chore(deps): update dependency next to v14.2.7 [security]

[apalchys]

This PR contains the following updates:

Package	Type	Update	Change
next			13.4.3 -> 14.2.7
next (source)	dependencies	major	13.4.3 -> 14.2.7

GitHub Vulnerability Alerts

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

• The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
• The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-56332

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

---

Release Notes

vercel/next.js

v14.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Revert "chore: externalize undici for bundling" (#​65727)
• Refactor internal routing headers to use request meta (#​66987)
• fix(next): add cross origin in react dom preload (#​67423)
• build: upgrade edge-runtime (#​67565)
• GTM dataLayer parameter should take an object, not an array of strings (#​66339)
• fix: properly patch lockfile against swc bindings (#​66515)
• Add deployment id header for rsc payload if present (#​67255)
• Update font data (#​68639)
• fix i18n data pathname resolving (#​68947)
• pages router: ensure x-middleware-cache is respected (#​67734)
• Fix bad modRequest in flight entry manifest #​68888
• Reject next image urls in image optimizer #​68628
• Fix hmr assetPrefix escaping and reuse logic from other files #​67983

Credits

Huge thanks to @​kjugi, @​huozhi, @​ztanner, @​SukkaW, @​marlier, @​Kikobeats, @​syi0808, @​ijjk, and @​samcx for helping!

v14.2.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Ensure fetch cache TTL is updated properly (#​69164)

v14.2.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• avoid merging global css in a way that leaks into other chunk groups (#​67373)
• Fix server action edge redirect with middleware rewrite (#​67148)
• fix(next): reject protocol-relative URLs in image optimization (#​65752)
• fix(next-swc): correct path interop to filepath for wasm (#​65633)
• Use addDependency to track metadata route file changes (#​66714)
• Fix noindex is missing on static not-found page (#​67135)
• perf: improve retrieving versionInfo on Turbo HMR (#​67309)
• fix(next/image): handle invalid url (#​67465)
• fix(next): initial prefetch cache not set properly with different search params (#​65977)
• fix: Backport class properties fix (#​67377)
• Upgrade acorn (#​67592)

Misc

• Log stdio for pull-turbo-cache script (#​66759)
• Ensure turbo is setup when building in docker (#​66804)

Credits

Huge thanks to @​devjiwonchoi, @​ijjk, @​emmerich, @​huozhi, @​kdy1, @​kwonoj, @​styfle, and @​sokra for helping!

v14.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: ensure route handlers properly track dynamic access (#​66446)
• fix NextRequest proxy in edge runtime (#​66551)
• Fix next/dynamic with babel and src dir (#​65177)
• Use vercel deployment url for metadataBase fallbacks (#​65089)
• fix(next/image): detect react@19 for fetchPriority prop (#​65235)
• Fix loading navigation with metadata and prefetch (#​66447)
• prevent duplicate RSC fetch when action redirects (#​66620)
• ensure router cache updates reference the latest cache values (#​66681)
• Prevent append of trailing slash in cases where path ends with a file extension (#​66636)
• Fix inconsistency with 404 getStaticProps cache-control (#​66674)
• Use addDependency to track metadata route file changes (#​66714)
• Add timeout/retry handling for fetch cache (#​66652)
• fix: app-router prefetch crash when an invalid URL is passed to Link (#​66755)

Credits

Huge thanks to @​ztanner, @​ijjk, @​wbinnssmith, @​huozhi, and @​lubieowoce for helping!

v14.2.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix: resolve mixed re-exports module as cjs (#​64681)
• fix: mixing namespace import and named import client components (#​64809)
• Fix mixed exports in server component with barrel optimization (#​64894)
• Fix next/image usage in mdx(#​64875)
• fix(fetch-cache): fix additional typo, add type & data validation (#​64799)
• prevent erroneous route interception during lazy fetch (#​64692)
• fix root page revalidation when redirecting in a server action (#​64730)
• fix: remove traceparent from cachekey should not remove traceparent from original object (#​64727)
• Clean-up fetch metrics tracking (#​64746)

Credits

Huge thanks to @​huozhi, @​samcx, @​ztanner, @​Jeffrey-Zutt, and @​ijjk for helping!

v14.2.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix Server Action error logs for unhandled POST requests (#​64315)
• Improve rendering performance (#​64408)
• Fix the method prop case in Server Actions transform (#​64398)
• fix(next-lint): update option --report-unused-disable-directives to --report-unused-disable-directives-severity (#​64405)
• tweak test for Azure (#​64424)
• router restore should take priority over pending actions (#​64449)
• Fix client boundary inheritance for barrel optimization (#​64467)
• improve turborepo caching (#​64493)
• feat: strip traceparent header from cachekey (#​64499)
• Fix more Turbopack build tests
• Update lockfile for compatibility with turbo (#​64360)
• Fix typo in dynamic-rendering.ts (#​64365)
• Fix DynamicServerError not being thrown in fetch (#​64511)
• fix(next): Metadata.openGraph values not resolving basic values when type is set (#​63620)
• disable production chunking in dev (#​64488)
• Fix cjs client components tree-shaking (#​64558)
• fix refresh behavior for discarded actions (#​64532)
• fix: filter out middleware requests in logging (#​64549)
• Turbopack: Allow client components to be imported in app routes (#​64520)
• Fix ASL bundling for dynamic css (#​64451)
• add pathname normalizer for actions (#​64592)
• fix incorrect refresh request when basePath is set (#​64589)
• test: skip turbopack build test (#​64356)
• hotfix(turbopack): Update with patch for postcss.config.js path resolution on Windows (#​64677)

Credits

Huge thanks to @​shuding, @​coltonehrman, @​ztanner, @​huozhi, @​sokra, @​Jeffrey-Zutt, @​timneutkens, @​wbinnssmith, @​wiesson, @​ijjk, @​devjiwonchoi, and @​bgw for helping!

v14.2.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• use pathToFileUrl to make esm import()s work with absolute windows paths (#​64386) @​sokra

Credits

Huge thanks to @​sokra for helping!

v14.2.0

Compare Source

Learn more: https://nextjs.org/blog/next-14-2

Core Changes

• Update build worker warning to use debug: #​60847
• fix: added @​sentry/profiling-node to sep list to prevent build/bundle breakage: #​60855
• Optimize build trace ignores: #​60859
• Deprecation warning for config.analyticsId: #​60677
• chore: indicate staleness more prominently in next info output: #​60376
• Telemetry: createComponentTree span: #​60857
• chore: replace micromatch w/ picomatch: #​60699
• Report HMR latency as trace spans for Turbopack: #​60799
• Turbopack: always log HMR rebuild times: #​60908
• Error overlay refactors: #​60886
• Use precompiled source-map in overlay middleware: #​60932
• Use more precompiled deps in react-dev-overlay: #​60959
• Fix next phase for next build: #​60969
• chore: update turbopack: #​60980
• refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc: #​59300
• disable static generation on interception routes: #​61004
• Docs: Address community feedback: #​60960
• avoid output of webpack stats: #​61023
• Revert "refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc": #​61021
• fix useSelectedLayoutSegment's support for parallel routes: #​60912
• Dynamic APIs: #​60645
• Enable next.js version checker in turbopack: #​61034
• chore: Update terser to v5.27.0: #​61068
• Update swc_core to v0.87.28: #​60876
• update turbopack: #​61015
• Implement client_root for edge in Turbopack: #​61024
• fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: #​60776
• fix(image): warn when animated image is missing unoptimized prop: #​61045
• Fix version checker not displaying when version newer than npm: #​61075
• Fix sitemap generateSitemaps support for string id: #​61088
• ppr: ensure the router state tree is provided for interception routes: #​61059
• Improve the Server Actions SWC transform: #​61001
• Fix instrument bundling as client components: #​60984
• fix(turbopack): use correct layout for 404 page: #​61032
• fix: emotion import source should be enabled in SSR contexts: #​61099
• chore: update turbopack: #​61090
• fix(turbopack): custom page extensions for _app: #​60789
• Disable trace uploads with NEXT_TRACE_UPLOAD_DISABLE: #​61101
• add optimizeServerReact to config-shared: #​61106
• Fix filesystempublicroutes test for Turbopack: #​61132
• chore: upgrade webpack to 5.90.0: #​61109
• Add maxDuration to typescript plugin allowed exports: #​59193
• Upgrade Turbopack: #​61190
• build: remove sentry from the externals list: #​61194
• exclude default routes from isPageStatic check: #​61173
• Add stack trace to client rendering bailout error: #​61200
• chore: refactor image optimization to separate external/internal urls: #​61172
• parallel routes: support multi-slot layouts: #​61115
• Refine revalidatePath warning message: #​61220
• revert changes to process default routes at build: #​61241
• Fix cookie merging in Server Action redirections: #​61113
• Update swc_core to v0.89.x: #​61086
• Fix Server Reference being double registered: #​61244
• Fix Server Action redirection with absolute internal URL: #​60798
• Fix indentation in source code of dev overlay: #​61216
• Update swc_core to v0.89.4: #​61285
• fix: Revert preset-env mode of styled-jsx in webpack mode: #​61306
• DX: add route context to the dynamic errors: #​61332
• Telemetry: add time-to-first-byte signal: #​61238
• Refine logging message of experiments: #​61337
• fix(turbopack): don't parse .ts files as .tsx: #​61219
• Update turbopack: #​61381
• Same as #​61360: #​61369
• Always respect NEXT_TRACE_UPLOAD_DISABLED: #​61402
• parallel routes: fix catch-all slots being treated as optional catch-all: #​61174
• fix hmr telemetry reporting: #​61420
• chore: Update swc_core to v0.89.6: #​61426
• Update turbopack: #​61433
• fix a perf problem in VersionedContentMap: #​61442
• Fix next dynamic import named export from client components: #​61378
• fix issues loading CSS in default slots: #​61428
• avoid sending issues turbopack messages to browser: #​61443
• Support crossOrigin in Turbopack: #​61461
• Pass down __NEXT_EXPERIMENTAL_REACT env to webpack build worker explicitly: #​61463
• Replace image optimizer IPC call with request handler: #​61471
• feat(next): trace build dependencies for turborepo: #​59553
• Turbopack: fix telemetry attributes for swc options: #​61474
• Always show version text in error overlay: #​61421
• Fix build worker callback arg missing correct page path : #​61347
• Update font data: #​61479
• build: upgrade edge-runtime: #​61030
• Fix experimental react support in app-route runtime: #​61511
• Fix .env hmr for Node.js runtime in Turbopack: #​61504
• remove unnecessary PPR branch in non-PPR reducer: #​61176
• fix: bump @vercel/[email protected]: #​61538
• chore: update ESLint and plugins to latest: #​61544
• Update turbopack: #​61553
• feat: first pass of next/font manifest: #​61424
• Fix .env HMR for Turbopack in Edge runtime: #​61565
• build(cargo): bump up turbopack: #​61590
• refactor(next-core): consolidate custom ecma transform rules: #​61481
• ensure server action errors notify rejection handlers: #​61588
• feat(turbopack): only preload fonts that opt in: #​61591
• feat(turbopack): serve google fonts locally and allow preloading them: #​61596
• Update font data: #​61621
• Remove unused mockedRes in resolveRoutes: #​61635
• Fix @​react-pdf/renderer not working in RSC: #​61317
• Remove extra edge-runtime/primitives override: #​61641
• Encode revalidateTag value fixes #​61390: #​61392
• Update README.md: #​48717
• chore: update README.md: #​61650
• avoid processing client components and server actions in route handlers: #​60985
• chore: Update @swc/helpers to v0.5.5: #​61659
• feat(ts): expose MiddlewareConfig interface: #​61576
• Revert "build: upgrade edge-runtime": #​61686
• feat(ts): add JSDoc comments for public APIs: #​61649
• fix(next-core): adjust server alias for the context: #​61690
• fix setAssetPrefix when running on NextCustomServer: #​61676
• fix: status code for 404 props queries to avoid client side navigation with empty props: #​60968
• fix(next-eslint): .eslintrc.json not being created by next lint on App Router: #​55104
• Update React from 60a927d to 2bc7d33: #​61522
• fix(turbopack): read preload option for google fonts: #​61679
• decode magic identifiers: #​61658
• Associate server error digest with browser logged one: #​61592
• chore: update turbopack: #​61682
• fix loading issue when navigating to page with async metadata: #​61687
• fix(ts): ReadonlyURLSearchParams should extend URLSearchParams: #​61419
• fix navigation issue when dynamic param casing changes: #​61726
• Fix next/server api alias for ESM pkg: #​61721
• feat(transforms): enable rsc transforms for the remaining contexts: #​61231
• fix: allow some recursion for middleware subrequests: #​60615
• feat(next-swc): support wasm32-* build target: #​61586
• Turbopack: convert between locations correctly: #​61477
• feat(next/image)!: remove squoosh in favor of sharp as optional dep: #​61696
• Navigation Signals in PPR: #​60450
• Revert "Turbopack: convert between locations correctly (#​61477)": #​61733
• Fix duplicate line in README: #​61691
• docs: fix example code missing comma: #​59012
• Reapply "Turbopack: convert between locations correctly (#​61477)" (#​61733): #​61735
• Fix: Error Fetching _devpagesmanifest.json #​17274: #​60349
• fix jsDoc of notFound: #​61692
• feat(next-core): expand matching js extensions for the rules: #​61745
• source map fixes: #​61723
• Add experimental touchstart flag for testing: #​61747
• partially fix css duplication in app dir: #​61198
• build(cargo): add deps for the wasi: #​61784
• fix(ts): match MiddlewareConfig with documentation: #​61718
• Fix attempted import error for react: #​61791
• consolidate prefetch utils & separate build util: #​61789
• Skip client-side data-fetching after ssr error : #​51377
• fix(next-swc): Detect exports.foo from cjs_finder: #​61795
• feat(next-core): build time client|server-only assertion: #​61732
• Fall back loading chunks for sourcemap tracing: #​61790
• Increase Rust stack size: #​61809
• Revert "feat(next/image)!: remove squoosh in favor of sharp as optional dep": #​61810
• DX: fix error overlay flash: #​61813
• feat: Allow specifying useLightningcss for styled-jsx: #​61359
• Guard against restoring router state with missing data: #​61822
• fix: babel usage with next/image: #​61835
• fix:(next/image) handle remotePatterns with a dot in the pathname: #​60488
• Update React from 2bc7d33 to ba5e6a8: #​61837
• DX: fix error overlay flash: #​61813
• feat: Allow specifying useLightningcss for styled-jsx: #​61359
• Guard against restoring router state with missing data: #​61822
• fix: babel usage with next/image: #​61835
• fix:(next/image) handle remotePatterns with a dot in the pathname: #​60488
• Update React from 2bc7d33 to ba5e6a8: #​61837
• update turbopack: #​61187
• conditionally send Next-URL in Vary response: #​61794
• provide interception rewrites to edge runtime: #​61414
• Update app-index to only ever construct the initial data response once: #​61869
• Move turbopack helpers: #​61917
• hot-reloader-turbopack refactors: #​61929
• More hot-reloader-turbopack refactors: #​61940
• fix(next/image): improve warning when fill and sizes="100vw": #​61949
• build(cargo): bump up turbopack to latest: #​61952
• build(cargo): update turbopack for filewatcher fix: #​61955
• ci(workflow): deploy rustdocs for turbopack: #​61958
• Support resuming a complete HTML prerender that has dynamic flight data: #​60865
• Fix empty white page with parallel routes + loading boundaries: #​61597
• Update swc_core to v0.90.7 and update turbopack: #​61662
• Turbopack: remove server addr: #​61932
• More hot-reloader-turbopack refactors: #​61993
• Use destructured object for #​61993: #​61996
• only prefix prefetch cache entries if they vary based on Next-URL: #​61235
• seed prefetch cache with initial page: #​61535
• Remove leftover server addr references: #​61997
• log fast refresh in app dir: #​61441
• docs(turbopack): build more docs: #​61977
• fix(next-core): correct error message: #​62011
• docs(turbopack): reduce documentation size: #​62016
• Reduce memory/cache overhead from over loader processing: #​62005
• fix: bump @vercel/[email protected]: #​62019
• refactor(next-core): do not reexport turbopack_binding: #​62018
• build: Update swc_core to v0.90.8: #​61976
• merge pages and app overlays: #​60899
• Rename internal utility naming for clarification : #​62048
• fix: handle multiple x-forwarded-proto headers: #​58824
• Fix server components externals on SSR layer: #​61986
• Fixed useParams hook undesired re-renders and updated it to use PathParamsContext in the app router.: #​60708
• docs(turbopack): conslidate existing links: #​62034
• fix(custom-transform): allow to assert empty program for rsc: #​61922
• fix navigation applying stale data when triggered from global not found: #​62033
• fix(turbopack): react-dom/server in rsc context: #​61165
• refactor(tests): make chain more "correct": #​51728
• Add puppeteer-core to server-external-packages.json: #​62063
• Fix extra swc optimizer applied to node_modules in browser layer: #​62051
• docs(turbopack): revise links: #​62062
• Fix output: export with custom distDir: #​62064
• fix(next-core): apply image-loader alias to the remaining context: #​62070
• More hot-reloader-turbopack refactors: #​62055
• Ensure Turbopack writes font optimization manifest: #​62079
• update turbopack: #​62080
• chore: hide version info network error: #​62084
• Add dev option to Turbopack createProject(): #​62083
• Remove unused app-turbopack files: #​62087
• make router restore action resilient to a missing tree: #​62098
• Turbopack: add support for dynamic requests in require() and import(): #​62092
• docs(turbopack): move docs to separate: #​62069
• Implement Vc: #​62099
• fix: add zeromq to server-external-packages.json: #​62105
• Fix trailing slash for canonical url: #​62109
• Consolidate NextMode checks: #​62106
• Improve the Server Actions SWC transform (part 2): #​62052
• Should not warn metadataBase missing if only absolute urls are present: #​61898
• Update to turbopack-240215.5: #​62119
• Add polyfill for Object.hasOwn: #​60437
• OpenTelemetry: trace API routes in page router: #​62120
• Fix @​next/mdx types: #​57580
• DX: hide the webpack info prefix for module paths: #​62101
• Show build errors from Turbopack: #​62139
• Fix issue with ComponentMod being read in Turbopack: #​62141
• Fix handling subpath for server components externals: #​62150
• docs(next-api): trying to document project_update_info_subscribe: #​61962
• add support for esmExternals in pages: #​61983
• docs: updated link in JSDoc for the shallow property in link.tsx: #​62181
• Update font data: #​62173
• Update split chunk handling for edge/node: #​62205
• Ensure webpack build worker defaults on: #​62214
• feat: Lint invalid CSS modules: #​62040
• Add page name to error logged in Turbopack: #​62218
• add turbo.resolveExtensions to allow to customize extensions: #​62004
• fix(turbopack): catchall route matching: #​62114
• fix: clarify Dynamic API calls in wrong context: #​62143
• refactor(turbopack): wrap manifest loading in helper class: #​62118
• refactor(turbopack): resolve routes by page name instead of pathname: #​61778
• Ensure handleRouteType does not throw in production builds: #​62234
• fix: set swr delta: #​61330
• Fix type error in build.ts: #​62253
• fix(next): terser-webpack-plugin path in taskfile.js is missing 'src': #​62229
• Update swc_core to v0.90.10: #​62222
• Add test log prefix for otel: #​62258
• Update turbopack: #​62263
• feat(cli): show available memory/CPU cores in next info: #​62249
• fix(turbopack): print missing slots in debug message: #​62280
• Tree shake the unused exports in direct relative imported client component module: #​62238
• Verify correctness of externals: #​62235
• Renew prefetch cache entry after update from server: #​61573
• fix(next-core): fix aliased free var for edge runtime: #​62289
• update turbopack: #​62285
• Allow fetch to propagate arbitrary init options: #​62168
• Add flag for early import app router modules: #​61168
• Add otel span for client component loading: #​62296
• Fix perf spans: #​62306
• fix(next-core): properly normalize app route for _: #​62307
• fix(next-font): update capsize css so fallbacks are updated with the …: #​62309
• Fix draft mode invariant: #​62121
• Revert "Update split chunk handling for edge/node": #​62313
• Turbopack: reduce tasks needed for emitting: #​62291
• Turbopack: add SSR category to tracing: #​62318
• fix(error-overlay): correct module grouping: #​62206
• Revert "Turbopack: reduce tasks needed for emitting": #​62324
• feat(error-overlay): hide <unknown>/stringify methods in <anonymous> file from stack: #​62325
• eslint-config-next: allow typescript eslint v7: #​62137
• Revert "Revert "Update split chunk handling for edge/node" (#​62313)": #​62336
• Revert "Ensure webpack build worker defaults on": #​62342
• avoid loading the page loader chunk on initial page load: #​62269
• output filesystem without watching: #​62340
• Turbopack: limit build concurrency, show progress bar: #​62319
• Update data cache max size error: #​62348
• Add experimental flag for early exit on prerender error: #​62367
• fix(next-swc): Fix span for invalid 'use server' directives: #​62259
• scope issues from subscriptions to the websocket connection: #​62344
• Turbopack: resolve endpoints to avoid extra nesting in tracing: #​62317
• fix(next-lint): fix next lint not throwing exit 1 on error: #​62378
• Remove default fallback behavior when route group is missing a default: #​62370
• Correctly pass prependData and additionalData to sass-loader for Turbopack: #​62397
• chore(docs): mention that next.config.js must have default export: #​62341
• chore(cli): add clarifying comment: #​62418
• OTEL: Add top span for middleware: #​62421
• Turbopack react-refresh: perform full reload on runtime error: #​62359
• Simplify node/edge server chunking some: #​62424
• update configSchema.ts with experimental#useEarlyImport: #​62408
• Fix module-level Server Action creation with closure-closed values: #​62437
• Upgrade vendored react: #​62326
• Turbopack: reduce memory usage: #​62432
• Fixed typo.: #​62440
• fix(turbopack): deal with eventual consistency in get_directory_tree: #​62444
• Telemetry: ensure the ClientComponentLoad metric is only reported when available: #​62459
• [turbopack] update edge alias: #​62461
• Rename currentIssues to currentEntryIssues: #​62524
• update turbopack: #​62523
• add plugin to avoid too many css requests: #​62530
• feat(error-overlay): hide Node.js internals: #​62532
• Create react server condition alias for next/navigation api: #​62456
• Add IssueKey type: #​62526
• OTEL: Ensure that RSC:1 requests get the next.route attr: #​62464
• Display only one hydration error when there's few in error overlay: #​62448
• Upgrade vendored react: #​62549
• Improve TS plugin options: #​62438
• Revert "fix(build-output): show stack during CSR bailout warning": #​62592
• Improve redirection handling: #​62561
• fix router crash on revalidate + popstate: #​62383
• fix: improve error when starting next without building: #​62404
• feat(turbopack): Sort issues: #​62566
• refactor createInfinitePromise to be re-used unresolveable thenable: #​62595
• fix(build-output): show stack during CSR bailout warning: #​62594
• Fix redirect under suspense boundary with basePath: #​62597
• Ensure dynamic routes dont match _next/static unexpectedly: #​62559
• Fix metadata json manifest convention: #​62615
• Migrate locale redirect handling to router-server: #​62606
• fix(next-swc): Provide tokio context required for WASM plugins: #​62441
• Update swc_core to v0.90.12: #​62518
• Update Turbopack: #​62632
• Fix instrumentation with only pages: #​62622
• Fix: generateSitemaps in production giving 404: #​62212
• Refactor flight-manifest-plugin to use compilation.entrypoints directly: #​62636
• Fix Router Error Events in Shallow Routing by Skipping cancelHandler Creation: #​61771
• DX: display highlited pesudo html when bad nesting html error occurred: #​62590
• build(cargo): remove unused features: #​62616
• feat(next-swc): lightningcss binding: #​62604
• fix: Enable SearchParams to be displayed after redirect in Server Action: #​62582
• fix(navigation): allow useSelectedLayoutSegment(s) in Pages Router: #​62584
• Consistently use /_not-found for not found page in App Router: #​62679
• Add experimental config for navigation raf test: #​62668
• Turbopack: remove unused code: #​62690
• Revert "Ensure dynamic routes dont match _next/static unexpectedly": #​62691
• fix(turbopack): don't emit issues for deleted pages: #​62012
• perf: don't emit issues via websocket for now: #​59024
• add native css nesting support: #​62644
• refactor(next-swc): remove unused features: #​62696
• Upgrade mini-css-extract-plugin: #​62698
• Update precompiled for mini-css-extract-plugin: #​62699
• feat: display text diff for text mismatch hydration errors: #​62684
• Fix lint check: #​62702
• chore: remove unused helper: #​62701
• Add param to debug PPR skeleton in dev: #​62703
• Update font data: #​62704
• Turbopack: remove node_modules error filter: #​62586
• fix(error-overlay): improve a11y, minor refactors: #​62723
• Handle top level errors coming from Turbopack entrypoints subscription: #​62528
• Add compiler error for conflicting App Router and Pages Router in Turbopack: #​62531
• fix dev overlay pseudo html collapsing: #​62728
• Route static render error message: remove duplicate word: #​62738
• Update version from backport: #​62745
• Add a flag to disable MergeCssChunksPlugin: #​62746
• refactor(cli): refactor cli to commander: #​61877
• Turbopack: Trace server app render errors through source maps: #​62611
• build(cargo): update turbopack: #​62744
• Turbopack: sass support: #​62717
• refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc: #​61832
• fix: Add stricter check for "use server" exports: #​62821
• fix(next-core): throw on invalid metadata handler: #​62829
• Revert "Add experimental config for navigation raf test (#​62668)": #​62834
• Revert "refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc": #​62838
• remove reducer unit tests: [#​62766](https://togithub.com

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.