Update npm package next to v16 [SECURITY]

[hash-worker]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	15.5.10 -> 16.0.10

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

---

Release Notes

vercel/next.js (next)

v16.0.10

Compare Source

Please see the Next.js Security Update for information about this security patch.

v16.0.9

Compare Source

v16.0.8

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Update react version in cna templates (#​86950)

Credits

Huge thanks to @​huozhi for helping!

v16.0.7

Compare Source

Please see CVE-2025-66478 for additional details about this release.

v16.0.6

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• bump the browserslist version to silence a warning in CI (#​86625)

Credits

Huge thanks to @​lukesandberg for helping!

v16.0.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(nodejs-middleware): await for body cloning to be properly finalized (#​85418)

Credits

Huge thanks to @​lucasadrianof for helping!

v16.0.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: Rename proxy.js to middleware.js in NFT file (#​86214)
• fix: prevent fetch abort errors propagating to user error boundaries (#​86277)
• Turbopack: fix passing project options from napi (#​86256)

Credits

Huge thanks to @​devjiwonchoi, @​sokra and @​ztanner for helping!

v16.0.3

Compare Source

Core Changes

• fix: Rspack throw error when using ForceCompleteRuntimePlugin: #​85221
• fix: build CLI output not displaying Proxy (Middleware) when nodejs runtime: #​85403
• fix: staleTimes.static should consistently enforce a 30s minimum: #​85479
• [turbopack] fix build of empty entries of pages: #​84873
• Cache the head separately from the route tree: #​84724
• Allow inspecting dev server on default port with next dev --inspect: #​85037
• Avoid proxying React modules through workUnitStore: #​85486
• fix: redirect should always return updated router state: #​85533
• Upgrade React from b4455a6e-20251027 to 4f931700-20251029: #​85518
• [turbopack] Move generation of cacheLife types out of the webpack plugin and into the dev bundler directly: #​85539
• Ensure user-space stack frame for 'use cache' in page/layout component: #​85519
• Update parallel routes in build-complete: #​85546
• fully remove clientSegmentCache flag: #​85541
• [turbopack] Support relative paths in turbopack source maps.: #​85146
• Release unnecessary memory on hydration finish: #​84967
• Preserve interception markers in parameter types: #​85526
• move segment cache entries to top level segment-cache dir: #​85542
• Upgrade React from 4f931700-20251029 to 561ee24d-20251101: #​85670
• [devtools] Remove title from preferences: #​85698
• Update font data: #​85708
• Don't invalidate hot reloader excessively during dev server boot: #​85732
• [codemod] fix: next-lint-to-eslint-cli did not handle 'next' plugin: #​85749
• Upgrade React from 561ee24d-20251101 to 67f7d47a-20251103: #​85762
• Tracing: Fix memory leak in span map: #​85529
• Fix documentation typo in refresh function: #​85696
• fix: eslint-config-next types was exporting to dist/src: #​85768
• Upgrade React from 67f7d47a-20251103 to f646e8ff-20251104: #​85772
• remove unused RSC payload property: #​85746
• [runtime prefetching]: fix runtime prefetching when deployed: #​85595
• Turbopack: next build --analyze: #​85197
• Build: Log amount of workers during static generation: #​85706
• Upgrade React from f646e8ff-20251104 to dd048c3b-20251105: #​85819
• Sync devFallbackParams when generateStaticParams change: #​85741
• chore: upgrade rspack 1.6.0: #​84210
• [mcp] get_routes mcp tool: #​85773
• Split each path param into a separate cache key : #​85758
• [turbopack] change server source maps in production to use relative paths: #​85576
• fix: skip collecting metadata for app-error in webpack: #​85892
• fix: support root span attributes with a custom server: #​85521
• fix isDynamicRSC condition when deployed: #​85919
• [turbopack] Make it possible to synchronously access native bindings: #​85787
• Upgrade React from dd048c3b-20251105 to fa50caf5-20251107: #​85906
• Fix telemetry event loss on build failures and server shutdown: #​85867
• Remove one stack frame from 'use cache' call stacks: #​85966
• Upgrade React from fa50caf5-20251107 to 52684925-20251110: #​85980
• Deployment adapter: fix metadata for "/" route: #​85820
• Enable React's default Transition indicator behind a flag: #​86000
• update routes-manifest to include whether app has pages routes: #​86051

Misc Changes

• chore: Add opt-level = s for not frequently used crates: #​85426
• [test] Deflake cache-components-allow-otel-spans: #​85466
• [test] Move remaining experimental.cacheLife: #​85467
• Turbopack: chore: Remove mopa dependency in turbo-tasks (2nd attempt): #​85286
• Update Proxy docs: #​85439
• [CNA] Do not prompt for Turbopack: #​85404
• Clean up new release process: #​85458
• Update E2E tests workflow: #​85485
• Update E2E deploy tests manifest: #​85483
• docs: example are incorrect async function exports only: #​85453
• [test] Handle CLI assertions where no "Compiling..." log is present: #​85499
• [test] Speed up refresh test: #​85505
• [test] Add test cases for dynamic caches without suspense boundaries: #​85500
• docs: Routes are wrapped w/ Activity in Cache Components: #​85309
• docs: GET handler behavior under cache components: #​85389
• [test] Avoid needless start/stop from using createSandbox: #​85507
• [test] Use --debug-build-paths instead of NEXT_PRIVATE_APP_PATHS: #​85504
• docs: revalidateTag requires second argument: #​85284
• Refactor GTM implementation to support google tag gateway: #​81011
• Update Rspack production test manifest: #​85494
• Update Rspack development test manifest: #​85495
• [docs] Fix a typo: #​85492
• [test] Regenerate tsconfig.json files: #​85515
• [Turbopack] clean up completion.rs a bit: #​84863
• [test] Remove maxRetries and hardError parameters: #​85536
• Turbopack: remove the .into() alias to .cell(): #​85516
• [test] Consolidate identical snapshots across different bundlers: #​85532
• [turbopack] Change where cells are created in resolve_raw to make cell allocation order deterministic.: #​85525
• Turbopack: Make tasks deterministic: #​85524
• [test] Separate act and assertions: #​85508
• [test] assert* -> waitFor* when the util is not instant: #​85450
• Turbopack: move whole_app_module_graphs to top level: #​84897
• [test] Bail on sending requests to Next.js instance if it's no longer available: #​85557
• [test] Deflake tests comparing two random numbers: #​85571
• [test] Disallow custom RegExp-like implementations in check: #​85537
• [test] Deflake prerender suite: #​85563
• Turbopack: chore: Remove some dead MagicAny serialization code from turbo_tasks::value: #​85577
• [test]: fix broken scroll restoration test: #​85599
• [test] Deflake nested after() tests: #​85566
• [test] Stop installing unused dependencies: #​85569
• [test] Consider test/integration/ in flake detection tests: #​85590
• Turbopack: more checks on verify_serialization: #​84952
• Turbopack: add track_caller to improve panics: #​85565
• Turbopack: add verify_determinism feature to check if tasks are deterministic: #​85559
• docs: cache life rework: #​85224
• Turbopack: fix hanging dev server and builds with fs cache: #​85606
• Turbopack: Fix compound assignment expression evaluation (#​85478): #​85593
• Turbopack: fix Scope holding Arc too long: #​85611
• [ci] Improve change detection logic in run-for-change script: #​85619
• [test] Ignore in deploy tests if a child process isn't available: #​85636
• Turbopack: add size_hint and len for Chunk iterator: #​85622
• [test]: move resume-data-cache to e2e test: #​85647
• Update Rspack development test manifest: #​85662
• Update Rspack production test manifest: #​85661
• Update Rspack production test manifest: #​85688
• Update Rspack development test manifest: #​85689
• [test] Deflake root-optional-revalidate: #​85584
• docs: fix generateImageMetadata example to use normal params object: #​85658
• Turbopack: Upgrade image crate: #​85084
• docs: update multi sitemap argumenmt type: #​85701
• [test] Move all files to .ts (6/6): #​85641
• Turbopack: add a batch add method to the storage: #​84270
• docs: recommend reverse-proxy when self-hosting: #​85650
• [test] Deflake prefetching.stale-times: #​85733
• [test] Deflake custom cache handler test: #​85610
• [test] Allow CLI integration test to be retryable: #​85586
• docs: update docs to mention ESLint as default: #​85740
• docs(next.config): this docs should remove ".mts" is not supported.: #​85716
• Turbopack: cleanup StyleSheetLike: #​85718
• Turbopack: disable tree shaking for tracing: #​85722
• [test] Move all files to .ts (3/6): #​85638
• [test] Move all files to .ts (2/6): #​85637
• [test] Move all files to .ts (1/6): #​85634
• docs: generateSitemap passes id as promise: #​85767
• [test] Move all files to .ts (4/6): #​85639
• docs: disclosure on path-to-regexp: #​85629
• chore: update rspack binding to 1.6.0: #​85717
• Turbopack: trace worker_threads worker entry: #​85734
• Update Rspack development test manifest: #​85761
• Turbopack: chore: Remove extern crate and macro_use syntax: #​85778
• [turbopack] Drop duration and allocation tracking from CaptureFuture: #​85534
• Turbopack: chore: Remove dead RouteMatcher stuff: #​85784
• docs: fresh up getting started 00: #​85736
• Turbopack: chore: Remove the serde_regex dependency, which wasn't very heavily used: #​85578
• Turbopack: use batch add in connect children: #​85623
• [test] Move all files to .ts (5/6): #​85640
• [test] Deflake legacy-link-behavior: #​85805
• Resolve request ID confusion: #​85809
• Turbopack: use batch add to add initial followers: #​85624
• Turbopack: chore: Remove dead experimental.ppr struct field: #​85792
• Turbopack: chore: Avoid string clones in Glob::parse by using RcStr: #​85579
• Update Rspack production test manifest: #​85795
• docs: getting started updates 01: #​85750
• chore: Update patricia_tree dependency, remove manual serde impls: #​85785
• docs: keywords in system reqs and add browserslist: #​85838
• Honour NEXT_TEST_PREFER_OFFLINE in install-native.mjs: #​85850
• Turbopack: chore: Update anyhow, remove old backtrace feature: #​85844
• Turbopack: Remove some dead (or useless) code from next-core/src/next_client_reference/visit_client_reference.rs: #​85843
• sort dependencies for smaller diffs: #​82291
• Update Rspack development test manifest: #​85846
• Turbopack: Remove non_operation_vc_strongly_consistent feature usage from next-api: #​85874
• Turbopack: remove the streaming hack for improved stability: #​85858
• test: Port clean-distdir integration test to the modern e2e test framework: #​85828
• Update font data: #​85920
• Update deploy manifest: #​85924
• Turbopack: chore: Merge turbo-tasks-macros-shared crate into turbo-tasks-macros: #​85917
• Turbopack: Fix IO concurrency for MacOS: #​85861
• Add Appwrite Sites to supported adapters: #​85830
• [turbopack] Remove LocalTaskType::Native, it is dead: #​85480
• [test] Increase response timeout in next.browserWithResponse(): #​85911
• Hoist inner 'use cache' functions to reduce function allocations: #​85904
• docs: eslint config update: #​85969
• Fix Turbopack local font font-family declaration: #​85913
• switch to slice in createRuntimePrefetchTransformStream: #​85822
• Update authentication.mdx: Fix Auth0 Link: #​85953
• Turbopack: remove unused function: #​85974
• docs: cacheHandlers: #​85311
• docs: Feedback item on proxy default: #​86004
• [test] Add missing test fixtures for cacheLife & cacheTag in client: #​85872
• Fix false-positive build error for cacheLife & cacheTag: #​85875
• [cna] For pnpm ignore postinstall from sharp and unrs-resolver: #​83168
• Turbopack: refactor evaluate to take module_graph: #​85971
• Turbopack: remove duplicate traversal implementations: #​85853
• Omit unused encryptActionBoundArgs/decryptActionBoundArgs imports: #​86015
• Turbopack: cleanup db log and add verbose option: #​85965
• [ci]: fix retry_deploy_test workflow: #​85981
• Fix typo in documentation: #​86054

Credits

Huge thanks to @​kdy1, @​eps1lon, @​SyMind, @​bgw, @​swarnava, @​devjiwonchoi, @​ztanner, @​ijjk, @​huozhi, @​icyJoseph, @​acdlite, @​unstubbable, @​gnoff, @​gusfune, @​vercel-release-bot, @​lukesandberg, @​sokra, @​hayes, @​shuding, @​wyattjoh, @​marjan-ahmed, @​timneutkens, @​ajstrongdev, @​zigang93, @​mischnic, @​Nayeem-XTREME, @​hamirmahal, @​eli0shin, @​tessamero, @​gaojude, @​jamesdaniels, @​georgesfarah, and @​timeyoutakeit for helping!

v16.0.2

Compare Source

[!NOTE]
This version includes no code or feature changes. To get the latest change, please look for the next patch release v16.0.3 or next@​latest

v16.0.1

Compare Source

Core Changes

• fix(static-paths): add depth tracking to parallel route param resolution: #​85319
• Fix types of @​next/mdx: #​82238
• Ensure getServerInsertedHTML skips rendering correctly: #​85394
• Fix duplicate .next/types include on Windows: #​85400
• Exclude next-js condition from middleware, proxy, and instrumentation: #​85321
• remove unstable_forceStale prefetch option & restore prefetch={true} functionality: #​85411
• Upgrade React from 2bcbf254-20251020 to 6160773f-20251023: #​85277
• fix(next/image): swap dependencies: #​85419
• Handle Origin: null headers: #​85402
• Generalize Segment Cache fallback implementation: #​84652
• fix: ensure req.query is writable: #​81573
• fix: Proxy not picked up on Windows: #​85443
• [test] Ensure we can toggle the DevTools menu while status indicators are active: #​85456
• Fix crash when suspending in Components using useActionQueue: #​85459

Misc Changes

• docs: create-next-app react-compiler and new prompts: #​85213
• docs: cache components - introduction: #​85196
• docs: use cache feedback: #​85169
• docs: stabilize apis in docs: #​85219
• docs: revalidateTag immediate expiration in Route Handlers: #​85223
• Docs/use cache feedback 2: #​85222
• docs: added use cache: remote docs: #​85145
• docs: proxy runtime defaults to nodejs: #​85204
• chore: cache components feedback: #​85241
• docs: add a note that cache components is opt-in near the top: #​85245
• Docs/v16 feedback: #​85259
• Update command to install babel-plugin-react-compiler as a devDependency: #​85235
• docs: typegen next-env.d.ts feedback: #​85273
• docs: link to MCP guide from upgrade: #​85308
• docs: regexp removed from middleware config: #​85343
• docs: simplify MCP guide to focus on next-devtools-mcp: #​85353
• docs: fix proxy matcher overflow: #​85337
• docs: point out diff in serialization types for arguments and return values: #​85338
• [test] Update snapshots: #​85407
• docs: Fix typo in SEO section of loading.mdx: #​85301
• Fix typo in Fast Refresh documentation: #​85352
• Fix grammatical errors in updating data documentation: #​85067
• [test] Skip devlow benchmarks on PRs: #​85408
• [test] Unflake typed-env suite: #​85410
• Update rust toolchain to 2025-10-27: #​85409
• [test] Speed up prefetching suite: #​85417
• docs: remove inaccuracies from use cache: private: #​85425
• [test] Exclude Next.js internal stack frames from cache-component-error CLI output assertions: #​85421
• [test] Exclude likely Next.js internal Components from component stacks in Redbox assertions: #​85420
• Turbopack: correctly trace files with npm: #​85323

Credits

Huge thanks to @​icyJoseph, @​wyattjoh, @​devjiwonchoi, @​arnabsen, @​remcohaszing, @​denesbeck, @​gaojude, @​mhart, @​eps1lon, @​jesuistuan, @​codr, @​InfiniteCodeMonkeys, @​gnoff, @​ztanner, @​wbinnssmith, @​styfle, @​acdlite, @​ale-grosselle, and @​mischnic for helping!

v16.0.0

Compare Source

[!TIP]
Check out our Next v16 Blog Post to learn more about this release.

Core Changes

• Development: Don't import app-router / hot-reloader through next/link in application code: #​83656
• Remove clientParamParsing requirement from RDC for Navigations: #​83661
• Upgrade React from 6b70072c-20250909 to 886b3d36-20250910: #​83650
• Turbopack: Use readFileSync / writeFileSync for manifest writing: #​83694
• Upgrade React from 886b3d36-20250910 to f3a80361-20250911: #​83696
• Don't create client-side debug channel if the feature is disabled: #​83699
• fix: dev should produce the correct default fallback regex to match builds/Turbopack: #​83701
• [devtool] fix overlay styles are missing: #​83721
• Revert "Remove clientParamParsing requirement from RDC for Navigations": #​83725
• Only enable unhandledRejection filtering when opted in: #​83726
• Fix index data route for adapter build-complete: #​83730
• Remove leading underscore for unhandledRejection envvar: #​83732
• Upgrade React from f3a80361-20250911 to 93d7aa69-20250912: #​83729
• Upgrade React from 93d7aa69-20250912 to 8a8e9a7e-20250912: #​83742
• Fix reentrancy of unhandledRejection filtering: #​83741
• Fix type for unhandled rejection handler process.removeListener: #​83748
• [OTel] fix: Root span name should not include high cardinality URL: #​75416
• Turbopack: Remove matchers.reload() call on each request: #​83720
• [Breaking] Flat config as default in @next/eslint-plugin-next: #​83763
• fix: Rspack splitChunks.chunks regex: #​83670
• Revert "Turbopack: Remove matchers.reload() call on each request": #​83819
• fix: unstable_cache should perform blocking revalidation during ISR revalidation: #​83820
• fix(Rspack): resolve HMR unresponsiveness or unexpected full reload & update dev snapshot: #​83480
• Allow next.config.mts for Node.js native TS resolver: #​83556
• chore: Ensure Import Trace starts in a newline: #​83638
• Development: Remove matchers.reload() on each request: #​83829
• Upgrade React from 8a8e9a7e-20250912 to 5e0c951b-20250916: #​83850
• Bump typescript 5.9.2: #​83833
• Allow headers, rewrites and redirects to be defined as sync functions: #​83743
• Turbopack: Optimize addedRoutes and removedRoutes calculation: #​83840
• [next-config-ts] Set Node.js native TS loader fallback flag to process.env: #​83832
• Development: Clarify TypescriptStatus in watcher: #​83857
• Upgrade sharp dependency to version ^0.34.4: #​83892
• Upgrade React from 5e0c951b-20250916 to 128abcfa-20250917: #​83906
• Add native ts resolver docs link to transpile-config: #​83914
• OTel: use srcPage for templates when next.route is unavailable: #​83911
• Remove inline CSS sourcemaps from next-devtools: #​83917
• Development: Move all TypeScript related work in watcher together: #​83912
• [Cache Components] Allow sync IO inside console methods : #​83843
• Upgrade React from 128abcfa-20250917 to 84af9085-20250917: #​83959
• Build: Add .next/trace-build with high level trace: #​83949
• Remove force writing **/*.mts to tsconfig: #​83967
• feat: Isolate dev build from prod: #​83961
• Remove JS size reporting from next build: #​83815
• Docs/workspace setup: #​83490
• Turbopack: support import ... with {type: "bytes"}: #​83896
• fix: error overlay not closing when backdrop clicked: #​83981
• Upgrade React from 84af9085-20250917 to d415fd3e-20250919: #​84003
• fix: worker logs should still support color: #​84024
• Update font data: #​84005
• Allow passing port to next internal trace: #​83907
• Turbopack: error when importing Typescript in node_modules: #​83990
• Turbopack: Deterministic builds (prerender-manifest, .next/package.json, ./next/postcss.js): #​84081
• Turbopack: Fix babel-loader (allowing built-in or manual configuration): #​82676
• [Cache Components] allow using headers() in runtime prefetches: #​83838
• [Breaking] Remove deprecated publicRuntimeConfig and serverRuntimeConfig: #​83944
• Turbopack: mode to disable tracing: #​83683
• babel-loader: Fix a few issues with config caching: #​83973
• Turbopack: Merge babel-loader and react-compiler configuration logic to avoid running babel twice: #​83502
• [breaking]: enable router scroll optimization by default: #​84102
• Fix layout for ssgPageRoutes in the file tree: #​84104
• Turbopack: Remove useless 'default' built-in webpack loader condition: #​84111
• Fix: Client should auto reload after server restarts: #​83971
• trace-build: Add missing spans: #​84080
• Development: Remove TypeScript from the hot path during bootup: #​84090
• Guide users to experimental.cacheComponents config: #​84121
• Development: Only load webpack when used: #​84123
• Turbopack: Skip loading webpack plugin: #​84125
• Development: Only load createEnvDefinitions when used: #​83935
• BREAKING CHANGE!: bump default images.minimumCacheTTL from 1 min to 4 hours: #​84105
• Feat: Add Model Context Protocol (MCP) server to Next.js dev server: #​84100
• Upgrade React from d415fd3e-20250919 to 1eca9a27-20250922: #​84093
• Turbopack: Remove the deprecated .turbo config object: #​84109
• Flag excess properties in Next.js config with TypeScript: #​84069
• docs: update Security section to direct disclosures : #​84156
• ci: Enable experimental.isolatedDevBuild for test-experimental-dev: #​84099
• [turbopack] Ensure React Compiler options are based dev vs prod: #​84062
• Enable anonymous function naming in React Compiler: #​84070
• Revert "[Breaking] Remove deprecated publicRuntimeConfig and serverRuntimeConfig (#​83944)": #​84167
• Fix double comma in build manifest: #​84131
• [turbopack] set app dir only to true when no pages entries detected: #​84144
• Split code-frame into separate compiled package: #​84174
• refactor: separate forward browser logs utils: #​84151
• Upgrade React from 1eca9a27-20250922 to e2332183-20250924: #​84189
• [Cache Components] default to filtering unhandledRejection after abort: #​84192
• fix: prevent URL mutation in router rewrites: #​83963
• fix(server): fix pages router resume router matching: #​84158
• Feat: get_errors MCP endpoint: #​84161
• Add internal environment variable for enabling React Compiler: #​84176
• [devtools] Disable React's default Transition indicator: #​84202
• Upgrade React from e2332183-20250924 to b0c1dc01-20250925: #​84248
• Feat: get_page_metadata MCP endpoint: #​84211
• feat: capture logs into logging file during development: #​84183
• babel-loader: Avoid calling expensive isReactCompilerRequired check when we must run Babel anyways: #​84103
• [mcp] expose logging: #​84226
• Move config.turbopack.moduleIds to config.experimental.turbopackModuleIds: #​84230
• Show invalid default export errors during prerendering: #​84242
• fix: make sure caller exists in babel preset: #​84154
• [mcp] allow to enable mcp server through env var: #​84278
• fix(metadata): make formatDetection respect true/false properly: #​83924
• Upgrade React from b0c1dc01-20250925 to df38ac9a-20250926: #​84276
• Add a --webpack flag and default --turbopack to true: #​84216
• fix: Update URL resolution logic to handle search parameters on root path /?foo=bar: #​78262
• [Breaking] Remove deprecated sync access to Dynamic APIs: #​84179
• Move config.turbopack.moduleIds to config.experimental.turbopackModuleIds: #​84230
• Show invalid default export errors during prerendering: #​84242
• fix: make sure caller exists in babel preset: #​84154
• [mcp] allow to enable mcp server through env var: #​84278
• fix(metadata): make formatDetection respect true/false properly: #​83924
• Upgrade React from b0c1dc01-20250925 to df38ac9a-20250926: #​84276
• Add a --webpack flag and default --turbopack to true: #​84216
• fix: Update URL resolution logic to handle search parameters on root path /?foo=bar: #​78262
• [Breaking] Remove deprecated sync access to Dynamic APIs: #​84179
• Turbopack: only write merged manifests when they have been changed: #​84261
• Turbopack: add separate turbopackPersistentCachingForBuild/ForDev flags: #​84215
• Revert "Add a --webpack flag and default --turbopack to true (#​84216)": #​84348
• Upgrade React from df38ac9a-20250926 to d15d7fd7-20250929: #​84347
• Mark React Compiler integration as stable: #​84220
• [cna] Add reactCompiler option: #​82251
• Turbopack: remove canary version check for turbopackPersistentCachingForDev: #​84277
• [turbopack] Add support for debug_ids: #​84319
• Revert "Revert "Add a --webpack flag and default --turbopack to true (#​84216)"": #​84351
• [Breaking] Remove AMP codemod: #​84356
• [Breaking] Remove deprecated built-in AMP: #​84312
• auto-enable clientParamParsing and clientSegmentCache w/ cacheComponents: #​84250
• [mcp] get server action tool: #​84382
• Revert "Revert "Revert "Add a --webpack flag and default --turbopack to true (#​84216)""": #​84389
• Update otel test assertions and pages span_name: #​84393
• [Breaking] Bump minimum TypeScript version to 5.1.0: #​84384
• Upgrade React from d15d7fd7-20250929 to ef889445-20250930: #​84383
• [Breaking] Remove deprecated unstable_rootParams: #​84373
• [metadata] remove falsy dynamicParams approach: #​84405
• fix: next rspack binding NextExternalsPlugin: #​84303
• Development: Skip route matching when there is an existing match: #​84227
• Revert "auto-enable clientParamParsing and clientSegmentCache w/ cacheComponents": #​84419
• Upgrade React from ef889445-20250930 to 548235db-20251001: #​84416
• [Breaking] Update default browserslist config: #​84401
• Upgrade React from 548235db-20251001 to 1bd1f01f-20251001: #​84417
• Allow metadataBase to be a string URL in addition to URL instance: #​84297
• Upgrade React from 1bd1f01f-20251001 to 86181134-20251001: #​84427
• [mcp] logging file should be reset for each session: #​84425
• Revert "Revert "Revert "Revert "Add a --webpack flag and default --turbopack to true (#​84216)"""": [#​84394](https://redirect.github.com/vercel/next.js/issues/8

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cursor]

PR Summary

Upgrades Next.js across the repo with associated lockfile changes.

• Bumps next to 16.0.10 in apps/hash-frontend and libs/@local/hash-isomorphic-utils
• Refreshes yarn.lock: updates @next/* SWC binaries, moves sharp to 0.34.5 (adds @img/colour, new libvips/riscv64 variants), and updates transitive deps like detect-libc and semver
• No application code changes

^{Written by Cursor Bugbot for commit b55d723. This will update automatically on new commits. Configure here.}

[augmentcode]

🤖 Augment PR Summary

Summary: Updates Next.js to v16.0.10 across the repo to pick up upstream security fixes.

Changes:

• Bumps next from 15.5.10 → 16.0.10 in apps/hash-frontend.
• Bumps next from 15.5.10 → 16.0.10 in libs/@local/hash-isomorphic-utils to keep workspace dependencies aligned.
• Refreshes yarn.lock to capture Next v16’s updated transitive dependency graph (including updated @next/* SWC artifacts and related packages).

Technical Notes: This is a major Next.js upgrade, so it’s worth validating any Next-adjacent tooling/peer deps (e.g., @next/*) and confirming runtime behavior under the current Next configuration.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

With next bumped to 16, @next/bundle-analyzer is still pinned to 15.5.9; can we confirm this combination is supported (or that the analyzer isn’t used here) to avoid peer-dep/install or build-time issues?

_{🤖 Was this useful? React with 👍 or 👎}

[augmentcode]

The PR description for CVE-2025-59472 recommends upgrading to 16.1.5 to mitigate; can we confirm 16.0.10 fully addresses the vulnerability alert for our deployment mode (especially if PPR/minimal mode is enabled)?

_{🤖 Was this useful? React with 👍 or 👎}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
hashdotdesign	Ready	Preview, Comment	Jan 28, 2026 4:20pm

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Webpack config ignored due to Turbopack default change

Medium Severity

Upgrading next to 16.0.10 changes the default bundler for next dev from webpack to Turbopack. The project's next.config.js contains custom webpack configuration including @svgr/webpack for SVG handling, async WASM support, and custom resolve aliases—none of which will be applied when Turbopack runs. The dev script still runs plain next dev without the --webpack flag, so development server functionality will break. Either the dev script needs --webpack flag or equivalent Turbopack configuration (turbopack.rules) needs to be added.