fix(deps): update dependency next to v15 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	^14.2.8 → ^15.0.0
next (source)	^14.2.8 → ^15.0.0

GitHub Vulnerability Alerts

CVE-2024-46982

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

CVE-2024-56332

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

CVE-2025-29927

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-32421

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

GHSA-mwv6-3258-q52c

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

GHSA-5j59-xgg2-r9c4

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

GHSA-h25m-26qc-wcjf

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

---

Release Notes

vercel/next.js (next)

v15.0.8

Compare Source

Please see this changelog for more information about this security patch.

v15.0.7

Compare Source

v15.0.6

Compare Source

v15.0.5

Compare Source

Please see CVE-2025-66478 for additional details about this release.

v15.0.4

Compare Source

[!NOTE]
This release is backporting changes. It does not include all pending features/changes on canary.

Core Changes

• Use React 19 stable in Pages Router: #​73564

Credits

Huge thanks to @​eps1lon

v15.0.3

Compare Source

Core Changes

• Read page name from work store in server module map proxy: #​71669
• codemod: should not transform when param is not used: #​71664
• [dynamicIO] complete refactor to prerender: #​71687
• fix: metadata image route normalize path posix for windows: #​71673
• next-codemod(upgrade): optional catch when missing dev script: #​71598
• Avoid server action function indirection in Turbopack: #​71628
• fix: exclude basePath in findSourceMapURL: #​71719
• fix: stack frame text color in dark mode: #​71656
• Fix: revert the bad node binary handling: #​71723
• next-codemod: add empty pnpm-workspace.yaml to test fixtures to bypass PNPM workspace checks: #​71726
• warn on sync access if dynamicIO is not enabled: #​71696
• Update React from 69d4b800-20241021 to 45804af1-20241021: #​71718
• next-upgrade: do not add --turbopack flag when --turbo exists in next dev: #​71730
• feat: stitch errors with react owner stack: #​70393
• [dynamicIO] update data access error and documentation: #​71738
• Test cached form action with revalidate: #​71591
• Upgrade React from 45804af1-20241021 to 28668d39-20241023: #​71745
• Fix race condition when setting client reference manifests: #​71741
• Fix fetch with no-store inside of use cache: #​71754
• Remove the bottom collapse button in dev overlay: #​71658
• [dynamicIO] unify cache filling and lazy-module warming: #​71749
• Don't filter out source location frames through RSC: #​71752
• fix undefined default export error msg: #​71762
• Upgrade React from 28668d39-20241023 to 1631855f-20241023: #​71769
• Enable owner stack in experimental build: #​71716
• feat: add experiment for sharpjs cpu flags: #​71733
• fix: handle server component replay error in error overlay: #​71772
• Don't error asking for prebuilt bundles: #​71778
• Replace turbopack://[project]/... sourcemap uris with file://... in development: #​71489
• misc: update source map paths for bundled Next.js runtime: #​71779
• [dynamicIO] refine error message and docs: #​71781
• next-upgrade: change --turbo to --turbopack if applicable: #​71737
• Show all diff when uncollapse: #​71792
• Sourcemap errors in terminal by default : #​71444
• Fully enable custom error callbacks for app router: #​71794
• Simplify Server Action Webpack plugin: #​71721
• ensure DIO development segment errors are cleared after correcting: #​71811
• Include sourceframe in errors logged in the terminal during development: #​71803
• [dynamicIO] update prerender cache scoping and cache warming for validation: #​71822
• only force stack frame color in tty: #​71860
• Add test for fetch with auth in use cache: #​71768
• Fix race with hot-reloader-client clearing overlay errors: #​71771
• Fix dynamic tracking in dev: #​71867
• Revert "Sourcemap errors in terminal by default (#​71444)": #​71868
• Fix fetch caching inside of "use cache": #​71793
• Trace upload: only send traces for current session: #​71838
• Reland "Sourcemap errors in terminal by default": #​71877
• Implement information byte in Server Reference ID and other optimizations: #​71463
• fix: webpack build error on Windows: #​71943
• Run with --enable-source-maps by default in next dev: #​71820
• fix global-error styles: #​71914
• Use registerClientReference for ESM client component modules: #​71968
• Fix missing await of params when metadata is used with an image file: #​71871
• Upgrade React from 1631855f-20241023 to 02c0e824-20241028: #​71979
• Populate sourcemap ignoreList when Webpack is used: #​71821
• [dynamicIO] unify server and client prerender for non-ppr pathway: #​71764
• codemod: add separator to the parenthenese expr: #​71993
• Respect sourcemap's ignore list when printing errors in the terminal: #​71908
• fix console color to be compatible in chrome devtools: #​71939
• Delete obsolete codemod next-dynamic-access-named-export: #​72016
• fix: log the error instance modified extra location info: #​71930
• Compare error stack to dedupe error: #​71798

Example Changes

• experimental.instrumentationHook is not necessary anymore: #​71808
• Add Jude to nextjs team: #​71936

Misc Changes

• docs: fix broken link in Architecture/Turbopack documentation: #​71412
• test: migrate rest async api usage in tests: #​71663
• fix: docs for dynamic routing in next 15: #​71531
• Remove the 'new' keyword from the GET function sample code.: #​71671
• chore: fix wrong path of comments: #​71682
• docs(next-config): remove mention of appIsrStatus is on canary: #​71695
• react-sync: Ignore update notices from npm: #​71717
• Docs: Update default marker for fetch cache option: #​71728
• [docs] Fix page.tsx parameter types: #​71680
• [docs] Fix table.js containing TS code: #​71677
• docs(ppr): update note about ppr: #​71697
• docs lint: #​71748
• fixes error message asserts and lints: #​71747
• Fix docs for configuring Turbopack: #​71755
• docs(turbo): add experimental icon to turbo config section: #​71761
• feat(turbopack): Add __turbopack_original__ while tree shaking: #​71547
• test: re-enable test with note: #​71789
• Docs: Remove beta marker from Turbopack docs: #​71796
• Update docs 1: #​71812
• docs lint fixes: #​71813
• docs: remove "use cache" on before code snippet: #​71815
• Next docs broken links: #​71823
• [Turbopack] add optimization based on upper count: #​71606
• chore(turbo-tasks-backend): Use let instead of match for macro bindings: #​71756
• chore(turbo-tasks-backend): Remove collapsible-if lints: #​71758
• removing extra reference: #​71853
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 3): #​71665
• Update sync-dynamic-apis.mdx: #​71907
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 4): #​71804
• test: remove duplicated flaky test: #​71967
• docs: Fix typo in cacheLife configs in use-cache docs: #​71921
• Fix use cache example line highlights: #​71883
• Allow breakpoints to be set in packages/next/src/compiled: #​71986
• updated upgrade to v15 command in docs: #​71643
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 5): #​71861
• Clarify that streaming is blocked on generateMetadata for initial load: #​71985
• Docs: Add legacy tags: #​71964
• Docs: Fix broken link: #​72021
• (docs) use cache: Add text code formatting: #​71999
• docs: update file structure: #​71951
• Documentation Fix: Correct cacheTag Function Usage: #​71912
• correct expire calc & and Nested usage import in use-cache docs: #​71899
• Docs: Address internal use cache comments : #​71981
• Fix swc version mismatch when checking out an older version: #​71978

Credits

Huge thanks to @​ytori, @​unstubbable, @​huozhi, @​SebassNoob, @​tatsuteb, @​Marukome0743, @​gnoff, @​samcx, @​devjiwonchoi, @​imprakharshukla, @​migueldamota, @​eps1lon, @​ztanner, @​timneutkens, @​cantemizyurek, @​sebmarkbage, @​padmaia, @​ijjk, @​styfle, @​wbinnssmith, @​feedthejim, @​kdy1, @​shuding, @​molebox, @​ismaelrumzan, @​sokra, @​bgw, @​timeyoutakeit, @​AdonisAgelis, @​chicoxyzzy, @​gaojude, @​elitalpa, @​t3dotgg, @​gaearon, @​nisabmohd, @​gadcam, @​delbaoliveira, @​bennettdams, @​wiscaksono, and @​Developerayo for helping!

v15.0.2

Compare Source

Core Changes

• Read page name from work store in server module map proxy: #​71669
• codemod: should not transform when param is not used: #​71664
• [dynamicIO] complete refactor to prerender: #​71687
• fix: metadata image route normalize path posix for windows: #​71673
• next-codemod(upgrade): optional catch when missing dev script: #​71598
• Avoid server action function indirection in Turbopack: #​71628
• fix: exclude basePath in findSourceMapURL: #​71719
• fix: stack frame text color in dark mode: #​71656
• Fix: revert the bad node binary handling: #​71723
• next-codemod: add empty pnpm-workspace.yaml to test fixtures to bypass PNPM workspace checks: #​71726
• warn on sync access if dynamicIO is not enabled: #​71696
• Update React from 69d4b800-20241021 to 45804af1-20241021: #​71718
• next-upgrade: do not add --turbopack flag when --turbo exists in next dev: #​71730
• feat: stitch errors with react owner stack: #​70393
• [dynamicIO] update data access error and documentation: #​71738
• Test cached form action with revalidate: #​71591
• Upgrade React from 45804af1-20241021 to 28668d39-20241023: #​71745
• Fix race condition when setting client reference manifests: #​71741
• Fix fetch with no-store inside of use cache: #​71754
• Remove the bottom collapse button in dev overlay: #​71658
• [dynamicIO] unify cache filling and lazy-module warming: #​71749
• Don't filter out source location frames through RSC: #​71752
• fix undefined default export error msg: #​71762
• Upgrade React from 28668d39-20241023 to 1631855f-20241023: #​71769
• Enable owner stack in experimental build: #​71716
• feat: add experiment for sharpjs cpu flags: #​71733
• fix: handle server component replay error in error overlay: #​71772
• Don't error asking for prebuilt bundles: #​71778
• Replace turbopack://[project]/... sourcemap uris with file://... in development: #​71489
• misc: update source map paths for bundled Next.js runtime: #​71779
• [dynamicIO] refine error message and docs: #​71781
• next-upgrade: change --turbo to --turbopack if applicable: #​71737
• Show all diff when uncollapse: #​71792
• Sourcemap errors in terminal by default : #​71444
• Fully enable custom error callbacks for app router: #​71794
• Simplify Server Action Webpack plugin: #​71721
• ensure DIO development segment errors are cleared after correcting: #​71811
• Include sourceframe in errors logged in the terminal during development: #​71803
• [dynamicIO] update prerender cache scoping and cache warming for validation: #​71822
• only force stack frame color in tty: #​71860
• Add test for fetch with auth in use cache: #​71768
• Fix race with hot-reloader-client clearing overlay errors: #​71771
• Fix dynamic tracking in dev: #​71867
• Revert "Sourcemap errors in terminal by default (#​71444)": #​71868
• Fix fetch caching inside of "use cache": #​71793
• Trace upload: only send traces for current session: #​71838
• Reland "Sourcemap errors in terminal by default": #​71877
• Implement information byte in Server Reference ID and other optimizations: #​71463
• fix: webpack build error on Windows: #​71943
• Run with --enable-source-maps by default in next dev: #​71820
• fix global-error styles: #​71914
• Use registerClientReference for ESM client component modules: #​71968
• Fix missing await of params when metadata is used with an image file: #​71871
• Upgrade React from 1631855f-20241023 to 02c0e824-20241028: #​71979
• Populate sourcemap ignoreList when Webpack is used: #​71821
• [dynamicIO] unify server and client prerender for non-ppr pathway: #​71764
• codemod: add separator to the parenthenese expr: #​71993
• Respect sourcemap's ignore list when printing errors in the terminal: #​71908
• fix console color to be compatible in chrome devtools: #​71939
• Delete obsolete codemod next-dynamic-access-named-export: #​72016
• fix: log the error instance modified extra location info: #​71930
• Compare error stack to dedupe error: #​71798

Example Changes

• experimental.instrumentationHook is not necessary anymore: #​71808
• Add Jude to nextjs team: #​71936

Misc Changes

• docs: fix broken link in Architecture/Turbopack documentation: #​71412
• test: migrate rest async api usage in tests: #​71663
• fix: docs for dynamic routing in next 15: #​71531
• Remove the 'new' keyword from the GET function sample code.: #​71671
• chore: fix wrong path of comments: #​71682
• docs(next-config): remove mention of appIsrStatus is on canary: #​71695
• react-sync: Ignore update notices from npm: #​71717
• Docs: Update default marker for fetch cache option: #​71728
• [docs] Fix page.tsx parameter types: #​71680
• [docs] Fix table.js containing TS code: #​71677
• docs(ppr): update note about ppr: #​71697
• docs lint: #​71748
• fixes error message asserts and lints: #​71747
• Fix docs for configuring Turbopack: #​71755
• docs(turbo): add experimental icon to turbo config section: #​71761
• feat(turbopack): Add __turbopack_original__ while tree shaking: #​71547
• test: re-enable test with note: #​71789
• Docs: Remove beta marker from Turbopack docs: #​71796
• Update docs 1: #​71812
• docs lint fixes: #​71813
• docs: remove "use cache" on before code snippet: #​71815
• Next docs broken links: #​71823
• [Turbopack] add optimization based on upper count: #​71606
• chore(turbo-tasks-backend): Use let instead of match for macro bindings: #​71756
• chore(turbo-tasks-backend): Remove collapsible-if lints: #​71758
• removing extra reference: #​71853
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 3): #​71665
• Update sync-dynamic-apis.mdx: #​71907
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 4): #​71804
• test: remove duplicated flaky test: #​71967
• docs: Fix typo in cacheLife configs in use-cache docs: #​71921
• Fix use cache example line highlights: #​71883
• Allow breakpoints to be set in packages/next/src/compiled: #​71986
• updated upgrade to v15 command in docs: #​71643
• codemod(turbopack): Rewrite Vc fields in structs as ResolvedVc (part 5): #​71861
• Clarify that streaming is blocked on generateMetadata for initial load: #​71985
• Docs: Add legacy tags: #​71964
• Docs: Fix broken link: #​72021
• (docs) use cache: Add text code formatting: #​71999
• docs: update file structure: #​71951
• Documentation Fix: Correct cacheTag Function Usage: #​71912
• correct expire calc & and Nested usage import in use-cache docs: #​71899
• Docs: Address internal use cache comments : #​71981
• Fix swc version mismatch when checking out an older version: #​71978

Credits

Huge thanks to @​ytori, @​unstubbable, @​huozhi, @​SebassNoob, @​tatsuteb, @​Marukome0743, @​gnoff, @​samcx, @​devjiwonchoi, @​imprakharshukla, @​migueldamota, @​eps1lon, @​ztanner, @​timneutkens, @​cantemizyurek, @​sebmarkbage, @​padmaia, @​ijjk, @​styfle, @​wbinnssmith, @​feedthejim, @​kdy1, @​shuding, @​molebox, @​ismaelrumzan, @​sokra, @​bgw, @​timeyoutakeit, @​AdonisAgelis, @​chicoxyzzy, @​gaojude, @​elitalpa, @​t3dotgg, @​gaearon, @​nisabmohd, @​gadcam, @​delbaoliveira, @​bennettdams, @​wiscaksono, and @​Developerayo for helping!

v15.0.1

Compare Source

Core Changes

• Reland "[dynamicIO] warn for disallowed dynamic in dev": #​71567
• next-upgrade: prompt (un)install only when there's a change: #​71308
• chore(next-codemod): remove @next/font from optional Next.js packages to install: #​71563
• [dynamicIO] Avoid triggering memory leak false positive with makeHangingPromise: #​71576
• Avoid triggering memory leak false positive with makeHangingPromise: #​71579
• Upgrade React from 65a56d0e-20241020 to 69d4b800-20241021: #​71568
• avoid logging stacks for internal errors: #​71575
• Avoid server action endpoint function indirection: #​71572
• fix: handle terminal color in chrome console: #​71581
• [dynamicIO] Update prerender to use Fizz prerender: #​71580
• misc(next-upgrade): reuse process.cwd() value: #​71558
• [dynamicIO]: dev navigations should show disallowed dynamic errors: #​71595
• next-lint: Use ESLint v9 by default: #​71371
• fix: prevent router errors from being logged on the client: #​71583
• fix: next package resolving in dev overlay: #​71632
• Improve type coverage of setup-dev-bundler: #​71443
• fix(turbo-tasks): Implement ValueDebugFormat for ResolvedVc: #​71173
• Add --turbopack CLI flag: #​71657
• [dynamicIO] detect metadata boundaries in dev using server component stacks: #​71666

Example Changes

• chore: Update with-supabase to be compatible with Nextjs 15: #​71631
• Update Sanity example to next v15: #​71640

Misc Changes

• docs(ppr): remove v14 mention for ppr: #​71498
• docs: fix upgrade codemod command: #​71578
• Turbopack: Always use blob: URLs for assets in middleware: #​71471
• fix: metadata image route Windows path escaping: #​71615
• fix: third-parties package peer dependency: #​71620
• Fix module_resolution: "nodenext" with mjs or cjs: #​71635
• react-sync: Automatically update peer dependencies in libraries: #​71636
• chore(docs): fix typo in image.mdx docs: #​71647
• docs: remove the canary note on instrumentation: #​71649
• test: fix async api tests: #​71652
• Enable source maps for pnpm debug: #​71653
• codemod(turbopack): Rewrite more Vc fields in structs as ResolvedVc: #​71172

Credits

Huge thanks to @​gnoff, @​devjiwonchoi, @​samcx, @​ztanner, @​unstubbable, @​huozhi, @​mischnic, @​lubieowoce, @​eps1lon, @​ivasilov, @​styfle, @​bgw, @​stipsan, and @​timneutkens for helping!

v15.0.0

Compare Source

Core Changes

• refactor: next-flight-client-module-loader return conditions: #​64348
• Fix Server Action error logs for unhandled POST requests: #​64315
• Shared Revalidate Timings: #​64370
• Freeze loaded manifests: #​64313
• test: skip turbopack build test: #​64356
• Fix: css in next/dynamic component in edge runtime: #​64382
• Fix more Turbopack build tests: #​64384
• use pathToFileUrl to make esm import()s work with absolute windows paths: #​64386
• Improve rendering performance: #​64408
• Fix the method prop case in Server Actions transform: #​64398
• fix(next-lint): update option --report-unused-disable-directives to --report-unused-disable-directives-severity: #​64405
• Revert "Fix: css in next/dynamic component in edge runtime": #​64442
• default fetchCache to no-store when force-dynamic is set: #​64145
• router restore should take priority over pending actions: #​64449
• Fix client boundary inheritance for barrel optimization: #​64467
• improve turborepo caching: #​64493
• Update font data: #​64481
• BREAKING CHANGE: remove deprecated analyticsId from config, and the corresponding performance-relayer files and tests: #​64199
• feat: strip traceparent header from cachekey: #​64499
• Fix typo in dynamic-rendering.ts: #​64365
• fix(next): global not-found not working on multi-root layouts: #​63053
• chore(next): add keywords on package.json: #​64173
• Fix DynamicServerError not being thrown in fetch: #​64511
• fix: lib/helpers/install.ts to better support pnpm and properly respect root argument: #​64418
• fix(next): Metadata.openGraph values not resolving basic values when type is set: #​63620
• disable production chunking in dev: #​64488
• update turbopack: #​64501
• Turbopack: Allow client components to be imported in app routes: #​64520
• refactor: remove always truthy flag: #​64522
• Turbopack: don’t show long internal stack traces on build errors: #​64427
• next/script: Correctly apply async and defer props: #​52939
• chore(next/font): update @​capsizecss/metrics package: #​64528
• feat: add information that revalidate interval is in seconds: #​64229
• Typo "Minifer" in config.ts: #​64359
• Enhance types for Node and Edge envionments: #​64454
• feat: Add a validation for postcss with useLightningcss: #​64379
• fix HMR for cases where chunking changes: #​64367
• perf: improve Pages Router server rendering performance: #​64461
• Fix cjs client components tree-shaking: #​64558
• fix refresh behavior for discarded actions: #​64532
• fix: filter out middleware requests in logging: #​64549
• chore: remove unused rust dependencies: #​62176
• fix(next-swc): correctly set wasm fallback for known target triples: #​64567
• memoize layout router context: #​64575
• fi

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

ERROR: This version of pnpm requires at least Node.js v18.12
The current version of Node.js is v16.14.2
Visit https://r.pnpm.io/comp to see the list of past pnpm versions with respective Node.js version support.