chore(deps): bump the npm_and_yarn group across 22 directories with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /examples/auth/next-app directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/auth/next-pages directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/custom-server directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/db-example directory: payload.
Bumps the npm_and_yarn group with 1 update in the /examples/draft-preview/next-app directory: next.
Bumps the npm_and_yarn group with 2 updates in the /examples/draft-preview/next-pages directory: qs and next.
Bumps the npm_and_yarn group with 1 update in the /examples/form-builder/next-pages directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/hierarchy directory: payload.
Bumps the npm_and_yarn group with 1 update in the /examples/live-preview/next-app directory: next.
Bumps the npm_and_yarn group with 2 updates in the /examples/live-preview/next-pages directory: qs and next.
Bumps the npm_and_yarn group with 1 update in the /examples/nested-docs/next-app directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/nested-docs/next-pages directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/redirects/next-pages directory: next.
Bumps the npm_and_yarn group with 2 updates in the /packages/bundler-webpack directory: ajv and webpack.
Bumps the npm_and_yarn group with 2 updates in the /packages/mzinga directory: qs and webpack.
Bumps the npm_and_yarn group with 1 update in the /packages/plugin-cloud directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /packages/plugin-cloud-storage directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /packages/plugin-relationship-object-ids directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /packages/plugin-sentry directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /packages/plugin-stripe directory: webpack.
Bumps the npm_and_yarn group with 1 update in the /packages/richtext-lexical directory: lodash.
Bumps the npm_and_yarn group with 1 update in the /test/live-preview/next-app directory: next.

Updates next from 14.2.35 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
• Additional commits viewable in compare view

Updates payload from 2.32.3 to 3.75.0

Release notes

Sourced from payload's releases.

v3.75.0

v3.75.0 (2026-02-05)

🚀 Features

• adds beforeNav and afterNav component slots (#15493) (f23a1df)
• next: pass full initReq context to server functions and dashboard widgets (#15427) (ce13e97)

🐛 Bug Fixes

• handle absolute paths correctly with tempFileDir upload option (#14436) (5ca9bd4)
• ungenerated image sizes should not store original URL (#15454) (fa1cd62)
• add safety check to redirects from external file URL uploads (#15458) (1041bb6)
• sass warning not hidden during webpack build (#15442) (dec0ea7)
• add collection property to auth documents, fixing multi tenancy access control issue (#15404) (d6aa6cc)
• graphql: blocks return null with select: true (#15464) (c2baef4)
• next: versions diff error when swapping blocks with relationship fields (#15478) (5ba0055)
• next: export SlugField from the client dir not rsc (#15461) (6c07f3b)
• next: sync modular dashboard widgets when server component re-renders (#15439) (5495b47)
• plugin-ecommerce: variant creation blocked by variants in trash (#15449) (3f01682)
• plugin-mcp: create and update resource tools now support point fields (#15381) (a28261d)
• ui: extra padding rendering in list view when no description exists (#15507) (3ff6be4)
• ui: remove slug field from rsc exports (#15480) (8f66035)

⚡ Performance

• next: avoid re-calculating permissions in some server functions, pass missing args (#15428) (9c8be5c)

📚 Documentation

• jobs queue improvements (#15318) (3d357b3)

🎨 Styles

• run lint-staged commands in correct order (#15446) (731037e)

🧪 Tests

• trash e2e URL regex too strict and blocks query parameters (#15498) (57e759c)
• additional admin e2e coverage for templates (#15477) (63d63be)
• reorganize helpers into shared/e2e/int subdirectories (#15479) (b901231)
• enable figma adapter testing (#15467) (f4920d8)
• improve script to reset tests (#15328) (399b579)
• richText fields serialization (#15465) (fc99048)
• update suites selected by default in runTestsWithSummary (#15463) (603897d)
• trash auth e2e tests have race condition on navigation (#15468) (9bd5123)

⚙️ CI

... (truncated)

Commits

• 00e2ffb chore(release): v3.75.0 [skip ci]
• 5ca9bd4 fix: handle absolute paths correctly with tempFileDir upload option (#14436)
• fa1cd62 fix: ungenerated image sizes should not store original URL (#15454)
• f23a1df feat: adds beforeNav and afterNav component slots (#15493)
• 8422668 chore: replace magic strings with centralized constants (#15475)
• 1041bb6 fix: add safety check to redirects from external file URL uploads (#15458)
• 6c07f3b fix(next): export SlugField from the client dir not rsc (#15461)
• 9c8be5c perf(next): avoid re-calculating permissions in some server functions, pass m...
• d6aa6cc fix: add collection property to auth documents, fixing multi tenancy access c...
• ce13e97 feat(next): pass full initReq context to server functions and dashboard widge...
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
• Additional commits viewable in compare view

Updates qs from 6.11.2 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500ec83 fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 1caaca3 feat(next/image)!: add images.maximumResponseBody config (#88183)
• Additional commits viewable in compare view

Updates payload from 2.32.3 to 3.75.0

Release notes

Sourced from payload's releases.

v3.75.0

v3.75.0 (2026-02-05)

🚀 Features

• adds beforeNav and afterNav component slots (#15493) (f23a1df)
• next: pass full initReq context to server functions and dashboard widgets (#15427) (ce13e97)

🐛 Bug Fixes

• handle absolute paths correctly with tempFileDir upload option (#14436) (5ca9bd4)
• ungenerated image sizes should not store original URL (#15454) (fa1cd62)
• add safety check to redirects from external file URL uploads (#15458) (1041bb6)
• sass warning not hidden during webpack build (#15442) (dec0ea7)
• add collection property to auth documents, fixing multi tenancy access control issue (#15404) (d6aa6cc)
• graphql: blocks return null with select: true (#15464) (c2baef4)
• next: versions diff error when swapping blocks with relationship fields (#15478) (5ba0055)
• next: export SlugField from the client dir not rsc (#15461) (6c07f3b)
• next: sync modular dashboard widgets when server component re-renders (#15439) (5495b47)
• plugin-ecommerce: variant creation blocked by variants in trash (#15449) (3f01682)
• plugin-mcp: create and update resource tools now support point fields (#15381) (a28261d)
• ui: extra padding rendering in list view when no description exists (#15507) (3ff6be4)
• ui: remove slug field from rsc exports (#15480) (8f66035)

⚡ Performance

• next: avoid re-calculating permissions in some server functions, pass missing args (#15428) (9c8be5c)

📚 Documentation

• jobs queue improvements (#15318) (3d357b3)

🎨 Styles

• run lint-staged commands in correct order (#15446) (731037e)

🧪 Tests

• trash e2e URL regex too strict and blocks query parameters (#15498) (57e759c)
• additional admin e2e coverage for templates (#15477) (63d63be)
• reorganize helpers into shared/e2e/int subdirectories (#15479) (b901231)
• enable figma adapter testing (#15467) (f4920d8)
• improve script to reset tests (#15328) (399b579)
• richText fields serialization (#15465) (fc99048)
• update suites selected by default in runTestsWithSummary (#15463) (603897d)
• trash auth e2e tests have race condition on navigation (#15468) (9bd5123)

⚙️ CI

... (truncated)

Commits

• 00e2ffb chore(release): v3.75.0 [skip ci]
• 5ca9bd4 fix: handle absolute paths correctly with tempFileDir upload option (#14436)
• fa1cd62 fix: ungenerated image sizes should not store original URL (#15454)
• f23a1df feat: adds beforeNav and afterNav component slots (#15493)
• 8422668 chore: replace magic strings with centralized constants (#15475)
• 1041bb6 fix: add safety check to redirects from external file URL uploads (#15458)
• 6c07f3b fix(next): export SlugField from the client dir not rsc (#15461)
• 9c8be5c perf(next): avoid re-calculating permissions in some server functions, pass m...
• d6aa6cc fix: add collection property to auth documents, fixing multi tenancy access c...
• ce13e97 feat(next): pass full initReq context to server functions and dashboard widge...
• Additional commits viewable in compare view

Updates next from 13.5.11 to 16.1.6

Release notes

Sourced from next's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade to swc 54 (#88207)
• implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
• tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472 https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Fix linked list bug in LRU deleteFromLru (#88652)
• Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

• adf8c61 v16.1.6
• 098c0c0 [backport][ci] Make gh auth status optional when triggering a release (#89100)
• a43df32 Backport/docs fixes jan 25 16.1.x (#89124)
• d6d5734 tweak LRU sentinel cache key (#89123)
• 4324698 backport: implement LRU cache with invocation ID scoping for minimal mode res...
• 23c4649 [backport] Upgrade to swc 54 (#88207) (#89103)
• acba4a6 v16.1.5
• e1d1fc6 Add maximum size limit for postponed body parsing (#88175)
• 500...

  Description has been truncated