Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: vercel/next.js
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v14.2.33
Choose a base ref
...
head repository: vercel/next.js
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v14.2.35
Choose a head ref
  • 7 commits
  • 127 files changed
  • 5 contributors

Commits on Dec 10, 2025

  1. lock swc binaries

    @ijjk
    ijjk committed Dec 10, 2025
    Configuration menu
    Copy the full SHA
    778e7bf View commit details
    Browse the repository at this point in the history

  2. update version script

    @ijjk
    ijjk committed Dec 10, 2025
    Configuration menu
    Copy the full SHA
    7a2cf51 View commit details
    Browse the repository at this point in the history

Commits on Dec 11, 2025

  1. Backport Next.js changes to v14.2.34 (#29) 

    * remove urlencoded server action handling (#14)

* remove urlencoded server action handling

* urlencoded POSTs should still flow through action handler

* bailout early for urlencoded

* tweak handling to 404 in feetch action case

* error when there are no server actions (#15)

* remove custom error

* remove dev gate

* error when there are no server actions

* gate against dev

* Check whether action ids are valid before parsing (#16)

* Check whether action ids are valid before parsing

In an effort to narrow access to parsing methods Next.js now prequalifies MPA form parsing by ensuring there are only valid action IDs as part of the submission. This is not meant to be a strong line of defense against malicious payloads since action IDs are not private and are for many apps relatively easy to acquire. It does however provide some limited narrowing of code paths so that action decoding only happens for plausible actions

Additionally all other branches that use next-action header now consistently check the header before proceeding with parsing. This is also a perf improvement.

* fix test assertion

---------

Co-authored-by: Zack Tanner <1939140+ztanner@users.noreply.github.com>

* fix test

---------

Co-authored-by: Josh Story <story@hey.com>
    @ztanner @gnoff
    ztanner and gnoff committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    385e8c2 View commit details
    Browse the repository at this point in the history

  2. Update React Version (#36)

    @gnoff @ztanner
    gnoff authored and ztanner committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    8e43882 View commit details
    Browse the repository at this point in the history

  3. v14.2.34

    @vercel-release-bot
    vercel-release-bot committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    f307368 View commit details
    Browse the repository at this point in the history

  4. Backport facebook/react#35351 for 14.2.34 (#87095) 

    facebook/react#35351

Co-authored-by: Josh Story <story@hey.com>
    @unstubbable @gnoff
    unstubbable and gnoff authored Dec 11, 2025
    Configuration menu
    Copy the full SHA
    7c1be85 View commit details
    Browse the repository at this point in the history

  5. v14.2.35

    @vercel-release-bot
    vercel-release-bot committed Dec 11, 2025
    Configuration menu
    Copy the full SHA
    7b940d9 View commit details
    Browse the repository at this point in the history
Loading