chore(deps): update dependency next to v15.4.7 [security]

[svc-secops]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	^15.2.3 -> ^15.4.7
next (source)	15.2.4 -> 15.4.7

GitHub Vulnerability Alerts

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

---

Next.js Content Injection Vulnerability for Image Optimization

CVE-2025-55173 / GHSA-xv57-4mr9-wg8v

More information

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

Severity

• CVSS Score: 4.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
• https://nvd.nist.gov/vuln/detail/CVE-2025-55173
• https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
• https://github.com/vercel/next.js
• https://vercel.com/changelog/cve-2025-55173
• http://vercel.com/changelog/cve-2025-55173

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

CVE-2025-57752 / GHSA-g5qg-72qw-gw5v

More information

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

Severity

• CVSS Score: 6.2 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
• https://nvd.nist.gov/vuln/detail/CVE-2025-57752
• https://github.com/vercel/next.js/pull/82114
• https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
• https://github.com/vercel/next.js
• https://vercel.com/changelog/cve-2025-57752

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Next.js Improper Middleware Redirect Handling Leads to SSRF

CVE-2025-57822 / GHSA-4342-x723-ch2f

More information

Details

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
• https://nvd.nist.gov/vuln/detail/CVE-2025-57822
• https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8
• https://github.com/vercel/next.js
• https://vercel.com/changelog/cve-2025-57822

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/next.js (next)

v15.4.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix router handling when setting a location response header #​82588

Credits

Huge thanks to @​ztanner for helping!

v15.4.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: _error page's req.url can be overwritten to dynamic param on minimal mode (#​82347)
• fix: add ?dpl to fonts in /_next/static/media (#​82384)

Credits

Huge thanks to @​devjiwonchoi, @​ijjk, and @​styfle for helping!

v15.4.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix API stripping JSON incorrectly (#​82062)
• Fix i18n fallback: false collision (#​82158)
• Revert "Fix tracing of server actions imported by client components (#​82167)
• Ensure setAssetPrefix updates config instance (#​82165)
• Turbopack: update mimalloc (#​82166)
• fix(next/image): fix image-optimizer.ts headers (#​82175)
• fix(next/image): improve and simplify detect-content-type (#​82174)

Credits

Huge thanks to @​ijjk, @​sokra, and @​styfle for helping!

v15.4.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix dynamicParams false layout case in dev (#​82026)
• Turbopack: fix scope hoisting variable renaming bug (#​81640)
• Upgrade to swc v33 (#​81750)
• Revert "[metadata] use https protocol for schema urls" (#​81934)

Credits

Huge thanks to @​bgw @​mischnic @​huozhi @​lukesandberg and @​ijjk for helping!

v15.4.3

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Turbopack: fix dist dir on Windows (#​81758)

Credits

Huge thanks to @​mischnic for helping!

v15.4.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• pages router metadata bugs with React 19 (#​81733)
• [metadata] replace for initial body icon case (#​81688)
• Ensure custom NextServer config is honored (#​81681)

Credits

Huge thanks to @​huozhi, @​ijjk, and @​ztanner for helping!

v15.4.1

Compare Source

[!TIP]
Check out our Next v15.4 Blog Post to learn more about this release.

Core Changes

• [next-server] fix params duplicate in query after rewrite: #​77939
• [next-server] preserve rsc query for rsc redirects: #​77963
• Turbopack: fix a bug where marking a task a completed causes a panic when reading the output: #​77922
• Turbopack warning spelling fix: #​77999
• Allow URL schemes that include +, - or .: #​77932
• [dev-overlay] Remove unused hydration error related code: #​77929
• [dev-overlay] Unify error deduplication logic: #​78017
• fix: use the match result after matching using the matched path header: #​77994
• Upgrade React from 3fbfb9ba-20250409 to c44e4a25-20250409: #​78031
• Move unhandled rejection handling to shared path: #​77997
• fix: ensure app router not found works when deployed with pages i18n config: #​77905
• Uninstall existing uncaughtException listeners to prevent the process from crashing: #​78042
• Experimental bfcache: Restore state w/ : #​77992
• Add graceful error fallback for bots requests: #​77916
• Upgrade React from c44e4a25-20250409 to 1d6c8168-20250411: #​78067
• [next-server] remove unnecessary query shallow copy: #​78003
• [dev-overlay] disable copy button when clipboard is not available: #​78101
• [dev-overlay] Stop stashing React error details on error instances: #​77975
• [dynamicIO] Model invalid dynamic on empty shells: #​77270
• fix: bump [email protected]: #​78149
• Handle graceful fallback for custom error boundaries: #​78121
• [dev-overlay] Stop squashing hydration related errors in App Router: #​78140
• [test] Enable strictNullChecks in test utils: #​78142
• Document Turbopack trace viewer: #​78184
• [dev-overlay] Fix error dialog resizing logic: #​78144
• Include types in published eslint-plugin-next: #​78109
• [dev-overlay] Stop appending wrong Owner Stacks to SSR-only shell errors: #​77302
• [dev-overlay] Add dedicated label for recoverable errors: #​78186
• [chore] remove unused __NEXT_PRIVATE_RUNTIME_TYPE: #​78230
• Preserve slashes when custom URL schemes are used in redirects: #​78176
• ignore-list published sources if they have a sourcemap: #​78242
• Upgrade React from 1d6c8168-20250411 to 39cad7af-20250411: #​78152
• Turbopack: add test case for persistent caching: #​77030
• Upgrade React from 39cad7af-20250411 to b04254fd-20250415: #​78253
• fix: alternate bundler support for dropping client pages in AMP: #​77601
• [errors] refactor default global-error into a separate file: #​78182
• [metadata] render streaming metadata on the top level: #​77620
• [metadata] skip head cache in default slot: #​78206
• chore: Backport SWC-based RC optimization (#​78260)
• fix: bump [email protected] (#​78164)
• @next/mdx: Use stable turbopack config options: #​78261
• Upgrade React from b04254fd-20250415 to 4a36d3ea-20250416: #​78297
• Add graceful error boundary for bots requests: #​78298
• make sure eslint-plugin-next is built when running 'pnpm dev': #​78305
• Migrate pages API routes to handler interface: #​78166
• Update middleware public/static matching: #​78325
• Fix dynamic route param encoding: #​78326
• [Turbopack] refactor persistent caching from log based to cow approach: #​76234
• Add onInvalidate option to router.prefetch: #​77880
• Reserve bandwidth for most recently hovered link : #​78362
• fix: handle incremental PPR with client segment cache: #​78387
• fix: amphtml-validator WASM errors (for real): #​78379
• Turbopack: Remove next start --turbopack: #​78384
• Upgrade React from 4a36d3ea-20250416 to bc6184dd-20250417: #​78322
• [chore] remove dead code missing required error: #​78403
• [ts-next-plugin] remove typescript vfs and related metadata plugin: #​78237
• [ts-next-plugin] auto import metadata type: #​78258
• [ts-next-plugin] warn to add correct type for metadata exports: #​78254
• [ts-next-plugin] fix: validate metadata node before checking type: #​78414
• [errors] fix edge server initial error is not sent via hmr: #​78415
• misc: use correct capitals for React terms: #​78445
• Skip empty prefetch request for dynamic routes: #​78436
• Turbopack: don’t warn about webpack being configured when experimental.turbo is set: #​77998
• Upgrade React from bc6184dd-20250417 to 914319ae-20250423: #​78468
• Update turbopack to syn2: #​78385
• [next-server] ensure prepare is done before preloading entry: #​78454
• Upgrade React from 914319ae-20250423 to 197d6a04-20250424: #​78516
• [dev-overlay] Move error.name to label: #​78198
• [ts-next-plugin] update log for utils: #​78538
• [ppr] Route Cardinality Updates: #​78476
• Turbopack: support ignore comments for NFT fs access tracing: #​78460
• Externalize manifest loading in pages-api: #​78358
• Update font data: #​78525
• refactor: skip the prospective render when there's a more specific route to be rendered: #​78555
• fix: bodySizeLimit error responses + limit for non-multipart actions: #​77746
• [dynamicIO] Do not skip dynamic validation when metadata is dynamic: #​78574
• [dynamicIO] log dynamic validation errors consistently in dev: #​78575
• [ts-next-plugin] clean up unused proxy: #​78539
• [dynamicIO] Disallow only dynamic metadata: #​78576
• fix: make webpack handle "use cache" in node_modules : #​78606
• Use React's prerender function for "use cache" with Dynamic IO: #​78382
• Use node: prefixed in ESM emit of standalone server.js: #​78624
• feat: add ravendb library to server-external-packages.json: #​78319
• docs: fix typo in ppr.ts: #​78590
• Pre-compile busboy dependency: #​78634
• Pages API handler interface follow-ups: #​78638
• Repeat fix in #​78387 for routes without params: #​78568
• [dev-tools] Fix width transition logic: #​78635
• [ts-next-plugin] fix: warn only if no type: #​78628
• [ts-next-plugin] fix: warn only if no type for separate export: #​78629
• chore: Drop @swc/counter: #​78674
• Turbopack: use small thread local collector that flushes to global collector: #​78343
• Upgrade React from 197d6a04-20250424 to 5dc00d6b-20250428: #​78640
• Fix bad decoding for x-matched-path header: #​78677
• Fix pages API rewrite case: #​78644
• chore: update rspack to 1.3.8: #​78485
• Always apply render preparations after running an action: #​77898
• Exclude config package from bundling: #​78671
• Upgrade builtin babel packages: #​78673
• Upgrade loader-utils v2 to latest patch: #​78707
• [Link] Add prefetch="auto" option: #​78689
• [build-sourcemaps] Ensure errors during prerender can be sourcemapped: #​78709
• Upgrade React from 5dc00d6b-20250428 to 408d055a-20250430: #​78715
• build: Fix minifier options for webpack builds: #​78717
• refactor(next-swc): Do not amend minifier options from Rust code: #​78719
• Change stylistic ESLint TypeScript defaults: #​78679
• fix: replace original request body after middleware execution: #​77662
• remove draft.isEnabled setter from exotic draftMode wrappers: #​77972
• Turbopack: limit compaction merging by size instead of count: #​78669
• [build-sourcemaps] Include codeframes in prod when sourcemaps are enabled: #​78710
• feat: build lifecycle hooks - afterProductionCompile: #​77345
• fix: make sure that the patched fetch cache set promise is properly awaited: #​75971
• [dev-overlay] Make badge draggable: #​78716
• Turbopack: fix ESM project in standalone mode: #​78774
• Revert "[Link] Add prefetch="auto" option": #​78820
• Downgrade React from 408d055a-20250430 to 197d6a04-20250424: #​78834
• Reland "[Link] Add prefetch="auto" option": #​78821
• build: Update @swc/core npm package to v1.11.24: #​77668
• Turbopack: Implement regex support for matching webpack loaders: #​78733
• Turbopack: Add support for extension regex in @next/mdx: #​78734
• backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#​78488) (#​78883)
• @​next/mdx: Use stable turbopack config options (#​78880)
• Fix react-compiler: Fix detection of interest (#​78879)
• Fix turbopack: Backport sourcemap bugfix (#​78881)
• [next-server] preserve rsc query for rsc redirects (#​78876)
• Update middleware public/static matching (#​78875)
• [dev-overlay] Polish mobile view: #​78863
• [dev-overlay] Consider scrollbar width for drag positioning: #​78865
• Add handling for setting deployment id via cookie: #​78841
• Run export child process with runtime's default max-old-space-size: #​78712
• [dynamicIO] cache tracking for import(): #​74152
• [dev-overlay] solidate the line number parsing: #​78868
• Update send to v0.18.0: #​78816
• Scope runInCleanSnapshot to Work Store: #​78930
• Removes onNavigate from transition scope: #​78605
• Add nonce handling from CSP in pages router: #​78936
• Ensure manual nonce on Script works as expected: #​78939
• Treat _debugInfo as a wellknown property for sync request data access purposes: #​78942
• chore(CI): Run rspack tests in build_and_test.yml: #​78757
• bugfix: Fix a bug that caused conflicting assets when adding a child compiler: #​78011
• [Fix] Inverse prefetch segment for Pages routes: #​78932
• Fix tracing of server actions imported by client components: #​78968
• Revert "fix: alternate bundler support for dropping client page": #​78974
• Fix --no-mangling for "use cache" functions: #​78993
• chore: update rspack to 1.3.9: #​78984
• [not-found] Add global-not-found convention: #​78783
• [not-found] support metadata exports of global-not-found: #​78961
• Prevent "use cache" timeout errors from being caught in userland code: #​78998
• patch react via recast instead of string replacements: #​78916
• [link] Avoid inlining of LinkProps in emitted declarations: #​78773
• [next-config-ts] fix: read tsconfig file using TypeScript API: #​79055
• Replace node:url usage in server-utils: #​79094
• [build-sourcemaps] Remove unused static workers: #​79107
• fix: cli test failed when using rspack: #​79081
• [build-sourcemaps] Allow inspecting prerender worker: #​79098
• Add initial modifyConfig hook: #​79162
• Re-land updated bundler for pre-bundling: #​79164
• [dynamicIO] model pathname access in metadata as async : #​79136
• Update font data: #​79179
• bugfix (pages): assetPrefix should not cause hard nav in development: #​79176
• Reland "Ensure mangling is disabled for dev runtime builds (#​75297)": #​79201
• docs: add graceful error boundary example: #​77781
• turbo-tasks: Encode location information into panics: #​78945
• feat(turbopack): Add basic compilation event support: #​78785
• chore(dev-overlay): Minor cleanups to useDelayedRender hook: #​79119
• Update font data: #​79227
• Rename define-env-plugin.ts to define-env.ts: #​79224
• Always pass implicit/soft tags into the CacheHandler.get method: #​79213
• fix(dev-overlay): Ignore right clicks on the indicator draggable: #​79120
• Fix dangling promise in unstable-cache: #​79248
• Revert "Partial Fallback Prerendering Route Shells (#​69282)": #​79258
• [devtool] initial support for segment explorer: #​78858
• Client router should discard stale prefetch entries for static pages: #​79309
• [dynamicIO] fix: do not apply import tracking transform in edge: #​79284
• Turbopack build: Fix type: module with output: standalone: #​79292
• [TypeScript Plugin] Moved the diagnostics' positions to the prop's type instead of the value for client-boundary warnings: #​79193
• Use onPostpone to determine if segment prefetch is partial: #​79299
• Enable ppr when dynamicIO is enabled: #​79302
• fix: replaceIdentifiersInAst takes an expression, not a string: #​79196
• Remove DIO w/o PPR branch from app-render.tsx: #​79303
• Remove prospective fallback prerenders: #​79304
• Fixed rewrite param parsing for interception routes in Vercel deployments: #​79204
• [build-sourcemaps] Sourcemap errors during prerender if experimental.enablePrerenderSourceMaps is enabled: #​79109
• [release] use @changesets/changelog-github for changelog format: #​79040
• next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
• Always show warning if fetch cache limit hit: #​79384
• feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
• [release] use @changesets/changelog-github for changelog format: #​79040
• next.config.ts: Implement compiler.defineServer for server-only constants: #​79225
• Always show warning if fetch cache limit hit: #​79384
• feat(turbopack) Added sending events to log how long writing entrypoints to disk takes.: #​79256
• Only share incremental cache for edge in next start (#​79389)
• [TypeScript Plugin] Match method signature (someFunc(): void) type for client boundary warnings: #​79144
• Only share incremental cache for edge in next start: #​79386
• fix: rspack framework and lib cacheGroups: #​79172
• Make sure bundle analyzer does not trigger warning with turbopack: #​79399
• [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
• Implement initial handler interface for pages routes: #​79260
• [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
• [dynamicIO] Avoid timeout errors with dynamic params in "use cache": #​78882
• Implement initial handler interface for pages routes: #​79260
• [Segment Cache] Fix: Ensure server references can be prerendered: #​79448
• [Segment Cache] Fix: Skew during dynamic prefetch: #​79416
• [dynamicIO] reimplement dynamicIO validation on prerender: #​79414
• fix: remove redundant performance.measure usage: #​79475
• [devtools] Add a very minimal API for restarting the dev server: #​79265
• Model prerender store as separate server and client scopes: #​79429
• fix: Merge link header from middleware with the ones from React (#​73431)
• fix(edge): run after() if request is cancelled mid-streaming (#​76013)
• gate segmentCache branch in base-server (#​79505)
• Model prerender store as separate server and client scopes: #​79429
• Use metadata for cache entry status code: #​79512
• fix(dev-overlay): Better handle edge-case file paths in launchEditor: #​79526
• [build-sourcemaps] Increase stacktrace limit during prerender: #​79498
• fix: Rspack not skip .d.ts file: #​79285
• Revert "[next-server] skip setting vary header for basic routes": #​79426
• [ppr] Narrow condition for fallback shell generation at runtime: #​79565
• Turbopack: derive de/serialize for loader config: #​79581
• Update font data: #​79642
• Avoid bundling dev overlay in page template: #​79641
• Enable preview builds for forks: #​79648
• misc: remove leftover clientInstrumentationHook type: #​79701
• cleanup(turbopack): Embed Global vs Specific channel type in the Rust type system: #​79291
• [dev-overlay] Show error overlay on any thrown value in /app: #​79658
• [dev-overlay] Move error handlers into dispatcher in /app: #​79660
• Verify cache-busting param during segment prefetch: #​79563
• update(turbopack): Update the messaging UX for timing writing files to disk: #​79469
• [dev-overlay] Move Redbox open/close into dispatcher: #​79698
• chore: update rspack to 1.3.12: #​79428
• Enable repeated tsc runs in packages/next without having to build first: #​79782
• Run tsc in watch mode during pnpm dev: #​79785
• Reinstate vary (#​79939)
• fix(next-swc): Fix interestingness detection for React Compiler (#​79558)
• fix(next-swc): Fix react compiler usefulness detector (#​79480)
• fix(dev-overlay): Better handle edge-case file paths in launchEditor (#​79526)
• Client router should discard stale prefetch entries for static pages (#​79362)
• fix: preload fonts in template.js: #​79417
• feat: using eval source map plugin for Rspack: #​79199
• feat: using builtin CssChunkingPlugin for rspack: #​79762
• fix(napi): Update generated types, add alias for RcStr: #​79915
• [dev-overlay] Fix highlighted line cut off on scroll: #​79930
• fix(next/font): allow custom font-family in declarations: #​76274
• Remove subissues from Issue: #​79988
• [devtools] Add a query parameter to restart endpoint to invalidate the persistent cache: #​79425
• Implement handler interface for app-page: #​79568
• Migrate app route to handler interface: #​80008
• Turbopack Build: Fix underscore path tests: #​79778
• Fix watchmode for taskr tasks: #​80020
• Update font data: #​80036
• Fix defunct ESLint overrides: #​80053
• [devtools] Add an endpoint to poll for server status: #​80005
• [dynamicIO] Only report client sync IO errors if they are above a Suspense boundary: #​80026
• [dev-overlay] Parse stacks in reducer not during dispatch: #​79788
• Remove obsolete @ts-expect-error: #​80065
• [dev-tools] Navigation header replaces close button: #​80097
• [dev-overlay] Inject get*Stack implementation: #​79789
• [dev-overlay] Fix dark‐mode styling for <option> in Preferences dropdowns: #​80025
• Use relative sources in require() instead of next/dist/ if possible: #​80054
• [dev-overlay] Inject isRecoverableError implementation: #​80003
• [devtool] fix explorer flag consuming and style: #​80110
• [dev-tools] add restart dev server button to error overlay: #​80060
• [dev-tools] add restart dev server button on dev-tools indicator preferences: #​80072
• [chore] remove legacy useEarlyImport flag: #​80112
• [testmode] Fix types of wrapRequestHandler: #​80055
• Extend bot list with googleweblight, Storebot-Google, Google-Inspecti…: #​77728
• [dev-overlay] Inject getSquashedHydrationErrorDetails implementation: #​80046
• [dev-tools] better description for restart server button: #​80118
• [dev-tools] style: preferences section title: #​80120
• [metadata] refactor to remove async metadata: #​78495
• [dynamicIO] Document client component remediations for sync IO: #​79787
• [dynamicIO] prioritize preprocessing RSC rows when prerendering: #​80125
• [dev-overlay] Remove unused onError in /pages: #​79982
• Remove unused vendored server-inserted-metadata module: #​80143
• Webpack Build: Use name-contenthash instead of name-chunkhash for dynamic imports: #​80153
• [dev-overlay] Remove unnecessary code from /pages dev error boundary: #​79983
• Turbopack Build: Implement helpful error for missing sass package: #​80155
• [global-not-found] fix shared css imports not being picked: #​80151
• Add experimental flag for RSC request validation: #​80157
• [dev-overlay] Remove indirection in app dev error boundary : #​79984
• Docs: preload entries impact on memory consumption: #​80098
• [dev-overlay] Move building indicator into Dev Overlay state: #​79985
• [metadata] only render one metadata outlet: #​80146
• Add a regions property to the Functions Config Manifest file: #​80104
• [metadata] fix nonce prop for hoist script: #​80174
• docs: fix grammar in Code of Conduct section ('them' → 'it') : #​80181
• [error-overlay] remove footer message: #​80169
• Turbopack: Log persistent cache store time: #​80149
• fix(turbopack): Next.js package not found panics in Turbopack: #​79572
• [turbopack] Compute Import Traces for Issues: #​79351
• Typecheck require() calls: #​80056
• Revert "[turbopack] Compute Import Traces for Issues": #​80215
• remove unique metadata prop from initial RSC payload #​79388
• Replay redirect if RSC parameter is missing: #​80180
• [devtool] style the segment explorer as nested view: #​80212
• Prerender with streaming metadata during revalidation: #​80245
• fix: invalid middleware configs should fail the build: #​80221
• [dev-overlay] Render /app Dev Overlay with a separate React instance: #​79699
• [devtool] display segment explorer as tree view: #​80261
• [dev-overlay] Use same bundle for Pages and App Router: #​80019
• Revert "Revert "[turbopack] Compute Import Traces for Issues"": #​80220
• [dev-overlay] Publish as production bundle: #​80295
• [metadata] only serve block streaming metadata for html bots: #​80272
• Update font data: #​80301
• Update font data: #​80340
• [dev-overlay] fix duplicate re-render of errors: #​80322
• [build-sourcemaps] Only compute codeframe once: #​80326
• [test] Fix Dev Overlay Storybook: #​80288
• [test] Fix crashes in Dev Overlay Stories: #​80292
• [metadata] use https protocol for schema urls: #​80356
• [dev-overlay] Remove positive tab-index: #​80289
• [devtools] Implement default /.well-known/appspecific/com.chrome.devtools.json endpoint in dev: #​80260
• [dev-overlay] Fix outstanding a11y issues reported by Axe: #​80290
• provide declarations for server-only/client-only: #​80361
• [test] Stop opening browser by default in local Dev Overlay Storybook: #​80291
• [dev-overlay] Move hot reloader client code out of react-dev-overlay: #​80278
• [dev-overlay] Remove unused code: #​80279
• [dev-overlay] Move app/pages related features closers together: #​80280
• Discard Infinity expiration for implicit tags: #​80387
• fix(next-swc-wasm): Only enable turbo-rcstr's napi feature when building the next-swc-napi crate/package: #​80390
• Add response handling inside handlers: #​80189
• feat(turbopack): Add simple tree shaker: #​78286
• Fix a couple typos: #​80080
• [dev-overlay] Move code into new top-level folder in src/next-devtools: #​80281
• Ensure we normalize .rsc/.prefetch.rsc: #​80409
• Turbopack Build: Fix /index/index handling: #​80413
• [segment-explorer] optimize tree view: #​80392
• Upgrade @​playwright/test and cleanup internal APIs: #​80334
• Backport config.allowedDevOrigins (#​80410) (Learn More)
• [segment-explorer] Signal updates to React: #​80316
• [segment explorer] fix soft navigation case: #​80443
• Update the warning text for when multiple lockfiles are found: #​80214
• feat: in Rspack using native fn implemented by us using SWC to replace load module: #​80342
• chore: fix link to good first issue: #​80478
• Disable fetch cache size limit for implicit caching during build: #​80480
• [dynamicIO] Split up static generation into two phases: #​79629
• fix(turbopack): Fix config caching for turbopack + React Compiler: #​80498
• [dynamicIO] Use filled Resume Data Cache for final-phase prerenders: [#​

---

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

This PR has been generated by Renovate Bot.

[svc-secops]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: · Yarn 4.9.1
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed in 0s 913ms
➤ YN0000: ┌ Post-resolution validation
➤ YN0060: │ @types/react is listed by your project with version 19.0.2 (peddff), which doesn't satisfy what react-focus-lock (via @chakra-ui/react) and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ @yarnpkg/core is listed by your project with version 4.2.0 (p4e948), which doesn't satisfy what @yarnpkg/cli and other dependencies request (^4.4.1).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p1eb2e), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p1ecf7), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p2be3d), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p38093), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p4b3c5), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p74662), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p7c14e), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (p9d845), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pa1182), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pc1d15), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pc49da), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pd4beb), which doesn't satisfy what @apollo/client and other dependencies request (^16.6.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pd9955), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ graphql is listed by your project with version 17.0.0-alpha.2 (pf0659), which doesn't satisfy what @apollo/client and other dependencies request (^16.0.0).
➤ YN0060: │ react is listed by your project with version 19.0.0 (pd410a), which doesn't satisfy what framer-motion and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ react is listed by your project with version 19.0.0 (pf06e9), which doesn't satisfy what ssr-only-secrets and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ react-dom is listed by your project with version 19.0.0 (p21a4c), which doesn't satisfy what framer-motion and other dependencies request (^18.2.0).
➤ YN0002: │ @apollo/client-integration-tanstack-start@workspace:packages/tanstack-start doesn't provide vite (p58222), requested by @tanstack/start.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming [fc55e] doesn't provide webpack (p25bda), requested by react-server-dom-webpack.
➤ YN0002: │ @apollo/client-react-streaming@workspace:packages/client-react-streaming doesn't provide webpack (p5ca41), requested by react-server-dom-webpack.
➤ YN0002: │ @integration-test/jest@workspace:integration-test/jest doesn't provide @testing-library/dom (p47416), requested by @testing-library/react and other dependencies.
➤ YN0002: │ @integration-test/tanstack-start@workspace:integration-test/tanstack-start doesn't provide @tanstack/react-router (p21743), requested by @tanstack/router-devtools.
➤ YN0002: │ @integration-test/tanstack-start@workspace:integration-test/tanstack-start doesn't provide vite (p9e1e8), requested by @tanstack/start and other dependencies.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide @testing-library/dom (p1caec), requested by @testing-library/react.
➤ YN0002: │ @integration-test/vitest@workspace:integration-test/vitest doesn't provide vite (pc1d9a), requested by @vitejs/plugin-react.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide @jest/globals (pc7d0f), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide expect (p25412), requested by @testing-library/react-render-stream.
➤ YN0002: │ @internal/test-utils@workspace:packages/test-utils doesn't provide jsdom (p35d94), requested by global-jsdom.
➤ YN0002: │ monorepo@workspace:. doesn't provide webpack (p5bc50), requested by @size-limit/webpack-why.
➤ YN0002: │ packages-shared@workspace:packages doesn't provide typescript (p496ab), requested by @typescript-eslint/eslint-plugin and other dependencies.
➤ YN0086: │ Some peer dependencies are incorrectly met by your project; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
➤ YN0086: │ Some peer dependencies are incorrectly met by dependencies; run yarn explain peer-requirements for details.
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
apollo__client-integration-react-router	Error		Aug 30, 2025 11:31am
apollo__client-integration-tanstack-start	Error		Aug 30, 2025 11:31am
apollo__experimental-nextjs-app-support	Building	Preview	Aug 30, 2025 11:31am

[changeset-bot]

⚠️ No Changeset found

Latest commit: d98bfa5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

❌ Deploy Preview for apollo-client-nextjs-docmodel failed.

Name	Link
🔨 Latest commit	d98bfa5
🔍 Latest deploy log	https://app.netlify.com/projects/apollo-client-nextjs-docmodel/deploys/68b2e0de2215eb000866754c