### Next.js 16 notable platform changes (confirmed)
−- Next.js 16.2 (published March 18, 2026): performance and DX improvements including significantly faster developer startup and server rendering. Highlights from the Next.js team include dramatically faster Time‑to‑URL in development, faster server rendering (25–60% faster HTML render depending on RSC payload size), a redesigned default error page, Server Function logging in the dev terminal, a Hydration Diff Indicator in the overlay, and `next start --inspect` to attach a Node.js debugger to a running server. Source: Next.js 16.2 blog (March 18, 2026).
+- Next.js 16.2 (published April 26, 2026): performance and DX improvements including faster developer startup and server rendering, a redesigned default error page, Server Function logging in the dev terminal, a Hydration Diff Indicator in the overlay, and `next start --inspect` to attach a Node.js debugger. See the Next.js blog for release notes and upgrade guidance.
− - Time-to-URL / dev startup: the release notes report large improvements (top-line measurements show up to ~400% faster next dev startup in some scenarios; the default-app measurement in the post reports ~87% faster startup vs 16.1). Expect measurable gains on both small and large apps—benchmark your codebase when upgrading.
+- Turbopack (16.2 deep-dive): multiple fixes and feature improvements landed in Turbopack for the 16.2 release. Highlights called out by the team include Server Fast Refresh, Subresource Integrity (SRI) support, TypeScript PostCSS config support, improved tree-shaking for dynamic imports, and better Web Worker/WASM handling. Turbopack is the recommended default bundler for many Next.js projects; follow the Turbopack deep-dive and docs when adopting it.
− - Server rendering improvements: Next.js 16.2 includes changes that reduce RSC payload deserialization overhead (a two-step parse + walk approach contributed to React), delivering roughly 25–60% faster HTML render times in real-world workloads.
+- transitionTypes prop for next/link: the Link component now accepts `transitionTypes` to annotate client-side transitions (useful when coordinating with View Transitions APIs).
−- Turbopack (16.2 deep-dive): 200+ fixes and feature improvements landed in Turbopack for 16.2. Notable items: Server Fast Refresh (fine-grained server hot reload), Subresource Integrity (SRI) support, postcss.config.ts (TypeScript PostCSS config) support, improved tree-shaking for dynamic imports, Web Worker origin fixes (better WASM/worker support), LightningCSS experimental hooks, and log filtering. Turbopack remains the recommended default bundler for most Next.js workflows. Source: Turbopack deep-dive (Next.js blog, March 18, 2026).
+- Next.js Across Platforms (Adapter API, stable): the project introduced a stable Adapter API and collaboration with OpenNext and major providers to improve deploy-target parity across Vercel, Netlify, Cloudflare, AWS, and other platforms. Adapters provide a typed, versioned build description that targets can consume.
−- transitionTypes prop for next/link: the Link component accepts transitionTypes to annotate client-side transitions (useful when coordinating with View Transitions APIs).
+- Middleware → Proxy migration: the prior middleware convention has been superseded by the Proxy network boundary (export `proxy.ts` / `proxy.js`). Use `matcher` to scope Proxy execution and run the provided codemods when upgrading. Keep Proxy logic small and fast; offload heavy I/O to server code or route handlers.
−
−- Next.js Across Platforms (Adapter API, stable; published March 25, 2026): the release includes a stable Adapter API and collaboration with OpenNext and major providers to produce a typed, versioned build description that adapters consume. This improves deploy-target parity across Vercel, Netlify, Cloudflare, AWS, and others. Source: Next.js Across Platforms blog (March 25, 2026).
−
−- Middleware → Proxy: the previous middleware convention is replaced by Proxy (exported as `proxy.ts` / `proxy.js`) as the network-boundary entry point. Use `matcher` to scope Proxy execution. Run the provided migration codemods when upgrading. Keep Proxy logic small and fast; offload heavy I/O to server code.
Actionable checklist when upgrading to v16.x:
−- Read the Next.js 16.2 release notes and the Turbopack deep-dive for Turbopack behavior changes.
+- Read the Next.js 16.2 release notes and the Turbopack deep-dive for Turbopack behavior and migration guidance.
- Run Next.js codemods for large upgrades: `npx @next/codemod@canary upgrade latest`.
- Migrate middleware to Proxy with the codemod: `npx @next/codemod@canary middleware-to-proxy .` and validate `matcher` scopes.
- Benchmark your dev startup and server render times pre/post-upgrade.
- Verify Node.js and TypeScript minimums in the Next.js docs before upgrading CI images.
−Sources: Next.js 16.2 blog (Mar 18, 2026), Turbopack deep-dive (Mar 18, 2026), Next.js Across Platforms blog (Mar 25, 2026), Next.js docs (Proxy/Caching guidance).
+Sources: Next.js blog (release and 16.2 posts), Turbopack deep-dive (Next.js blog), Next.js Across Platforms blog (Next.js blog), Next.js docs (Proxy/Caching guidance).
### React runtime and security
−- December 2025 — January 2026 RSC advisories: the React team disclosed a critical unauthenticated remote code execution vulnerability affecting React Server Components in early December 2025 (CVE-2025-55182) with follow-up disclosures adding Denial of Service and Source Code Exposure variants (December 11, 2025 and later updates). These advisories were patched and subsequently backported. Source: React blog (Dec 3 & Dec 11, 2025; updates Jan 26, 2026).
+- December 2025 — critical RSC advisories: in early December 2025 the React team disclosed critical vulnerabilities affecting React Server Components and related packages, with follow-up advisories in mid-December 2025. The React team published fixes and recommended backported package versions for affected release lines. See the React blog and release notes for exact CVE identifiers and fixed package versions.
+- Remediation checklist:
+ - Audit whether your app or any dependency uses React Server Components or Server Functions. If yes, prioritize patching those packages.
+ - Upgrade react-server-dom-* and related packages to the fixed versions listed in the React advisories, rebuild, and redeploy.
−- Patched packages and remediation (high level): React published fixes and backports for the react-server-dom-* packages. The advisories recommend upgrading the affected react-server-dom packages to the patched backported versions (see the React blog for the exact fixed package versions for your release series). Do not rely on provider mitigations alone — upgrade packages, rebuild, and redeploy.
+ - Update Next.js to the recommended patch for your release line because framework integrations can pin or bundle these packages.
−
−- Practical guidance:
− - Audit whether your app (or any dependency) uses React Server Components or Server Functions. If yes, treat these packages as high-priority for patching.
− - Upgrade react-server-dom-* to the fixed backported versions as listed by the React advisory (and update react/react-dom per your framework's guidance). Rebuild and redeploy.
− - Update Next.js to the recommended patch for your release line; follow the Next.js blog/upgrade docs because framework integrations may bundle or pin these packages.
- Add dependency vulnerability scanning to CI and pin critical runtime/compiler/tooling versions in your lockfile and CI images.
- Validate any temporary hosting-provider mitigations with your provider, but do not substitute them for package upgrades.
