Update dependency next to v15.4.7 [SECURITY]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	15.1.6 → 15.4.7

GitHub Vulnerability Alerts

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-49826

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

• Allam Rachid zhero;
• Allam Yasser (inzo)

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

GHSA-9qr9-h5gf-34mp

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

GHSA-mwv6-3258-q52c

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

GHSA-w37m-7fhw-fmv9

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

---

Release Notes

vercel/next.js (next)

v15.4.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix router handling when setting a location response header #​82588

Credits

Huge thanks to @​ztanner for helping!

v15.4.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#​82347)
• fix: add ?dpl to fonts in /_next/static/media (#​82384)

Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix API stripping JSON incorrectly (#​82062)
• Fix i18n fallback: false collision (#​82158)
• Revert "Fix tracing of server actions imported by client components (#​82167)
• Ensure setAssetPrefix updates config instance (#​82165)
• Turbopack: update mimalloc (#​82166)
• fix(next/image): fix image-optimizer.ts headers (#​82175)
• fix(next/image): improve and simplify detect-content-type (#​82174)

Credits

Huge thanks to @​ijjk, @​sokra, and @​styfle for helping!

v15.4.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix dynamicParams false layout case in dev (#​82026)
• Turbopack: fix scope hoisting variable renaming bug (#​81640)
• Upgrade to swc v33 (#​81750)
• Revert "[metadata] use https protocol for schema urls" (#​81934)

Credits

Huge thanks to @​bgw @​mischnic @​huozhi @​lukesandberg and @​ijjk for helping!

v15.4.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: fix dist dir on Windows (#​81758)

Credits

Huge thanks to @​mischnic for helping!

v15.4.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• pages router metadata bugs with React 19 (#​81733)
• [metadata] replace for initial body icon case (#​81688)
• Ensure custom NextServer config is honored (#​81681)

Credits

Huge thanks to @​huozhi, @​ijjk, and @​ztanner for helping!

v15.4.1

Compare Source

[!TIP]
Check out our Next v15.4 Blog Post to learn more about this release.

Core Changes

• [next-server] fix params duplicate in query after rewrite: #​77939
• [next-server] preserve rsc query for rsc redirects: #​77963
• Turbopack: fix a bug where marking a task a completed causes a panic when reading the output: #​77922
• Turbopack warning spelling fix: #​77999
• Allow URL schemes that include +, - or .: #​77932
• [dev-overlay] Remove unused hydration error related code: #​77929
• [dev-overlay] Unify error deduplication logic: #​78017
• fix: use the match result after matching using the matched path header: #​77994
• Upgrade React from 3fbfb9ba-20250409 to c44e4a25-20250409: #​78031
• Move unhandled rejection handling to shared path: #​77997
• fix: ensure app router not found works when deployed with pages i18n config: #​77905
• Uninstall existing uncaughtException listeners to prevent the process from crashing: #​78042
• Experimental bfcache: Restore state w/ : #​77992
• Add graceful error fallback for bots requests: #​77916
• Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #​78067
• [next-server] remove unnecessary query shallow copy: #​78003
• [dev-overlay] disable copy button when clipboard is not available: #​78101
• [dev-overlay] Stop stashing React error details on error instances: #​77975
• [dynamicIO] Model invalid dynamic on empty shells: #​77270
• fix: bump image-size@1.2.1: #​78149
• Handle graceful fallback for custom error boundaries: #​78121
• [dev-overlay] Stop squashing hydration related errors in App Router: #​78140
• [test] Enable strictNullChecks in test utils: #​78142
• Document Turbopack trace viewer: #​78184
• [dev-overlay] Fix error dialog resizing logic: #​78144
• Include types in published eslint-plugin-next: #​78109
• [dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #​77302
• [dev-overlay] Add dedicated label for recoverable errors: #​78186
• [chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #​78230
• Preserve slashes when custom URL schemes are used in redirects: #​78176
• ignore-list published sources if they have a sourcemap: #​78242
• Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #​78152
• Turbopack: add test case for persistent caching: #​77030
• Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #​78253
• fix: alternate bundler support for dropping client pages in AMP: #​77601
• [errors] refactor default global-error into a separate file: #​78182
• [metadata] render streaming metadata on the top level: #​77620
• [metadata] skip head cache in default slot: #​78206
• chore: Backport SWC-based RC optimization (#​78260)
• fix: bump image-size@​1.2.1 (#​78164)
• @next/mdx: Use stable turbopack config options: #​78261
• Upgrade React from b04254fd-20250415 to 4a36d3ea-20250416: #​78297
• Add graceful error boundary for bots requests: #​78298
• make sure eslint-plugin-next is built when running 'pnpm dev': #​78305
• Migrate pages API routes to handler interface: #​78166
• Update middleware public/static matching: #​78325
• Fix dynamic route param encoding: #​78326
• [Turbopack] refactor persistent caching from log based to cow approach: #​76234
• Add onInvalidate option to router.prefetch: #​77880
• Reserve bandwidth for most recently hovered link : #​78362
• fix: handle incremental PPR with client segment cache: #​78387
• fix: amphtml-validator WASM errors (for real): #​78379
• Turbopack: Remove next start --turbopack: #​78384
• Upgrade React from 4a36d3ea-20250416 to bc6184dd-20250417: #​78322
• [chore] remove dead code missing required error: #​78403
• [ts-next-plugin] remove typescript vfs and related metadata plugin: #​78237
• [ts-next-plugin] auto import metadata type: #​78258
• [ts-next-plugin] warn to add correct type for metadata exports: #​78254
• [ts-next-plugin] fix: validate metadata node before checking type: #​78414
• [errors] fix edge server initial error is not sent via hmr: #​78415
• misc: use correct capitals for React terms: #​78445
• Skip empty prefetch request for dynamic routes: #​78436
• Turbopack: don’t warn about webpack being configured when experimental.turbo is set: #​77998
• Upgrade React from bc6184dd-20250417 to 914319ae-20250423: #​78468
• Update turbopack to syn2: #​78385
• [next-server] ensure prepare is done before preloading entry: #​78454
• Upgrade React from 914319ae-20250423 to 197d6a04-20250424: #​78516
• [dev-overlay] Move error.name to label: #​78198
• [ts-next-plugin] update log for utils: #​78538
• [ppr] Route Cardinality Updates: #​78476
• Turbopack: support ignore comments for NFT fs access tracing: #​78460
• Externalize manifest loading in pages-api: #​78358
• Update font data: #​78525
• refactor: skip the prospective render when there's a more specific route to be rendered: #​78555
• fix: bodySizeLimit error responses + limit for non-multipart actions: #​77746
• [dynamicIO] Do not skip dynamic validation when metadata is dynamic: #​78574
• [dynamicIO] log dynamic validation errors consistently in dev: #​78575
• [ts-next-plugin] clean up unused proxy: #​78539
• [dynamicIO] Disallow only dynamic metadata: #​78576
• fix: make webpack handle "use cache" in node_modules : #​78606
• Use React's prerender function for "use cache" with Dynamic IO: #​78382
• Use node: prefixed in ESM emit of standalone server.js: #​78624
• feat: add ravendb library to server-external-packages.json: #​78319
• docs: fix typo in ppr.ts: #​78590
• Pre-compile busboy dependency: #​78634
• Pages API handler interface follow-ups: #​78638
• Repeat fix in #​78387 for routes without params: #​78568
• [dev-tools] Fix width transition logic: #​78635
• [ts-next-plugin] fix: warn only if no type: #​78628
• [ts-next-plugin] fix: warn only if no type for separate export: #​78629
• chore: Drop @swc/counter: #​78674
• Turbopack: use small thread local collector that flushes to global collector: #​78343
• Upgrade React from 197d6a04-20250424 to 5dc00d6b-20250428: #​78640
• Fix bad decoding for x-matched-path header: #​78677
• Fix pages API rewrite case: #​78644
• chore: update rspack to 1.3.8: #​78485
• Always apply render preparations after running an action: #​77898
• Exclude config package from bundling: #​78671
• Upgrade builtin babel packages: #​78673
• Upgrade loader-utils v2 to latest patch: #​78707
• [Link] Add prefetch="auto" option: #​78689
• [build-sourcemaps] Ensure errors during prerender can be sourcemapped: #​78709
• Upgrade React from 5dc00d6b-20250428 to 408d055a-20250430: #​78715
• build: Fix minifier options for webpack builds: #​78717
• refactor(next-swc): Do not amend minifier options from Rust code: #​78719
• Change stylistic ESLint TypeScript defaults: #​78679
• fix: replace original request body after middleware execution: #​77662
• remove draft.isEnabled setter from exotic draftMode wrappers: #​77972
• Turbopack: limit compaction merging by size instead of count: #​78669
• [build-sourcemaps] Include codeframes in prod when sourcemaps are enabled: #​78710
• feat: build lifecycle hooks - afterProductionCompile: #​77345
• fix: make sure that the patched fetch cache set promise is properly awaited: #​75971
• [dev-overlay] Make badge draggable: #​78716
• Turbopack: fix ESM project in standalone mode: #​78774
• Revert "[Link] Add prefetch="auto" option": #​78820
• Downgrade React from 408d055a-20250430 to 197d6a04-20250424: #​78834
• Reland "[Link] Add prefetch="auto" option": #​78821
• build: Update @swc/core npm package to v1.11.24: #​77668
• Turbopack: Implement regex support for matching webpack loaders: #​78733
• Turbopack: Add support for extension regex in @next/mdx: #​78734
• backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#​78488) (#​78883)
• @​next/mdx: Use stable turbopack config options (#​78880)
• Fix react-compiler: Fix detection of interest (#​78879)
• Fix turbopack: Backport sourcemap bugfix (#​78881)
• [next-server] preserve rsc query for rsc redirects (#​78876)
• Update middleware public/static matching (#​78875)
• [dev-overlay] Polish mobile view: #​78863
• [dev-overlay] Consider scrollbar width for drag positioning: #​78865
• Add handling for setting deployment id via cookie: #​78841
• Run export child process with runtime's default max-old-space-size: #​78712
• [dynamicIO] cache tracking for import(): #​74152
• [dev-overlay] solidate the line number parsing: #​78868
• Update send to v0.18.0: #​78816
• Scope runInCleanSnapshot to Work Store: #​78930
• Removes onNavigate from transition scope: #​78605
• Add nonce handling from CSP in pages router: #​78936
• Ensure manual nonce on Script works as expected: #​78939
• Treat _debugInfo as a wellknown property for sync request data access purposes: #​78942
• chore(CI): Run rspack tests in build_and_test.yml: #​78757
• bugfix: Fix a bug that caused conflicting assets when adding a child compiler: #​78011
• [Fix] Inverse prefetch segment for Pages routes: #​78932
• Fix tracing of server actions imported by client components: #​78968
• Revert "fix: alternate bundler support for dropping client page": #​78974
• Fix --no-mangling for "use cache" functions: #​78993
• chore: update rspack to 1.3.9: #​78984
• [not-found] Add global-not-found convention: #​78783
• [not-found] support metadata exports of global-not-found: #​78961
• Prevent "use cache" timeout errors from being caught in userland code: #​78998
• patch react via recast instead of string replacements: #​78916
• [link] Avoid inlining of LinkProps in emitted declarations: #​78773
• [next-config-ts] fix: read tsconfig file using TypeScript API: #​79055
• Replace node:url usage in server-utils: #​79094
• [build-sourcemaps] Remove unused static workers: #​79107
• fix: cli test failed when using rspack: #​79081
• [build-sourcemaps] Allow inspecting prerender worker: #​79098
• Add initial modifyConfig hook: #​79162
• Re-land updated bundler for pre-bundling: #​79164
• [dynamicIO] model pathname access in metadata as async : #​79136
• Update font data: #​79179
• bugfix (pages): assetPrefix should not cause hard nav in development: #​79176
• Reland "Ensure mangling is disabled for dev runtime builds (#​75297)": #​79201
• docs: add graceful error boundary example: #​77781
• turbo-tasks: Encode location information into panics: #​78945
• feat(turbopack): Add basic compilation event support: #​78785
• chore(dev-overlay): Minor cleanups to useDelayedRender hook: #​79119
• Update font data: #​79227
• Rename define-env-plugin.ts to define-env.ts: #​79224
• Always pass implicit/soft tags into the CacheHandler.get method: #​79213
• fix(dev-overlay): Ignore right clicks on the indicator draggable: #​79120
• Fix dangling promise in unstable-cache: #​79248
• Revert "Partial Fallback Prerendering Route Shells (#​69282)": #​79258
• [devtool] initial support for segment explorer: #​78858
• Client router should discard stale prefetch entries for static pages: #​79309
• [dynamicIO] fix: do not apply import tracking transform in edge: #​79284
• Turbopack build: Fix type: module with output: standalone: #​79292
• [TypeScript Plugin] Moved the diagnostics' positions to the prop's type instead of the value for client-boundary warnings: #​79193
• Use onPostpone to determine if segment prefetch is partial: #​79299
• Enable ppr when dynamicIO is enabled: #​79302
• fix: replaceIdentifiersInAst takes an expression, not a string: #​79196
• Remove DIO w/o PPR branch from app-render.tsx: #​79303
• Remove prospective fallback prerenders: #​79304
• Fixed rewrite param parsing for interception routes in Vercel deployments: #​79204
• [build-sourcemaps] Sourcemap errors during prerender if experimental.enablePrerenderSourceMaps is enabled: #​79109
• [release] use @changesets/changelog-github for changelog format: #​79040
• next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
• Always show warning if fetch cache limit hit: #​79384
• feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
• [release] use @changesets/changelog-github for changelog format: #​79040
• next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
• Always show warning if fetch cache limit hit: #​79384
• feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
• Only share incremental cache for edge in next start (#​79389)
• [TypeScript Plugin] Match method signature (someFunc(): void) type for client boundary warnings: #​79144
• Only share incremental cache for edge in next start: #​79386
• fix: rspack framework and lib cacheGroups: #​79172
• Make sure bundle analyzer does not trigger warning with turbopack: #​79399
• [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
• Implement initial handler interface for pages routes: #​79260
• [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
• [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
• Implement initial handler interface for pages routes: #​79260
• [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
• [Segment Cache] Fix: Skew during dynamic prefetch: #​79416
• [dynamicIO] reimplement dynamicIO validation on prerender: #​79414
• fix: remove redundant performance.measure usage: #​79475
• [devtools] Add a very minimal API for restarting the dev server: #​79265
• Model prerender store as separate server and client scopes: #​79429
• fix: Merge link header from middleware with the ones from React (#​73431)
• fix(edge): run after() if request is cancelled mid-streaming (#​76013)
• gate segmentCache branch in base-server (#​79505)
• Model prerender store as separate server and client scopes: #​79429
• Use metadata for cache entry status code: #​79512
• fix(dev-overlay): Better handle edge-case file paths in launchEditor: #​79526
• [build-sourcemaps] Increase stacktrace limit during prerender: #​79498
• fix: Rspack not skip .d.ts file: #​79285
• Revert "[next-server] skip setting vary header for basic routes": #​79426
• [ppr] Narrow condition for fallback shell generation at runtime: #​79565
• Turbopack: derive de/serialize for loader config: #​79581
• Update font data: #​79642
• Avoid bundling dev overlay in page template: #​79641
• Enable preview builds for forks: #​79648
• misc: remove leftover clientInstrumentationHook type: #​79701
• cleanup(turbopack): Embed Global vs Specific channel type in the Rust type system: #​79291
• [dev-overlay] Show error overlay on any thrown value in /app: #​79658
• [dev-overlay] Move error handlers into dispatcher in /app: #​79660
• Verify cache-busting param during segment prefetch: #​79563
• update(turbopack): Update the messaging UX for timing writing files to disk: #​79469
• [dev-overlay] Move Redbox open/close into dispatcher: #​79698
• chore: update rspack to 1.3.12: #​79428
• Enable repeated tsc runs in packages/next without having to build first: #​79782
• Run tsc in watch mode during pnpm dev: #​79785
• Reinstate vary (#​79939)
• fix(next-swc): Fix interestingness detection for React Compiler (#​79558)
• fix(next-swc): Fix react compiler usefulness detector (#​79480)
• fix(dev-overlay): Better handle edge-case file paths in launchEditor (#​79526)
• Client router should discard stale prefetch entries for static pages (#​79362)
• fix: preload fonts in template.js: #​79417
• feat: using eval source map plugin for Rspack: #​79199
• feat: using builtin CssChunkingPlugin for rspack: #​79762
• fix(napi): Update generated types, add alias for RcStr: #​79915
• [dev-overlay] Fix highlighted line cut off on scroll: #​79930
• fix(next/font): allow custom font-family in declarations: #​76274
• Remove subissues from Issue: #​79988
• [devtools] Add a query parameter to restart endpoint to invalidate the persistent cache: #​79425
• Implement handler interface for app-page: #​79568
• Migrate app route to handler interface: #​80008
• Turbopack Build: Fix underscore path tests: #​79778
• Fix watchmode for taskr tasks: #​80020
• Update font data: #​80036
• Fix defunct ESLint overrides: #​80053
• [devtools] Add an endpoint to poll for server status: #​80005
• [dynamicIO] Only report client sync IO errors if they are above a Suspense boundary: #​80026
• [dev-overlay] Parse stacks in reducer not during dispatch: #​79788
• Remove obsolete @ts-expect-error: #​80065
• [dev-tools] Navigation header replaces close button: #​80097
• [dev-overlay] Inject get*Stack implementation: #​79789
• [dev-overlay] Fix dark‐mode styling for <option> in Preferences dropdowns: #​80025
• Use relative sources in require() instead of next/dist/ if possible: #​80054
• [dev-overlay] Inject isRecoverableError implementation: #​80003
• [devtool] fix explorer flag consuming and style: #​80110
• [dev-tools] add restart dev server button to error overlay: #​80060
• [dev-tools] add restart dev server button on dev-tools indicator preferences: #​80072
• [chore] remove legacy useEarlyImport flag: #​80112
• [testmode] Fix types of wrapRequestHandler: #​80055
• Extend bot list with googleweblight, Storebot-Google, Google-Inspecti…: #​77728
• [dev-overlay] Inject getSquashedHydrationErrorDetails implementation: #​80046
• [dev-tools] better description for restart server button: #​80118
• [dev-tools] style: preferences section title: #​80120
• [metadata] refactor to remove async metadata: #​78495
• [dynamicIO] Document client component remediations for sync IO: #​79787
• [dynamicIO] prioritize preprocessing RSC rows when prerendering: #​80125
• [dev-overlay] Remove unused onError in /pages: #​79982
• Remove unused vendored server-inserted-metadata module: #​80143
• Webpack Build: Use name-contenthash instead of name-chunkhash for dynamic imports: #​80153
• [dev-overlay] Remove unnecessary code from /pages dev error boundary: #​79983
• Turbopack Build: Implement helpful error for missing sass package: #​80155
• [global-not-found] fix shared css imports not being picked: #​80151
• Add experimental flag for RSC request validation: #​80157
• [dev-overlay] Remove indirection in app dev error boundary : #​79984
• Docs: preload entries impact on memory consumption: #​80098
• [dev-overlay] Move building indicator into Dev Overlay state: #​79985
• [metadata] only render one metadata outlet: #​80146
• Add a regions property to the Functions Config Manifest file: #​80104
• [metadata] fix nonce prop for hoist script: #​80174
• docs: fix grammar in Code of Conduct section ('them' → 'it') : #​80181
• [error-overlay] remove footer message: #​80169
• Turbopack: Log persistent cache store time: #​80149
• fix(turbopack): Next.js package not found panics in Turbopack: #​79572
• [turbopack] Compute Import Traces for Issues: #​79351
• Typecheck require() calls: #​80056
• Revert "[turbopack] Compute Import Traces for Issues": #​80215
• remove unique metadata prop from initial RSC payload #​79388
• Replay redirect if RSC parameter is missing: #​80180
• [devtool] style the segment explorer as nested view: #​80212
• Prerender with streaming metadata during revalidation: #​80245
• fix: invalid middleware configs should fail the build: #​80221
• [dev-overlay] Render /app Dev Overlay with a separate React instance: #​79699
• [devtool] display segment explorer as tree view: #​80261
• [dev-overlay] Use same bundle for Pages and App Router: #​80019
• Revert "Revert "[turbopack] Compute Import Traces for Issues"": #​80220
• [dev-overlay] Publish as production bundle: #​80295
• [metadata] only serve block streaming metadata for html bots: #​80272
• Update font data: #​80301
• Update font data: #​80340
• [dev-overlay] fix duplicate re-render of errors: #​80322
• [build-sourcemaps] Only compute codeframe once: #​80326
• [test] Fix Dev Overlay Storybook: #​80288
• [test] Fix crashes in Dev Overlay Stories: #​80292
• [metadata] use https protocol for schema urls: #​80356
• [dev-overlay] Remove positive tab-index: #​80289
• [devtools] Implement default /.well-known/appspecific/com.chrome.devtools.json endpoint in dev: #​80260
• [dev-overlay] Fix outstanding a11y issues reported by Axe: #​80290
• provide declarations for server-only/client-only: #​80361
• [test] Stop opening browser by default in local Dev Overlay Storybook: #​80291
• [dev-overlay] Move hot reloader client code out of react-dev-overlay: #​80278
• [dev-overlay] Remove unused code: #​80279
• [dev-overlay] Move app/pages related features closers together: #​80280
• Discard Infinity expiration for implicit tags: #​80387
• fix(next-swc-wasm): Only enable turbo-rcstr's napi feature when building the next-swc-napi crate/package: #​80390
• Add response handling inside handlers: #​80189
• feat(turbopack): Add simple tree shaker: #​78286
• Fix a couple typos: #​80080
• [dev-overlay] Move code into new top-level folder in src/next-devtools: #​80281
• Ensure we normalize .rsc/.prefetch.rsc: #​80409
• Turbopack Build: Fix /index/index handling: #​80413
• [segment-explorer] optimize tree view: #​80392
• Upgrade @​playwright/test and cleanup internal APIs: #​80334
• Backport config.allowedDevOrigins (#​80410) (Learn More)
• [segment-explorer] Signal updates to React: #​80316
• [segment explorer] fix soft navigation case: #​80443
• Update the warning text for when multiple lockfiles are found: #​80214
• feat: in Rspack using native fn implemented by us using SWC to replace load module: #​80342
• chore: fix link to good first issue: #​80478
• Disable fetch cache size limit for implicit caching during build: #​80480
• [dynamicIO] Split up static generation into two phases: [#​79629](https:

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
cv	Ready	Preview, Comment	Jan 8, 2026 5:55pm