766148f9cd48c0e218acafcd0f15defc14871bf4
Sebastian "Sebbie" Silbermann
Wed May 6 19:06:11 2026 +0200
v16.2.5

---END---
0dd94836a8b43209fcfefa448c141683c22c1a27
Zack Tanner
Fri May 1 12:15:38 2026 -0700
fix: add explicit checks for RSC header (#83) (#98)
(cherry picked from commit 807e363b13cc9395aa74f75122d1d16b4a46dc1a)
---END---
d166096c399c4fc4e09cd2d1bf26dca6579a855d
Zack Tanner
Fri May 1 12:15:28 2026 -0700
fix proxy matching for segment prefetch URLs (#89) (#96)
* fix: proxy should match segment prefetches for canonical urls

* include .rsc handling
---END---
9d50c0b7190f59c470308578e12882788819f14c
Josh Story
Fri May 1 09:18:31 2026 -0700
Strip next-resume header from incoming requests (#92)
This header is used by proxies to perform a concatenating resume render for partial prerendering. It is never sent from the client so we can filter it out when running in a mode that does not have an intermediate proxy.
---END---
df7ab5ad72f046ac5f92781278b4d9128aac25a5
Zack Tanner
Wed Apr 29 10:17:30 2026 -0700
fix: skip internal param normalization in unsupported environments

---END---
ed41d1d454c3c09e215e1204f9e4f980fbb15897
Josh Story
Wed Apr 29 08:28:35 2026 -0700
Move htmlescape to shared/lib (#91)
we have auditing that server files aren't included in client chunks but the new htmlescape usage in next/script is causing that validation to fail. This refactors the utility into lib/shared
---END---
b4c6705c70a08fd82fbc6d140956528a8c30505b
JJ Kasper
Tue Apr 21 16:30:03 2026 -0700
Ignore malformed CSP nonce headers

---END---
5b194ee2d452744eb839856a670bdc33b03062c4
JJ Kasper
Tue Apr 21 13:36:26 2026 -0700
router-server: guard upgrade proxy against absolute-url SSRF (#77)
* test: add rewrite request smuggling coverage

* router-server: guard upgrade proxy against absolute-url SSRF

* test: relax rewrite smuggling socket timeout

* router-server: preserve local websocket upgrades

---END---
cb171d749412b27d1602efdae210c89a30851935
JJ Kasper
Tue Apr 21 12:36:19 2026 -0700
Fix i18n middleware matching for default-locale data routes (#82)
* Fix i18n middleware matching for default-locale data routes

* unskip node middleware on deploy
---END---
89e995431a2e7a50f64c5510813bee156038e973
Sebastian "Sebbie" Silbermann
Tue Apr 21 23:37:08 2026 +0200
[16.x] Type hardening and performance improvements (#80)

---END---
66f6017f157ae19eb30522105c789999de2de7af
Josh Story
Tue Apr 21 14:03:41 2026 -0700
Escape properties for beforeInteractive scripts (#86)
props set on a next/script with beforeInteractive are serialized as JSON into an inline script to be executed prior to hydration by Next.js. The props were not additionally escaped and if user input was rendered through a script it could allow for XSS. This has always been true if you pass user input into the script body or via dangerouslySetInnerHTML however and it is always the developer's responsibility to sanitize user input before rendering. However, wherever React has some automatic escaping to act as an additional defense against common mistakes leading to vulnerabilities like XSS, Next.js should mirror that because from the user's perspective it is not clear that React is not directly rendering the script props and content.

This change adds additional escaping so that serialized properties cannot break out of the script scope and execute unexpected payloads.
---END---
3d98505a24c0c5ab6406ee46913bc72f37690795
Hendrik Liebau
Wed May 6 14:49:29 2026 +0200
[backport] fix: preserve HTTP access fallbacks during prerender recovery (#93470)
Backports:

- #92231

---------

Co-authored-by: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Co-authored-by: Andrew Clark <git@andrewclark.io>
---END---
bb5ada6e38c48b0c0a13d6ab44ca4dc0698aa457
Hendrik Liebau
Wed May 6 14:07:02 2026 +0200
[backport] [test] Deflake `instant-navs-devtools` (#93534)
Backports:

- #91912
- #93365

---------

Co-authored-by: Sebastian "Sebbie" Silbermann <sebastian.silbermann@vercel.com>
---END---
f1c11203d51235dfa4c8b9771b6287e823418aad
Hendrik Liebau
Wed May 6 11:51:44 2026 +0200
[backport] Fix double-encoding of URL pathname parts in client param parsing (#93506)
Backports:

- #93491
---END---
2d08397b3d4e58b4e007232fbe4241eb09d6795b
Hendrik Liebau
Tue May 5 23:54:20 2026 +0200
[backport] fix accidental test duplication (#93507)

---END---
75d19ecbb31d5bc9f97f0ec893052a17fd2027d5
Josh Story
Tue May 5 14:54:04 2026 -0700
[backport] Include deployment id in `cacheHandlers` keys (#93471)
Backport #93453 to 16.2

How was this ever working for dev? In that case, `buildId =
"development"` and so it always uses the same cache key

Co-authored-by: Niklas Mischkulnig <4586894+mischnic@users.noreply.github.com>
---END---
7ab1e2e93dad22d3c9c1afe395915ef33b73e7cf
Benjamin Woodruff
Fri Apr 10 10:12:46 2026 -0700
CI: Download and run self-contained datadog-ci instead of using pnpm dlx or npx (#92546)
`pnpm dlx` isn't using a lockfile. Using the self-contained binary from
GitHub and validating the checksum lets us effectively pin `datadog-ci`
and all of its possible transitive dependencies.

This is a follow-up for
https://vercel.slack.com/archives/C0APPN2LC83/p1775073127894859

(cherry picked from commit 631fae951db74245c004a9fbb98ed8be8d2b6f21)

---END---
084f2bcf1947aee69aed418412647fae29ef7050
Zack Tanner
Mon Apr 27 09:31:05 2026 -0700
[ci]: trigger signed release commit via API (#93285)
Stacked on https://github.com/vercel/next.js/pull/93245

Commit signing is required for anything that lands on `canary`. Our
previous workflow of using a PAT to push a commit no longer works, since
that would have been an unsigned commit.

In #93245 we switched to an app token for release workflow steps. This
continues by:

- Telling Lerna to bump packages but not commit
- Creating a signed commit with the staged changes via GitHub's API
- Then running the publish flow

Test Plan:
Dry run
[here](https://github.com/vercel/next.js/actions/runs/25001287978/job/73211826479)
Commit
[here](https://github.com/vercel/next.js/commit/3a8456a62b56615e2f8c1d1e6e7b4e14ce89e078)

(cherry picked from commit 012fd7df4ba12f0699754125dc0226b6c99937a2)

---END---
a3bb370b00e505815a4a89e646aa69c9e105db8f
Zack Tanner
Mon Apr 27 07:55:43 2026 -0700
[ci]: app-based release workflow (#93245)
Moves all release workflows off of a GH PAT and uses an app with a
short-lived token instead.

Test Plan:
Dry run
[here](https://github.com/vercel/next.js/actions/runs/24934593874).

However, this workflow is blocked until we figure out commit signing for
the bot app. Some options:
- The bot account generates a signing key and we use it in CI (not
great, bypasses the app)
- The org bypasses signature verification for the bot user (also not
great, requires an exemption rule)
- We need to rework the commit step so Lerna does not do the push, and
instead trigger it via the app + GH API. This seems like the best
option, will be added in a follow-up PR.

Note: `create-release-branch` workflow is broken in its current form, as
we will not be restoring administrator privileges to adjust environment
settings. This will become a manual step in the future.

(cherry picked from commit e69de2ffaf31743f6c015a1c645e913c8e59a436)

---END---
6e23383c562586021042c84683fc2794b79f1ca3
Zack Tanner
Tue Apr 21 11:23:06 2026 -0700
[ci]: add environment to publishRelease flow (#93093)
Moves the `environment` into `publishRelease` rather than
`trigger_release` since the actual action we want to create environment
rules for is the publish step.

(cherry picked from commit 2b846de4c59b5e47a28432e49106322c34915891)

---END---
f40b8876e68777c8b76d18c51187ebb7427c411d
Zack Tanner
Mon Apr 20 11:17:33 2026 -0700
[ci]: remove publish token in favor of OIDC (#93065)
Switches from a long-lived token to trusted publishing OIDC flow. This requires a bump to Node (for feature support). Otherwise just dropping unnecessary envs.

(cherry picked from commit 129896c2e462156cd4e0b7395d3e9861ce6204ae)

---END---
f6bda26ef9b96443f479c0ed952f1d05c19b1549
JJ Kasper
Mon Apr 27 12:28:09 2026 -0700
Fix fallback route params case in app-page handler (#93109)
## Summary
- backport the fallback route params fix from #91737 onto `next-16-2`
- preserve intermediate shells that suspend only for unresolved fallback
params during staged rendering
- add the missing `resolvedRouteParamKeys` request metadata needed by
this branch
---END---
70defda2a852a3428437e1d79ee1e3503095f47c
Zack Tanner
Thu Apr 23 18:53:07 2026 -0700
[ci]: switch to GitHub runners (#93164)
Switch CI from self-hosted runners to GitHub-hosted runners and fix the
follow-up issues that showed up once the hosted jobs were exercised.

- Move Linux workflows onto `ubuntu-latest-16-core-oss`, Windows
workflows onto `windows-latest-8-core-oss`, and the native mac release
lane onto `macos-15-intel`.
- Update the reusable build workflow to work in hosted environments by
relying on `runner.os` instead of label string matching, and by removing
the hardcoded `/home/runner` `fnm` path.
- Make Turbo/sccache configuration explicit for hosted runners:
  - unify on `vtest314-next-adapter-e2e-tests`
- pass `TURBO_TOKEN` via workflow env/secrets instead of assuming
runner-level env
- switch Turbo cache mode to `local:rw,remote:rw` so jobs still have
local cache behavior when remote cache is unavailable
- Update the `sccache` action defaults/docs to use the hosted-runner
secret setup (`TURBO_TOKEN`) instead of the old self-hosted token
wiring.
- Make Datadog reporting fail open so missing `DATA_DOG_API_KEY` does
not block CI.
- Fix the CLI reserved-port test so it asserts Next’s own `-p 1`
validation instead of failing earlier on hosted Linux due to
privileged-port binding.
- Replace the live `musl.cc` dependency in `native-builder.Dockerfile`
with musl sysroots imported from GHCR-hosted `rust-musl-cross` images,
keeping the existing `/opt/*-cross` layout used by the Linux native
build scripts.
- Fix the macOS native build workaround so it applies to all
*-apple-darwin targets based on the Cargo target OS rather than the host
architecture, which avoids napi-build injecting the unsupported -Wl
linker arg when @next/swc is linked with rust-lld on hosted mac runners.

Test Plan:
- This PR's CI
- This
[build_and_deploy](https://github.com/vercel/next.js/actions/runs/24865715983/job/72801225722)
job running on every arch

---END---
af0e96ba231efe9f647cb5cd6f01d7c8abd25b3a
Zack Tanner
Wed Mar 18 12:17:31 2026 -0700
Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
In a deployed environment, `onCacheEntryV2` determines whether a
postponed response is HTML-origin or RSC-origin by checking whether
meta.url ends with `.rsc`.

For some dynamic full-route RSC requests, Next was passing a URL with
query params into onCacheEntry, for example:
`/[tenant]/samples.rsc?nxtPtenant=tenant-x`

Because that string does not end with .rsc, `onCacheEntryV2`
misclassified the request as HTML and treated it as text/html instead of
an RSC response.

This PR normalizes the URL before passing it to `onCacheEntry`, so the
callback receives the pathname rather than the full URL-with-query.

---------

Co-authored-by: JJ Kasper <jj@jjsweb.site>

---END---
2cdb7ed34f5b21782517cd40615ad5bc34b35923
Zack Tanner
Tue Apr 21 18:25:31 2026 -0700
[tests]: fix cache-components.test.ts type error (#93113)
Fixes a type error on canary after merging two PRs that touched the same
test.
---END---
8cd3fdc1117d158255450a95471abdfb900a8fbe
JJ Kasper
Tue Mar 24 14:57:10 2026 -0700
test: scope css data-url typing to fixture (#91877)
In the latest TypeScript version these imports now fail, so updating the
assertion to handle them

x-ref:
https://github.com/vercel/next.js/actions/runs/23508766037/job/68431989897#step:35:443
---END---
6fd09bf8ab44ba22b798c6a965a3eb7e98c67dcd
JJ Kasper
Tue Apr 21 14:34:14 2026 -0700
Patch setHeader for direct route handlers (#93101)
## Summary
- apply the `setHeader` cookie-support patch to direct route module
handlers in `prepare()`
- make `patchSetHeaderWithCookieSupport()` idempotent so both entry
paths can call it safely
- add an adapter-like direct RSC regression test that fails without the
patch

Closes: NEXT-4919

## Testing
- `NEXT_SKIP_ISOLATE=1 NEXT_TEST_MODE=start pnpm testheadless
test/e2e/app-dir/cache-components/cache-components.test.ts -t "should
ignore late setHeader calls for direct RSC handlers after headers are
sent"`

<!-- NEXT_JS_LLM_PR -->
---END---
688ed31e210d81ab7d0dee57afae807fa00ff162
Zack Tanner
Tue Apr 21 13:55:58 2026 -0700
Strengthen _rsc cache-busting param (#92755)
This updates `_rsc` cache-busting param generation to use a stronger
digest so different RSC request variants are much less likely to produce
the same value.

It also updates the related request-validation and injected
resume/instant-test paths so they continue to generate and validate the
same `_rsc` values across client, server, and edge-reachable codepaths.
---END---
62ef3050964c1f460245e04f53f8eb959a8cfaf0
Steven
Thu Apr 16 19:36:50 2026 -0400
fix(next/image): ensure `images.maximumResponseBody` applies to local images too (#92920)
In a previous PR https://github.com/vercel/next.js/pull/88183, we added
`images.maximumResponseBody` but it only applied to external images.

This PR ensures the same config also applies to internal images.

---END---
15341fdf495d23b525e011f7eb91b62dd627664f
JJ Kasper
Mon Apr 13 16:26:34 2026 -0700
Ensure x-nextjs-data header is only set during resolve (#92752)
Makes sure we set this header during route resolving so the user request
doesn't need to.
---END---
