- Setting up authentication logic at the network boundary (proxy.ts)
- Configuring metadata and SEO for production
- Implementing Server Actions for form mutations
+- Targeting multiple hosts/providers using Adapters / OpenNext (cross-provider deployments)
## When NOT to use
@@ −36 +37 @@
### Next.js 16 notable platform changes (confirmed)
−- Next.js 16.2 (released March 18, 2026): performance and DX improvements including significantly faster developer startup and server rendering. The release highlights faster Time-to-URL in development (startup improvements observed at ~87% faster Time‑to‑URL on default apps vs 16.1) and faster server rendering (important Server Component payload deserialization contributions from React). The release also adds Server Function logging in the dev terminal, a Hydration Diff Indicator in the overlay, a redesigned default error page, `next start --inspect` support, and other developer diagnostics. (Source: Next.js 16.2 blog)
+- Next.js 16.2 (released March 18, 2026): performance and DX improvements including significantly faster developer startup and server rendering. Release highlights include much faster Time‑to‑URL in development (~87% faster on default apps vs 16.1), faster server rendering (up to ~25–60% faster HTML render depending on RSC payload size), a redesigned default error page, Server Function logging in the dev terminal, a Hydration Diff Indicator in the overlay, and `next start --inspect` for attaching a Node.js debugger to a running server in production-like environments. (Source: Next.js 16.2 blog)
−- Turbopack: 16.2 includes over 200 Turbopack fixes and feature improvements (Server Fast Refresh for server code, SRI support, postcss.config.ts, tree-shaking of dynamic imports, inline loader configuration, Lightning CSS hooks, Web Worker origin fixes). Turbopack remains the default bundler for many Next.js workflows; if you must use webpack temporarily, the Next.js docs show flags for switching. (Source: Turbopack deep-dive)
+- Turbopack: 16.2 includes 200+ Turbopack fixes and feature improvements (Server Fast Refresh for server code, SRI support, postcss.config.ts support, tree-shaking improvements, Lightning CSS hooks, and Web Worker origin fixes). Turbopack continues as the recommended default bundler for most Next.js workflows; use webpack only if a specific toolchain plugin requires it. (Source: Next.js blog / Turbopack deep-dive)
−- Next.js Across Platforms (Adapter API, stable): Next.js 16.2 shipped a stable Adapter API and a shared adapter test suite (OpenNext collaboration) so Next.js can be deployed with full App Router semantics across multiple providers. This improves cross-provider compatibility for routing, edge runtimes, and asset handling. (Source: Next.js Across Platforms blog)
+- Next.js Across Platforms (Adapter API, stable): Next.js 16.2 shipped a stable Adapter API (collaboration with OpenNext and providers) and a shared adapter test suite so providers can implement verified adapters that preserve App Router semantics (routing, streaming, revalidation, and edge runtimes). This improves cross-provider compatibility when deploying App Router apps outside Vercel. (Source: Next.js Across Platforms blog)
- Middleware → Proxy: The middleware convention is replaced by Proxy (`proxy.ts` / `proxy.js`) as the network-boundary entry point. Use `matcher` to scope Proxy execution and run the migration codemods when upgrading. Keep Proxy logic small and fast; offload heavy I/O to server code. (Source: Next.js docs & release notes)
@@ −48 +49 @@
### React runtime and security
−- Critical/High RSC vulnerabilities (Dec 2025): The React team disclosed a critical unauthenticated RCE in React Server Components (CVE-2025-55182) on December 3, 2025 and followed up with DoS and source-exposure issues on December 11, 2025. Patches were published and later backported; update immediately if you use RSC-enabled packages or frameworks that bundle them. (Sources: React blog posts Dec 3 and Dec 11, 2025)
+- Critical/High RSC vulnerabilities (Dec 2025): The React team disclosed a critical unauthenticated remote code execution vulnerability in React Server Components (CVE-2025-55182) on December 3, 2025 and followed up with additional DoS and source-exposure issues on December 11, 2025. Patches were initially published (19.0.1, 19.1.2, 19.2.1) and the fixes were later backported to 19.0.4, 19.1.5, and 19.2.4 — upgrade immediately if you use RSC-enabled packages or frameworks that bundle them. (Sources: React blog posts Dec 3 & Dec 11, 2025)
−- Patched versions and remediation: The fixes were backported to react-server-dom packages in versions 19.0.4, 19.1.5, and 19.2.4 (React team guidance, Dec 11, 2025). If you previously upgraded to earlier patch releases (for example 19.0.1 or 19.2.1), upgrade again to the backported versions. Also upgrade Next.js and any bundler plugins that include RSC packages. (Source: React blog)
+- Patched versions and remediation: Ensure your package.json pins the fixed react-server-dom packages (19.0.4, 19.1.5, or 19.2.4 as appropriate) and upgrade any framework/bundler plugins that embed these packages. Do not rely on hosting-provider temporary mitigations; update packages immediately. (Source: React blog)
−- Practice: treat Server Actions and Server Component endpoints like any other server endpoint — validate input, avoid deserializing untrusted payloads without careful checks, add dependency vulnerability scanning in CI, and pin runtime/compiler versions used in production builds. Do not rely on hosting-provider temporary mitigations; update packages immediately.
+- Practice: treat Server Actions and Server Component endpoints like any other server endpoint — validate input, avoid deserializing untrusted payloads without careful checks, add dependency vulnerability scanning in CI, and pin runtime/compiler versions used in production builds.
### Caching layers (updated)
