commit 766148f9cd48c0e218acafcd0f15defc14871bf4
Author: Sebastian "Sebbie" Silbermann <sebastian.silbermann@vercel.com>
Date:   Wed May 6 19:06:11 2026 +0200

    v16.2.5

 lerna.json                                   |  2 +-
 packages/create-next-app/package.json        |  2 +-
 packages/eslint-config-next/package.json     |  4 ++--
 packages/eslint-plugin-internal/package.json |  2 +-
 packages/eslint-plugin-next/package.json     |  2 +-
 packages/font/package.json                   |  2 +-
 packages/next-bundle-analyzer/package.json   |  2 +-
 packages/next-codemod/package.json           |  2 +-
 packages/next-env/package.json               |  2 +-
 packages/next-mdx/package.json               |  2 +-
 packages/next-playwright/package.json        |  2 +-
 packages/next-plugin-storybook/package.json  |  2 +-
 packages/next-polyfill-module/package.json   |  2 +-
 packages/next-polyfill-nomodule/package.json |  2 +-
 packages/next-routing/package.json           |  2 +-
 packages/next-rspack/package.json            |  2 +-
 packages/next-swc/package.json               |  2 +-
 packages/next/package.json                   | 14 +++++++-------
 packages/react-refresh-utils/package.json    |  2 +-
 packages/third-parties/package.json          |  4 ++--
 pnpm-lock.yaml                               | 16 ++++++++--------
 21 files changed, 36 insertions(+), 36 deletions(-)

commit 0dd94836a8b43209fcfefa448c141683c22c1a27
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Fri May 1 12:15:38 2026 -0700

    fix: add explicit checks for RSC header (#83) (#98)
    
    (cherry picked from commit 807e363b13cc9395aa74f75122d1d16b4a46dc1a)

 packages/next/src/build/templates/app-page.ts      |  6 ++++--
 packages/next/src/server/app-render/app-render.tsx |  3 ++-
 packages/next/src/server/base-server.ts            |  5 +++--
 .../next/src/server/lib/is-rsc-request.test.ts     | 18 ++++++++++++++++
 packages/next/src/server/lib/is-rsc-request.ts     |  9 ++++++++
 .../src/server/lib/router-utils/resolve-routes.ts  |  3 ++-
 packages/next/src/server/web/adapter.ts            |  3 ++-
 .../cdn-cache-busting/cdn-cache-busting.test.ts    | 25 ++++++++++++++++++++++
 8 files changed, 65 insertions(+), 7 deletions(-)

commit d166096c399c4fc4e09cd2d1bf26dca6579a855d
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Fri May 1 12:15:28 2026 -0700

    fix proxy matching for segment prefetch URLs (#89) (#96)
    
    * fix: proxy should match segment prefetches for canonical urls
    
    * include .rsc handling

 .../build/analysis/get-page-static-info.test.ts    | 53 ++++++++++++++++++++--
 .../src/build/analysis/get-page-static-info.ts     | 23 ++++++++--
 2 files changed, 69 insertions(+), 7 deletions(-)

commit 9d50c0b7190f59c470308578e12882788819f14c
Author: Josh Story <story@hey.com>
Date:   Fri May 1 09:18:31 2026 -0700

    Strip next-resume header from incoming requests (#92)
    
    This header is used by proxies to perform a concatenating resume render for partial prerendering. It is never sent from the client so we can filter it out when running in a mode that does not have an intermediate proxy.

 packages/next/src/server/lib/server-ipc/utils.ts                       | 1 +
 .../app-dir/max-postponed-state-size/max-postponed-state-size.test.ts  | 3 +++
 2 files changed, 4 insertions(+)

commit df7ab5ad72f046ac5f92781278b4d9128aac25a5
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Wed Apr 29 10:17:30 2026 -0700

    fix: skip internal param normalization in unsupported environments

 .../next/src/server/route-modules/route-module.ts  |  8 ++++++-
 .../required-server-files/middleware-node.js       |  3 +++
 .../required-server-files/middleware.js            |  3 +++
 .../required-server-files.test.ts                  | 25 ++++++++++++++++++++++
 4 files changed, 38 insertions(+), 1 deletion(-)

commit ed41d1d454c3c09e215e1204f9e4f980fbb15897
Author: Josh Story <story@hey.com>
Date:   Wed Apr 29 08:28:35 2026 -0700

    Move htmlescape to shared/lib (#91)
    
    we have auditing that server files aren't included in client chunks but the new htmlescape usage in next/script is causing that validation to fail. This refactors the utility into lib/shared

 packages/next/src/client/script.tsx                                  | 2 +-
 packages/next/src/pages/_document.tsx                                | 2 +-
 .../metadata-insertion/create-server-inserted-metadata.tsx           | 2 +-
 packages/next/src/server/app-render/use-flight-response.tsx          | 5 ++++-
 packages/next/src/{server => shared/lib}/htmlescape.ts               | 0
 test/unit/htmlescape.test.ts                                         | 2 +-
 6 files changed, 8 insertions(+), 5 deletions(-)

commit b4c6705c70a08fd82fbc6d140956528a8c30505b
Author: JJ Kasper <jj@jjsweb.site>
Date:   Tue Apr 21 16:30:03 2026 -0700

    Ignore malformed CSP nonce headers

 .../get-script-nonce-from-header.test.ts           | 28 ++++++++++++++++
 .../app-render/get-script-nonce-from-header.tsx    | 38 +++++-----------------
 .../create-server-inserted-metadata.test.ts        | 12 +++++++
 .../create-server-inserted-metadata.tsx            |  6 +++-
 .../src/server/app-render/use-flight-response.tsx  |  4 +--
 packages/next/src/server/htmlescape.ts             | 17 ++++++++++
 .../subresource-integrity.test.ts                  | 18 +++++-----
 7 files changed, 82 insertions(+), 41 deletions(-)

commit 5b194ee2d452744eb839856a670bdc33b03062c4
Author: JJ Kasper <jj@jjsweb.site>
Date:   Tue Apr 21 13:36:26 2026 -0700

    router-server: guard upgrade proxy against absolute-url SSRF (#77)
    
    * test: add rewrite request smuggling coverage
    
    * router-server: guard upgrade proxy against absolute-url SSRF
    
    * test: relax rewrite smuggling socket timeout
    
    * router-server: preserve local websocket upgrades

 packages/next/src/server/lib/router-server.ts      | 21 ++++---
 .../rewrite-request-smuggling.test.ts              | 70 +++++++++++++++++++++-
 2 files changed, 82 insertions(+), 9 deletions(-)

commit cb171d749412b27d1602efdae210c89a30851935
Author: JJ Kasper <jj@jjsweb.site>
Date:   Tue Apr 21 12:36:19 2026 -0700

    Fix i18n middleware matching for default-locale data routes (#82)
    
    * Fix i18n middleware matching for default-locale data routes
    
    * unskip node middleware on deploy

 .../src/server/lib/router-utils/resolve-routes.ts  |  15 +++
 test/e2e/middleware-general/test/index.test.ts     |  33 ++++++-
 test/e2e/middleware-matcher/index.test.ts          | 106 +++++++++++++++++++++
 3 files changed, 150 insertions(+), 4 deletions(-)

commit 89e995431a2e7a50f64c5510813bee156038e973
Author: Sebastian "Sebbie" Silbermann <sebastian.silbermann@vercel.com>
Date:   Tue Apr 21 23:37:08 2026 +0200

    [16.x] Type hardening and performance improvements (#80)

 ...ver-dom-turbopack-client.browser.development.js |  2 +-
 ...rver-dom-turbopack-client.browser.production.js |  2 +-
 ...server-dom-turbopack-client.edge.development.js |  2 +-
 ...-server-dom-turbopack-client.edge.production.js |  2 +-
 ...server-dom-turbopack-client.node.development.js |  2 +-
 ...-server-dom-turbopack-client.node.production.js |  2 +-
 ...ver-dom-turbopack-server.browser.development.js | 64 ++++++++-------
 ...rver-dom-turbopack-server.browser.production.js | 62 +++++++-------
 ...server-dom-turbopack-server.edge.development.js | 76 ++++++++++-------
 ...-server-dom-turbopack-server.edge.production.js | 74 ++++++++++-------
 ...server-dom-turbopack-server.node.development.js | 94 ++++++++++++++--------
 ...-server-dom-turbopack-server.node.production.js | 92 +++++++++++++--------
 ...ver-dom-turbopack-client.browser.development.js |  6 +-
 ...rver-dom-turbopack-client.browser.production.js |  2 +-
 ...server-dom-turbopack-client.edge.development.js |  2 +-
 ...-server-dom-turbopack-client.edge.production.js |  2 +-
 ...server-dom-turbopack-client.node.development.js |  2 +-
 ...-server-dom-turbopack-client.node.production.js |  2 +-
 ...ver-dom-turbopack-server.browser.development.js | 64 ++++++++-------
 ...rver-dom-turbopack-server.browser.production.js | 62 +++++++-------
 ...server-dom-turbopack-server.edge.development.js | 76 ++++++++++-------
 ...-server-dom-turbopack-server.edge.production.js | 74 ++++++++++-------
 ...server-dom-turbopack-server.node.development.js | 94 ++++++++++++++--------
 ...-server-dom-turbopack-server.node.production.js | 92 +++++++++++++--------
 ...erver-dom-webpack-client.browser.development.js |  2 +-
 ...server-dom-webpack-client.browser.production.js |  2 +-
 ...t-server-dom-webpack-client.edge.development.js |  2 +-
 ...ct-server-dom-webpack-client.edge.production.js |  2 +-
 ...t-server-dom-webpack-client.node.development.js |  2 +-
 ...ct-server-dom-webpack-client.node.production.js |  2 +-
 ...erver-dom-webpack-server.browser.development.js | 64 ++++++++-------
 ...server-dom-webpack-server.browser.production.js | 62 +++++++-------
 ...t-server-dom-webpack-server.edge.development.js | 76 ++++++++++-------
 ...ct-server-dom-webpack-server.edge.production.js | 74 ++++++++++-------
 ...t-server-dom-webpack-server.node.development.js | 94 ++++++++++++++--------
 ...ct-server-dom-webpack-server.node.production.js | 92 +++++++++++++--------
 ...erver-dom-webpack-client.browser.development.js |  6 +-
 ...server-dom-webpack-client.browser.production.js |  2 +-
 ...t-server-dom-webpack-client.edge.development.js |  2 +-
 ...ct-server-dom-webpack-client.edge.production.js |  2 +-
 ...t-server-dom-webpack-client.node.development.js |  2 +-
 ...ct-server-dom-webpack-client.node.production.js |  2 +-
 ...erver-dom-webpack-server.browser.development.js | 64 ++++++++-------
 ...server-dom-webpack-server.browser.production.js | 62 +++++++-------
 ...t-server-dom-webpack-server.edge.development.js | 76 ++++++++++-------
 ...ct-server-dom-webpack-server.edge.production.js | 74 ++++++++++-------
 ...t-server-dom-webpack-server.node.development.js | 94 ++++++++++++++--------
 ...ct-server-dom-webpack-server.node.production.js | 92 +++++++++++++--------
 48 files changed, 1148 insertions(+), 756 deletions(-)

commit 66f6017f157ae19eb30522105c789999de2de7af
Author: Josh Story <story@hey.com>
Date:   Tue Apr 21 14:03:41 2026 -0700

    Escape properties for beforeInteractive scripts (#86)
    
    props set on a next/script with beforeInteractive are serialized as JSON into an inline script to be exectuted prior to hydration by Next.js. The props were not additionally escaped and if user input was rendered as through a script it could allow fro XSS. This has alwways been true if you pass user input into the script body or via dangerouslySetInnHTML however and it is always the developers responsibility to sanitize user input before rendering. However wherever React has some automatic escaping to act as an additional defense against common mistakes leading to vulnerabilities like XSS Next.js should mirror that becasue from the user's perspective it is not clear that React is not directly rendering the script props and content.
    
    This change adds additional escaping so that serialized properties cannot break out of the script scope and execute unexpected payloads.

 packages/next/src/client/script.tsx                | 15 ++--
 .../script-before-interactive-xss/app/layout.tsx   |  8 ++
 .../script-before-interactive-xss/app/page.tsx     | 45 ++++++++++
 .../app/xss-detector.tsx                           | 99 ++++++++++++++++++++++
 .../script-before-interactive-xss/next.config.js   |  6 ++
 .../public/xss-src.js                              |  2 +
 .../script-before-interactive-xss.test.ts          | 48 +++++++++++
 7 files changed, 215 insertions(+), 8 deletions(-)

commit 3d98505a24c0c5ab6406ee46913bc72f37690795
Author: Hendrik Liebau <mail@hendrik-liebau.de>
Date:   Wed May 6 14:49:29 2026 +0200

    [backport] fix: preserve HTTP access fallbacks during prerender recovery (#93470)
    
    Backports:
    
    - #92231
    
    ---------
    
    Co-authored-by: Zack Tanner <1939140+ztanner@users.noreply.github.com>
    Co-authored-by: Andrew Clark <git@andrewclark.io>

 packages/next/src/server/app-render/app-render.tsx | 135 ++++++++++++++++++---
 .../src/server/app-render/collect-segment-data.tsx |  20 +++
 .../server/app-render/create-component-tree.tsx    |  96 +++++++++++----
 .../app/cases/not-found-suspense/layout.tsx        |  17 +++
 .../app/cases/not-found-suspense/not-found.tsx     |   3 +
 .../app/cases/not-found-suspense/page.tsx          |   7 ++
 .../cache-components/cache-components.test.ts      |  14 +++
 7 files changed, 255 insertions(+), 37 deletions(-)

commit bb5ada6e38c48b0c0a13d6ab44ca4dc0698aa457
Author: Hendrik Liebau <mail@hendrik-liebau.de>
Date:   Wed May 6 14:07:02 2026 +0200

    [backport] [test] Deflake `instant-navs-devtools` (#93534)
    
    Backports:
    
    - #91912
    - #93365
    
    ---------
    
    Co-authored-by: Sebastian "Sebbie" Silbermann <sebastian.silbermann@vercel.com>

 .../instant-navs-devtools.test.ts                  | 29 ++++++++++++++--------
 1 file changed, 18 insertions(+), 11 deletions(-)

commit f1c11203d51235dfa4c8b9771b6287e823418aad
Author: Hendrik Liebau <mail@hendrik-liebau.de>
Date:   Wed May 6 11:51:44 2026 +0200

    [backport] Fix double-encoding of URL pathname parts in client param parsing (#93506)
    
    Backports:
    
    - #93491

 packages/next/src/client/route-params.ts           | 30 +++++++--
 .../encoded-slash-params/app/[slug]/page.tsx       | 16 +++++
 .../encoded-slash-params/app/layout.tsx            |  8 +++
 .../encoded-slash-params/app/page.tsx              | 27 ++++++++
 .../components/link-accordion.tsx                  | 33 ++++++++++
 .../encoded-slash-params.test.ts                   | 77 ++++++++++++++++++++++
 .../encoded-slash-params/next.config.js            |  8 +++
 7 files changed, 193 insertions(+), 6 deletions(-)

commit 2d08397b3d4e58b4e007232fbe4241eb09d6795b
Author: Hendrik Liebau <mail@hendrik-liebau.de>
Date:   Tue May 5 23:54:20 2026 +0200

    [backport] fix accidental test duplication (#93507)

 test/e2e/rewrite-request-smuggling/next.config.js  |  13 --
 test/e2e/rewrite-request-smuggling/pages/index.tsx |   3 -
 .../rewrite-request-smuggling.test.ts              | 234 ---------------------
 3 files changed, 250 deletions(-)

commit 75d19ecbb31d5bc9f97f0ec893052a17fd2027d5
Author: Josh Story <gnoff@storyposted.com>
Date:   Tue May 5 14:54:04 2026 -0700

    [backport] Include deployment id in `cacheHandlers` keys (#93471)
    
    Backport #93453 to 16.2
    
    How was this ever working for dev? In that case, `buildId =
    "development"` and so it always uses the same cache key
    
    Co-authored-by: Niklas Mischkulnig <4586894+mischnic@users.noreply.github.com>

 packages/next/src/build/index.ts                   |   2 +
 packages/next/src/build/static-paths/app.ts        |   3 +
 packages/next/src/build/templates/app-route.ts     |   2 +
 packages/next/src/build/utils.ts                   |   3 +
 packages/next/src/export/routes/app-route.ts       |   4 +-
 packages/next/src/export/worker.ts                 |   3 +-
 packages/next/src/server/app-render/app-render.tsx |   2 +
 .../app-render/work-async-storage.external.ts      |   4 ++
 .../next/src/server/async-storage/work-store.ts    |   7 +++
 packages/next/src/server/dev/next-dev-server.ts    |   1 +
 .../next/src/server/dev/static-paths-worker.ts     |   3 +
 .../src/server/route-modules/app-route/module.ts   |   2 +
 .../next/src/server/use-cache/use-cache-wrapper.ts |   2 +-
 packages/next/src/server/web/adapter.ts            |   2 +
 .../src/server/web/edge-route-module-wrapper.ts    |   1 +
 .../use-cache-cross-deployment/app/layout.tsx      |  16 ++++++
 .../use-cache-cross-deployment/app/page.tsx        |  26 +++++++++
 .../app/prerender/page.tsx                         |  21 +++++++
 .../app-dir/use-cache-cross-deployment/handler.js  |  35 ++++++++++++
 .../use-cache-cross-deployment/next.config.js      |  16 ++++++
 .../use-cache-cross-deployment/public/favicon.ico  | Bin 0 -> 15086 bytes
 .../use-cache-cross-deployment.test.ts             |  62 +++++++++++++++++++++
 22 files changed, 214 insertions(+), 3 deletions(-)

commit 7ab1e2e93dad22d3c9c1afe395915ef33b73e7cf
Author: Benjamin Woodruff <benjamin.woodruff@vercel.com>
Date:   Fri Apr 10 10:12:46 2026 -0700

    CI: Download and run self-contained datadog-ci instead of using pnpm dlx or npx (#92546)
    
    `pnpm dlx` isn't using a lockfile. Using the self-contained binary from
    GitHub and validate the checksum lets us effectively pin `datadog-ci`
    and all of its possible transitive dependencies.
    
    This is a follow-up for
    https://vercel.slack.com/archives/C0APPN2LC83/p1775073127894859
    
    (cherry picked from commit 631fae951db74245c004a9fbb98ed8be8d2b6f21)

 .github/actions/setup-datadog-ci/action.yml   | 37 +++++++++++++++++++++++++++
 .github/workflows/build_and_deploy.yml        | 12 +++++++--
 .github/workflows/build_reusable.yml          |  8 ++++--
 .github/workflows/test_e2e_deploy_release.yml | 11 ++++++--
 4 files changed, 62 insertions(+), 6 deletions(-)

commit 084f2bcf1947aee69aed418412647fae29ef7050
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Mon Apr 27 09:31:05 2026 -0700

    [ci]: trigger signed release commit via API (#93285)
    
    Stacked on https://github.com/vercel/next.js/pull/93245
    
    Commit signing is required for anything that lands on `canary`. Our
    previous workflow of using a PAT to push a commit no longer works, since
    that would have been an unsigned commit.
    
    In #93245 we switched to an app token for release workflow steps. This
    continues by:
    
    - Telling Lerna to bump packages but not commit
    - Creating a signed commit with the staged changes via GitHub's API
    - Then running the publish flow
    
    Test Plan:
    Dry run
    [here](https://github.com/vercel/next.js/actions/runs/25001287978/job/73211826479)
    Commit
    [here](https://github.com/vercel/next.js/commit/3a8456a62b56615e2f8c1d1e6e7b4e14ce89e078)
    
    (cherry picked from commit 012fd7df4ba12f0699754125dc0226b6c99937a2)

 scripts/release-github-api.js | 349 ++++++++++++++++++++++++++++++++++++++++++
 scripts/start-release.js      |  45 ++++--
 2 files changed, 380 insertions(+), 14 deletions(-)

commit a3bb370b00e505815a4a89e646aa69c9e105db8f
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Mon Apr 27 07:55:43 2026 -0700

    [ci]: app-based release workflow (#93245)
    
    Moves all release workflows off of a GH PAT and uses an app with a
    short-lived token instead.
    
    Test Plan:
    Dry run
    [here](https://github.com/vercel/next.js/actions/runs/24934593874).
    
    However, this workflow is blocked until we figure out commit signing for
    the bot app. Some options:
    - The bot account generates a signing key and we use it in CI (not
    great, bypasses the app)
    - The org bypasses signature verification for the bot user (also not
    great, requires an exemption rule)
    - We need to rework the commit step so Lerna does not do the push, and
    instead trigger it via the app + GH API. This seems like the best
    option, will be added in a follow-up PR.
    
    Note: `create-release-branch` workflow is broken in its current form, as
    we will not be restoring administrator privileges to adjust environment
    settings. This will become a manual step in the future.
    
    (cherry picked from commit e69de2ffaf31743f6c015a1c645e913c8e59a436)

 .github/workflows/build_and_deploy.yml      | 12 ++++-
 .github/workflows/create_release_branch.yml | 34 ++++++++++---
 .github/workflows/trigger_release.yml       | 33 +++++++++++--
 scripts/create-release-branch.js            | 28 ++++++-----
 scripts/publish-release.js                  |  8 +++-
 scripts/release-github-auth.js              | 74 +++++++++++++++++++++++++++++
 scripts/start-release.js                    | 55 +++++++++++----------
 7 files changed, 191 insertions(+), 53 deletions(-)

commit 6e23383c562586021042c84683fc2794b79f1ca3
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Tue Apr 21 11:23:06 2026 -0700

    [ci]: add environment to publishRelease flow (#93093)
    
    Moves the `environment` into `publishRelease` rather than
    `trigger_release` since the actual action we want to create environment
    rules for is the publish step.
    
    (cherry picked from commit 2b846de4c59b5e47a28432e49106322c34915891)

 .github/workflows/build_and_deploy.yml | 26 +++++++++++++++++++++++++-
 .github/workflows/trigger_release.yml  |  1 -
 2 files changed, 25 insertions(+), 2 deletions(-)

commit f40b8876e68777c8b76d18c51187ebb7427c411d
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Mon Apr 20 11:17:33 2026 -0700

    [ci]: remove publish token in favor of OIDC (#93065)
    
    Switches from a long-lived token to trusted publishing OIDC flow. This requires a bump to Node (for feature support). Otherwise just dropping unnecessary envs.
    
    (cherry picked from commit 129896c2e462156cd4e0b7395d3e9861ce6204ae)

 .github/workflows/build_and_deploy.yml    |  7 ++-----
 .github/workflows/release-next-rspack.yml | 11 +++--------
 scripts/publish-release.js                |  5 -----
 3 files changed, 5 insertions(+), 18 deletions(-)

commit f6bda26ef9b96443f479c0ed952f1d05c19b1549
Author: JJ Kasper <jj@jjsweb.site>
Date:   Mon Apr 27 12:28:09 2026 -0700

    Fix fallback route params case in app-page handler (#93109)
    
    ## Summary
    - backport the fallback route params fix from #91737 onto `next-16-2`
    - preserve intermediate shells that suspend only for unresolved fallback
    params during staged rendering
    - add the missing `resolvedRouteParamKeys` request metadata needed by
    this branch

 packages/next/src/build/templates/app-page.ts      |  83 +++-
 packages/next/src/server/request-meta.ts           |   7 +
 .../src/server/request/fallback-params.test.ts     |  68 +++
 .../next/src/server/request/fallback-params.ts     |  32 ++
 packages/next/src/server/server-utils.test.ts      | 131 +++++
 packages/next/src/server/server-utils.ts           |  36 +-
 packages/next/src/shared/lib/router/routes/app.ts  |  17 +-
 .../(domains)/settings/domains/loading.tsx         |   7 +
 .../[project]/(domains)/settings/domains/page.tsx  |  88 ++++
 .../[project]/(domains)/settings/layout.tsx        |  14 +
 .../app/[teamSlug]/[project]/loading.tsx           |   5 +
 .../app/[teamSlug]/[project]/page.tsx              | 101 ++++
 .../app/[teamSlug]/[project]/settings/layout.tsx   |  14 +
 .../app/[teamSlug]/[project]/settings/page.tsx     |  69 +++
 .../app/api/revalidate-layout/route.ts             |  59 +++
 .../vary-params-base-dynamic/app/layout.tsx        |   8 +
 .../vary-params-base-dynamic/app/page.tsx          |  56 +++
 .../app/revalidate-actions.ts                      |  29 ++
 .../components/link-accordion.tsx                  |  35 ++
 .../components/revalidate-controls.tsx             | 129 +++++
 .../vary-params-base-dynamic/next.config.js        |  19 +
 .../vary-params-base-dynamic.test.ts               | 550 +++++++++++++++++++++
 .../vary-params/pages/api/revalidate.ts            |  22 +
 .../root-params-segment-prefetch.test.ts           |  61 +++
 test/e2e/rewrite-request-smuggling/next.config.js  |  13 +
 test/e2e/rewrite-request-smuggling/pages/index.tsx |   3 +
 .../rewrite-request-smuggling.test.ts              | 234 +++++++++
 27 files changed, 1860 insertions(+), 30 deletions(-)

commit 70defda2a852a3428437e1d79ee1e3503095f47c
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Thu Apr 23 18:53:07 2026 -0700

    [ci]: switch to GitHub runners (#93164)
    
    Switch CI from self-hosted runners to GitHub-hosted runners and fix the
    follow-up issues that showed up once the hosted jobs were exercised.
    
    - Move Linux workflows onto `ubuntu-latest-16-core-oss`, Windows
    workflows onto `windows-latest-8-core-oss`, and the native mac release
    lane onto `macos-15-intel`.
    - Update the reusable build workflow to work in hosted environments by
    relying on `runner.os` instead of label string matching, and by removing
    the hardcoded `/home/runner` `fnm` path.
    - Make Turbo/sccache configuration explicit for hosted runners:
      - unify on `vtest314-next-adapter-e2e-tests`
    - pass `TURBO_TOKEN` via workflow env/secrets instead of assuming
    runner-level env
    - switch Turbo cache mode to `local:rw,remote:rw` so jobs still have
    local cache behavior when remote cache is unavailable
    - Update the `sccache` action defaults/docs to use the hosted-runner
    secret setup (`TURBO_TOKEN`) instead of the old self-hosted token
    wiring.
    - Make Datadog reporting fail open so missing `DATA_DOG_API_KEY` does
    not block CI.
    - Fix the CLI reserved-port test so it asserts Next’s own `-p 1`
    validation instead of failing earlier on hosted Linux due to
    privileged-port binding.
    - Replace the live `musl.cc` dependency in `native-builder.Dockerfile`
    with musl sysroots imported from GHCR-hosted `rust-musl-cross` images,
    keeping the existing `/opt/*-cross` layout used by the Linux native
    build scripts.
    - Fix the macOS native build workaround s so it applies to all
    *-apple-darwin targets based on the Cargo target OS rather than the host
    architecture, which avoids napi-build injecting the unsupported -Wl
    linker arg when @next/swc is linked with rust-lld on hosted mac runners.
    
    Test Plan:
    - This PR's CI
    - This
    [build_and_deploy](https://github.com/vercel/next.js/actions/runs/24865715983/job/72801225722)
    job running on every arch

 .github/workflows/build_and_deploy.yml             | 92 ++++++----------------
 .github/workflows/build_and_test.yml               | 10 +--
 .github/workflows/build_reusable.yml               | 21 ++---
 .github/workflows/integration_tests_reusable.yml   |  4 +-
 .github/workflows/pull_request_stats.yml           | 13 ++-
 .github/workflows/setup-nextjs-build.yml           |  6 +-
 .../workflows/test-turbopack-rust-bench-test.yml   |  4 +-
 .github/workflows/test_e2e_deploy_release.yml      |  1 +
 .github/workflows/test_e2e_project_reset_cron.yml  |  7 +-
 .github/workflows/turbopack-benchmark.yml          | 13 +--
 crates/next-napi-bindings/build.rs                 | 12 +--
 test/integration/cli/test/index.test.ts            | 11 ++-
 12 files changed, 84 insertions(+), 110 deletions(-)

commit af0e96ba231efe9f647cb5cd6f01d7c8abd25b3a
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Wed Mar 18 12:17:31 2026 -0700

    Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
    
    In a deployed environment, `onCacheEntryV2` determines whether a
    postponed response is HTML-origin or RSC-origin by checking whether
    meta.url ends with `.rsc`.
    
    For some dynamic full-route RSC requests, Next was passing a URL with
    query params into onCacheEntry, for example:
    `/[tenant]/samples.rsc?nxtPtenant=tenant-x`
    
    Because that string does not end with .rsc, `onCacheEntryV2`
    misclassified the request as HTML and treated it as text/html instead of
    an RSC response.
    
    This PR normalizes the URL before passing it to `onCacheEntry`, so the
    callback receives the pathname rather than the full URL-with-query.
    
    ---------
    
    Co-authored-by: JJ Kasper <jj@jjsweb.site>

 packages/next/src/build/templates/app-page.ts      |  9 +++-
 .../app/[tenant]/layout.tsx                        | 52 ++++++++++++++++++
 .../app/[tenant]/samples/page.tsx                  | 63 ++++++++++++++++++++++
 .../ppr-root-param-rsc-fallback/app/layout.tsx     |  9 ++++
 .../ppr-root-param-rsc-fallback/next.config.js     | 11 ++++
 .../ppr-root-param-rsc-fallback.test.ts            | 41 ++++++++++++++
 6 files changed, 184 insertions(+), 1 deletion(-)

commit 2cdb7ed34f5b21782517cd40615ad5bc34b35923
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Tue Apr 21 18:25:31 2026 -0700

    [tests]: fix cache-components.test.ts type error (#93113)
    
    Fixes a type error on canary after merging two PRs that touched the same
    test.

 test/e2e/app-dir/cache-components/cache-components.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 8cd3fdc1117d158255450a95471abdfb900a8fbe
Author: JJ Kasper <jj@jjsweb.site>
Date:   Tue Mar 24 14:57:10 2026 -0700

    test: scope css data-url typing to fixture (#91877)
    
    In the latest TypeScript version these imports now fail so updating the
    assertion to handle them
    
    x-ref:
    https://github.com/vercel/next.js/actions/runs/23508766037/job/68431989897#step:35:443

 test/e2e/css-data-url-global-pages/data-url-css.d.ts | 2 ++
 1 file changed, 2 insertions(+)

commit 6fd09bf8ab44ba22b798c6a965a3eb7e98c67dcd
Author: JJ Kasper <jj@jjsweb.site>
Date:   Tue Apr 21 14:34:14 2026 -0700

    Patch setHeader for direct route handlers (#93101)
    
    ## Summary
    - apply the `setHeader` cookie-support patch to direct route module
    handlers in `prepare()`
    - make `patchSetHeaderWithCookieSupport()` idempotent so both entry
    paths can call it safely
    - add an adapter-like direct RSC regression test that fails without the
    patch
    
    Closes: NEXT-4919
    
    ## Testing
    - `NEXT_SKIP_ISOLATE=1 NEXT_TEST_MODE=start pnpm testheadless
    test/e2e/app-dir/cache-components/cache-components.test.ts -t "should
    ignore late setHeader calls for direct RSC handlers after headers are
    sent"`
    
    <!-- NEXT_JS_LLM_PR -->

 packages/next/src/server/lib/patch-set-header.ts   |  13 ++
 .../next/src/server/route-modules/route-module.ts  |   5 +
 .../cache-components/cache-components.test.ts      | 144 ++++++++++++++++++++-
 3 files changed, 161 insertions(+), 1 deletion(-)

commit 688ed31e210d81ab7d0dee57afae807fa00ff162
Author: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date:   Tue Apr 21 13:55:58 2026 -0700

    Strengthen _rsc cache-busting param (#92755)
    
    This updates `_rsc` cache-busting param generation to use a stronger
    digest so different RSC request variants are much less likely to produce
    the same value.
    
    It also updates the related request-validation and injected
    resume/instant-test paths so they continue to generate and validate the
    same `_rsc` values across client, server, and edge-reachable codepaths.

 packages/next/src/build/templates/app-page.ts      |  4 +-
 .../router-reducer/fetch-server-response.ts        |  4 +-
 .../set-cache-busting-search-param.test.ts         | 48 ++++++++++++
 .../set-cache-busting-search-param.ts              | 41 +++++++---
 .../next/src/server/app-render/action-handler.ts   | 21 +++--
 packages/next/src/server/base-server.ts            | 23 +++++-
 .../server/stream-utils/node-web-streams-helper.ts | 15 ++--
 .../lib/router/utils/cache-busting-search-param.ts | 89 +++++++++++++++++++---
 test/e2e/app-dir/app-prefetch/prefetching.test.ts  | 28 ++++---
 test/e2e/app-dir/app-validation/validation.test.ts | 56 +++++++++++++-
 test/e2e/app-dir/ppr-full/ppr-full.test.ts         | 16 ++--
 .../resume-data-cache/resume-data-cache.test.ts    |  7 +-
 .../rewrite-headers/rewrite-headers.test.ts        |  2 +-
 .../sub-shell-generation-middleware.test.ts        |  2 +-
 14 files changed, 287 insertions(+), 69 deletions(-)

commit 62ef3050964c1f460245e04f53f8eb959a8cfaf0
Author: Steven <steven@ceriously.com>
Date:   Thu Apr 16 19:36:50 2026 -0400

    fix(next/image): ensure `images.maximumResponseBody` applies to local images too (#92920)
    
    In a previous PR https://github.com/vercel/next.js/pull/88183, we added
    `images.maximumResponseBody` but in only applied to external images.
    
    This PR ensures the same config also applies to internal images.

 packages/next/errors.json                          |   3 +-
 packages/next/src/server/image-optimizer.ts        |  27 ++++
 packages/next/src/server/lib/mock-request.ts       |  37 ++++-
 packages/next/src/server/next-server.ts            |   1 +
 .../image-optimizer/fetch-internal-image.test.ts   | 152 +++++++++++++++++++++
 5 files changed, 215 insertions(+), 5 deletions(-)

commit 15341fdf495d23b525e011f7eb91b62dd627664f
Author: JJ Kasper <jj@jjsweb.site>
Date:   Mon Apr 13 16:26:34 2026 -0700

    Ensure x-nextjs-data header is only set during resolve (#92752)
    
    Makes sure we set this header during route resolving so user request
    doesn't need to.

 .../next/src/server/lib/router-utils/resolve-routes.ts | 18 +++++++++++++++---
 packages/next/src/server/lib/server-ipc/utils.ts       |  1 +
 test/e2e/middleware-general/test/index.test.ts         | 13 +++++++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)
