chore(deps): update dependency next to v16 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	^15.2.3 → ^16.0.10

GitHub Vulnerability Alerts

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

---

Release Notes

vercel/next.js (next)

v16.0.10

Compare Source

v16.0.9

Compare Source

v16.0.8

Compare Source

v16.0.7

Compare Source

v16.0.6

Compare Source

v16.0.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(nodejs-middleware): await for body cloning to be properly finalized (#​85418)

Credits

Huge thanks to @​lucasadrianof for helping!

v16.0.4

Compare Source

v16.0.3

Compare Source

Core Changes

• fix: Rspack throw error when using ForceCompleteRuntimePlugin: #​85221
• fix: build CLI output not displaying Proxy (Middleware) when nodejs runtime: #​85403
• fix: staleTimes.static should consistently enforce a 30s minimum: #​85479
• [turbopack] fix build of empty entries of pages: #​84873
• Cache the head separately from the route tree: #​84724
• Allow inspecting dev server on default port with next dev --inspect: #​85037
• Avoid proxying React modules through workUnitStore: #​85486
• fix: redirect should always return updated router state: #​85533
• Upgrade React from b4455a6e-20251027 to 4f931700-20251029: #​85518
• [turbopack] Move generation of cacheLife types out of the webpack plugin and into the dev bundler directly: #​85539
• Ensure user-space stack frame for 'use cache' in page/layout component: #​85519
• Update parallel routes in build-complete: #​85546
• fully remove clientSegmentCache flag: #​85541
• [turbopack] Support relative paths in turbopack source maps.: #​85146
• Release unnecessary memory on hydration finish: #​84967
• Preserve interception markers in parameter types: #​85526
• move segment cache entries to top level segment-cache dir: #​85542
• Upgrade React from 4f931700-20251029 to 561ee24d-20251101: #​85670
• [devtools] Remove title from preferences: #​85698
• Update font data: #​85708
• Don't invalidate hot reloader excessively during dev server boot: #​85732
• [codemod] fix: next-lint-to-eslint-cli did not handle 'next' plugin: #​85749
• Upgrade React from 561ee24d-20251101 to 67f7d47a-20251103: #​85762
• Tracing: Fix memory leak in span map: #​85529
• Fix documentation typo in refresh function: #​85696
• fix: eslint-config-next types was exporting to dist/src: #​85768
• Upgrade React from 67f7d47a-20251103 to f646e8ff-20251104: #​85772
• remove unused RSC payload property: #​85746
• [runtime prefetching]: fix runtime prefetching when deployed: #​85595
• Turbopack: next build --analyze: #​85197
• Build: Log amount of workers during static generation: #​85706
• Upgrade React from f646e8ff-20251104 to dd048c3b-20251105: #​85819
• Sync devFallbackParams when generateStaticParams change: #​85741
• chore: upgrade rspack 1.6.0: #​84210
• [mcp] get_routes mcp tool: #​85773
• Split each path param into a separate cache key : #​85758
• [turbopack] change server source maps in production to use relative paths: #​85576
• fix: skip collecting metadata for app-error in webpack: #​85892
• fix: support root span attributes with a custom server: #​85521
• fix isDynamicRSC condition when deployed: #​85919
• [turbopack] Make it possible to synchronously access native bindings: #​85787
• Upgrade React from dd048c3b-20251105 to fa50caf5-20251107: #​85906
• Fix telemetry event loss on build failures and server shutdown: #​85867
• Remove one stack frame from 'use cache' call stacks: #​85966
• Upgrade React from fa50caf5-20251107 to 52684925-20251110: #​85980
• Deployment adapter: fix metadata for "/" route: #​85820
• Enable React's default Transition indicator behind a flag: #​86000
• update routes-manifest to include whether app has pages routes: #​86051

Misc Changes

• chore: Add opt-level = s for not frequently used crates: #​85426
• [test] Deflake cache-components-allow-otel-spans: #​85466
• [test] Move remaining experimental.cacheLife: #​85467
• Turbopack: chore: Remove mopa dependency in turbo-tasks (2nd attempt): #​85286
• Update Proxy docs: #​85439
• [CNA] Do not prompt for Turbopack: #​85404
• Clean up new release process: #​85458
• Update E2E tests workflow: #​85485
• Update E2E deploy tests manifest: #​85483
• docs: example are incorrect async function exports only: #​85453
• [test] Handle CLI assertions where no "Compiling..." log is present: #​85499
• [test] Speed up refresh test: #​85505
• [test] Add test cases for dynamic caches without suspense boundaries: #​85500
• docs: Routes are wrapped w/ Activity in Cache Components: #​85309
• docs: GET handler behavior under cache components: #​85389
• [test] Avoid needless start/stop from using createSandbox: #​85507
• [test] Use --debug-build-paths instead of NEXT_PRIVATE_APP_PATHS: #​85504
• docs: revalidateTag requires second argument: #​85284
• Refactor GTM implementation to support google tag gateway: #​81011
• Update Rspack production test manifest: #​85494
• Update Rspack development test manifest: #​85495
• [docs] Fix a typo: #​85492
• [test] Regenerate tsconfig.json files: #​85515
• [Turbopack] clean up completion.rs a bit: #​84863
• [test] Remove maxRetries and hardError parameters: #​85536
• Turbopack: remove the .into() alias to .cell(): #​85516
• [test] Consolidate identical snapshots across different bundlers: #​85532
• [turbopack] Change where cells are created in resolve_raw to make cell allocation order deterministic.: #​85525
• Turbopack: Make tasks deterministic: #​85524
• [test] Separate act and assertions: #​85508
• [test] assert* -> waitFor* when the util is not instant: #​85450
• Turbopack: move whole_app_module_graphs to top level: #​84897
• [test] Bail on sending requests to Next.js instance if it's no longer available: #​85557
• [test] Deflake tests comparing two random numbers: #​85571
• [test] Disallow custom RegExp-like implementations in check: #​85537
• [test] Deflake prerender suite: #​85563
• Turbopack: chore: Remove some dead MagicAny serialization code from turbo_tasks::value: #​85577
• [test]: fix broken scroll restoration test: #​85599
• [test] Deflake nested after() tests: #​85566
• [test] Stop installing unused dependencies: #​85569
• [test] Consider test/integration/ in flake detection tests: #​85590
• Turbopack: more checks on verify_serialization: #​84952
• Turbopack: add track_caller to improve panics: #​85565
• Turbopack: add verify_determinism feature to check if tasks are deterministic: #​85559
• docs: cache life rework: #​85224
• Turbopack: fix hanging dev server and builds with fs cache: #​85606
• Turbopack: Fix compound assignment expression evaluation (#​85478): #​85593
• Turbopack: fix Scope holding Arc too long: #​85611
• [ci] Improve change detection logic in run-for-change script: #​85619
• [test] Ignore in deploy tests if a child process isn't available: #​85636
• Turbopack: add size_hint and len for Chunk iterator: #​85622
• [test]: move resume-data-cache to e2e test: #​85647
• Update Rspack development test manifest: #​85662
• Update Rspack production test manifest: #​85661
• Update Rspack production test manifest: #​85688
• Update Rspack development test manifest: #​85689
• [test] Deflake root-optional-revalidate: #​85584
• docs: fix generateImageMetadata example to use normal params object: #​85658
• Turbopack: Upgrade image crate: #​85084
• docs: update multi sitemap argumenmt type: #​85701
• [test] Move all files to .ts (6/6): #​85641
• Turbopack: add a batch add method to the storage: #​84270
• docs: recommend reverse-proxy when self-hosting: #​85650
• [test] Deflake prefetching.stale-times: #​85733
• [test] Deflake custom cache handler test: #​85610
• [test] Allow CLI integration test to be retryable: #​85586
• docs: update docs to mention ESLint as default: #​85740
• docs(next.config): this docs should remove ".mts" is not supported.: #​85716
• Turbopack: cleanup StyleSheetLike: #​85718
• Turbopack: disable tree shaking for tracing: #​85722
• [test] Move all files to .ts (3/6): #​85638
• [test] Move all files to .ts (2/6): #​85637
• [test] Move all files to .ts (1/6): #​85634
• docs: generateSitemap passes id as promise: #​85767
• [test] Move all files to .ts (4/6): #​85639
• docs: disclosure on path-to-regexp: #​85629
• chore: update rspack binding to 1.6.0: #​85717
• Turbopack: trace worker_threads worker entry: #​85734
• Update Rspack development test manifest: #​85761
• Turbopack: chore: Remove extern crate and macro_use syntax: #​85778
• [turbopack] Drop duration and allocation tracking from CaptureFuture: #​85534
• Turbopack: chore: Remove dead RouteMatcher stuff: #​85784
• docs: fresh up getting started 00: #​85736
• Turbopack: chore: Remove the serde_regex dependency, which wasn't very heavily used: #​85578
• Turbopack: use batch add in connect children: #​85623
• [test] Move all files to .ts (5/6): #​85640
• [test] Deflake legacy-link-behavior: #​85805
• Resolve request ID confusion: #​85809
• Turbopack: use batch add to add initial followers: #​85624
• Turbopack: chore: Remove dead experimental.ppr struct field: #​85792
• Turbopack: chore: Avoid string clones in Glob::parse by using RcStr: #​85579
• Update Rspack production test manifest: #​85795
• docs: getting started updates 01: #​85750
• chore: Update patricia_tree dependency, remove manual serde impls: #​85785
• docs: keywords in system reqs and add browserslist: #​85838
• Honour NEXT_TEST_PREFER_OFFLINE in install-native.mjs: #​85850
• Turbopack: chore: Update anyhow, remove old backtrace feature: #​85844
• Turbopack: Remove some dead (or useless) code from next-core/src/next_client_reference/visit_client_reference.rs: #​85843
• sort dependencies for smaller diffs: #​82291
• Update Rspack development test manifest: #​85846
• Turbopack: Remove non_operation_vc_strongly_consistent feature usage from next-api: #​85874
• Turbopack: remove the streaming hack for improved stability: #​85858
• test: Port clean-distdir integration test to the modern e2e test framework: #​85828
• Update font data: #​85920
• Update deploy manifest: #​85924
• Turbopack: chore: Merge turbo-tasks-macros-shared crate into turbo-tasks-macros: #​85917
• Turbopack: Fix IO concurrency for MacOS: #​85861
• Add Appwrite Sites to supported adapters: #​85830
• [turbopack] Remove LocalTaskType::Native, it is dead: #​85480
• [test] Increase response timeout in next.browserWithResponse(): #​85911
• Hoist inner 'use cache' functions to reduce function allocations: #​85904
• docs: eslint config update: #​85969
• Fix Turbopack local font font-family declaration: #​85913
• switch to slice in createRuntimePrefetchTransformStream: #​85822
• Update authentication.mdx: Fix Auth0 Link: #​85953
• Turbopack: remove unused function: #​85974
• docs: cacheHandlers: #​85311
• docs: Feedback item on proxy default: #​86004
• [test] Add missing test fixtures for cacheLife & cacheTag in client: #​85872
• Fix false-positive build error for cacheLife & cacheTag: #​85875
• [cna] For pnpm ignore postinstall from sharp and unrs-resolver: #​83168
• Turbopack: refactor evaluate to take module_graph: #​85971
• Turbopack: remove duplicate traversal implementations: #​85853
• Omit unused encryptActionBoundArgs/decryptActionBoundArgs imports: #​86015
• Turbopack: cleanup db log and add verbose option: #​85965
• [ci]: fix retry_deploy_test workflow: #​85981
• Fix typo in documentation: #​86054

Credits

Huge thanks to @​kdy1, @​eps1lon, @​SyMind, @​bgw, @​swarnava, @​devjiwonchoi, @​ztanner, @​ijjk, @​huozhi, @​icyJoseph, @​acdlite, @​unstubbable, @​gnoff, @​gusfune, @​vercel-release-bot, @​lukesandberg, @​sokra, @​hayes, @​shuding, @​wyattjoh, @​marjan-ahmed, @​timneutkens, @​ajstrongdev, @​zigang93, @​mischnic, @​Nayeem-XTREME, @​hamirmahal, @​eli0shin, @​tessamero, @​gaojude, @​jamesdaniels, @​georgesfarah, and @​timeyoutakeit for helping!

v16.0.2

Compare Source

[!NOTE]
This version includes no code or feature changes. To get the latest change, please look for the next patch release v16.0.3 or next@​latest

v16.0.1

Compare Source

v16.0.0

Compare Source

v15.5.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#​85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#​89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#​82340)
• Turbopack: support pattern into exports field (#​82757)
• NFT tracing fixes (#​84155 and #​85323)
• Turbopack: validate CSS without computing all paths (#​83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#​89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

v15.5.10

Compare Source

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.5.9

Compare Source

v15.5.8

Compare Source

v15.5.7

Compare Source

v15.5.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: don't define process.cwd() in node_modules #​83452

Credits

Huge thanks to @​mischnic for helping!

v15.5.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Split code-frame into separate compiled package (#​84238)
• Add deprecation warning to Runtime config (#​84650)
• fix: unstable_cache should perform blocking revalidation during ISR revalidation (#​84716)
• feat: experimental.middlewareClientMaxBodySize body cloning limit (#​84722)
• fix: missing next/link types with typedRoutes (#​84779)

Misc Changes

• docs: early October improvements and fixes (#​84334)

Credits

Huge thanks to @​devjiwonchoi, @​ztanner, and @​icyJoseph for helping!

v15.5.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: ensure onRequestError is invoked when otel enabled (#​83343)
• fix: devtools initial position should be from next config (#​83571)
• [devtool] fix overlay styles are missing (#​83721)
• Turbopack: don't match dynamic pattern for node_modules packages (#​83176)
• Turbopack: don't treat metadata routes as RSC (#​82911)
• [turbopack] Improve handling of symlink resolution errors in track_glob and read_glob (#​83357)
• Turbopack: throw large static metadata error earlier (#​82939)
• fix: error overlay not closing when backdrop clicked (#​83981)
• Turbopack: flush Node.js worker IPC on error (#​84077)

Misc Changes

• [CNA] use linter preference (#​83194)
• CI: use KV for test timing data (#​83745)
• docs: september improvements and fixes (#​83997)

Credits

Huge thanks to @​yiminghe, @​huozhi, @​devjiwonchoi, @​mischnic, @​lukesandberg, @​ztanner, @​icyJoseph, @​leerob, @​fufuShih, @​dwrth, @​aymericzip, @​obendev, @​molebox, @​OoMNoO, @​pontasan, @​styfle, @​HondaYt, @​ryuapp, @​lpalmes, and @​ijjk for helping!

v15.5.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: validation return types of pages API routes (#​83069)
• fix: relative paths in dev in validator.ts (#​83073)
• fix: remove satisfies keyword from type validation to preserve old TS compatibility (#​83071)

Credits

Huge thanks to @​bgub for helping!

v15.5.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: disable unknownatrules lint rule entirely (#​83059)
• revert: add ?dpl to fonts in /_next/static/media (#​83062)

Credits

Huge thanks to @​bgub and @​ztanner for helping!

v15.5.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: aliased navigations should apply scroll handling (#​82900)
• Turbopack: fix invalid NFT entry with file behind symlink (#​82887)
• fix: typesafe linking to route handlers and pages API routes (#​82858)
• fix: change "noUnknownAtRules" to "warn" for Biome (#​82974)
• fix: add path normalization to getRelativePath for Windows (#​82918)
• feat: add typesafety with config.typedRoutes to redirect() and permanentRedirect() (#​82860)
• fix: avoid importing types that will be unused (#​82856)
• fix: update the config.api.responseLimit type (#​82852)
• fix: update validation return types (#​82854)

Credits

Huge thanks to @​bgub, @​mischnic, and @​ztanner for helping!

v15.5.0

Compare Source

Core Changes

• Use and enforce exhaustive switch statements for work unit store: #​81577
• Enable @typescript-eslint/switch-exhaustiveness-check rule: #​81583
• [dynamicIO] use RSC dynamicness to control partial vs complete PPR result: #​81627
• [dynamicIO] Do not use React.unstable_postpone(): #​81652
• feat: new detachable panel UI: #​81483
• Turbopack: content-hash PageLoaderAsset: #​81450
• [segment explorer] fix content overflow styling: #​81649
• Improve reliability of owner stacks for async I/O errors: #​81501
• fix(router): Prevent redirect loop on root data requests with basePath: #​81096
• Ensure custom NextServer config is honored: #​81681
• Fix before interactive incorrectly render css: #​81146
• perf: memorize exclude function in webpack config: #​81525
• Also enforce experimental features when there's no next config file: #​81679
• feat(next/image): warn when images.qualities is undefined: #​81690
• feat(build): optimize filterUniqueParamsCombinations to generate sub-combinations: #​81321
• Update NextAdapter type and re-export: #​81692
• upgrade to path-to-regexp@​6.3.0: #​80123
• [metadata] replace for initial body icon case: #​81688
• [segment explorer] remove dev panel ui flag: #​81670
• Simplify running test apps locally with ppr or dynamicIO enabled: #​81668
• [turbopack] Return cached Promise from __turbopack_load_by_url__ : #​81663
• Upgrade React from 97cdd5d3-20250710 to 2f0e7e57-20250715: #​81678
• Delete unused renderToString function: #​81707
• Discard prerendered route handler data from FS cache after revalidation: #​81611
• Upgrade React from 2f0e7e57-20250715 to d85ec5f5-20250716: #​81708
• Ignore pending revalidations during prerendering: #​81621
• [turbopack] Clear chunk cache on HMR instead of creating new next-server VM: #​81664
• fix: rootParams should throw in client when fallbackParams are not present: #​81711
• perf(build): optimize buildAppStaticPaths performance and add helper function: #​81386
• Turbopack: Support string without options for @​next/mdx: #​81713
• [Segment Cache] Support dynamic head prefetching: #​81677
• [sourcemaps] Consistent cursor columns: #​81375
• fix: revert client segment route changes for sub shell generation: #​81731
• fix: pages router metadata bugs with React 19: #​81733
• Improve error handling for headers/cookies/draftMode in 'use cache': #​81716
• [devtool] fix duplicate rendered indicator on server: #​81729
• [devtool] enable segment explorer by default: #​81737
• [turbopack] Stop exposing globals from Turbopack runtime: #​81727
• Remove unnecessary await: #​81761
• [chore] bump zod to latest v3: #​81757
• feat(turbopack): Log anonymized internal error (panic) information to telemetry: #​81272
• fix: revert client segment route changes for sub shell generation: #​81740
• bugfix: static resources staleTime should be renewed once refetched: #​81771
• [devtool] move font styling to global.css: #​81782
• [devtool] copy decoded info of error details: #​81735
• fix(build): add sourcePage context for PPR dynamic route lambda creation: #​81781
• refactor: rename experimental.dynamicIO to experimental.cacheComponents: #​81562
• Properly handle hanging promise rejections during prerendering: #​81754
• Upgrade React from d85ec5f5-20250716 to dffacc7b-20250717: #​81767
• Refactor: Get rid of overly generic getExpectedRequestStore function: #​81791
• [devtool] migrate css reset to global.css: #​81783
• [dev-tools] Robust shortcut detection: #​81756
• [segment explorer] hide for pages router: #​81813
• [devtool] fix scrollbar styling: #​81814
• fix(ppr): ensure fallback route params trigger dynamic resume: #​81812
• [devtools] restart server pending state: #​80858
• Turbopack: fix dist dir on Windows: #​81758
• fix: remove boundary sentinel from RSC responses: #​81857
• [sourcemaps] Try VM for retrieving source maps first: #​81869
• [devtools] save user config inside .next/cache: #​81807
• Server: Remove unused code: #​81886
• refactor: encapsulate content type within RenderResult: #​81861
• refactor: handle null RenderResult responses gracefully: #​81895
• Upgrade React from dffacc7b-20250717 to e9638c33-20250721: #​81899
• chore(devtools): sync todos to linear: #​81901
• Introduce 'use cache: private': #​81816
• chore(deps): update browserslist: #​81851
• Remove web-server from edge-ssr-app: #​81389
• Stabilize node middleware support: #​81907
• Add run-turbopack-compiler trace span: #​81917
• fix: support calling onClose multiple times in edge-ssr-app: #​81911
• fix: logging the correct process for listened port: #​81903
• Build: Include rewrites in manifest generation: #​81894
• Routing: Clean up some code: #​81932
• [sourcemaps] Ensure codeframe when calling Client Functions from Server: #​81918
• [segment explorer] missing file suggestion: #​81617
• [turbopack] Always print trace labels in headers: #​81728
• Revert "[metadata] use https protocol for schema urls": #​81934
• Upgrade React from e9638c33-20250721 to 7513996f-20250722: #​81940
• Upgrade to swc v33: #​81750
• Remove extra base-server code: #​81944
• Turbopack: flatten sourceInfo to avoid objects, reorder args, compress node.js entry: #​81545
• Fix dynamicParams false layout case in dev: #​81990
• Initial MCP implementation: #​81770
• Fix: Unresolved param in x-nextjs-rewritten-query: #​81991
• Turbopack: Add an option to use system TLS certificates (fixes #​79060, fixes #​79059): #​81818
• Turbopack: Remove unused proxy option in turbo-tasks-fetch, lightly document HTTP_PROXY/HTTPS_PROXY environment variables: #​81905
• Upgrade React from 7513996f-20250722 to edac0dde-20250723: #​81984
• [devtools] Cleanup folder structure: #​82012
• [devtools] Fix "open in editor" for locations in stackframes: #​82013
• [Segment Cache] Fix: Key by rewritten search: #​81986
• Upgrade vercel og and remove yoga type patching: #​81937
• [perf] cache load config results: #​80570
• Turbopack: use prototype for turbopack context for better runtime performance: #​81547
• [reactcompiler] Test with latest RC: #​82002
• [devtools] Fix various exhaustive-deps violations: #​82010
• [devtools] Apply React Compiler to Next.js DevTools source: #​82004
• Upgrade React from edac0dde-20250723 to 3d14fcf0-20250724: #​82020
• Adjusted the warning message to be more descriptive: #​82054
• Track fallback params on workUnitStore: #​82003
• Fix API stripping JSON incorrectly: #​82061
• Upgrade React from 3d14fcf0-20250724 to 19baee81-20250725: #​82063
• use FetchStrategy to control prefetching behavior everywhere: #​82032
• [Segment Cache] set fetchStrategy on segments from a dynamic request: #​82059
• Revert "Upgrade vercel og and remove yoga type patching (#​81937)": #​82066
• Optimize segment data routes: #​82033
• Turbopack: write tasks doesn't need to be session dependent, as effects will restore: #​78727
• [sourcemaps] Fully sourcemap stacks on the Server: #​81904
• fix(Rspack): use loaderContext.utils.contextify to replace ModuleFilenameHelpers.createFilename: #​82104
• next/root-params: #​80255
• fix(next/image): fix image-optimizer.ts headers: #​82114
• Upgrade React from 19baee81-20250725 to eaee5308-20250728: #​82120
• Fix validateRSCRequestHeaders incorrect redirect: #​82119
• fix(next/image): improve and simplify detect-content-type: #​82118
• [CacheComponents] Use fallback params when validating dynamic routes in dev: #​82069
• Extract getDynamicParam to a shared module: #​82137
• Fix i18n fallback: false collision: #​82136
• [segment explorer] normalize path when running inside monorepo: #​82146
• [segment explorer] windows compatibility: #​82147
• Upgrade React from eaee5308-20250728 to 9be531cd-20250729: #​82159
• Ensure setAssetPrefix updates config instance: #​82160
• Revert "Fix tracing of server actions imported by client components (#​78968): #​82161
• Remove useMDXComponents argument: #​80871
• Fix RSC hash validation for middleware external rewrites: #​82176
• @next/codemod: update docs url in README: #​82135
• @next/codemod: Add experimental.turbo to turbopack codemod for Next.js configs: #​82134
• refactor: lowercase app router header values: #​82169
• Strip internals from NextRequest types: #​82172
• allow

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	c1a23ef
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/697f724a5c5d74000890aa3f

[github-actions]

🚀 Performance Test Results

Test Configuration:

• VUs: 4
• Duration: 1m0s

Test Metrics:

• Requests/s: 41.44
• Iterations/s: 13.83
• Failed Requests: 0.00% (0 of 2493)

📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 900 kB 15 kB/s
     data_sent......................: 1.9 MB 32 kB/s
     http_req_blocked...............: avg=7.63µs  min=2.27µs   med=5.81µs   max=1.1ms    p(90)=7.07µs   p(95)=7.69µs  
     http_req_connecting............: avg=488ns   min=0s       med=0s       max=474.15µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=95.86ms min=8.47ms   med=79.62ms  max=577.58ms p(90)=165.41ms p(95)=187.31ms
       { expected_response:true }...: avg=95.86ms min=8.47ms   med=79.62ms  max=577.58ms p(90)=165.41ms p(95)=187.31ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2493
     http_req_receiving.............: avg=92.75µs min=26.53µs  med=78.66µs  max=2.51ms   p(90)=108.22µs p(95)=136.15µs
     http_req_sending...............: avg=35.35µs min=10.35µs  med=27.77µs  max=2.96ms   p(90)=38.46µs  p(95)=49.34µs 
     http_req_tls_handshaking.......: avg=0s      min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=95.73ms min=8.28ms   med=79.51ms  max=577.48ms p(90)=165.32ms p(95)=187.2ms 
     http_reqs......................: 2493   41.440411/s
     iteration_duration.............: avg=288.9ms min=184.56ms med=276.29ms max=1.11s    p(90)=350.75ms p(95)=385.8ms 
     iterations.....................: 832    13.830093/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4