via the guard above), but a string like "200px" silently becoming 200 might mask user errors.

Next.js 16 types this as number | \${number}`` so in practice only pure numeric strings are expected — this is fine as-is, just noting the behavior.

[ask-bonk]

Nit: priority || preload evaluates left-to-right and both are optional booleans defaulting to undefined. When both are falsy, isEager is undefined (falsy), which works correctly in the ternary on line 329. Just noting that isEager is boolean | undefined, not strictly boolean. Not a bug, but !!priority || !!preload or Boolean(priority || preload) would be slightly more explicit if you wanted a strict boolean.

[ask-bonk]

Good coverage of preload prop. Consider adding a test that verifies preload and priority together don't conflict (both true should still produce loading="eager" and fetchPriority="high" — not double attributes). Currently the test only tests them independently.

[ask-bonk]

The AVIF quality offset (quality - 20) is a significant behavioral change for production image serving. There's no test coverage verifying this adjustment — the existing handleImageOptimization transform test on line 6050 of shims.test.ts only tests WebP (which doesn't get the offset). A test with Accept: image/avif that captures the options passed to transformImage and asserts quality === 55 for input q=75 would lock in this behavior.

Not blocking since this matches documented Next.js 16 behavior, but worth adding to prevent accidental regression.

[ask-bonk]

The custom loader path sets loading and decoding but doesn't set fetchPriority like the local image path does (line 467). In Next.js 16, priority/preload adds fetchPriority="high" regardless of whether a custom loader is used. Minor gap.

Suggested change

	loading={isEager ? "eager" : (loading ?? "lazy")}
	loading={isEager ? "eager" : (loading ?? "lazy")}
	fetchPriority={isEager ? "high" : undefined}
	decoding="async"

[ask-bonk]

Review submitted. Here's a summary of my findings:

Approved — the PR is solid after three commits that progressively addressed all prior review feedback.

What's good

• Clean Next.js 16 API alignment: preload, qualities, string dimensions, data:image/ placeholders, deprecated prop handling, type exports
• Security fix (Content-Disposition: attachment) applied consistently across all four code paths (App Router prod, Pages Router prod, handleImageOptimization helper, image config)
• findClosestQuality accumulator bug was fixed (uses qualities[0] instead of 0) with good test coverage
• Dead allowedQualities server-side parameter was cleaned up in the third commit
• Remote data:image/ placeholder gap was addressed in the third commit

Minor observations (non-blocking)

1. Missing fetchPriority on custom loader path — the loader code path sets loading="eager" for preload/priority but doesn't add fetchPriority="high", unlike the local and remote image paths. Suggested a fix.
2. No test for AVIF quality offset — the -20 quality adjustment in handleImageOptimization has no test coverage. The existing transform test only uses WebP.
3. Minor type looseness — isEager is boolean | undefined rather than strict boolean (works fine in practice).
4. Missing combined preload+priority test — tests cover each independently but not both together.

github run

[Divkix]

Will work on these and try to match with latest release v16.1 to verify no changes are there so it could be latest

[Divkix]

Implemented the Next.js 16 contract-layer pass for next/image on this branch.

What changed:

• Reworked the next/image shim around a shared prop-normalization path so <Image> and getImageProps() follow the same behavior.
• Aligned fixed-width srcSet generation with Next.js allSizes / 1x, 2x selection instead of the previous device-size-only logic.
• Added overrideSrc, global images.unoptimized, data: / blob: unoptimized handling, static-import aspect-ratio inference, and Next 16.1 dpl propagation for local image URLs.
• Switched preload / priority behavior to emit preload hints instead of forcing loading="eager" and fetchPriority="high".
• Expanded the image config surface and normalization (loader, loaderFile, path, localPatterns, formats, qualities, minimumCacheTTL, maximumRedirects, maximumResponseBody, dangerouslyAllowLocalIP, disableStaticImages, etc.).
• Tightened the shared optimizer contract for required w / q, local/remote allowlists, config-driven cache headers, format negotiation, and filename-bearing Content-Disposition.
• Kept PR feat(image): build-time image optimization via Sharp #364 boundaries intact: no Sharp/build-time optimization work and no vinext-only public image metadata added here.

Verification:

• pnpm test tests/image-component.test.ts tests/image-config.test.ts tests/image-imports.test.ts tests/next-config.test.ts
• pnpm run typecheck

[Divkix]

@james-elicx should i merge this in #364 instead? the vitest is failing because of work to be done in #364

[james-elicx]

Hmm I would have assumed we'd be able to do this without adding the new Sharp optimisation... Was it the aligning with next 16 that introduced that problem? Happy to go back a couple commits and merge based on the Bonk review a few commits ago if you want to keep the PRs separate?

[Divkix]

Okay, I tried something and this should fix the ci

[james-elicx]

/bigbonk re-review

[ask-bonk]

Review

CI is green, and the core image API alignment with Next.js 16 is well-executed — the getImgProps-style normalization, preload prop, qualities rounding, StaticImport unwrapping, AVIF quality offset, and Content-Disposition default change all look correct and match upstream.

I have a few concerns below, one security issue that should be addressed before merge, and some scope/architecture observations.

Security: fetchRemoteImage forwards all request headers to external hosts

This is the most important issue. The fetch(currentUrl, { headers: request.headers }) call at line 228 forwards the entire original request's headers — including Cookie, Authorization, and any custom tokens — to whatever external host is configured in remotePatterns. An attacker who gets a domain added to remotePatterns (or exploits an overly broad pattern) can exfiltrate session tokens. Next.js only forwards a selective subset of headers (primarily Accept). This should be fixed before merge.

Scope creep: resolveId refactoring

The resolveId hook was changed from the optimized { filter, handler } object form to a plain function, removing the Vite hook filter optimization. This means the hook now runs for every module resolution in the project, not just next/* and virtual:vinext-* imports. The new direct alias resolution, extensionless import resolution for node_modules, and .js variant generation are useful ecosystem fixes but are unrelated to next/image and would benefit from their own PR with targeted testing. Including them here makes the diff harder to review and the risk surface larger.

source.body reuse after transformImage failure

In the catch block at line 343-349, source.body is reused after being passed to transformImage. If transformImage partially consumed the ReadableStream before throwing, the stream is locked/consumed and cannot be passed to a new Response. This will produce a runtime error or truncated response. Consider buffering the source body into an ArrayBuffer before passing it to transformImage, or returning a 500 error in the catch path instead of attempting to serve the original.

isBlockedLocalHost has coverage gaps

The SSRF protection at line 192 misses several common bypass patterns:

• 0.0.0.0 (equivalent to localhost on many systems)
• IPv4-mapped IPv6 addresses like ::ffff:127.0.0.1 or ::ffff:10.0.0.1
• The fc/fd prefix check at line 197 matches any hostname starting with those letters (e.g. fcbarcelona.com), not just IPv6 ULA addresses

The fc/fd check should verify the string is actually an IPv6 address before matching. Consider checking for : in the hostname.

Minor observations (non-blocking)

1. No test for AVIF quality offset — the -20 adjustment in handleImageOptimization line 327 has no test coverage. A test with Accept: image/avif that verifies quality === 55 for input q=75 would lock in this behavior.

2. Remote image fetching is untested — fetchRemoteImage, fetchSourceImage, isBlockedLocalHost, and toContentDispositionFilename have zero unit test coverage. These are security-critical code paths.

3. __NEXT_DATA__ type declaration (global.d.ts) — This was added in this PR but is unrelated to image changes. The PR description doesn't mention it.

[ask-bonk]

Security issue: Forwarding all request headers to external hosts leaks sensitive data (Cookie, Authorization, custom tokens) to any domain configured in remotePatterns. Next.js only forwards a selective subset.

Suggested change

	headers: request.headers,
	const response = await fetch(currentUrl, {
	headers: { Accept: request.headers.get("Accept") ?? "*/*" },
	redirect: "manual",
	});

[ask-bonk]

Bug: source.body was already passed to handlers.transformImage() on line 329. If transformImage partially consumed the ReadableStream before throwing, this stream is locked/consumed and cannot be reused in a new Response. This will cause a runtime error or produce a truncated response.

Consider either:

1. Buffering the source into an ArrayBuffer before passing to transformImage (so you can reconstruct a fresh stream on failure), or
2. Returning a 500 error here instead of attempting to serve the already-consumed original.

[ask-bonk]

Bug: The fc/fd prefix check matches any hostname starting with those letters, not just IPv6 ULA addresses. For example, fcbarcelona.com or fdny.gov would be incorrectly blocked.

This should verify the string is actually an IPv6 address (contains :) before checking the prefix:

Suggested change

	if (lower === "::1" || lower.startsWith("fc") || lower.startsWith("fd")) {
	return true;
	if (lower === "::1" || (lower.includes(":") && (lower.startsWith("fc") || lower.startsWith("fd")))) {

[ask-bonk]

Missing check for 0.0.0.0 — on many systems this is equivalent to localhost. Also missing checks for IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:10.x.x.x, etc.), which are common SSRF bypass techniques.

Consider adding:

if (lower === '0.0.0.0') return true;
if (lower.startsWith('::ffff:')) {
  const mapped = lower.slice(7);
  // Recurse with the mapped IPv4 address
  return isBlockedLocalHost(mapped);
}

[ask-bonk]

Scope concern: This resolveId refactoring removes the Vite hook filter (filter: { id: /(?:next\/|virtual:vinext-)/ }) and replaces it with a plain function that runs for every module resolution in the project. The new direct alias resolution (line 1353), extensionless import resolution for node_modules (line 1362-1383), and .js variant generation (line 943 in configResolved) are useful ecosystem fixes, but they're unrelated to the next/image API alignment.

Running resolveId on every import (including react, vite, all node_modules, etc.) instead of only next/* and virtual:vinext-* is a performance regression for large projects. I'd suggest splitting this into its own PR where it can be tested independently — especially the fs.existsSync calls on every extensionless relative import from node_modules, which are synchronous I/O in a hot path.

[ask-bonk]

Nit: qualityInt is passed to generateImgAttrs and then to the loader, but when no quality prop is given, qualityInt is undefined. The default loader handles this via quality ?? 75 in defaultLoader (line 365), but custom loaders receive undefined as the quality property of ImageLoaderProps. This matches Next.js behavior (where quality is optional in ImageLoaderProps), but it's worth noting that custom loaders are responsible for defaulting quality themselves.

[ask-bonk]

Review posted successfully. Here's a summary of what I flagged:

Security (should fix before merge):

• fetchRemoteImage forwards all request headers (including Cookie, Authorization) to external hosts — should only forward Accept
• isBlockedLocalHost has SSRF bypass gaps: missing 0.0.0.0, IPv4-mapped IPv6, and the fc/fd prefix check incorrectly matches non-IPv6 hostnames like fcbarcelona.com

Bug:

• source.body is reused in the catch block after transformImage may have partially consumed the ReadableStream — will cause runtime errors or truncated responses

Scope concern:

• The resolveId refactoring removes the Vite hook filter optimization, making it run on every module resolution. This plus the extensionless import resolver and .js variant generation are unrelated to next/image and should ideally be in their own PR

Non-blocking observations:

• No test coverage for AVIF quality offset, remote image fetching, SSRF protection, or Content-Disposition filename derivation
• __NEXT_DATA__ type change is unrelated to image work

github run

[Divkix]

Addressed the review items in this branch:

• Fixed the remote image header leak in fetchRemoteImage() by forwarding only Accept upstream.
• Hardened the literal local-host / private-IP checks for 0.0.0.0, IPv4-mapped IPv6, and IPv6 ULA/link-local ranges, while avoiding the fc* hostname false positive. Redirect hops are re-checked before following.
• Fixed the transform fallback path by buffering the source image once and recreating a fresh stream for transformImage(), so a partially consumed source stream no longer breaks the fallback response.
• Restored the filtered resolveId hook shape and removed the unrelated runtime resolver broadening; also removed the unrelated window.__NEXT_DATA__ redeclaration.

Coverage updates:

• Added tests for remote-header forwarding, local-IP blocking, redirect-to-local blocking, remote filename derivation, and transform failure after stream consumption in tests/shims.test.ts.
• AVIF quality-offset coverage was already present and remains in tests/shims.test.ts.
• The custom-loader quality behavior is intentionally unchanged; custom loaders still receive optional quality, matching Next.js.

Validation run locally:

• pnpm test tests/shims.test.ts
• pnpm test tests/ecosystem.test.ts
• pnpm run typecheck

[james-elicx]

/bonk re-review

[ask-bonk]

Review

Good work aligning the next/image API surface with Next.js 16. The shared normalizeProps path for <Image> and getImageProps(), the preload link-hint emission via ServerInsertedHTMLContext, the SSRF protection with per-hop redirect checking, the stream-buffering strategy for transform fallback, and the Accept-only header forwarding are all well-designed.

One bug that should be fixed before merge, plus several non-blocking observations.

---

Bug: App Router worker entry doesn't pass imageConfig to handleImageOptimization

The generated App Router worker entry in generateAppRouterWorkerEntry() (deploy.ts, line 454-460) calls handleImageOptimization(request, handlers, allowedWidths) with only 3 arguments. The 4th parameter (imageConfig) is missing. Compare with:

• Pages Router worker entry (line 563): passes all 4 args including imageConfig
• App Router prod-server (line 612-620): passes imageConfig
• Pages Router prod-server (line 781-788): passes pagesImageConfig

The generated App Router worker entry also doesn't construct an imageConfig variable from vinextConfig (the Pages Router entry does this at lines 514-530). Additionally, line 452 hardcodes "/_vinext/image" while the Pages Router entry uses imageConfig?.path ?? "/_vinext/image" (line 555).

Impact: All image config settings (remote/local patterns, SVG policy, CSP, qualities validation, cache TTL, dangerouslyAllowLocalIP, custom path) are silently ignored for App Router Cloudflare Worker deployments.

---

Non-blocking observations

1. minimumCacheTTL default diverges 240x from Next.js — imageConfigDefault.minimumCacheTTL is 14_400 (4 hours) vs Next.js 16's 60 (1 minute). If this is intentional for Cloudflare Workers, add a comment. If not, it should match upstream.

2. findClosestQuality has zero test coverage — TRACKING.md claims 8 tests pass, but no test file contains any reference to findClosestQuality. The tracking entry is phantom. The function is on the critical path for URL generation.

3. OnLoadingComplete not re-exported from "next/image" module — Exported from image.tsx:41 but missing from next-shims.d.ts lines 133-141. Import will fail in TypeScript.

4. isBlockedIpv4 doesn't block 0.0.0.0/8 — The explicit 0.0.0.0 string check catches the exact address, but isBlockedIpv4 doesn't check a === 0. Addresses like 0.1.2.3 (which may resolve to localhost on some systems) bypass the check.

5. onLoadingComplete callback is never invoked — It's destructured and warned about in dev, but the callback itself is silently dropped. In Next.js, it's still wired to fire on image load for backward compat.

6. blurWidth/blurHeight declared but unused — StaticImageData declares these fields but normalizeProps never reads them. Minor feature gap vs Next.js.

[ask-bonk]

Intentional? Next.js 16 defaults minimumCacheTTL to 60 (seconds). This is 14_400 (4 hours) — a 240x difference. If this is a deliberate optimization for Cloudflare Workers (where re-optimization is expensive), it should have a comment explaining the deviation. If not, it should match upstream.

Suggested change

	minimumCacheTTL: 14_400,
	minimumCacheTTL: 14_400, // 4 hours — intentionally higher than Next.js default (60s) for Workers

[ask-bonk]

Phantom test entry. This claims findClosestQuality has 7 tests + 1 equidistant, all PASS. However, no *.test.ts file in the repository contains any reference to findClosestQuality. These tests don't exist. Either add the tests or remove this tracking entry.

[ask-bonk]

Minor: OnLoadingComplete is exported from image.tsx (line 41) but missing from this re-export list. Code doing import type { OnLoadingComplete } from "next/image" will get a TypeScript error.

Suggested change

	};
	export type {
	ImageProps,
	ImageLoader,
	ImageLoaderProps,
	PlaceholderValue,
	StaticImageData,
	StaticImport,
	StaticRequire,
	OnLoadingComplete,
	};

(Also needs OnLoadingComplete added to the import on line 123.)

[ask-bonk]

Low severity: isBlockedIpv4 doesn't check a === 0, so addresses in the 0.0.0.0/8 range (e.g., 0.1.2.3) bypass this. The explicit lower === "0.0.0.0" string check at line 294 only catches the exact address. On some systems, 0.x.x.x addresses resolve to localhost.

Suggested change

	(a === 192 && b === 168)
	return (
	a === 0 ||
	a === 10 ||
	a === 127 ||
	(a === 169 && b === 254) ||
	(a === 172 && b >= 16 && b <= 31) ||
	(a === 192 && b === 168)
	);

With this change, the explicit 0.0.0.0 string check at line 294 becomes redundant and can be removed.

[ask-bonk]

Non-blocking: onLoadingComplete is warned about here but the callback is never actually invoked — it's destructured at line 434 and silently dropped. In Next.js, deprecated onLoadingComplete is still wired to fire when the image loads. Users migrating from older Next.js code will silently lose this behavior.

Consider wiring it through onLoad for backward compat:

onLoad: (e) => {
  onLoad?.(e);
  if (onLoadingComplete) onLoadingComplete(e.currentTarget);
},

[ask-bonk]

Review submitted successfully. Here's a summary of the feedback:

Bug (should fix before merge)

• App Router worker entry missing imageConfig — generateAppRouterWorkerEntry() in deploy.ts calls handleImageOptimization with only 3 args, omitting the imageConfig parameter that the Pages Router entry correctly passes. This means all image security/config settings are silently ignored for App Router Cloudflare Worker deployments.

Non-blocking observations (with inline comments)

1. minimumCacheTTL default is 14,400s vs Next.js's 60s — 240x higher, needs documentation if intentional
2. findClosestQuality has zero test coverage — TRACKING.md claims 8 tests pass but they don't exist
3. OnLoadingComplete type missing from next/image module re-exports — TypeScript import will fail
4. isBlockedIpv4 doesn't block 0.0.0.0/8 range — suggestion to add a === 0 check
5. onLoadingComplete callback is never invoked — warned in dev but silently dropped
6. blurWidth/blurHeight declared but unused in normalizeProps

github run

[Divkix]

I think this should be good, worked through issues

[Divkix]

Closing for now — the merge of parallel worktree changes introduced too much risk of subtle bugs. Will revisit this alignment work in a future PR with a cleaner approach.

[james-elicx]

No worries, thanks for your time so far