[pull] canary from vercel:canary #188
Open
+1,788,467
−313,459
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![pull[bot]](https://avatars.githubusercontent.com/in/12910?s=60&v=4){kind=small}
ijjk
force-pushed
the
canary
branch
5 times, most recently
from
df8579c
to
47e5ebe
Compare
ijjk
force-pushed
the
canary
branch
3 times, most recently
from
e078ebe
to
6b863fe
Compare
<!-- Thanks for opening a PR! Your contribution is much appreciated. To make sure your PR is handled as smoothly as possible we request that you follow the checklist sections below. Choose the right checklist for the change(s) that you're making: ## For Contributors ### Improving Documentation - Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide ### Adding or Updating Examples - The "examples guidelines" are followed from our contributing doc https://github.com/vercel/next.js/blob/canary/contributing/examples/adding-examples.md - Make sure the linting passes by running `pnpm build && pnpm lint`. See https://github.com/vercel/next.js/blob/canary/contributing/repository/linting.md ### Fixing a bug - Related issues linked using `fixes #number` - Tests added. See: https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ### Adding a feature - Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. (A discussion must be opened, see https://github.com/vercel/next.js/discussions/new?category=ideas) - Related issues/discussions are linked using `fixes #number` - e2e tests added (https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs) - Documentation added - Telemetry added. In case of a feature if it's used or not. - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ## For Maintainers - Minimal description (aim for explaining to someone not on the team to understand the PR) - When linking to a Slack thread, you might want to share details of the conclusion - Link both the Linear (Fixes NEXT-xxx) and the GitHub issues - Add review comments if necessary to explain to the reviewer the logic behind a change ### What? ### Why? ### How? Closes NEXT- Fixes # --> ### What? Currently, the `router.push` method does not sanitize URL arguments, which can cause cross-site scripting (XSS) bugs in next.js sites through the running of untrusted code in a JavaScript URL. This was reported as #50093 and was closed, with an explanation that it is the developer's responsibility to sanitize `router.push` input. This PR is an addition to the next.js docs to document that issue and let developers know that they cannot send untrusted or unsanitized URLs into `router.push`. ### Why? Cross-site scripting bugs can be quite high severity, as they often allow attackers to steal credentials and data. Furthermore, the API most similar to `router.push` in the web API, `history.pushState`, does not accept JavaScript URLs, so developers might reasonably not know that they need to sanitize `router.push` input. Searching through public github repos finds more than 1,000 projects that may be vulnerable to this issue, so I believe it's a pretty widespread misunderstanding of the API.
<!-- Thanks for opening a PR! Your contribution is much appreciated. To make sure your PR is handled as smoothly as possible we request that you follow the checklist sections below. Choose the right checklist for the change(s) that you're making: ## For Contributors ### Improving Documentation - Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide ### Adding or Updating Examples - The "examples guidelines" are followed from our contributing doc https://github.com/vercel/next.js/blob/canary/contributing/examples/adding-examples.md - Make sure the linting passes by running `pnpm build && pnpm lint`. See https://github.com/vercel/next.js/blob/canary/contributing/repository/linting.md ### Fixing a bug - Related issues linked using `fixes #number` - Tests added. See: https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ### Adding a feature - Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. (A discussion must be opened, see https://github.com/vercel/next.js/discussions/new?category=ideas) - Related issues/discussions are linked using `fixes #number` - e2e tests added (https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs) - Documentation added - Telemetry added. In case of a feature if it's used or not. - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ## For Maintainers - Minimal description (aim for explaining to someone not on the team to understand the PR) - When linking to a Slack thread, you might want to share details of the conclusion - Link both the Linear (Fixes NEXT-xxx) and the GitHub issues - Add review comments if necessary to explain to the reviewer the logic behind a change Closes NEXT- Fixes # --> ### What? Explicitly mentions `--inspect=0.0.0.0` and its use case. ### Why? NextJS apps are commonly run inside docker containers when self-hosting. In this case, the example in the docs will not work as expected, blocking users who are not familiar with the --inspect flag. ### How? Added a "Good to Know" content block. Co-authored-by: JJ Kasper <jj@jjsweb.site>
…olvedVc` (#71746) It's not common that you'd have a `&mut Vc` or `&mut ResolvedVc` (because they're `Copy`), but there are some edge cases where you might, and there's no technical reason we can't `impl IntoFuture` for these, so let's do it.
- Preparing to filter out this pages from the stable docs
…72081) Closes: https://linear.app/vercel/issue/DOC-3683/iterate-on-caching-apis-docs-and-update-them-based-on-notion-notes - Add JS code blocks - Update reference pages to follow template - Move conceptual content into deep dive (will be committed separately) - Create a `cacheLife` function reference page - Add **good to know** notes on: - Serialization - PPR - Add interleaving example (handling non-serializable arguments) --------- Co-authored-by: Rich Haines <hello@richardhaines.dev>
## Summary Unlike [`useActionState`](https://react.dev/reference/react/useActionState), `useFormState` is imported from `react-dom`. ### Improving Documentation - [x] Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - [x] Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
## Description Catch-up #71404. Add `await cookies()` to the other sections. ### Improving Documentation - [x] Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - [x] Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
## Summary Add a slash to correct the problem. ### Improving Documentation - [x] Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - [x] Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
### What? Added Firefox debugging instructions to Next.js docs ### Why? To support developers who use Firefox for debugging ### How? - Added Firefox config to VS Code launch settings - Added Firefox-specific debugging instructions - Updated relevant docs sections to include Firefox alongside Chrome --------- Co-authored-by: Novalinium <nova@noblejury.com> Co-authored-by: Delba de Oliveira <32464864+delbaoliveira@users.noreply.github.com>
If a `fetch` call inside of `"use cache"` has not specified `cache: 'force-cache'` or `revalidate`, we should not cache it implicitly in the fetch cache. Instead, it's only cached as part of the surrounding cached function. Those `fetch` calls that do specify `cache: 'force-cache'` or `revalidate` are still cached in the fetch cache. They're like an inner `"use cache"`. They also don't inherit the tags of the outer `"use cache"`. partially reverts #71793 and #72075 closes #72090
… useEffect (#72362) ### What? Under certain circumstances, the Storage APIs, such as local storage, are not available. For example, the Brave browser allows users to block `all cookies`, which forbids access to local storage. - https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage#securityerror ### Why? When access to local storage fails, the development mode page crashes, leading to the `Application Error` view. ### How? Wrap on a try/catch the local storage access done within a use-effect, under `__NEXT_APP_ISR_INDICATOR`. There is another local storage access point, but that one is done as part of `processMessage`, which is called within a `try/catch` block already. Fixes #72046 Co-authored-by: JJ Kasper <jj@jjsweb.site>
When performing RSC requests, if the incoming data has a different build ID than the client, we perform an MPA navigation/refresh to load the updated build and ensure that the client and server in sync. Currently we store the build ID in the router state, but becauase it's always in lockstep with the app instance, it's not actually stateful. We can store it in a global. The ID gets assigned as a side-effect during app initialization. It should never change after being set the first time. In practice, because setAppBuildId is called before hydration starts, it will always get assigned to the actual build ID before it's ever needed by a navigation. (If for some reasons it didn't, due to a bug or race condition, then on navigation the build comparision would fail and trigger an MPA navigation.) The logical flow of how the global is assigned is more convoluted than it should be because we currently decode the Flight stream inside the React render phase (via a hook), because that's required to propagate resource hints correctly. Conceptually it would make more sense to decode the stream before starting hydration and pass the decoded data to the root component as props; this would also allow us to block hydration until the id is set. But we'll need to address the hints problem first. As a follow up, we should probably do the same thing for the App Router reducer, which is already a global store in practice but is referenced and passed everywhere as if it were owned by the React tree.
A multi-zone Next.js app might have complex rewrites for its client assets. For these apps, resolving a source map through the `/__nextjs_source-map` dev middleware might fail because the asset might belong to a different app. Instead of trying to resolve those rewrites (i.e. using `fetch` instead of `fs`), we can just bypass the source map dev middleware for client chunks. Because we control how those source maps are generated, we can safely assume that the `sourceMappingURL` is relative to the filename, with an added `.map` extension. The browser can just request this file, and it gets served through the normal dev server, without the need to route this through the source map dev middleware. reverts #72258
## Summary Get rid of unnecessary `rc.`.
### Why? To customize Image Optimation, the user can use a custom loader, but that information was out from the related lint error message. Closes NDX-181
This pull request removes the unstable_after from the Dynamic APIs, as it does not cause a route to become dynamic.
- @vercel/devlow-bench@0.3.4
#72588) Considering the bound args param in the server reference information byte is required for a client-side optimization of omitting unused arguments to work properly when a server action or `"use cache"` function uses closed-over variables. The server reference information byte is not used yet, so this PR should not change any observable behavior.
…ldren and storage (#72426) ### What? Add options for the new backend to disable certain features. * Storage can be disabled to avoid capturing change log data. * Dependency tracking can be disabled when no changes are expected and no persistence is used * Children tracking can be disabled for testing purposes. Closes PACK-3405
### What? typo that took me long to find. We want to check stale flag again when the task lock is acquired again
Using the information byte in a server reference ID, as introduced in #71463, we can omit unused arguments when calling a `"use cache"` function. This enables us, for example, to use a cached function in conjunction with `useActionState` when the function does not need the previous state, as shown below: ```ts 'use cache' export async function getCachedRandomValue() { return Math.random() } ``` ```tsx 'use client' import { useActionState } from 'react' import { getCachedRandomValue } from './cached' export default function Page() { const [result, formAction] = useActionState(getCachedRandomValue, null) return ( <form action={formAction}> <p>{result}</p> <button>Submit</button> </form> ) } ``` Previously, in this use case, a new value would have been rendered for every click. This is because React passes the previous state and the form data as arguments into the action function. These two arguments are then included in the cache key, resulting in a new cache key being generated for every invocation. _Note: This optimization is currently based purely on the function signature. It does not yet detect when a param is declared, but not used in the function body. It's also not yet applied for server actions._
### Why? Since Turbopack for dev is stable for v15, enable the prompt value to true. Closes NDX-461 x-ref: [slack-thread](https://vercel.slack.com/archives/C03KAR5DCKC/p1731083893866479)
This will be used to gate a rewrite of the client cache that we've just started. Eventually it should merge with the PPR rollout, but that's already in active experimentation and we don't want to harm the PPR rollout. This will also let us incrementally get to parity with the existing implementation, instead of trying to reach parity in one big step. When enabled (and when a route is using PPR), prefetches will use a new per-segment cache instead of the existing per-page cache.
This ensures we don't incorrectly update the static indicator status during the dev warmup render which was causing it to show unexpectedly with dynamicIO enabled.
…72620) ### Improving Documentation - This PR updates Page component examples by adding `function` keyword to ensure proper syntax highlighting 🙂 - Also includes the missing `export default` for page components, and applies consistent code formatting. <img width="675" alt="image" src="https://github.com/user-attachments/assets/c081f866-8523-4597-aa56-7baad96eecb5"> <br />
### Improving Documentation
- Since the params prop is now a promise, the type of params in the
generateMetadata and Page components has been changed from `{ id: string
}` to `Promise<{ id: string }>`.
---------
Co-authored-by: JJ Kasper <jj@jjsweb.site>
Local builds of Node.js will be considered prereleases e.g. a local build of Node.js will have `24.0.0-pre` as their version. Now these versions are accepted as long as their base version still matches.
## Why? The example `app-dir-i18n-routing` needs to be updated to v15. ## How? Run the `next-async-request-api` codemod: ``` pnpm dlx @next/codemod@latest next-async-request-api . ``` - Fixes #72630
Follow-up to #72631 this ensures we properly update the `requestStore` when we detect pure IO case and no dynamic methods are used like `cookies()` or `headers()` e.g. just a fetch with no caching opts enabled. --------- Co-authored-by: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )