fix(deps): update dependency next [security] - autoclosed#8508

Closed
renovate[bot] wants to merge 1 commit into latest from renovate/npm-next-vulnerability

@renovate renovate bot commented Mar 23, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
|---|---|
| next (source) | 15.3.8 → 15.4.10 |
| next (source) | 16.0.10 → 16.1.7 |
| next (source) | 16.1.6 → 16.1.7 |
| next (source) | 15.4.10 → 15.5.14 |
| next (source) | 15.5.9 → 15.5.14 |
| next (source) | 15.3.8 → 15.5.14 |

GitHub Vulnerability Alerts

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

  1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

  2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

GHSA-h25m-26qc-wcjf

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

CVE-2026-27977

Summary

In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

Impact

If a developer visits attacker-controlled content while running an affected next dev server with allowedDevOrigins configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.

This issue affects development mode only. It does not affect next start, and it does not expose internal debugging functionality to the network by default.

Patches

Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins on internal development endpoints.

Workarounds

If upgrade is not immediately possible:

  • Do not expose next dev to untrusted networks.
  • If you use allowedDevOrigins, reject requests and websocket upgrades with Origin: null for internal dev endpoints at your proxy.

CVE-2026-27978

Summary

origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

Patches

Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.

Workarounds

If upgrade is not immediately possible:

  • Add CSRF tokens for sensitive Server Actions.
  • Prefer SameSite=Strict on sensitive auth cookies.
  • Do not allow 'null' in serverActions.allowedOrigins unless intentionally required and additionally protected.

CVE-2026-27979

Summary

A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

Impact

In applications using the App Router with Partial Prerendering capability enabled (via experimental.ppr or cacheComponents), an attacker could send oversized next-resume POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.

Patches

Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.

Workarounds

If upgrade is not immediately possible:

  • Block requests containing the next-resume header, as this is never valid to be sent from an untrusted client.

CVE-2026-29057

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

  • Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.
  • Enforce authentication/authorization on backend routes per our security guidance.

CVE-2026-27980

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

  • Periodically clean .next/cache/images.
  • Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog


Release Notes

vercel/next.js (next)

v15.4.10

v15.4.9

v15.4.8

v15.4.7

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix router handling when setting a location response header #​82588
Credits

Huge thanks to @​ztanner for helping!

v15.4.6

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#​82347)
  • fix: add ?dpl to fonts in /_next/static/media (#​82384)
Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix API stripping JSON incorrectly (#​82062)
  • Fix i18n fallback: false collision (#​82158)
  • Revert "Fix tracing of server actions imported by client components (#​82167)
  • Ensure setAssetPrefix updates config instance (#​82165)
  • Turbopack: update mimalloc (#​82166)
  • fix(next/image): fix image-optimizer.ts headers (#​82175)
  • fix(next/image): improve and simplify detect-content-type (#​82174)
Credits

Huge thanks to @​ijjk, @​sokra, and @​styfle for helping!

v15.4.4

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix dynamicParams false layout case in dev (#​82026)
  • Turbopack: fix scope hoisting variable renaming bug (#​81640)
  • Upgrade to swc v33 (#​81750)
  • Revert "[metadata] use https protocol for schema urls" (#​81934)
Credits

Huge thanks to @​bgw @​mischnic @​huozhi @​lukesandberg and @​ijjk for helping!

v15.4.3

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Turbopack: fix dist dir on Windows (#​81758)
Credits

Huge thanks to @​mischnic for helping!

v15.4.2

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • pages router metadata bugs with React 19 (#​81733)
  • [metadata] replace for initial body icon case (#​81688)
  • Ensure custom NextServer config is honored (#​81681)
Credits

Huge thanks to @​huozhi, @​ijjk, and @​ztanner for helping!

v15.4.1

[!TIP]
Check out our Next v15.4 Blog Post to learn more about this release.

Core Changes
  • [next-server] fix params duplicate in query after rewrite: #​77939
  • [next-server] preserve rsc query for rsc redirects: #​77963
  • Turbopack: fix a bug where marking a task a completed causes a panic when reading the output: #​77922
  • Turbopack warning spelling fix: #​77999
  • Allow URL schemes that include +, - or .: #​77932
  • [dev-overlay] Remove unused hydration error related code: #​77929
  • [dev-overlay] Unify error deduplication logic: #​78017
  • fix: use the match result after matching using the matched path header: #​77994
  • Upgrade React from 3fbfb9ba-20250409 to c44e4a25-20250409: #​78031
  • Move unhandled rejection handling to shared path: #​77997
  • fix: ensure app router not found works when deployed with pages i18n config: #​77905
  • Uninstall existing uncaughtException listeners to prevent the process from crashing: #​78042
  • Experimental bfcache: Restore state w/ : #​77992
  • Add graceful error fallback for bots requests: #​77916
  • Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #​78067
  • [next-server] remove unnecessary query shallow copy: #​78003
  • [dev-overlay] disable copy button when clipboard is not available: #​78101
  • [dev-overlay] Stop stashing React error details on error instances: #​77975
  • [dynamicIO] Model invalid dynamic on empty shells: #​77270
  • fix: bump image-size@1.2.1: #​78149
  • Handle graceful fallback for custom error boundaries: #​78121
  • [dev-overlay] Stop squashing hydration related errors in App Router: #​78140
  • [test] Enable strictNullChecks in test utils: #​78142
  • Document Turbopack trace viewer: #​78184
  • [dev-overlay] Fix error dialog resizing logic: #​78144
  • Include types in published eslint-plugin-next: #​78109
  • [dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #​77302
  • [dev-overlay] Add dedicated label for recoverable errors: #​78186
  • [chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #​78230
  • Preserve slashes when custom URL schemes are used in redirects: #​78176
  • ignore-list published sources if they have a sourcemap: #​78242
  • Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #​78152
  • Turbopack: add test case for persistent caching: #​77030
  • Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #​78253
  • fix: alternate bundler support for dropping client pages in AMP: #​77601
  • [errors] refactor default global-error into a separate file: #​78182
  • [metadata] render streaming metadata on the top level: #​77620
  • [metadata] skip head cache in default slot: #​78206
  • chore: Backport SWC-based RC optimization (#​78260)
  • fix: bump image-size@​1.2.1 (#​78164)
  • @next/mdx: Use stable turbopack config options: #​78261
  • Upgrade React from b04254fd-20250415 to 4a36d3ea-20250416: #​78297
  • Add graceful error boundary for bots requests: #​78298
  • make sure eslint-plugin-next is built when running 'pnpm dev': #​78305
  • Migrate pages API routes to handler interface: #​78166
  • Update middleware public/static matching: #​78325
  • Fix dynamic route param encoding: #​78326
  • [Turbopack] refactor persistent caching from log based to cow approach: #​76234
  • Add onInvalidate option to router.prefetch: #​77880
  • Reserve bandwidth for most recently hovered link : #​78362
  • fix: handle incremental PPR with client segment cache: #​78387
  • fix: amphtml-validator WASM errors (for real): #​78379
  • Turbopack: Remove next start --turbopack: #​78384
  • Upgrade React from 4a36d3ea-20250416 to bc6184dd-20250417: #​78322
  • [chore] remove dead code missing required error: #​78403
  • [ts-next-plugin] remove typescript vfs and related metadata plugin: #​78237
  • [ts-next-plugin] auto import metadata type: #​78258
  • [ts-next-plugin] warn to add correct type for metadata exports: #​78254
  • [ts-next-plugin] fix: validate metadata node before checking type: #​78414
  • [errors] fix edge server initial error is not sent via hmr: #​78415
  • misc: use correct capitals for React terms: #​78445
  • Skip empty prefetch request for dynamic routes: #​78436
  • Turbopack: don’t warn about webpack being configured when experimental.turbo is set: #​77998
  • Upgrade React from bc6184dd-20250417 to 914319ae-20250423: #​78468
  • Update turbopack to syn2: #​78385
  • [next-server] ensure prepare is done before preloading entry: #​78454
  • Upgrade React from 914319ae-20250423 to 197d6a04-20250424: #​78516
  • [dev-overlay] Move error.name to label: #​78198
  • [ts-next-plugin] update log for utils: #​78538
  • [ppr] Route Cardinality Updates: #​78476
  • Turbopack: support ignore comments for NFT fs access tracing: #​78460
  • Externalize manifest loading in pages-api: #​78358
  • Update font data: #​78525
  • refactor: skip the prospective render when there's a more specific route to be rendered: #​78555
  • fix: bodySizeLimit error responses + limit for non-multipart actions: #​77746
  • [dynamicIO] Do not skip dynamic validation when metadata is dynamic: #​78574
  • [dynamicIO] log dynamic validation errors consistently in dev: #​78575
  • [ts-next-plugin] clean up unused proxy: #​78539
  • [dynamicIO] Disallow only dynamic metadata: #​78576
  • fix: make webpack handle "use cache" in node_modules : #​78606
  • Use React's prerender function for "use cache" with Dynamic IO: #​78382
  • Use node: prefixed in ESM emit of standalone server.js: #​78624
  • feat: add ravendb library to server-external-packages.json: #​78319
  • docs: fix typo in ppr.ts: #​78590
  • Pre-compile busboy dependency: #​78634
  • Pages API handler interface follow-ups: #​78638
  • Repeat fix in #​78387 for routes without params: #​78568
  • [dev-tools] Fix width transition logic: #​78635
  • [ts-next-plugin] fix: warn only if no type: #​78628
  • [ts-next-plugin] fix: warn only if no type for separate export: #​78629
  • chore: Drop @swc/counter: #​78674
  • Turbopack: use small thread local collector that flushes to global collector: #​78343
  • Upgrade React from 197d6a04-20250424 to 5dc00d6b-20250428: #​78640
  • Fix bad decoding for x-matched-path header: #​78677
  • Fix pages API rewrite case: #​78644
  • chore: update rspack to 1.3.8: #​78485
  • Always apply render preparations after running an action: #​77898
  • Exclude config package from bundling: #​78671
  • Upgrade builtin babel packages: #​78673
  • Upgrade loader-utils v2 to latest patch: #​78707
  • [Link] Add prefetch="auto" option: #​78689
  • [build-sourcemaps] Ensure errors during prerender can be sourcemapped: #​78709
  • Upgrade React from 5dc00d6b-20250428 to 408d055a-20250430: #​78715
  • build: Fix minifier options for webpack builds: #​78717
  • refactor(next-swc): Do not amend minifier options from Rust code: #​78719
  • Change stylistic ESLint TypeScript defaults: #​78679
  • fix: replace original request body after middleware execution: #​77662
  • remove draft.isEnabled setter from exotic draftMode wrappers: #​77972
  • Turbopack: limit compaction merging by size instead of count: #​78669
  • [build-sourcemaps] Include codeframes in prod when sourcemaps are enabled: #​78710
  • feat: build lifecycle hooks - afterProductionCompile: #​77345
  • fix: make sure that the patched fetch cache set promise is properly awaited: #​75971
  • [dev-overlay] Make badge draggable: #​78716
  • Turbopack: fix ESM project in standalone mode: #​78774
  • Revert "[Link] Add prefetch="auto" option": #​78820
  • Downgrade React from 408d055a-20250430 to 197d6a04-20250424: #​78834
  • Reland "[Link] Add prefetch="auto" option": #​78821
  • build: Update @swc/core npm package to v1.11.24: #​77668
  • Turbopack: Implement regex support for matching webpack loaders: #​78733
  • Turbopack: Add support for extension regex in @next/mdx: #​78734
  • backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#​78488) (#​78883)
  • @​next/mdx: Use stable turbopack config options (#​78880)
  • Fix react-compiler: Fix detection of interest (#​78879)
  • Fix turbopack: Backport sourcemap bugfix (#​78881)
  • [next-server] preserve rsc query for rsc redirects (#​78876)
  • Update middleware public/static matching (#​78875)
  • [dev-overlay] Polish mobile view: #​78863
  • [dev-overlay] Consider scrollbar width for drag positioning: #​78865
  • Add handling for setting deployment id via cookie: #​78841
  • Run export child process with runtime's default max-old-space-size: #​78712
  • [dynamicIO] cache tracking for import(): #​74152
  • [dev-overlay] solidate the line number parsing: #​78868
  • Update send to v0.18.0: #​78816
  • Scope runInCleanSnapshot to Work Store: #​78930
  • Removes onNavigate from transition scope: #​78605
  • Add nonce handling from CSP in pages router: #​78936
  • Ensure manual nonce on Script works as expected: #​78939
  • Treat _debugInfo as a wellknown property for sync request data access purposes: #​78942
  • chore(CI): Run rspack tests in build_and_test.yml: #​78757
  • bugfix: Fix a bug that caused conflicting assets when adding a child compiler: #​78011
  • [Fix] Inverse prefetch segment for Pages routes: #​78932
  • Fix tracing of server actions imported by client components: #​78968
  • Revert "fix: alternate bundler support for dropping client page": #​78974
  • Fix --no-mangling for "use cache" functions: #​78993
  • chore: update rspack to 1.3.9: #​78984
  • [not-found] Add global-not-found convention: #​78783
  • [not-found] support metadata exports of global-not-found: #​78961
  • Prevent "use cache" timeout errors from being caught in userland code: #​78998
  • patch react via recast instead of string replacements: #​78916
  • [link] Avoid inlining of LinkProps in emitted declarations: #​78773
  • [next-config-ts] fix: read tsconfig file using TypeScript API: #​79055
  • Replace node:url usage in server-utils: #​79094
  • [build-sourcemaps] Remove unused static workers: #​79107
  • fix: cli test failed when using rspack: #​79081
  • [build-sourcemaps] Allow inspecting prerender worker: #​79098
  • Add initial modifyConfig hook: #​79162
  • Re-land updated bundler for pre-bundling: #​79164
  • [dynamicIO] model pathname access in metadata as async : #​79136
  • Update font data: #​79179
  • bugfix (pages): assetPrefix should not cause hard nav in development: #​79176
  • Reland "Ensure mangling is disabled for dev runtime builds (#​75297)": #​79201
  • docs: add graceful error boundary example: #​77781
  • turbo-tasks: Encode location information into panics: #​78945
  • feat(turbopack): Add basic compilation event support: #​78785
  • chore(dev-overlay): Minor cleanups to useDelayedRender hook: #​79119
  • Update font data: #​79227
  • Rename define-env-plugin.ts to define-env.ts: #​79224
  • Always pass implicit/soft tags into the CacheHandler.get method: #​79213
  • fix(dev-overlay): Ignore right clicks on the indicator draggable: #​79120
  • Fix dangling promise in unstable-cache: #​79248
  • Revert "Partial Fallback Prerendering Route Shells (#​69282)": #​79258
  • [devtool] initial support for segment explorer: #​78858
  • Client router should discard stale prefetch entries for static pages: #​79309
  • [dynamicIO] fix: do not apply import tracking transform in edge: #​79284
  • Turbopack build: Fix type: module with output: standalone: #​79292
  • [TypeScript Plugin] Moved the diagnostics' positions to the prop's type instead of the value for client-boundary warnings: #​79193
  • Use onPostpone to determine if segment prefetch is partial: #​79299
  • Enable ppr when dynamicIO is enabled: #​79302
  • fix: replaceIdentifiersInAst takes an expression, not a string: #​79196
  • Remove DIO w/o PPR branch from app-render.tsx: #​79303
  • Remove prospective fallback prerenders: #​79304
  • Fixed rewrite param parsing for interception routes in Vercel deployments: #​79204
  • [build-sourcemaps] Sourcemap errors during prerender if experimental.enablePrerenderSourceMaps is enabled: #​79109
  • [release] use @changesets/changelog-github for changelog format: #​79040
  • next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
  • Always show warning if fetch cache limit hit: #​79384
  • feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
  • Only share incremental cache for edge in next start (#​79389)
  • [TypeScript Plugin] Match method signature (someFunc(): void) type for client boundary warnings: #​79144
  • Only share incremental cache for edge in next start: #​79386
  • fix: rspack framework and lib cacheGroups: #​79172
  • Make sure bundle analyzer does not trigger warning with turbopack: #​79399
  • [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
  • Implement initial handler interface for pages routes: #​79260
  • [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
  • [Segment Cache] Fix: Skew during dynamic prefetch: #​79416
  • [dynamicIO] reimplement dynamicIO validation on prerender: #​79414
  • fix: remove redundant performance.measure usage: #​79475
  • [devtools] Add a very minimal API for restarting the dev server: #​79265
  • Model prerender store as separate server and client scopes: #​79429
  • fix: Merge link header from middleware with the ones from React (#​73431)
  • fix(edge): run after() if request is cancelled mid-streaming (#​76013)
  • gate segmentCache branch in base-server (#​79505)
  • Use metadata for cache entry status code: #​79512
  • fix(dev-overlay): Better handle edge-case file paths in launchEditor: #​79526
  • [build-sourcemaps] Increase stacktrace limit during prerender: #​79498
  • fix: Rspack not skip .d.ts file: #​79285
  • Revert "[next-server] skip setting vary header for basic routes": #​79426
  • [ppr] Narrow condition for fallback shell generation at runtime: #​79565
  • Turbopack: derive de/serialize for loader config: #​79581
  • Update font data: #​79642
  • Avoid bundling dev overlay in page template: #​79641
  • Enable preview builds for forks: #​79648
  • misc: remove leftover clientInstrumentationHook type: #​79701
  • cleanup(turbopack): Embed Global vs Specific channel type in the Rust type system: #​79291
  • [dev-overlay] Show error overlay on any thrown value in /app: #​79658
  • [dev-overlay] Move error handlers into dispatcher in /app: #​79660
  • Verify cache-busting param during segment prefetch: #​79563
  • update(turbopack): Update the messaging UX for timing writing files to disk: #​79469
  • [dev-overlay] Move Redbox open/close into dispatcher: #​79698
  • chore: update rspack to 1.3.12: #​79428
  • Enable repeated tsc runs in packages/next without having to build first: #​79782
  • Run tsc in watch mode during pnpm dev: #​79785
  • Reinstate vary (#​79939)
  • fix(next-swc): Fix interestingness detection for React Compiler (#​79558)
  • fix(next-swc): Fix react compiler usefulness detector (#​79480)
  • fix(dev-overlay): Better handle edge-case file paths in launchEditor (#​79526)
  • Client router should discard stale prefetch entries for static pages (#​79362)
  • fix: preload fonts in template.js: #​79417
  • feat: using eval source map plugin for Rspack: #​79199
  • feat: using builtin CssChunkingPlugin for rspack: #​79762
  • fix(napi): Update generated types, add alias for RcStr: #​79915
  • [dev-overlay] Fix highlighted line cut off on scroll: #​79930
  • fix(next/font): allow custom font-family in declarations: #​76274
  • Remove subissues from Issue: #​79988
  • [devtools] Add a query parameter to restart endpoint to invalidate the persistent cache: #​79425
  • Implement handler interface for app-page: #​79568
  • Migrate app route to handler interface: #​80008
  • Turbopack Build: Fix underscore path tests: #​79778
  • Fix watchmode for taskr tasks: #​80020
  • Update font data: #​80036
  • Fix defunct ESLint overrides: #​80053
  • [devtools] Add an endpoint to poll for server status: #​80005
  • [dynamicIO] Only report client sync IO errors if they are above a Suspense boundary: #​80026
  • [dev-overlay] Parse stacks in reducer not during dispatch: #​79788
  • Remove obsolete @ts-expect-error: #​80065
  • [dev-tools] Navigation header replaces close button: #​80097
  • [dev-overlay] Inject get*Stack implementation: #​79789
  • [dev-overlay] Fix dark‐mode styling for <option> in Preferences dropdowns: #​80025
  • Use relative sources in require() instead of next/dist/ if possible: #​80054
  • [dev-overlay] Inject isRecoverableError implementation: #​80003
  • [devtool] fix explorer flag consuming and style: #​80110
  • [dev-tools] add restart dev server button to error overlay: #​80060
  • [dev-tools] add restart dev server button on dev-tools indicator preferences: #​80072
  • [chore] remove legacy useEarlyImport flag: #​80112
  • [testmode] Fix types of wrapRequestHandler: #​80055
  • Extend bot list with googleweblight, Storebot-Google, Google-Inspecti…: #​77728
  • [dev-overlay] Inject getSquashedHydrationErrorDetails implementation: #​80046
  • [dev-tools] better description for restart server button: #​80118
  • [dev-tools] style: preferences section title: #​80120
  • [metadata] refactor to remove async metadata: #​78495
  • [dynamicIO] Document client component remediations for sync IO: #​79787
  • [dynamicIO] prioritize preprocessing RSC rows when prerendering: #​80125
  • [dev-overlay] Remove unused onError in /pages: #​79982
  • Remove unused vendored server-inserted-metadata module: #​80143
  • Webpack Build: Use name-contenthash instead of name-chunkhash for dynamic imports: #​80153
  • [dev-overlay] Remove unnecessary code from /pages dev error boundary: #​79983
  • Turbopack Build: Implement helpful error for missing sass package: #​80155
  • [global-not-found] fix shared css imports not being picked: #​80151
  • Add experimental flag for RSC request validation: #​80157
  • [dev-overlay] Remove indirection in app dev error boundary : #​79984
  • Docs: preload entries impact on memory consumption: #​80098
  • [dev-overlay] Move building indicator into Dev Overlay state: #​79985
  • [metadata] only render one metadata outlet: #​80146
  • Add a regions property to the Functions Config Manifest file: #​80104
  • [metadata] fix nonce prop for hoist script: #​80174
  • docs: fix grammar in Code of Conduct section ('them' → 'it') : [#​80181](https://redirect.github.com/vercel/next.js/issues

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
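
The `Origin: null` handling described in the CVE-2026-27978 advisory above (and, for dev endpoints, CVE-2026-27977), as an added example that is not part of this PR or of the Next.js source. It is a simplified model: the function names, the sample hosts, exact-match allowlisting and the choice to let requests with no `Origin` header through are assumptions made for illustration.

```javascript
// Added illustration: simplified model of an Origin check for state-changing
// requests. Not Next.js source; all function and field names are hypothetical.

// Host the request was addressed to (a proxy-forwarded host wins if present).
function requestHost(headers) {
  return headers['x-forwarded-host'] || headers['host'];
}

// Parse an Origin header value into its host, or undefined if it is not a URL.
function originHost(origin) {
  try {
    return new URL(origin).host;
  } catch {
    return undefined;
  }
}

// Shared comparison: same host, or an exact match in the allowlist.
function compareOrigin(origin, headers, allowedOrigins) {
  const host = originHost(origin);
  if (host === undefined) return { allowed: false, reason: 'unparseable-origin' };
  if (host === requestHost(headers)) return { allowed: true, reason: 'same-host' };
  if (allowedOrigins.includes(host)) return { allowed: true, reason: 'allowlisted' };
  return { allowed: false, reason: 'cross-origin' };
}

// "Before": the literal string "null" is folded into the missing-header case,
// so a request from an opaque origin skips the host comparison entirely.
function checkOriginLegacy(headers, allowedOrigins = []) {
  const origin = headers['origin'];
  if (origin === undefined || origin === 'null') {
    return { allowed: true, reason: 'origin-missing' };
  }
  return compareOrigin(origin, headers, allowedOrigins);
}

// "After": "null" is an explicit origin value. It is rejected unless the
// operator has put the string 'null' in the allowlist on purpose.
function checkOriginStrict(headers, allowedOrigins = []) {
  const origin = headers['origin'];
  if (origin === undefined) {
    // Assumption of this model: a request with no Origin header is let through
    // here and must be covered by other controls (CSRF token, SameSite cookie).
    return { allowed: true, reason: 'origin-missing' };
  }
  if (origin === 'null') {
    return allowedOrigins.includes('null')
      ? { allowed: true, reason: 'null-allowlisted' }
      : { allowed: false, reason: 'opaque-origin' };
  }
  return compareOrigin(origin, headers, allowedOrigins);
}

// Constructed sample requests (header names lower-cased, as Node delivers them).
const SAMPLES = {
  sameOrigin: { host: 'app.example', origin: 'https://app.example' },
  crossOrigin: { host: 'app.example', origin: 'https://other.example' },
  sandboxedIframe: { host: 'app.example', origin: 'null' },
  noOriginHeader: { host: 'app.example' },
};

// Run both checks over every sample and return one row per sample.
function evaluateSamples(allowedOrigins = []) {
  return Object.entries(SAMPLES).map(([name, headers]) => ({
    name,
    legacy: checkOriginLegacy(headers, allowedOrigins).allowed,
    strict: checkOriginStrict(headers, allowedOrigins).allowed,
  }));
}

console.table(evaluateSamples());
```

Only the `sandboxedIframe` row differs between the two checks, which is the gap the advisory's CSRF-token and `SameSite=Strict` workarounds cover on versions that cannot be upgraded yet.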

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch 4 times, most recently from b9a743d to 7eb11e6 Compare March 25, 2026 18:11
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 7eb11e6 to c72512e Compare March 25, 2026 21:08
@renovate renovate bot changed the title fix(deps): update dependency next [security] fix(deps): update dependency next [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-next-vulnerability branch March 27, 2026 01:39
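
The two memory-exhaustion paths named in the CVE-2025-59472 advisory above (unbounded `Buffer.concat()` buffering and unbounded `inflateSync()`), each with a size cap, as an added example that is not part of this PR or of the Next.js source. The limits, function names and sample payload are assumptions; `maxOutputLength` is a standard Node.js zlib option.

```javascript
// Added illustration: bounded body buffering and bounded decompression.
// Not Next.js source; limits and function names are hypothetical.
const zlib = require('node:zlib');

const MAX_BODY_BYTES = 64 * 1024; // assumed cap on the raw request body
const MAX_INFLATED_BYTES = 1024 * 1024; // assumed cap on decompressed output

// Build an error that a handler can map to "413 Payload Too Large".
function tooLarge(message) {
  const err = new Error(message);
  err.statusCode = 413;
  return err;
}

// Accumulate body chunks, failing as soon as the running total passes the
// limit rather than concatenating everything first and measuring afterwards.
// In a handler, `chunks` would be the chunks delivered by the request stream.
function collectBounded(chunks, limit = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > limit) throw tooLarge(`request body exceeds ${limit} bytes`);
    parts.push(chunk);
  }
  return Buffer.concat(parts, total);
}

// Inflate with a hard ceiling on output size. zlib stops and throws
// ERR_BUFFER_TOO_LARGE once the output would pass maxOutputLength, so a small
// compressed input cannot force a huge allocation.
function inflateBounded(compressed, limit = MAX_INFLATED_BYTES) {
  try {
    return zlib.inflateSync(compressed, { maxOutputLength: limit });
  } catch (err) {
    if (err.code === 'ERR_BUFFER_TOO_LARGE') {
      throw tooLarge(`decompressed data exceeds ${limit} bytes`);
    }
    throw err; // corrupt input and other zlib errors propagate unchanged
  }
}

// Run one payload through both caps and report the outcome without throwing.
function processPayload(chunks) {
  try {
    const body = collectBounded(chunks);
    const data = inflateBounded(body);
    return { ok: true, compressedBytes: body.length, inflatedBytes: data.length };
  } catch (err) {
    return { ok: false, status: err.statusCode || 400, error: err.message };
  }
}

// Constructed inputs: a small legitimate payload, a highly compressible
// payload that is small on the wire, and a body that is simply too big.
const smallPayload = zlib.deflateSync(Buffer.from('{"postponed":"state"}'));
const compressible = zlib.deflateSync(Buffer.alloc(8 * 1024 * 1024));
const oversizedBody = [Buffer.alloc(48 * 1024), Buffer.alloc(48 * 1024)];

function demo() {
  return {
    small: processPayload([smallPayload]),
    compressible: processPayload([compressible]),
    oversized: processPayload(oversizedBody),
  };
}

console.log(demo());
```

The `compressible` case passes the body cap and is stopped only by the inflate cap, which is why the advisory notes that a reverse-proxy request size limit alone does not cover the decompression path.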