Next.js

Core Changes

• fix: CSRF origin matching should be case-insensitive: #89127
• fix(build): format runAfterProductionCompile duration as human-readable time: #89232
• fix(router): support BigInt in query parameters: #89213
• Update font data: #89200
• Update font data: #89272
• Turbopack: add support for contentType condition for webpack loaders: #89156
• Revert "fix(router): support BigInt in query parameters": #89283
• Track vary params during static prerendering: #89267

Misc Changes

• refactor: Improve templates layout flexibility: #89245
• test: add client-cache.defaults failing deploy test: #89242
• test: add resume-data-cache failing deploy test: #89243
• [turbopack] Make shrinking logic declarative and optimize for immutable tasks: #89222
• Turbopack: Trace task modifications: #89229
• docs: Rename Error component to ErrorPage: #89284
• Turbopack: refactor extend transforms: #89116

Credits

Huge thanks to @alexcarpenter, @devjiwonchoi, @jaffarkeikei, @BradErz, @lukesandberg, @vercel-release-bot, @sokra, @eps1lon, @mintydev789, and @acdlite for helping!

Core Changes

• add GPTBot to matcher for known bots: #89188
• Ensure .md licenses are included in vendored packages: #89201
• Switch development log item format as JSON: #89168
• IsolatedDevBuild flag removal: #89167
• fix: coerce HEAD to GET for internal images: #84180
• Upgrade React from 10680271-20260126 to 230772f9-20260128: #89250
• Upgrade tar used to extract SWC binary : #89158
• Sort prerender manifest routes: #89246
• Track vary params for segments without server-side param access: #88998
• Optimistic routing: client-side route prediction: #88965
• Keep pages/404.js to be able to dynamically render it anyway: #89263
• fix: fully static pages should emit & serve static rsc payloads: #89202

Misc Changes

• Turbopack: change AsyncModulesInfo to use keyed reads: #89216
• Turbopack: selective reads of defined env vars in module analysis: #88759
• Turbopack: add support for turbopackOptional: true: #89227
• Turbopack: fix tracking modifications for transient and data: #89228
• [ci] Clear Jest transform cache: #89247
• Turbopack: Make the globals we pass to workers configurable: #88773
• Accept deploy script and log script as inputs: #89253
• [turbopack] mark persistent_task_type as inline: #89185
• [test] Add test suite name for Tests failures table: #89258

Credits

Huge thanks to @davidgolden, @sokra, @eps1lon, @huozhi, @icyJoseph, @mischnic, @mmastrac, @LucianBuzzo, @ijjk, @lukesandberg, @devjiwonchoi, @acdlite, and @ztanner for helping!

Misc Changes

• Update Rspack production test manifest: #89147
• Fix @next/routing for i18n api and dynamic routes: #89197
• Remove Vercel specific assertions from E2E deploy: #89198
• Add custom deploy and logs env for next-deploy: #89206

Credits

Huge thanks to @vercel-release-bot and @ijjk for helping!

Core Changes

• Decouple route stale time from segment-level data: #88834
• Decouple route and segment cache lifecycles: #88989
• [ci] Silence baseline-browser-mapping warnings: #89175
• [Cache Components] Prevent streaming fetch calls from hanging in dev: #89171
• React types update: #89110
• [nextjs] feat: removing length requirement: #89173

Misc Changes

• Turbopack: Remove unused argument: #80235
• Prettier-ignore changes in next-env.d.ts files in all top-level apps: #89176
• Turbopack: warn when tracing the whole project: #89157
• [docs] Always include unsafe-eval in dev Content-Security-Policy: #89163
• Add full adapters E2E tests to workflow: #89125

Credits

Huge thanks to @timneutkens, @acdlite, @unstubbable, @mischnic, @eps1lon, @ijjk, and @brookemosby for helping!

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#82340)
• Turbopack: support pattern into exports field (#82757)
• NFT tracing fixes (#84155 and #85323)
• Turbopack: validate CSS without computing all paths (#83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @timneutkens, @mischnic, @ztanner, and @wyattjoh for helping!

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @mischnic, @wyattjoh, and @ztanner for helping!

Core Changes

• Limit number of server action arguments to 1000: #89068
• [prebuilt-skew-protection] feat: adding in automatic deploymentId: #88958

Misc Changes

• [ci] Exclude tests by filename when merging manifests: #89093
• Turbopack: import with type should be handled via condition: #89035
• CC Guide: Fix filenames, reduce line breaks: #89065
• Enable pnpm dependency caching in e2e deploy tests: #88953
• [ci] Make gh auth status optional when triggering a release: #89098
• docs: fix code highlight in 07-fetching-data.mdx: #88727
• Update Rspack development test manifest: #89084
• tweak LRU sentinel cache key: #89123
• Turbopack: allow key block without hash in SST files: #88938

Credits

Huge thanks to @unstubbable, @sokra, @delbaoliveira, @eps1lon, @Juneezee, @brookemosby, @vercel-release-bot, and @ztanner for helping!

Misc Changes

• /pr-status (former /ci-failures): fetch PR reviews too: #89082
• Improve /pr-status: comments, argument, avoid full log: #89092
• chore(ci): rename 'new tests' jobs to 'new and changed tests': #89054
• Turbopack: Add postcss.config.ts support: #89049

Credits

Huge thanks to @sokra and @timneutkens for helping!

Core Changes

• Improve no response route handler error: #89036

Credits

Huge thanks to @timneutkens for helping!

Core Changes

• Apply segment changes to adapters outputs: #89072

Misc Changes

• Revert "Fix react-loadable-manifest chunk hash mismatch by preserving async loader mapping": #89073

Credits

Huge thanks to @ijjk and @bgw for helping!

Core Changes

• Use null-prototype objects in server actions manifests: #89069
• Re-enable types-and-precompiled: #89070

Misc Changes

• Fix reset deploy project script: #89001

Credits

Huge thanks to @unstubbable, @ijjk, and @eps1lon for helping!

Core Changes

• Apply fixes for onBuildComplete and route module: #88831
• Rename renderOpts.nextExport to isBuildTimePrerendering: #88951
• docs: fix typos in README.mds: #89022
• refactor: consume global-error from loader tree: #88437
• Fix chunk loading when using __turbopack_load_by_url__ with query: #88899
• [mcp] change the mcp endpoint response to JSON: #88911
• Reapply "[turbopack] Add bundling support for worker_threads" (#88725): #88967
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth: #89040
• Upgrade React from 24d8716e-20260123 to 8c34556c-20260126: #89066

Misc Changes

• Update Rspack development test manifest: #89004
• Update Rspack production test manifest: #89003
• Turbopack: remove Asset supertrait from Module trait. Modules don't have content: #86416
• docs: improve clarity in cache components and server/client docs: #88946
• docs: revalidatePath w/ rewrites and trailing slash: #88956
• [test] Improve deployment skew test for Pages Router data routes: #89038
• Fix react-loadable-manifest chunk hash mismatch by preserving async loader mapping: #88775
• Cache Component Guide: Building public, mostly static pages: #87248

Credits

Huge thanks to @ijjk, @vercel-release-bot, @mischnic, @sokra, @icyJoseph, @msmx-mnakagawa, @lukesandberg, @huozhi, @delbaoliveira, @timneutkens, and @unstubbable for helping!

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

Please see this changelog for more information about this security patch.

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

Please see this changelog for more information about this security patch.

Please see this changelog for more information about this security patch.

Please see this changelog for more information about this security patch.

Please see this changelog for more information about this security patch.