Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: vercel/next.js
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v15.4.8
Choose a base ref
...
head repository: vercel/next.js
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v15.4.10
Choose a head ref
  • 7 commits
  • 83 files changed
  • 5 contributors

Commits on Dec 10, 2025

  1. lock binaries

    @ijjk
    ijjk committed Dec 10, 2025
    Configuration menu
    Copy the full SHA
    bd84546 View commit details
    Browse the repository at this point in the history

Commits on Dec 11, 2025

  1. Backport Next.js changes to v15.4.9 (#24) 

    * remove urlencoded server action handling (#14)

* remove urlencoded server action handling

* urlencoded POSTs should still flow through action handler

* bailout early for urlencoded

* tweak handling to 404 in feetch action case

* error when there are no server actions (#15)

* remove custom error

* remove dev gate

* error when there are no server actions

* gate against dev

* Check whether action ids are valid before parsing (#16)

* Check whether action ids are valid before parsing

In an effort to narrow access to parsing methods Next.js now prequalifies MPA form parsing by ensuring there are only valid action IDs as part of the submission. This is not meant to be a strong line of defense against malicious payloads since action IDs are not private and are for many apps relatively easy to acquire. It does however provide some limited narrowing of code paths so that action decoding only happens for plausible actions

Additionally all other branches that use next-action header now consistently check the header before proceeding with parsing. This is also a perf improvement.

* fix test assertion

---------

Co-authored-by: Zack Tanner <[email protected]>

---------

Co-authored-by: Josh Story <[email protected]>
    @ztanner @gnoff
    ztanner and gnoff committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    d0edaac View commit details
    Browse the repository at this point in the history

  2. Update React Version (#31)

    @gnoff @ztanner
    gnoff authored and ztanner committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    2ff781e View commit details
    Browse the repository at this point in the history

  3. Update React Version (#42) 

    Co-authored-by: Josh Story <[email protected]>
    @unstubbable @gnoff @ztanner
    2 people authored and ztanner committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    596f513 View commit details
    Browse the repository at this point in the history

  4. v15.4.9

    @nextjs-bot
    nextjs-bot committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    d1449e5 View commit details
    Browse the repository at this point in the history

  5. Backport facebook/react#35351 for 15.4.9 (#87087) 

    facebook/react#35351

Co-authored-by: Josh Story <[email protected]>
    @unstubbable @gnoff
    unstubbable and gnoff authored Dec 11, 2025
    Configuration menu
    Copy the full SHA
    6129673 View commit details
    Browse the repository at this point in the history

  6. v15.4.10

    @nextjs-bot
    nextjs-bot committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    43cb546 View commit details
    Browse the repository at this point in the history
Loading