[pull] canary from vercel:canary #749
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Based on: - #88834 - #88989 --- This implements a partial "vary params" optimization for the segment cache. When a segment doesn't access params on the server, its prefetched data can be reused across different param values. Two cases are handled: 1. Segments without a user-provided layout (only loading.tsx or nothing) 2. Segments with a 'use client' layout The server now includes a varyParams field in segment prefetch responses. When varyParams is an empty Set, the client re-keys the cache entry with Fallback for all param values, making it reusable across different params. This is a stepping stone toward full vary params tracking where Server Components would track which specific params they access during rendering.
Based on: - #88834 - #88989 - #88998 --- Adds optimistic routing, enabling the client to predict route structure for URLs that haven't been prefetched yet. When navigating to a URL like /blog/post-2, if we've previously learned the pattern from /blog/post-1, we can predict the route structure without waiting for a server response. The client learns route patterns from server responses and builds a trie indexed by URL parts. When a cache miss occurs, we check if the URL matches a known pattern. If so, we create a synthetic cache entry from the template, allowing immediate rendering of loading boundaries. Static siblings (like /blog/featured alongside /blog/[slug]) are tracked to avoid incorrect predictions — we only predict dynamic routes when we're confident no static sibling matches.
Needed for vercel/vercel#14795 Keep the file so that we can instead dynamically render it as opposed to having to bundle the prerender into the function
This restores fast navigations to fully static PPR routes in Cache
Components, even when prefetch hasn’t completed or `prefetch={false}` is
used. In legacy versions of PPR, the `prefetchDataRoute` entries would
be populated with `.prefetch.rsc` values containing static RSC payloads.
This regressed in cache components, and the only static RSC payloads
were in the `.segments` directory. However, when Next.js triggers a
regular RSC request (non-prefetch), either because the prefetch hadn't
completed yet or `prefetch={false}` was configured, we'd route to the
empty fallback and trigger a function invocation.
This restores old behavior of emitting a `.rsc` file for a fully static
route. This information technically also exists in the `.segments`
directory, but it's split into parts, and it's now routed to unless
explicitly done so via the `next-router-segment-prefetch` header. In
addition to emitting the route, this also ensures we set
`prefetchDataRoute` to point to this. This is how the Vercel adapter
knows the file to serve.
An e2e regression test now asserts that `prefetch={false}` navigation
does not wait for a dynamic render. The deploy test will be unblocked
once vercel/vercel#14770 lands.
### What Switches the `create-next-app` templates (`app-tw`, `app`) to flex-based layouts instead of `min-height: 100vh`. ### Why At Clerk, we ship a template on top of `create-next-app` that adds a header with sign-in/sign-up links to the root layout. The current `min-height: 100vh` approach causes overflow as soon as you add anything to the layout. Here's a [minimal repo showing the overflow issue](https://github.com/alexcarpenter/nextjs-layout-template-repo). Using flexbox lets the page fill remaining space naturally, so headers/footers don't force an overflow and avoids us having to modify the `page.tsx` template. ### Changes **Tailwind (`app-tw`):** - Layout: `h-full` on `<html>`, `min-h-full flex flex-col` on `<body>` - Page: `min-h-screen` → `flex flex-col flex-1` **CSS Modules (`app`):** - `globals.css`: `height: 100%` on html, `min-height: 100%; display: flex; flex-direction: column` on body - `page.module.css`: `min-height: 100vh` → `flex: 1` The empty templates (`app-empty`, `app-tw-empty`) don't have height styling so they're unchanged. | BEFORE | AFTER | |--------|--------| | <img width="1392" height="1522" alt="Screenshot 2026-01-29 at 9 41 58 AM" src="https://github.com/user-attachments/assets/6642de41-253b-42c0-af2d-d55c4e651541" /> | <img width="1392" height="1522" alt="Screenshot 2026-01-29 at 9 42 31 AM" src="https://github.com/user-attachments/assets/633f3d46-ed8c-4d05-8173-77f2cf166703" /> | Closes NEXT- Fixes #
This deployment test has been failing very recently since the first attempt of [v16.1.5](https://github.com/vercel/next.js/actions/runs/21373599266/attempts/2). Tried deflaking at #87412, but seems to have no effect. This PR adds the test case to the deployment test manifest to unblock sync. Will continue deflaking at this PR at #89106 x-ref: [Datadog](https://app.datadoghq.com/ci/test/runs?query=test_level%3Atest%20%40ci.pipeline.name%3Atest-e2e-deploy-release%20%40ci.pipeline.url%3A%2A%2Fattempts%2F2%20%40test.status%3Afail&agg_m=count&agg_m_source=base&agg_q=%40test.name&agg_q_source=base&agg_t=count¤tTab=overview&eventStack=&fromUser=true&index=citest&panel=%7B%22queryString%22%3A%22%40test.name%3A%5C%22app%20dir%20client%20cache%20semantics%20%28default%20semantics%29%20prefetch%3D%7Bundefined%7D%20-%20default%20should%20refetch%20the%20full%20page%20after%205%20mins%5C%22%22%2C%22filters%22%3A%5B%7B%22isClicked%22%3Atrue%2C%22source%22%3A%22log%22%2C%22path%22%3A%22test.name%22%2C%22value%22%3A%22app%20dir%20client%20cache%20semantics%20%28default%20semantics%29%20prefetch%3D%7Bundefined%7D%20-%20default%20should%20refetch%20the%20full%20page%20after%205%20mins%22%7D%5D%2C%22timeRange%22%3A%7B%22from%22%3A1769209200000%2C%22to%22%3A1769514811691%2C%22live%22%3Afalse%7D%7D&test-detail-history=log_test.status%2Ctimestamp%2Clog_git.branch%2Clog_git.commit.sha%2Clog_test.is_known_flaky&top_n=30&top_o=top&viz=query_table&x_missing=true&start=1769209200000&end=1769514811691&paused=true) x-ref: [slack thread](https://vercel.slack.com/archives/C02CDC2ALJH/p1769519877570459) Part of https://linear.app/vercel/issue/NAR-719/fix-deploy-tests
This deployment test has been failing very recently. This PR adds the test case to the deployment test manifest to unblock sync. Will continue deflaking at this PR at #89187 x-ref: [Datadog](https://app.datadoghq.com/ci/test/runs?query=test_level%3Atest%20%40ci.pipeline.name%3Atest-e2e-deploy-release%20%40ci.pipeline.url%3A%2A%2Fattempts%2F2%20%40test.status%3Afail&agg_m=count&agg_m_source=base&agg_q=%40test.name&agg_q_source=base&agg_t=count¤tTab=history&eventStack=&fromUser=true&index=citest&panel=%7B%22queryString%22%3A%22%40test.name%3A%5C%22resume-data-cache%20should%20have%20consistent%20data%20between%20static%20and%20dynamic%20renders%20with%20fetch%20cache%5C%22%22%2C%22filters%22%3A%5B%7B%22isClicked%22%3Atrue%2C%22source%22%3A%22log%22%2C%22path%22%3A%22test.name%22%2C%22value%22%3A%22resume-data-cache%20should%20have%20consistent%20data%20between%20static%20and%20dynamic%20renders%20with%20fetch%20cache%22%7D%5D%2C%22timeRange%22%3A%7B%22from%22%3A1769520224000%2C%22to%22%3A1769693024000%2C%22live%22%3Atrue%7D%7D&test-detail-history=log_test.status%2Ctimestamp%2Clog_git.branch%2Clog_git.commit.sha%2Clog_test.is_known_flaky&top_n=30&top_o=top&viz=query_table&x_missing=true&start=1769520224360&end=1769693024360&paused=false) Part of https://linear.app/vercel/issue/NAR-719/fix-deploy-tests
## Summary This PR fixes ~two~ one bug~s~ in the `isCsrfOriginAllowed` function used for Server Actions CSRF protection: 1. **Case sensitivity bug**: Domain matching was case-sensitive, but DNS names are case-insensitive per [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.3). This caused legitimate requests to fail CSRF checks when the Origin header contained uppercase characters. 2. ~**Trailing dot bug**: FQDNs with trailing dots (e.g., `example.com.`) weren't matched. The trailing dot is valid DNS notation representing the root zone.~ Edit: Reverted, see comments on PR ## The Problem Before this fix: ```javascript isCsrfOriginAllowed('sub.VERCEL.com', ['*.vercel.com']) // false ❌ isCsrfOriginAllowed('sub.vercel.com.', ['*.vercel.com']) // false ❌ ``` Both of these should return `true` because: - DNS is case-insensitive (RFC 1035 §2.3.3) - Trailing dots are valid FQDN notation ## The Fix Normalize both domain and pattern before comparison: - Convert to lowercase - Strip trailing dots ## Testing Added new test cases for: - Case-insensitive matching (various case combinations) - Trailing dot handling (in both domain and pattern) All existing tests continue to pass. ## Related - This affects users who configure `serverActions.allowedOrigins` in `next.config.js` - The bug could cause legitimate Server Action requests to be rejected with CSRF errors if the browser sends an Origin header with different casing than the configured pattern
…le time (#89232) This change should unifiy the runAfterProductionCompile output to follow the same style as other times printed in the build logs. Currently build logs look like ``` ✓ Compiled successfully in 89s Running next.config.js provided runAfterProductionCompile ... ✓ Finished writing to filesystem cache in 18.5s ✓ Completed runAfterProductionCompile in 36134ms Skipping validation of types ``` I hope they will now look like ``` ✓ Compiled successfully in 89s Running next.config.js provided runAfterProductionCompile ... ✓ Finished writing to filesystem cache in 18.5s ✓ Completed runAfterProductionCompile in 36.1s Skipping validation of types ``` (and yes i know 36s is shameful thats my next problem but this irked me enough to want the build output looking nicer ahhaha) It feels like adding a test for this would be semi counter productive without basically ending up adding sleeps and then in reality its testing more the logic of `durationToStringWithNanoseconds`.
…le tasks (#89222) Use field annotations to drive what fields get 'shrunk' when a task completes. Doing this also optimizes the implementation since instead of scanning for each field we care about we walk all fields and handle the correct subset as we find them. Also take advantage of some features of immutable tasks (which account for about 25% of all tasks), and more aggressively drop some fields Saves quite a bit of memory and maybe a little bit of time 
**What changed?** `stringifyUrlQueryParam` now handles `bigint` type properly. **Why?** BigInt is a valid JavaScript primitive but was being converted to empty string: Before: ```js stringifyUrlQueryParam(123n) // '' ❌ ``` After: ```js stringifyUrlQueryParam(123n) // '123' ✓ ``` **Use case:** Query parameters with large integers (IDs, timestamps) often use BigInt to avoid precision loss. **Testing** Manual testing with BigInt values.
This auto-generated PR updates font data with latest available Co-authored-by: nextjs-bot <it+nextjs-bot@vercel.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
10 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )