next 15.3.0-canary.3 → 15.3.0-canary.5

package/dist/esm/build/swc/index.js

@@ -11,7 +11,7 @@ import { isDeepStrictEqual } from 'util';
 import { getDefineEnv } from '../webpack/plugins/define-env-plugin';
 import { getReactCompilerLoader } from '../get-babel-loader-config';
 import { TurbopackInternalError } from '../../shared/lib/turbopack/utils';
-const nextVersion = "15.3.0-canary.3";
+const nextVersion = "15.3.0-canary.5";
 const ArchName = arch();
 const PlatformName = platform();
 function infoLog(...args) {

package/dist/esm/build/webpack-config.js

@@ -1527,7 +1527,7 @@ export default async function getBaseWebpackConfig(dir, { buildId, encryptionKey
             isClient && new CopyFilePlugin({
                 // file path to build output of `@next/polyfill-nomodule`
                 filePath: require.resolve('./polyfills/polyfill-nomodule'),
-                cacheKey: "15.3.0-canary.3",
+                cacheKey: "15.3.0-canary.5",
                 name: `static/chunks/polyfills${dev ? '' : '-[hash]'}.js`,
                 minimize: false,
                 info: {
@@ -1704,7 +1704,7 @@ export default async function getBaseWebpackConfig(dir, { buildId, encryptionKey
         //  - Next.js location on disk (some loaders use absolute paths and some resolve options depend on absolute paths)
         //  - Next.js version
         //  - next.config.js keys that affect compilation
-        version: `${__dirname}|${"15.3.0-canary.3"}|${configVars}`,
+        version: `${__dirname}|${"15.3.0-canary.5"}|${configVars}`,
         cacheDirectory: path.join(distDir, 'cache', 'webpack'),
         // For production builds, it's more efficient to compress all cache files together instead of compression each one individually.
         // So we disable compression here and allow the build runner to take care of compressing the cache as a whole.

package/dist/esm/client/app-bootstrap.js

@@ -3,7 +3,7 @@
  * sure the following scripts are executed in the correct order:
  * - Polyfills
  * - next/script with `beforeInteractive` strategy
- */ const version = "15.3.0-canary.3";
+ */ const version = "15.3.0-canary.5";
 window.next = {
     version,
     appDir: true

package/dist/esm/client/index.js

@@ -26,7 +26,7 @@ import { SearchParamsContext, PathParamsContext } from '../shared/lib/hooks-clie
 import { onRecoverableError } from './react-client-callbacks/on-recoverable-error';
 import tracer from './tracing/tracer';
 import { isNextRouterError } from './components/is-next-router-error';
-export const version = "15.3.0-canary.3";
+export const version = "15.3.0-canary.5";
 export let router;
 export const emitter = mitt();
 const looseToArray = (input)=>[].slice.call(input);

package/dist/esm/lib/inline-static-env.js

@@ -4,32 +4,27 @@ import crypto from 'crypto';
 import { promisify } from 'util';
 import globOriginal from 'next/dist/compiled/glob';
 import { Sema } from 'next/dist/compiled/async-sema';
-import { BUILD_MANIFEST } from '../shared/lib/constants';
 import { getNextConfigEnv, getStaticEnv } from './static-env';
 const glob = promisify(globOriginal);
-export async function inlineStaticEnv({ distDir, config, buildId }) {
+export async function inlineStaticEnv({ distDir, config }) {
     const nextConfigEnv = getNextConfigEnv(config);
     const staticEnv = getStaticEnv(config);
     const serverDir = path.join(distDir, 'server');
-    const serverChunks = await glob('**/*.js', {
+    const serverChunks = await glob('**/*.{js,json,js.map}', {
         cwd: serverDir
     });
     const clientDir = path.join(distDir, 'static');
-    const clientChunks = await glob('**/*.js', {
+    const clientChunks = await glob('**/*.{js,json,js.map}', {
         cwd: clientDir
     });
-    const webpackRuntimeFile = clientChunks.find((item)=>item.match(/webpack-[a-z0-9]{16}/));
-    if (!webpackRuntimeFile) {
-        throw Object.defineProperty(new Error(`Invariant failed to find webpack runtime chunk`), "__NEXT_ERROR_CODE", {
-            value: "E662",
-            enumerable: false,
-            configurable: true
-        });
-    }
+    const manifestChunks = await glob('*.{js,json,js.map}', {
+        cwd: distDir
+    });
     const inlineSema = new Sema(8);
     const nextConfigEnvKeys = Object.keys(nextConfigEnv).map((item)=>item.split('process.env.').pop());
     const builtRegEx = new RegExp(`[\\w]{1,}(\\.env)?\\.(?:NEXT_PUBLIC_[\\w]{1,}${nextConfigEnvKeys.length ? '|' + nextConfigEnvKeys.join('|') : ''})`, 'g');
     const changedClientFiles = [];
+    const filesToCheck = new Set(manifestChunks.map((f)=>path.join(distDir, f)));
     for (const [parentDir, files] of [
         [
             serverDir,
@@ -58,6 +53,7 @@ export async function inlineStaticEnv({ distDir, config, buildId }) {
                     content: newContent
                 });
             }
+            filesToCheck.add(filepath);
             inlineSema.release();
         }));
     }
@@ -80,14 +76,13 @@ export async function inlineStaticEnv({ distDir, config, buildId }) {
             newHash
         });
         const filepath = path.join(clientDir, file);
-        await fs.promises.rename(filepath, filepath.replace(originalHash, newHash));
+        const newFilepath = filepath.replace(originalHash, newHash);
+        filesToCheck.delete(filepath);
+        filesToCheck.add(newFilepath);
+        await fs.promises.rename(filepath, newFilepath);
     }
     // update build-manifest and webpack-runtime with new hashes
-    for (const file of [
-        path.join(distDir, BUILD_MANIFEST),
-        path.join(distDir, 'static', webpackRuntimeFile),
-        path.join(distDir, 'static', buildId, '_buildManifest.js')
-    ]){
+    for (let file of filesToCheck){
         const content = await fs.promises.readFile(file, 'utf-8');
         let newContent = content;
         for (const { originalHash, newHash } of hashChanges){

package/dist/esm/lib/inline-static-env.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/lib/inline-static-env.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\nimport { promisify } from 'util'\nimport globOriginal from 'next/dist/compiled/glob'\nimport { Sema } from 'next/dist/compiled/async-sema'\nimport type { NextConfigComplete } from '../server/config-shared'\nimport { BUILD_MANIFEST } from '../shared/lib/constants'\nimport { getNextConfigEnv, getStaticEnv } from './static-env'\n\nconst glob = promisify(globOriginal)\n\nexport async function inlineStaticEnv({\n  distDir,\n  config,\n  buildId,\n}: {\n  distDir: string\n  buildId: string\n  config: NextConfigComplete\n}) {\n  const nextConfigEnv = getNextConfigEnv(config)\n  const staticEnv = getStaticEnv(config)\n\n  const serverDir = path.join(distDir, 'server')\n  const serverChunks = await glob('**/*.js', {\n    cwd: serverDir,\n  })\n  const clientDir = path.join(distDir, 'static')\n  const clientChunks = await glob('**/*.js', {\n    cwd: clientDir,\n  })\n  const webpackRuntimeFile = clientChunks.find((item) =>\n    item.match(/webpack-[a-z0-9]{16}/)\n  )\n\n  if (!webpackRuntimeFile) {\n    throw new Error(`Invariant failed to find webpack runtime chunk`)\n  }\n\n  const inlineSema = new Sema(8)\n  const nextConfigEnvKeys = Object.keys(nextConfigEnv).map((item) =>\n    item.split('process.env.').pop()\n  )\n\n  const builtRegEx = new RegExp(\n    `[\\\\w]{1,}(\\\\.env)?\\\\.(?:NEXT_PUBLIC_[\\\\w]{1,}${nextConfigEnvKeys.length ? '|' + nextConfigEnvKeys.join('|') : ''})`,\n    'g'\n  )\n  const changedClientFiles: Array<{ file: string; content: string }> = []\n\n  for (const [parentDir, files] of [\n    [serverDir, serverChunks],\n    [clientDir, clientChunks],\n  ] as const) {\n    await Promise.all(\n      files.map(async (file) => {\n        await inlineSema.acquire()\n        const filepath = path.join(parentDir, file)\n        const content = await fs.promises.readFile(filepath, 'utf8')\n        const newContent = content.replace(builtRegEx, (match) => {\n          let normalizedMatch = `process.env.${match.split('.').pop()}`\n\n          if (staticEnv[normalizedMatch]) {\n            return JSON.stringify(staticEnv[normalizedMatch])\n          }\n          return match\n        })\n\n        await fs.promises.writeFile(filepath, newContent)\n\n        if (content !== newContent && parentDir === clientDir) {\n          changedClientFiles.push({ file, content: newContent })\n        }\n        inlineSema.release()\n      })\n    )\n  }\n  const hashChanges: Array<{\n    originalHash: string\n    newHash: string\n  }> = []\n\n  // hashes need updating for any changed client files\n  for (const { file, content } of changedClientFiles) {\n    // hash is 16 chars currently for all client chunks\n    const originalHash = file.match(/([a-z0-9]{16})\\./)?.[1] || ''\n\n    if (!originalHash) {\n      throw new Error(\n        `Invariant: client chunk changed but failed to detect hash ${file}`\n      )\n    }\n    const newHash = crypto\n      .createHash('sha256')\n      .update(content)\n      .digest('hex')\n      .substring(0, 16)\n\n    hashChanges.push({ originalHash, newHash })\n    const filepath = path.join(clientDir, file)\n    await fs.promises.rename(filepath, filepath.replace(originalHash, newHash))\n  }\n\n  // update build-manifest and webpack-runtime with new hashes\n  for (const file of [\n    path.join(distDir, BUILD_MANIFEST),\n    path.join(distDir, 'static', webpackRuntimeFile),\n    path.join(distDir, 'static', buildId, '_buildManifest.js'),\n  ]) {\n    const content = await fs.promises.readFile(file, 'utf-8')\n    let newContent = content\n\n    for (const { originalHash, newHash } of hashChanges) {\n      newContent = newContent.replaceAll(originalHash, newHash)\n    }\n    if (content !== newContent) {\n      await fs.promises.writeFile(file, newContent)\n    }\n  }\n}\n"],"names":["fs","path","crypto","promisify","globOriginal","Sema","BUILD_MANIFEST","getNextConfigEnv","getStaticEnv","glob","inlineStaticEnv","distDir","config","buildId","nextConfigEnv","staticEnv","serverDir","join","serverChunks","cwd","clientDir","clientChunks","webpackRuntimeFile","find","item","match","Error","inlineSema","nextConfigEnvKeys","Object","keys","map","split","pop","builtRegEx","RegExp","length","changedClientFiles","parentDir","files","Promise","all","file","acquire","filepath","content","promises","readFile","newContent","replace","normalizedMatch","JSON","stringify","writeFile","push","release","hashChanges","originalHash","newHash","createHash","update","digest","substring","rename","replaceAll"],"mappings":"AAAA,OAAOA,QAAQ,KAAI;AACnB,OAAOC,UAAU,OAAM;AACvB,OAAOC,YAAY,SAAQ;AAC3B,SAASC,SAAS,QAAQ,OAAM;AAChC,OAAOC,kBAAkB,0BAAyB;AAClD,SAASC,IAAI,QAAQ,gCAA+B;AAEpD,SAASC,cAAc,QAAQ,0BAAyB;AACxD,SAASC,gBAAgB,EAAEC,YAAY,QAAQ,eAAc;AAE7D,MAAMC,OAAON,UAAUC;AAEvB,OAAO,eAAeM,gBAAgB,EACpCC,OAAO,EACPC,MAAM,EACNC,OAAO,EAKR;IACC,MAAMC,gBAAgBP,iBAAiBK;IACvC,MAAMG,YAAYP,aAAaI;IAE/B,MAAMI,YAAYf,KAAKgB,IAAI,CAACN,SAAS;IACrC,MAAMO,eAAe,MAAMT,KAAK,WAAW;QACzCU,KAAKH;IACP;IACA,MAAMI,YAAYnB,KAAKgB,IAAI,CAACN,SAAS;IACrC,MAAMU,eAAe,MAAMZ,KAAK,WAAW;QACzCU,KAAKC;IACP;IACA,MAAME,qBAAqBD,aAAaE,IAAI,CAAC,CAACC,OAC5CA,KAAKC,KAAK,CAAC;IAGb,IAAI,CAACH,oBAAoB;QACvB,MAAM,qBAA2D,CAA3D,IAAII,MAAM,CAAC,8CAA8C,CAAC,GAA1D,qBAAA;mBAAA;wBAAA;0BAAA;QAA0D;IAClE;IAEA,MAAMC,aAAa,IAAItB,KAAK;IAC5B,MAAMuB,oBAAoBC,OAAOC,IAAI,CAAChB,eAAeiB,GAAG,CAAC,CAACP,OACxDA,KAAKQ,KAAK,CAAC,gBAAgBC,GAAG;IAGhC,MAAMC,aAAa,IAAIC,OACrB,CAAC,6CAA6C,EAAEP,kBAAkBQ,MAAM,GAAG,MAAMR,kBAAkBX,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,EACpH;IAEF,MAAMoB,qBAA+D,EAAE;IAEvE,KAAK,MAAM,CAACC,WAAWC,MAAM,IAAI;QAC/B;YAACvB;YAAWE;SAAa;QACzB;YAACE;YAAWC;SAAa;KAC1B,CAAW;QACV,MAAMmB,QAAQC,GAAG,CACfF,MAAMR,GAAG,CAAC,OAAOW;YACf,MAAMf,WAAWgB,OAAO;YACxB,MAAMC,WAAW3C,KAAKgB,IAAI,CAACqB,WAAWI;YACtC,MAAMG,UAAU,MAAM7C,GAAG8C,QAAQ,CAACC,QAAQ,CAACH,UAAU;YACrD,MAAMI,aAAaH,QAAQI,OAAO,CAACf,YAAY,CAACT;gBAC9C,IAAIyB,kBAAkB,CAAC,YAAY,EAAEzB,MAAMO,KAAK,CAAC,KAAKC,GAAG,IAAI;gBAE7D,IAAIlB,SAAS,CAACmC,gBAAgB,EAAE;oBAC9B,OAAOC,KAAKC,SAAS,CAACrC,SAAS,CAACmC,gBAAgB;gBAClD;gBACA,OAAOzB;YACT;YAEA,MAAMzB,GAAG8C,QAAQ,CAACO,SAAS,CAACT,UAAUI;YAEtC,IAAIH,YAAYG,cAAcV,cAAclB,WAAW;gBACrDiB,mBAAmBiB,IAAI,CAAC;oBAAEZ;oBAAMG,SAASG;gBAAW;YACtD;YACArB,WAAW4B,OAAO;QACpB;IAEJ;IACA,MAAMC,cAGD,EAAE;IAEP,oDAAoD;IACpD,KAAK,MAAM,EAAEd,IAAI,EAAEG,OAAO,EAAE,IAAIR,mBAAoB;YAE7BK;QADrB,mDAAmD;QACnD,MAAMe,eAAef,EAAAA,cAAAA,KAAKjB,KAAK,CAAC,wCAAXiB,WAAgC,CAAC,EAAE,KAAI;QAE5D,IAAI,CAACe,cAAc;YACjB,MAAM,qBAEL,CAFK,IAAI/B,MACR,CAAC,0DAA0D,EAAEgB,MAAM,GAD/D,qBAAA;uBAAA;4BAAA;8BAAA;YAEN;QACF;QACA,MAAMgB,UAAUxD,OACbyD,UAAU,CAAC,UACXC,MAAM,CAACf,SACPgB,MAAM,CAAC,OACPC,SAAS,CAAC,GAAG;QAEhBN,YAAYF,IAAI,CAAC;YAAEG;YAAcC;QAAQ;QACzC,MAAMd,WAAW3C,KAAKgB,IAAI,CAACG,WAAWsB;QACtC,MAAM1C,GAAG8C,QAAQ,CAACiB,MAAM,CAACnB,UAAUA,SAASK,OAAO,CAACQ,cAAcC;IACpE;IAEA,4DAA4D;IAC5D,KAAK,MAAMhB,QAAQ;QACjBzC,KAAKgB,IAAI,CAACN,SAASL;QACnBL,KAAKgB,IAAI,CAACN,SAAS,UAAUW;QAC7BrB,KAAKgB,IAAI,CAACN,SAAS,UAAUE,SAAS;KACvC,CAAE;QACD,MAAMgC,UAAU,MAAM7C,GAAG8C,QAAQ,CAACC,QAAQ,CAACL,MAAM;QACjD,IAAIM,aAAaH;QAEjB,KAAK,MAAM,EAAEY,YAAY,EAAEC,OAAO,EAAE,IAAIF,YAAa;YACnDR,aAAaA,WAAWgB,UAAU,CAACP,cAAcC;QACnD;QACA,IAAIb,YAAYG,YAAY;YAC1B,MAAMhD,GAAG8C,QAAQ,CAACO,SAAS,CAACX,MAAMM;QACpC;IACF;AACF"}
+{"version":3,"sources":["../../src/lib/inline-static-env.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\nimport { promisify } from 'util'\nimport globOriginal from 'next/dist/compiled/glob'\nimport { Sema } from 'next/dist/compiled/async-sema'\nimport type { NextConfigComplete } from '../server/config-shared'\nimport { getNextConfigEnv, getStaticEnv } from './static-env'\n\nconst glob = promisify(globOriginal)\n\nexport async function inlineStaticEnv({\n  distDir,\n  config,\n}: {\n  distDir: string\n  config: NextConfigComplete\n}) {\n  const nextConfigEnv = getNextConfigEnv(config)\n  const staticEnv = getStaticEnv(config)\n\n  const serverDir = path.join(distDir, 'server')\n  const serverChunks = await glob('**/*.{js,json,js.map}', {\n    cwd: serverDir,\n  })\n  const clientDir = path.join(distDir, 'static')\n  const clientChunks = await glob('**/*.{js,json,js.map}', {\n    cwd: clientDir,\n  })\n  const manifestChunks = await glob('*.{js,json,js.map}', {\n    cwd: distDir,\n  })\n\n  const inlineSema = new Sema(8)\n  const nextConfigEnvKeys = Object.keys(nextConfigEnv).map((item) =>\n    item.split('process.env.').pop()\n  )\n\n  const builtRegEx = new RegExp(\n    `[\\\\w]{1,}(\\\\.env)?\\\\.(?:NEXT_PUBLIC_[\\\\w]{1,}${nextConfigEnvKeys.length ? '|' + nextConfigEnvKeys.join('|') : ''})`,\n    'g'\n  )\n  const changedClientFiles: Array<{ file: string; content: string }> = []\n  const filesToCheck = new Set<string>(\n    manifestChunks.map((f) => path.join(distDir, f))\n  )\n\n  for (const [parentDir, files] of [\n    [serverDir, serverChunks],\n    [clientDir, clientChunks],\n  ] as const) {\n    await Promise.all(\n      files.map(async (file) => {\n        await inlineSema.acquire()\n        const filepath = path.join(parentDir, file)\n        const content = await fs.promises.readFile(filepath, 'utf8')\n        const newContent = content.replace(builtRegEx, (match) => {\n          let normalizedMatch = `process.env.${match.split('.').pop()}`\n\n          if (staticEnv[normalizedMatch]) {\n            return JSON.stringify(staticEnv[normalizedMatch])\n          }\n          return match\n        })\n\n        await fs.promises.writeFile(filepath, newContent)\n\n        if (content !== newContent && parentDir === clientDir) {\n          changedClientFiles.push({ file, content: newContent })\n        }\n        filesToCheck.add(filepath)\n        inlineSema.release()\n      })\n    )\n  }\n  const hashChanges: Array<{\n    originalHash: string\n    newHash: string\n  }> = []\n\n  // hashes need updating for any changed client files\n  for (const { file, content } of changedClientFiles) {\n    // hash is 16 chars currently for all client chunks\n    const originalHash = file.match(/([a-z0-9]{16})\\./)?.[1] || ''\n\n    if (!originalHash) {\n      throw new Error(\n        `Invariant: client chunk changed but failed to detect hash ${file}`\n      )\n    }\n    const newHash = crypto\n      .createHash('sha256')\n      .update(content)\n      .digest('hex')\n      .substring(0, 16)\n\n    hashChanges.push({ originalHash, newHash })\n\n    const filepath = path.join(clientDir, file)\n    const newFilepath = filepath.replace(originalHash, newHash)\n\n    filesToCheck.delete(filepath)\n    filesToCheck.add(newFilepath)\n\n    await fs.promises.rename(filepath, newFilepath)\n  }\n\n  // update build-manifest and webpack-runtime with new hashes\n  for (let file of filesToCheck) {\n    const content = await fs.promises.readFile(file, 'utf-8')\n    let newContent = content\n\n    for (const { originalHash, newHash } of hashChanges) {\n      newContent = newContent.replaceAll(originalHash, newHash)\n    }\n    if (content !== newContent) {\n      await fs.promises.writeFile(file, newContent)\n    }\n  }\n}\n"],"names":["fs","path","crypto","promisify","globOriginal","Sema","getNextConfigEnv","getStaticEnv","glob","inlineStaticEnv","distDir","config","nextConfigEnv","staticEnv","serverDir","join","serverChunks","cwd","clientDir","clientChunks","manifestChunks","inlineSema","nextConfigEnvKeys","Object","keys","map","item","split","pop","builtRegEx","RegExp","length","changedClientFiles","filesToCheck","Set","f","parentDir","files","Promise","all","file","acquire","filepath","content","promises","readFile","newContent","replace","match","normalizedMatch","JSON","stringify","writeFile","push","add","release","hashChanges","originalHash","Error","newHash","createHash","update","digest","substring","newFilepath","delete","rename","replaceAll"],"mappings":"AAAA,OAAOA,QAAQ,KAAI;AACnB,OAAOC,UAAU,OAAM;AACvB,OAAOC,YAAY,SAAQ;AAC3B,SAASC,SAAS,QAAQ,OAAM;AAChC,OAAOC,kBAAkB,0BAAyB;AAClD,SAASC,IAAI,QAAQ,gCAA+B;AAEpD,SAASC,gBAAgB,EAAEC,YAAY,QAAQ,eAAc;AAE7D,MAAMC,OAAOL,UAAUC;AAEvB,OAAO,eAAeK,gBAAgB,EACpCC,OAAO,EACPC,MAAM,EAIP;IACC,MAAMC,gBAAgBN,iBAAiBK;IACvC,MAAME,YAAYN,aAAaI;IAE/B,MAAMG,YAAYb,KAAKc,IAAI,CAACL,SAAS;IACrC,MAAMM,eAAe,MAAMR,KAAK,yBAAyB;QACvDS,KAAKH;IACP;IACA,MAAMI,YAAYjB,KAAKc,IAAI,CAACL,SAAS;IACrC,MAAMS,eAAe,MAAMX,KAAK,yBAAyB;QACvDS,KAAKC;IACP;IACA,MAAME,iBAAiB,MAAMZ,KAAK,sBAAsB;QACtDS,KAAKP;IACP;IAEA,MAAMW,aAAa,IAAIhB,KAAK;IAC5B,MAAMiB,oBAAoBC,OAAOC,IAAI,CAACZ,eAAea,GAAG,CAAC,CAACC,OACxDA,KAAKC,KAAK,CAAC,gBAAgBC,GAAG;IAGhC,MAAMC,aAAa,IAAIC,OACrB,CAAC,6CAA6C,EAAER,kBAAkBS,MAAM,GAAG,MAAMT,kBAAkBP,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,EACpH;IAEF,MAAMiB,qBAA+D,EAAE;IACvE,MAAMC,eAAe,IAAIC,IACvBd,eAAeK,GAAG,CAAC,CAACU,IAAMlC,KAAKc,IAAI,CAACL,SAASyB;IAG/C,KAAK,MAAM,CAACC,WAAWC,MAAM,IAAI;QAC/B;YAACvB;YAAWE;SAAa;QACzB;YAACE;YAAWC;SAAa;KAC1B,CAAW;QACV,MAAMmB,QAAQC,GAAG,CACfF,MAAMZ,GAAG,CAAC,OAAOe;YACf,MAAMnB,WAAWoB,OAAO;YACxB,MAAMC,WAAWzC,KAAKc,IAAI,CAACqB,WAAWI;YACtC,MAAMG,UAAU,MAAM3C,GAAG4C,QAAQ,CAACC,QAAQ,CAACH,UAAU;YACrD,MAAMI,aAAaH,QAAQI,OAAO,CAAClB,YAAY,CAACmB;gBAC9C,IAAIC,kBAAkB,CAAC,YAAY,EAAED,MAAMrB,KAAK,CAAC,KAAKC,GAAG,IAAI;gBAE7D,IAAIf,SAAS,CAACoC,gBAAgB,EAAE;oBAC9B,OAAOC,KAAKC,SAAS,CAACtC,SAAS,CAACoC,gBAAgB;gBAClD;gBACA,OAAOD;YACT;YAEA,MAAMhD,GAAG4C,QAAQ,CAACQ,SAAS,CAACV,UAAUI;YAEtC,IAAIH,YAAYG,cAAcV,cAAclB,WAAW;gBACrDc,mBAAmBqB,IAAI,CAAC;oBAAEb;oBAAMG,SAASG;gBAAW;YACtD;YACAb,aAAaqB,GAAG,CAACZ;YACjBrB,WAAWkC,OAAO;QACpB;IAEJ;IACA,MAAMC,cAGD,EAAE;IAEP,oDAAoD;IACpD,KAAK,MAAM,EAAEhB,IAAI,EAAEG,OAAO,EAAE,IAAIX,mBAAoB;YAE7BQ;QADrB,mDAAmD;QACnD,MAAMiB,eAAejB,EAAAA,cAAAA,KAAKQ,KAAK,CAAC,wCAAXR,WAAgC,CAAC,EAAE,KAAI;QAE5D,IAAI,CAACiB,cAAc;YACjB,MAAM,qBAEL,CAFK,IAAIC,MACR,CAAC,0DAA0D,EAAElB,MAAM,GAD/D,qBAAA;uBAAA;4BAAA;8BAAA;YAEN;QACF;QACA,MAAMmB,UAAUzD,OACb0D,UAAU,CAAC,UACXC,MAAM,CAAClB,SACPmB,MAAM,CAAC,OACPC,SAAS,CAAC,GAAG;QAEhBP,YAAYH,IAAI,CAAC;YAAEI;YAAcE;QAAQ;QAEzC,MAAMjB,WAAWzC,KAAKc,IAAI,CAACG,WAAWsB;QACtC,MAAMwB,cAActB,SAASK,OAAO,CAACU,cAAcE;QAEnD1B,aAAagC,MAAM,CAACvB;QACpBT,aAAaqB,GAAG,CAACU;QAEjB,MAAMhE,GAAG4C,QAAQ,CAACsB,MAAM,CAACxB,UAAUsB;IACrC;IAEA,4DAA4D;IAC5D,KAAK,IAAIxB,QAAQP,aAAc;QAC7B,MAAMU,UAAU,MAAM3C,GAAG4C,QAAQ,CAACC,QAAQ,CAACL,MAAM;QACjD,IAAIM,aAAaH;QAEjB,KAAK,MAAM,EAAEc,YAAY,EAAEE,OAAO,EAAE,IAAIH,YAAa;YACnDV,aAAaA,WAAWqB,UAAU,CAACV,cAAcE;QACnD;QACA,IAAIhB,YAAYG,YAAY;YAC1B,MAAM9C,GAAG4C,QAAQ,CAACQ,SAAS,CAACZ,MAAMM;QACpC;IACF;AACF"}

package/dist/esm/server/dev/hot-reloader-turbopack.js

@@ -83,7 +83,7 @@ export async function createHotReloaderTurbopack(opts, serverFields, distDir, re
     }
     const hasRewrites = opts.fsChecker.rewrites.afterFiles.length > 0 || opts.fsChecker.rewrites.beforeFiles.length > 0 || opts.fsChecker.rewrites.fallback.length > 0;
     const hotReloaderSpan = trace('hot-reloader', undefined, {
-        version: "15.3.0-canary.3"
+        version: "15.3.0-canary.5"
     });
     // Ensure the hotReloaderSpan is flushed immediately as it's the parentSpan for all processing
     // of the current `next dev` invocation.

package/dist/esm/server/dev/hot-reloader-webpack.js

@@ -180,7 +180,7 @@ export default class HotReloaderWebpack {
         this.previewProps = previewProps;
         this.rewrites = rewrites;
         this.hotReloaderSpan = trace('hot-reloader', undefined, {
-            version: "15.3.0-canary.3"
+            version: "15.3.0-canary.5"
         });
         // Ensure the hotReloaderSpan is flushed immediately as it's the parentSpan for all processing
         // of the current `next dev` invocation.

package/dist/esm/server/lib/app-info-log.js

@@ -4,7 +4,7 @@ import { bold, purple } from '../../lib/picocolors';
 import { PHASE_DEVELOPMENT_SERVER, PHASE_PRODUCTION_BUILD } from '../../shared/lib/constants';
 import loadConfig, { getConfiguredExperimentalFeatures } from '../config';
 export function logStartInfo({ networkUrl, appUrl, envInfo, experimentalFeatures, maxExperimentalFeatures = Infinity }) {
-    Log.bootstrap(`${bold(purple(`${Log.prefixes.ready} Next.js ${"15.3.0-canary.3"}`))}${process.env.TURBOPACK ? ' (Turbopack)' : ''}`);
+    Log.bootstrap(`${bold(purple(`${Log.prefixes.ready} Next.js ${"15.3.0-canary.5"}`))}${process.env.TURBOPACK ? ' (Turbopack)' : ''}`);
     if (appUrl) {
         Log.bootstrap(`- Local:        ${appUrl}`);
     }

package/dist/esm/server/lib/router-utils/block-cross-site.js

@@ -1,6 +1,7 @@
 import { parseUrl } from '../../../lib/url';
 import net from 'net';
 import { warnOnce } from '../../../build/output/log';
+import { isCsrfOriginAllowed } from '../../app-render/csrf-protection';
 export const blockCrossSite = (req, res, allowedOrigins, activePort)=>{
     var _req_url;
     // only process _next URLs
@@ -14,7 +15,7 @@ export const blockCrossSite = (req, res, allowedOrigins, activePort)=>{
             res.statusCode = 403;
         }
         res.end('Unauthorized');
-        warnOnce(`Blocked cross-origin request to /_next/*. To allow this, configure "allowedDevOrigins" in next.config\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`);
+        warnOnce(`Blocked cross-origin request to /_next/*. Cross-site requests are blocked in "no-cors" mode.`);
         return true;
     }
     // ensure websocket requests from allowed origin
@@ -27,7 +28,7 @@ export const blockCrossSite = (req, res, allowedOrigins, activePort)=>{
             const isIpRequest = net.isIPv4(originLowerCase) || net.isIPv6(originLowerCase);
             if (// allow requests if direct IP and matching port and
             // allow if any of the allowed origins match
-            !(isIpRequest && isMatchingPort) && !allowedOrigins.some((allowedOrigin)=>allowedOrigin === originLowerCase)) {
+            !(isIpRequest && isMatchingPort) && !isCsrfOriginAllowed(originLowerCase, allowedOrigins)) {
                 if ('statusCode' in res) {
                     res.statusCode = 403;
                 }

package/dist/esm/server/lib/router-utils/block-cross-site.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/server/lib/router-utils/block-cross-site.ts"],"sourcesContent":["import type { Duplex } from 'stream'\nimport type { IncomingMessage, ServerResponse } from 'webpack-dev-server'\nimport { parseUrl } from '../../../lib/url'\nimport net from 'net'\nimport { warnOnce } from '../../../build/output/log'\n\nexport const blockCrossSite = (\n  req: IncomingMessage,\n  res: ServerResponse | Duplex,\n  allowedOrigins: string[],\n  activePort: string\n): boolean => {\n  // only process _next URLs\n  if (!req.url?.includes('/_next')) {\n    return false\n  }\n  // block non-cors request from cross-site e.g. script tag on\n  // different host\n  if (\n    req.headers['sec-fetch-mode'] === 'no-cors' &&\n    req.headers['sec-fetch-site'] === 'cross-site'\n  ) {\n    if ('statusCode' in res) {\n      res.statusCode = 403\n    }\n    res.end('Unauthorized')\n    warnOnce(\n      `Blocked cross-origin request to /_next/*. To allow this, configure \"allowedDevOrigins\" in next.config\\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`\n    )\n    return true\n  }\n\n  // ensure websocket requests from allowed origin\n  const rawOrigin = req.headers['origin']\n\n  if (rawOrigin) {\n    const parsedOrigin = parseUrl(rawOrigin)\n\n    if (parsedOrigin) {\n      const originLowerCase = parsedOrigin.hostname.toLowerCase()\n      const isMatchingPort = parsedOrigin.port === activePort\n      const isIpRequest =\n        net.isIPv4(originLowerCase) || net.isIPv6(originLowerCase)\n\n      if (\n        // allow requests if direct IP and matching port and\n        // allow if any of the allowed origins match\n        !(isIpRequest && isMatchingPort) &&\n        !allowedOrigins.some(\n          (allowedOrigin) => allowedOrigin === originLowerCase\n        )\n      ) {\n        if ('statusCode' in res) {\n          res.statusCode = 403\n        }\n        res.end('Unauthorized')\n        warnOnce(\n          `Blocked cross-origin request from ${originLowerCase}. To allow this, configure \"allowedDevOrigins\" in next.config\\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`\n        )\n        return true\n      }\n    }\n  }\n\n  return false\n}\n"],"names":["parseUrl","net","warnOnce","blockCrossSite","req","res","allowedOrigins","activePort","url","includes","headers","statusCode","end","rawOrigin","parsedOrigin","originLowerCase","hostname","toLowerCase","isMatchingPort","port","isIpRequest","isIPv4","isIPv6","some","allowedOrigin"],"mappings":"AAEA,SAASA,QAAQ,QAAQ,mBAAkB;AAC3C,OAAOC,SAAS,MAAK;AACrB,SAASC,QAAQ,QAAQ,4BAA2B;AAEpD,OAAO,MAAMC,iBAAiB,CAC5BC,KACAC,KACAC,gBACAC;QAGKH;IADL,0BAA0B;IAC1B,IAAI,GAACA,WAAAA,IAAII,GAAG,qBAAPJ,SAASK,QAAQ,CAAC,YAAW;QAChC,OAAO;IACT;IACA,4DAA4D;IAC5D,iBAAiB;IACjB,IACEL,IAAIM,OAAO,CAAC,iBAAiB,KAAK,aAClCN,IAAIM,OAAO,CAAC,iBAAiB,KAAK,cAClC;QACA,IAAI,gBAAgBL,KAAK;YACvBA,IAAIM,UAAU,GAAG;QACnB;QACAN,IAAIO,GAAG,CAAC;QACRV,SACE,CAAC,mMAAmM,CAAC;QAEvM,OAAO;IACT;IAEA,gDAAgD;IAChD,MAAMW,YAAYT,IAAIM,OAAO,CAAC,SAAS;IAEvC,IAAIG,WAAW;QACb,MAAMC,eAAed,SAASa;QAE9B,IAAIC,cAAc;YAChB,MAAMC,kBAAkBD,aAAaE,QAAQ,CAACC,WAAW;YACzD,MAAMC,iBAAiBJ,aAAaK,IAAI,KAAKZ;YAC7C,MAAMa,cACJnB,IAAIoB,MAAM,CAACN,oBAAoBd,IAAIqB,MAAM,CAACP;YAE5C,IACE,oDAAoD;YACpD,4CAA4C;YAC5C,CAAEK,CAAAA,eAAeF,cAAa,KAC9B,CAACZ,eAAeiB,IAAI,CAClB,CAACC,gBAAkBA,kBAAkBT,kBAEvC;gBACA,IAAI,gBAAgBV,KAAK;oBACvBA,IAAIM,UAAU,GAAG;gBACnB;gBACAN,IAAIO,GAAG,CAAC;gBACRV,SACE,CAAC,kCAAkC,EAAEa,gBAAgB,2JAA2J,CAAC;gBAEnN,OAAO;YACT;QACF;IACF;IAEA,OAAO;AACT,EAAC"}
+{"version":3,"sources":["../../../../src/server/lib/router-utils/block-cross-site.ts"],"sourcesContent":["import type { Duplex } from 'stream'\nimport type { IncomingMessage, ServerResponse } from 'webpack-dev-server'\nimport { parseUrl } from '../../../lib/url'\nimport net from 'net'\nimport { warnOnce } from '../../../build/output/log'\nimport { isCsrfOriginAllowed } from '../../app-render/csrf-protection'\n\nexport const blockCrossSite = (\n  req: IncomingMessage,\n  res: ServerResponse | Duplex,\n  allowedOrigins: string[],\n  activePort: string\n): boolean => {\n  // only process _next URLs\n  if (!req.url?.includes('/_next')) {\n    return false\n  }\n  // block non-cors request from cross-site e.g. script tag on\n  // different host\n  if (\n    req.headers['sec-fetch-mode'] === 'no-cors' &&\n    req.headers['sec-fetch-site'] === 'cross-site'\n  ) {\n    if ('statusCode' in res) {\n      res.statusCode = 403\n    }\n    res.end('Unauthorized')\n    warnOnce(\n      `Blocked cross-origin request to /_next/*. Cross-site requests are blocked in \"no-cors\" mode.`\n    )\n    return true\n  }\n\n  // ensure websocket requests from allowed origin\n  const rawOrigin = req.headers['origin']\n\n  if (rawOrigin) {\n    const parsedOrigin = parseUrl(rawOrigin)\n\n    if (parsedOrigin) {\n      const originLowerCase = parsedOrigin.hostname.toLowerCase()\n      const isMatchingPort = parsedOrigin.port === activePort\n      const isIpRequest =\n        net.isIPv4(originLowerCase) || net.isIPv6(originLowerCase)\n\n      if (\n        // allow requests if direct IP and matching port and\n        // allow if any of the allowed origins match\n        !(isIpRequest && isMatchingPort) &&\n        !isCsrfOriginAllowed(originLowerCase, allowedOrigins)\n      ) {\n        if ('statusCode' in res) {\n          res.statusCode = 403\n        }\n        res.end('Unauthorized')\n        warnOnce(\n          `Blocked cross-origin request from ${originLowerCase}. To allow this, configure \"allowedDevOrigins\" in next.config\\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`\n        )\n        return true\n      }\n    }\n  }\n\n  return false\n}\n"],"names":["parseUrl","net","warnOnce","isCsrfOriginAllowed","blockCrossSite","req","res","allowedOrigins","activePort","url","includes","headers","statusCode","end","rawOrigin","parsedOrigin","originLowerCase","hostname","toLowerCase","isMatchingPort","port","isIpRequest","isIPv4","isIPv6"],"mappings":"AAEA,SAASA,QAAQ,QAAQ,mBAAkB;AAC3C,OAAOC,SAAS,MAAK;AACrB,SAASC,QAAQ,QAAQ,4BAA2B;AACpD,SAASC,mBAAmB,QAAQ,mCAAkC;AAEtE,OAAO,MAAMC,iBAAiB,CAC5BC,KACAC,KACAC,gBACAC;QAGKH;IADL,0BAA0B;IAC1B,IAAI,GAACA,WAAAA,IAAII,GAAG,qBAAPJ,SAASK,QAAQ,CAAC,YAAW;QAChC,OAAO;IACT;IACA,4DAA4D;IAC5D,iBAAiB;IACjB,IACEL,IAAIM,OAAO,CAAC,iBAAiB,KAAK,aAClCN,IAAIM,OAAO,CAAC,iBAAiB,KAAK,cAClC;QACA,IAAI,gBAAgBL,KAAK;YACvBA,IAAIM,UAAU,GAAG;QACnB;QACAN,IAAIO,GAAG,CAAC;QACRX,SACE,CAAC,4FAA4F,CAAC;QAEhG,OAAO;IACT;IAEA,gDAAgD;IAChD,MAAMY,YAAYT,IAAIM,OAAO,CAAC,SAAS;IAEvC,IAAIG,WAAW;QACb,MAAMC,eAAef,SAASc;QAE9B,IAAIC,cAAc;YAChB,MAAMC,kBAAkBD,aAAaE,QAAQ,CAACC,WAAW;YACzD,MAAMC,iBAAiBJ,aAAaK,IAAI,KAAKZ;YAC7C,MAAMa,cACJpB,IAAIqB,MAAM,CAACN,oBAAoBf,IAAIsB,MAAM,CAACP;YAE5C,IACE,oDAAoD;YACpD,4CAA4C;YAC5C,CAAEK,CAAAA,eAAeF,cAAa,KAC9B,CAAChB,oBAAoBa,iBAAiBT,iBACtC;gBACA,IAAI,gBAAgBD,KAAK;oBACvBA,IAAIM,UAAU,GAAG;gBACnB;gBACAN,IAAIO,GAAG,CAAC;gBACRX,SACE,CAAC,kCAAkC,EAAEc,gBAAgB,2JAA2J,CAAC;gBAEnN,OAAO;YACT;QACF;IACF;IAEA,OAAO;AACT,EAAC"}

package/dist/esm/server/lib/start-server.js

@@ -43,7 +43,7 @@ export async function getRequestHandlers({ dir, port, isDev, onDevServerCleanup,
 export async function startServer(serverOptions) {
     const { dir, isDev, hostname, minimalMode, allowRetry, keepAliveTimeout, selfSignedCertificate } = serverOptions;
     let { port } = serverOptions;
-    process.title = `next-server (v${"15.3.0-canary.3"})`;
+    process.title = `next-server (v${"15.3.0-canary.5"})`;
     let handlersReady = ()=>{};
     let handlersError = ()=>{};
     let handlersPromise = new Promise((resolve, reject)=>{

package/dist/esm/shared/lib/canary-only.js

@@ -1,6 +1,6 @@
 export function isStableBuild() {
     var _process_env___NEXT_VERSION;
-    return !((_process_env___NEXT_VERSION = "15.3.0-canary.3") == null ? void 0 : _process_env___NEXT_VERSION.includes('canary')) && !process.env.__NEXT_TEST_MODE && !process.env.NEXT_PRIVATE_LOCAL_DEV;
+    return !((_process_env___NEXT_VERSION = "15.3.0-canary.5") == null ? void 0 : _process_env___NEXT_VERSION.includes('canary')) && !process.env.__NEXT_TEST_MODE && !process.env.NEXT_PRIVATE_LOCAL_DEV;
 }
 export class CanaryOnlyError extends Error {
     constructor(arg){

package/dist/lib/inline-static-env.d.ts

@@ -1,6 +1,5 @@
 import type { NextConfigComplete } from '../server/config-shared';
-export declare function inlineStaticEnv({ distDir, config, buildId, }: {
+export declare function inlineStaticEnv({ distDir, config, }: {
     distDir: string;
-    buildId: string;
     config: NextConfigComplete;
 }): Promise<void>;

package/dist/lib/inline-static-env.js

@@ -14,7 +14,6 @@ const _crypto = /*#__PURE__*/ _interop_require_default(require("crypto"));
 const _util = require("util");
 const _glob = /*#__PURE__*/ _interop_require_default(require("next/dist/compiled/glob"));
 const _asyncsema = require("next/dist/compiled/async-sema");
-const _constants = require("../shared/lib/constants");
 const _staticenv = require("./static-env");
 function _interop_require_default(obj) {
     return obj && obj.__esModule ? obj : {
@@ -22,29 +21,25 @@ function _interop_require_default(obj) {
     };
 }
 const glob = (0, _util.promisify)(_glob.default);
-async function inlineStaticEnv({ distDir, config, buildId }) {
+async function inlineStaticEnv({ distDir, config }) {
     const nextConfigEnv = (0, _staticenv.getNextConfigEnv)(config);
     const staticEnv = (0, _staticenv.getStaticEnv)(config);
     const serverDir = _path.default.join(distDir, 'server');
-    const serverChunks = await glob('**/*.js', {
+    const serverChunks = await glob('**/*.{js,json,js.map}', {
         cwd: serverDir
     });
     const clientDir = _path.default.join(distDir, 'static');
-    const clientChunks = await glob('**/*.js', {
+    const clientChunks = await glob('**/*.{js,json,js.map}', {
         cwd: clientDir
     });
-    const webpackRuntimeFile = clientChunks.find((item)=>item.match(/webpack-[a-z0-9]{16}/));
-    if (!webpackRuntimeFile) {
-        throw Object.defineProperty(new Error(`Invariant failed to find webpack runtime chunk`), "__NEXT_ERROR_CODE", {
-            value: "E662",
-            enumerable: false,
-            configurable: true
-        });
-    }
+    const manifestChunks = await glob('*.{js,json,js.map}', {
+        cwd: distDir
+    });
     const inlineSema = new _asyncsema.Sema(8);
     const nextConfigEnvKeys = Object.keys(nextConfigEnv).map((item)=>item.split('process.env.').pop());
     const builtRegEx = new RegExp(`[\\w]{1,}(\\.env)?\\.(?:NEXT_PUBLIC_[\\w]{1,}${nextConfigEnvKeys.length ? '|' + nextConfigEnvKeys.join('|') : ''})`, 'g');
     const changedClientFiles = [];
+    const filesToCheck = new Set(manifestChunks.map((f)=>_path.default.join(distDir, f)));
     for (const [parentDir, files] of [
         [
             serverDir,
@@ -73,6 +68,7 @@ async function inlineStaticEnv({ distDir, config, buildId }) {
                     content: newContent
                 });
             }
+            filesToCheck.add(filepath);
             inlineSema.release();
         }));
     }
@@ -95,14 +91,13 @@ async function inlineStaticEnv({ distDir, config, buildId }) {
             newHash
         });
         const filepath = _path.default.join(clientDir, file);
-        await _fs.default.promises.rename(filepath, filepath.replace(originalHash, newHash));
+        const newFilepath = filepath.replace(originalHash, newHash);
+        filesToCheck.delete(filepath);
+        filesToCheck.add(newFilepath);
+        await _fs.default.promises.rename(filepath, newFilepath);
     }
     // update build-manifest and webpack-runtime with new hashes
-    for (const file of [
-        _path.default.join(distDir, _constants.BUILD_MANIFEST),
-        _path.default.join(distDir, 'static', webpackRuntimeFile),
-        _path.default.join(distDir, 'static', buildId, '_buildManifest.js')
-    ]){
+    for (let file of filesToCheck){
         const content = await _fs.default.promises.readFile(file, 'utf-8');
         let newContent = content;
         for (const { originalHash, newHash } of hashChanges){

package/dist/lib/inline-static-env.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/lib/inline-static-env.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\nimport { promisify } from 'util'\nimport globOriginal from 'next/dist/compiled/glob'\nimport { Sema } from 'next/dist/compiled/async-sema'\nimport type { NextConfigComplete } from '../server/config-shared'\nimport { BUILD_MANIFEST } from '../shared/lib/constants'\nimport { getNextConfigEnv, getStaticEnv } from './static-env'\n\nconst glob = promisify(globOriginal)\n\nexport async function inlineStaticEnv({\n  distDir,\n  config,\n  buildId,\n}: {\n  distDir: string\n  buildId: string\n  config: NextConfigComplete\n}) {\n  const nextConfigEnv = getNextConfigEnv(config)\n  const staticEnv = getStaticEnv(config)\n\n  const serverDir = path.join(distDir, 'server')\n  const serverChunks = await glob('**/*.js', {\n    cwd: serverDir,\n  })\n  const clientDir = path.join(distDir, 'static')\n  const clientChunks = await glob('**/*.js', {\n    cwd: clientDir,\n  })\n  const webpackRuntimeFile = clientChunks.find((item) =>\n    item.match(/webpack-[a-z0-9]{16}/)\n  )\n\n  if (!webpackRuntimeFile) {\n    throw new Error(`Invariant failed to find webpack runtime chunk`)\n  }\n\n  const inlineSema = new Sema(8)\n  const nextConfigEnvKeys = Object.keys(nextConfigEnv).map((item) =>\n    item.split('process.env.').pop()\n  )\n\n  const builtRegEx = new RegExp(\n    `[\\\\w]{1,}(\\\\.env)?\\\\.(?:NEXT_PUBLIC_[\\\\w]{1,}${nextConfigEnvKeys.length ? '|' + nextConfigEnvKeys.join('|') : ''})`,\n    'g'\n  )\n  const changedClientFiles: Array<{ file: string; content: string }> = []\n\n  for (const [parentDir, files] of [\n    [serverDir, serverChunks],\n    [clientDir, clientChunks],\n  ] as const) {\n    await Promise.all(\n      files.map(async (file) => {\n        await inlineSema.acquire()\n        const filepath = path.join(parentDir, file)\n        const content = await fs.promises.readFile(filepath, 'utf8')\n        const newContent = content.replace(builtRegEx, (match) => {\n          let normalizedMatch = `process.env.${match.split('.').pop()}`\n\n          if (staticEnv[normalizedMatch]) {\n            return JSON.stringify(staticEnv[normalizedMatch])\n          }\n          return match\n        })\n\n        await fs.promises.writeFile(filepath, newContent)\n\n        if (content !== newContent && parentDir === clientDir) {\n          changedClientFiles.push({ file, content: newContent })\n        }\n        inlineSema.release()\n      })\n    )\n  }\n  const hashChanges: Array<{\n    originalHash: string\n    newHash: string\n  }> = []\n\n  // hashes need updating for any changed client files\n  for (const { file, content } of changedClientFiles) {\n    // hash is 16 chars currently for all client chunks\n    const originalHash = file.match(/([a-z0-9]{16})\\./)?.[1] || ''\n\n    if (!originalHash) {\n      throw new Error(\n        `Invariant: client chunk changed but failed to detect hash ${file}`\n      )\n    }\n    const newHash = crypto\n      .createHash('sha256')\n      .update(content)\n      .digest('hex')\n      .substring(0, 16)\n\n    hashChanges.push({ originalHash, newHash })\n    const filepath = path.join(clientDir, file)\n    await fs.promises.rename(filepath, filepath.replace(originalHash, newHash))\n  }\n\n  // update build-manifest and webpack-runtime with new hashes\n  for (const file of [\n    path.join(distDir, BUILD_MANIFEST),\n    path.join(distDir, 'static', webpackRuntimeFile),\n    path.join(distDir, 'static', buildId, '_buildManifest.js'),\n  ]) {\n    const content = await fs.promises.readFile(file, 'utf-8')\n    let newContent = content\n\n    for (const { originalHash, newHash } of hashChanges) {\n      newContent = newContent.replaceAll(originalHash, newHash)\n    }\n    if (content !== newContent) {\n      await fs.promises.writeFile(file, newContent)\n    }\n  }\n}\n"],"names":["inlineStaticEnv","glob","promisify","globOriginal","distDir","config","buildId","nextConfigEnv","getNextConfigEnv","staticEnv","getStaticEnv","serverDir","path","join","serverChunks","cwd","clientDir","clientChunks","webpackRuntimeFile","find","item","match","Error","inlineSema","Sema","nextConfigEnvKeys","Object","keys","map","split","pop","builtRegEx","RegExp","length","changedClientFiles","parentDir","files","Promise","all","file","acquire","filepath","content","fs","promises","readFile","newContent","replace","normalizedMatch","JSON","stringify","writeFile","push","release","hashChanges","originalHash","newHash","crypto","createHash","update","digest","substring","rename","BUILD_MANIFEST","replaceAll"],"mappings":";;;;+BAYsBA;;;eAAAA;;;2DAZP;6DACE;+DACE;sBACO;6DACD;2BACJ;2BAEU;2BACgB;;;;;;AAE/C,MAAMC,OAAOC,IAAAA,eAAS,EAACC,aAAY;AAE5B,eAAeH,gBAAgB,EACpCI,OAAO,EACPC,MAAM,EACNC,OAAO,EAKR;IACC,MAAMC,gBAAgBC,IAAAA,2BAAgB,EAACH;IACvC,MAAMI,YAAYC,IAAAA,uBAAY,EAACL;IAE/B,MAAMM,YAAYC,aAAI,CAACC,IAAI,CAACT,SAAS;IACrC,MAAMU,eAAe,MAAMb,KAAK,WAAW;QACzCc,KAAKJ;IACP;IACA,MAAMK,YAAYJ,aAAI,CAACC,IAAI,CAACT,SAAS;IACrC,MAAMa,eAAe,MAAMhB,KAAK,WAAW;QACzCc,KAAKC;IACP;IACA,MAAME,qBAAqBD,aAAaE,IAAI,CAAC,CAACC,OAC5CA,KAAKC,KAAK,CAAC;IAGb,IAAI,CAACH,oBAAoB;QACvB,MAAM,qBAA2D,CAA3D,IAAII,MAAM,CAAC,8CAA8C,CAAC,GAA1D,qBAAA;mBAAA;wBAAA;0BAAA;QAA0D;IAClE;IAEA,MAAMC,aAAa,IAAIC,eAAI,CAAC;IAC5B,MAAMC,oBAAoBC,OAAOC,IAAI,CAACpB,eAAeqB,GAAG,CAAC,CAACR,OACxDA,KAAKS,KAAK,CAAC,gBAAgBC,GAAG;IAGhC,MAAMC,aAAa,IAAIC,OACrB,CAAC,6CAA6C,EAAEP,kBAAkBQ,MAAM,GAAG,MAAMR,kBAAkBZ,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,EACpH;IAEF,MAAMqB,qBAA+D,EAAE;IAEvE,KAAK,MAAM,CAACC,WAAWC,MAAM,IAAI;QAC/B;YAACzB;YAAWG;SAAa;QACzB;YAACE;YAAWC;SAAa;KAC1B,CAAW;QACV,MAAMoB,QAAQC,GAAG,CACfF,MAAMR,GAAG,CAAC,OAAOW;YACf,MAAMhB,WAAWiB,OAAO;YACxB,MAAMC,WAAW7B,aAAI,CAACC,IAAI,CAACsB,WAAWI;YACtC,MAAMG,UAAU,MAAMC,WAAE,CAACC,QAAQ,CAACC,QAAQ,CAACJ,UAAU;YACrD,MAAMK,aAAaJ,QAAQK,OAAO,CAAChB,YAAY,CAACV;gBAC9C,IAAI2B,kBAAkB,CAAC,YAAY,EAAE3B,MAAMQ,KAAK,CAAC,KAAKC,GAAG,IAAI;gBAE7D,IAAIrB,SAAS,CAACuC,gBAAgB,EAAE;oBAC9B,OAAOC,KAAKC,SAAS,CAACzC,SAAS,CAACuC,gBAAgB;gBAClD;gBACA,OAAO3B;YACT;YAEA,MAAMsB,WAAE,CAACC,QAAQ,CAACO,SAAS,CAACV,UAAUK;YAEtC,IAAIJ,YAAYI,cAAcX,cAAcnB,WAAW;gBACrDkB,mBAAmBkB,IAAI,CAAC;oBAAEb;oBAAMG,SAASI;gBAAW;YACtD;YACAvB,WAAW8B,OAAO;QACpB;IAEJ;IACA,MAAMC,cAGD,EAAE;IAEP,oDAAoD;IACpD,KAAK,MAAM,EAAEf,IAAI,EAAEG,OAAO,EAAE,IAAIR,mBAAoB;YAE7BK;QADrB,mDAAmD;QACnD,MAAMgB,eAAehB,EAAAA,cAAAA,KAAKlB,KAAK,CAAC,wCAAXkB,WAAgC,CAAC,EAAE,KAAI;QAE5D,IAAI,CAACgB,cAAc;YACjB,MAAM,qBAEL,CAFK,IAAIjC,MACR,CAAC,0DAA0D,EAAEiB,MAAM,GAD/D,qBAAA;uBAAA;4BAAA;8BAAA;YAEN;QACF;QACA,MAAMiB,UAAUC,eAAM,CACnBC,UAAU,CAAC,UACXC,MAAM,CAACjB,SACPkB,MAAM,CAAC,OACPC,SAAS,CAAC,GAAG;QAEhBP,YAAYF,IAAI,CAAC;YAAEG;YAAcC;QAAQ;QACzC,MAAMf,WAAW7B,aAAI,CAACC,IAAI,CAACG,WAAWuB;QACtC,MAAMI,WAAE,CAACC,QAAQ,CAACkB,MAAM,CAACrB,UAAUA,SAASM,OAAO,CAACQ,cAAcC;IACpE;IAEA,4DAA4D;IAC5D,KAAK,MAAMjB,QAAQ;QACjB3B,aAAI,CAACC,IAAI,CAACT,SAAS2D,yBAAc;QACjCnD,aAAI,CAACC,IAAI,CAACT,SAAS,UAAUc;QAC7BN,aAAI,CAACC,IAAI,CAACT,SAAS,UAAUE,SAAS;KACvC,CAAE;QACD,MAAMoC,UAAU,MAAMC,WAAE,CAACC,QAAQ,CAACC,QAAQ,CAACN,MAAM;QACjD,IAAIO,aAAaJ;QAEjB,KAAK,MAAM,EAAEa,YAAY,EAAEC,OAAO,EAAE,IAAIF,YAAa;YACnDR,aAAaA,WAAWkB,UAAU,CAACT,cAAcC;QACnD;QACA,IAAId,YAAYI,YAAY;YAC1B,MAAMH,WAAE,CAACC,QAAQ,CAACO,SAAS,CAACZ,MAAMO;QACpC;IACF;AACF"}
+{"version":3,"sources":["../../src/lib/inline-static-env.ts"],"sourcesContent":["import fs from 'fs'\nimport path from 'path'\nimport crypto from 'crypto'\nimport { promisify } from 'util'\nimport globOriginal from 'next/dist/compiled/glob'\nimport { Sema } from 'next/dist/compiled/async-sema'\nimport type { NextConfigComplete } from '../server/config-shared'\nimport { getNextConfigEnv, getStaticEnv } from './static-env'\n\nconst glob = promisify(globOriginal)\n\nexport async function inlineStaticEnv({\n  distDir,\n  config,\n}: {\n  distDir: string\n  config: NextConfigComplete\n}) {\n  const nextConfigEnv = getNextConfigEnv(config)\n  const staticEnv = getStaticEnv(config)\n\n  const serverDir = path.join(distDir, 'server')\n  const serverChunks = await glob('**/*.{js,json,js.map}', {\n    cwd: serverDir,\n  })\n  const clientDir = path.join(distDir, 'static')\n  const clientChunks = await glob('**/*.{js,json,js.map}', {\n    cwd: clientDir,\n  })\n  const manifestChunks = await glob('*.{js,json,js.map}', {\n    cwd: distDir,\n  })\n\n  const inlineSema = new Sema(8)\n  const nextConfigEnvKeys = Object.keys(nextConfigEnv).map((item) =>\n    item.split('process.env.').pop()\n  )\n\n  const builtRegEx = new RegExp(\n    `[\\\\w]{1,}(\\\\.env)?\\\\.(?:NEXT_PUBLIC_[\\\\w]{1,}${nextConfigEnvKeys.length ? '|' + nextConfigEnvKeys.join('|') : ''})`,\n    'g'\n  )\n  const changedClientFiles: Array<{ file: string; content: string }> = []\n  const filesToCheck = new Set<string>(\n    manifestChunks.map((f) => path.join(distDir, f))\n  )\n\n  for (const [parentDir, files] of [\n    [serverDir, serverChunks],\n    [clientDir, clientChunks],\n  ] as const) {\n    await Promise.all(\n      files.map(async (file) => {\n        await inlineSema.acquire()\n        const filepath = path.join(parentDir, file)\n        const content = await fs.promises.readFile(filepath, 'utf8')\n        const newContent = content.replace(builtRegEx, (match) => {\n          let normalizedMatch = `process.env.${match.split('.').pop()}`\n\n          if (staticEnv[normalizedMatch]) {\n            return JSON.stringify(staticEnv[normalizedMatch])\n          }\n          return match\n        })\n\n        await fs.promises.writeFile(filepath, newContent)\n\n        if (content !== newContent && parentDir === clientDir) {\n          changedClientFiles.push({ file, content: newContent })\n        }\n        filesToCheck.add(filepath)\n        inlineSema.release()\n      })\n    )\n  }\n  const hashChanges: Array<{\n    originalHash: string\n    newHash: string\n  }> = []\n\n  // hashes need updating for any changed client files\n  for (const { file, content } of changedClientFiles) {\n    // hash is 16 chars currently for all client chunks\n    const originalHash = file.match(/([a-z0-9]{16})\\./)?.[1] || ''\n\n    if (!originalHash) {\n      throw new Error(\n        `Invariant: client chunk changed but failed to detect hash ${file}`\n      )\n    }\n    const newHash = crypto\n      .createHash('sha256')\n      .update(content)\n      .digest('hex')\n      .substring(0, 16)\n\n    hashChanges.push({ originalHash, newHash })\n\n    const filepath = path.join(clientDir, file)\n    const newFilepath = filepath.replace(originalHash, newHash)\n\n    filesToCheck.delete(filepath)\n    filesToCheck.add(newFilepath)\n\n    await fs.promises.rename(filepath, newFilepath)\n  }\n\n  // update build-manifest and webpack-runtime with new hashes\n  for (let file of filesToCheck) {\n    const content = await fs.promises.readFile(file, 'utf-8')\n    let newContent = content\n\n    for (const { originalHash, newHash } of hashChanges) {\n      newContent = newContent.replaceAll(originalHash, newHash)\n    }\n    if (content !== newContent) {\n      await fs.promises.writeFile(file, newContent)\n    }\n  }\n}\n"],"names":["inlineStaticEnv","glob","promisify","globOriginal","distDir","config","nextConfigEnv","getNextConfigEnv","staticEnv","getStaticEnv","serverDir","path","join","serverChunks","cwd","clientDir","clientChunks","manifestChunks","inlineSema","Sema","nextConfigEnvKeys","Object","keys","map","item","split","pop","builtRegEx","RegExp","length","changedClientFiles","filesToCheck","Set","f","parentDir","files","Promise","all","file","acquire","filepath","content","fs","promises","readFile","newContent","replace","match","normalizedMatch","JSON","stringify","writeFile","push","add","release","hashChanges","originalHash","Error","newHash","crypto","createHash","update","digest","substring","newFilepath","delete","rename","replaceAll"],"mappings":";;;;+BAWsBA;;;eAAAA;;;2DAXP;6DACE;+DACE;sBACO;6DACD;2BACJ;2BAE0B;;;;;;AAE/C,MAAMC,OAAOC,IAAAA,eAAS,EAACC,aAAY;AAE5B,eAAeH,gBAAgB,EACpCI,OAAO,EACPC,MAAM,EAIP;IACC,MAAMC,gBAAgBC,IAAAA,2BAAgB,EAACF;IACvC,MAAMG,YAAYC,IAAAA,uBAAY,EAACJ;IAE/B,MAAMK,YAAYC,aAAI,CAACC,IAAI,CAACR,SAAS;IACrC,MAAMS,eAAe,MAAMZ,KAAK,yBAAyB;QACvDa,KAAKJ;IACP;IACA,MAAMK,YAAYJ,aAAI,CAACC,IAAI,CAACR,SAAS;IACrC,MAAMY,eAAe,MAAMf,KAAK,yBAAyB;QACvDa,KAAKC;IACP;IACA,MAAME,iBAAiB,MAAMhB,KAAK,sBAAsB;QACtDa,KAAKV;IACP;IAEA,MAAMc,aAAa,IAAIC,eAAI,CAAC;IAC5B,MAAMC,oBAAoBC,OAAOC,IAAI,CAAChB,eAAeiB,GAAG,CAAC,CAACC,OACxDA,KAAKC,KAAK,CAAC,gBAAgBC,GAAG;IAGhC,MAAMC,aAAa,IAAIC,OACrB,CAAC,6CAA6C,EAAER,kBAAkBS,MAAM,GAAG,MAAMT,kBAAkBR,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,EACpH;IAEF,MAAMkB,qBAA+D,EAAE;IACvE,MAAMC,eAAe,IAAIC,IACvBf,eAAeM,GAAG,CAAC,CAACU,IAAMtB,aAAI,CAACC,IAAI,CAACR,SAAS6B;IAG/C,KAAK,MAAM,CAACC,WAAWC,MAAM,IAAI;QAC/B;YAACzB;YAAWG;SAAa;QACzB;YAACE;YAAWC;SAAa;KAC1B,CAAW;QACV,MAAMoB,QAAQC,GAAG,CACfF,MAAMZ,GAAG,CAAC,OAAOe;YACf,MAAMpB,WAAWqB,OAAO;YACxB,MAAMC,WAAW7B,aAAI,CAACC,IAAI,CAACsB,WAAWI;YACtC,MAAMG,UAAU,MAAMC,WAAE,CAACC,QAAQ,CAACC,QAAQ,CAACJ,UAAU;YACrD,MAAMK,aAAaJ,QAAQK,OAAO,CAACnB,YAAY,CAACoB;gBAC9C,IAAIC,kBAAkB,CAAC,YAAY,EAAED,MAAMtB,KAAK,CAAC,KAAKC,GAAG,IAAI;gBAE7D,IAAIlB,SAAS,CAACwC,gBAAgB,EAAE;oBAC9B,OAAOC,KAAKC,SAAS,CAAC1C,SAAS,CAACwC,gBAAgB;gBAClD;gBACA,OAAOD;YACT;YAEA,MAAML,WAAE,CAACC,QAAQ,CAACQ,SAAS,CAACX,UAAUK;YAEtC,IAAIJ,YAAYI,cAAcX,cAAcnB,WAAW;gBACrDe,mBAAmBsB,IAAI,CAAC;oBAAEd;oBAAMG,SAASI;gBAAW;YACtD;YACAd,aAAasB,GAAG,CAACb;YACjBtB,WAAWoC,OAAO;QACpB;IAEJ;IACA,MAAMC,cAGD,EAAE;IAEP,oDAAoD;IACpD,KAAK,MAAM,EAAEjB,IAAI,EAAEG,OAAO,EAAE,IAAIX,mBAAoB;YAE7BQ;QADrB,mDAAmD;QACnD,MAAMkB,eAAelB,EAAAA,cAAAA,KAAKS,KAAK,CAAC,wCAAXT,WAAgC,CAAC,EAAE,KAAI;QAE5D,IAAI,CAACkB,cAAc;YACjB,MAAM,qBAEL,CAFK,IAAIC,MACR,CAAC,0DAA0D,EAAEnB,MAAM,GAD/D,qBAAA;uBAAA;4BAAA;8BAAA;YAEN;QACF;QACA,MAAMoB,UAAUC,eAAM,CACnBC,UAAU,CAAC,UACXC,MAAM,CAACpB,SACPqB,MAAM,CAAC,OACPC,SAAS,CAAC,GAAG;QAEhBR,YAAYH,IAAI,CAAC;YAAEI;YAAcE;QAAQ;QAEzC,MAAMlB,WAAW7B,aAAI,CAACC,IAAI,CAACG,WAAWuB;QACtC,MAAM0B,cAAcxB,SAASM,OAAO,CAACU,cAAcE;QAEnD3B,aAAakC,MAAM,CAACzB;QACpBT,aAAasB,GAAG,CAACW;QAEjB,MAAMtB,WAAE,CAACC,QAAQ,CAACuB,MAAM,CAAC1B,UAAUwB;IACrC;IAEA,4DAA4D;IAC5D,KAAK,IAAI1B,QAAQP,aAAc;QAC7B,MAAMU,UAAU,MAAMC,WAAE,CAACC,QAAQ,CAACC,QAAQ,CAACN,MAAM;QACjD,IAAIO,aAAaJ;QAEjB,KAAK,MAAM,EAAEe,YAAY,EAAEE,OAAO,EAAE,IAAIH,YAAa;YACnDV,aAAaA,WAAWsB,UAAU,CAACX,cAAcE;QACnD;QACA,IAAIjB,YAAYI,YAAY;YAC1B,MAAMH,WAAE,CAACC,QAAQ,CAACQ,SAAS,CAACb,MAAMO;QACpC;IACF;AACF"}

package/dist/server/dev/hot-reloader-turbopack.js

@@ -139,7 +139,7 @@ async function createHotReloaderTurbopack(opts, serverFields, distDir, resetFetc
     }
     const hasRewrites = opts.fsChecker.rewrites.afterFiles.length > 0 || opts.fsChecker.rewrites.beforeFiles.length > 0 || opts.fsChecker.rewrites.fallback.length > 0;
     const hotReloaderSpan = (0, _trace.trace)('hot-reloader', undefined, {
-        version: "15.3.0-canary.3"
+        version: "15.3.0-canary.5"
     });
     // Ensure the hotReloaderSpan is flushed immediately as it's the parentSpan for all processing
     // of the current `next dev` invocation.

package/dist/server/dev/hot-reloader-webpack.js

@@ -256,7 +256,7 @@ class HotReloaderWebpack {
         this.previewProps = previewProps;
         this.rewrites = rewrites;
         this.hotReloaderSpan = (0, _trace.trace)('hot-reloader', undefined, {
-            version: "15.3.0-canary.3"
+            version: "15.3.0-canary.5"
         });
         // Ensure the hotReloaderSpan is flushed immediately as it's the parentSpan for all processing
         // of the current `next dev` invocation.

package/dist/server/lib/app-info-log.js

@@ -67,7 +67,7 @@ function _interop_require_wildcard(obj, nodeInterop) {
     return newObj;
 }
 function logStartInfo({ networkUrl, appUrl, envInfo, experimentalFeatures, maxExperimentalFeatures = Infinity }) {
-    _log.bootstrap(`${(0, _picocolors.bold)((0, _picocolors.purple)(`${_log.prefixes.ready} Next.js ${"15.3.0-canary.3"}`))}${process.env.TURBOPACK ? ' (Turbopack)' : ''}`);
+    _log.bootstrap(`${(0, _picocolors.bold)((0, _picocolors.purple)(`${_log.prefixes.ready} Next.js ${"15.3.0-canary.5"}`))}${process.env.TURBOPACK ? ' (Turbopack)' : ''}`);
     if (appUrl) {
         _log.bootstrap(`- Local:        ${appUrl}`);
     }

package/dist/server/lib/router-utils/block-cross-site.js

@@ -11,6 +11,7 @@ Object.defineProperty(exports, "blockCrossSite", {
 const _url = require("../../../lib/url");
 const _net = /*#__PURE__*/ _interop_require_default(require("net"));
 const _log = require("../../../build/output/log");
+const _csrfprotection = require("../../app-render/csrf-protection");
 function _interop_require_default(obj) {
     return obj && obj.__esModule ? obj : {
         default: obj
@@ -29,7 +30,7 @@ const blockCrossSite = (req, res, allowedOrigins, activePort)=>{
             res.statusCode = 403;
         }
         res.end('Unauthorized');
-        (0, _log.warnOnce)(`Blocked cross-origin request to /_next/*. To allow this, configure "allowedDevOrigins" in next.config\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`);
+        (0, _log.warnOnce)(`Blocked cross-origin request to /_next/*. Cross-site requests are blocked in "no-cors" mode.`);
         return true;
     }
     // ensure websocket requests from allowed origin
@@ -42,7 +43,7 @@ const blockCrossSite = (req, res, allowedOrigins, activePort)=>{
             const isIpRequest = _net.default.isIPv4(originLowerCase) || _net.default.isIPv6(originLowerCase);
             if (// allow requests if direct IP and matching port and
             // allow if any of the allowed origins match
-            !(isIpRequest && isMatchingPort) && !allowedOrigins.some((allowedOrigin)=>allowedOrigin === originLowerCase)) {
+            !(isIpRequest && isMatchingPort) && !(0, _csrfprotection.isCsrfOriginAllowed)(originLowerCase, allowedOrigins)) {
                 if ('statusCode' in res) {
                     res.statusCode = 403;
                 }

package/dist/server/lib/router-utils/block-cross-site.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/server/lib/router-utils/block-cross-site.ts"],"sourcesContent":["import type { Duplex } from 'stream'\nimport type { IncomingMessage, ServerResponse } from 'webpack-dev-server'\nimport { parseUrl } from '../../../lib/url'\nimport net from 'net'\nimport { warnOnce } from '../../../build/output/log'\n\nexport const blockCrossSite = (\n  req: IncomingMessage,\n  res: ServerResponse | Duplex,\n  allowedOrigins: string[],\n  activePort: string\n): boolean => {\n  // only process _next URLs\n  if (!req.url?.includes('/_next')) {\n    return false\n  }\n  // block non-cors request from cross-site e.g. script tag on\n  // different host\n  if (\n    req.headers['sec-fetch-mode'] === 'no-cors' &&\n    req.headers['sec-fetch-site'] === 'cross-site'\n  ) {\n    if ('statusCode' in res) {\n      res.statusCode = 403\n    }\n    res.end('Unauthorized')\n    warnOnce(\n      `Blocked cross-origin request to /_next/*. To allow this, configure \"allowedDevOrigins\" in next.config\\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`\n    )\n    return true\n  }\n\n  // ensure websocket requests from allowed origin\n  const rawOrigin = req.headers['origin']\n\n  if (rawOrigin) {\n    const parsedOrigin = parseUrl(rawOrigin)\n\n    if (parsedOrigin) {\n      const originLowerCase = parsedOrigin.hostname.toLowerCase()\n      const isMatchingPort = parsedOrigin.port === activePort\n      const isIpRequest =\n        net.isIPv4(originLowerCase) || net.isIPv6(originLowerCase)\n\n      if (\n        // allow requests if direct IP and matching port and\n        // allow if any of the allowed origins match\n        !(isIpRequest && isMatchingPort) &&\n        !allowedOrigins.some(\n          (allowedOrigin) => allowedOrigin === originLowerCase\n        )\n      ) {\n        if ('statusCode' in res) {\n          res.statusCode = 403\n        }\n        res.end('Unauthorized')\n        warnOnce(\n          `Blocked cross-origin request from ${originLowerCase}. To allow this, configure \"allowedDevOrigins\" in next.config\\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`\n        )\n        return true\n      }\n    }\n  }\n\n  return false\n}\n"],"names":["blockCrossSite","req","res","allowedOrigins","activePort","url","includes","headers","statusCode","end","warnOnce","rawOrigin","parsedOrigin","parseUrl","originLowerCase","hostname","toLowerCase","isMatchingPort","port","isIpRequest","net","isIPv4","isIPv6","some","allowedOrigin"],"mappings":";;;;+BAMaA;;;eAAAA;;;qBAJY;4DACT;qBACS;;;;;;AAElB,MAAMA,iBAAiB,CAC5BC,KACAC,KACAC,gBACAC;QAGKH;IADL,0BAA0B;IAC1B,IAAI,GAACA,WAAAA,IAAII,GAAG,qBAAPJ,SAASK,QAAQ,CAAC,YAAW;QAChC,OAAO;IACT;IACA,4DAA4D;IAC5D,iBAAiB;IACjB,IACEL,IAAIM,OAAO,CAAC,iBAAiB,KAAK,aAClCN,IAAIM,OAAO,CAAC,iBAAiB,KAAK,cAClC;QACA,IAAI,gBAAgBL,KAAK;YACvBA,IAAIM,UAAU,GAAG;QACnB;QACAN,IAAIO,GAAG,CAAC;QACRC,IAAAA,aAAQ,EACN,CAAC,mMAAmM,CAAC;QAEvM,OAAO;IACT;IAEA,gDAAgD;IAChD,MAAMC,YAAYV,IAAIM,OAAO,CAAC,SAAS;IAEvC,IAAII,WAAW;QACb,MAAMC,eAAeC,IAAAA,aAAQ,EAACF;QAE9B,IAAIC,cAAc;YAChB,MAAME,kBAAkBF,aAAaG,QAAQ,CAACC,WAAW;YACzD,MAAMC,iBAAiBL,aAAaM,IAAI,KAAKd;YAC7C,MAAMe,cACJC,YAAG,CAACC,MAAM,CAACP,oBAAoBM,YAAG,CAACE,MAAM,CAACR;YAE5C,IACE,oDAAoD;YACpD,4CAA4C;YAC5C,CAAEK,CAAAA,eAAeF,cAAa,KAC9B,CAACd,eAAeoB,IAAI,CAClB,CAACC,gBAAkBA,kBAAkBV,kBAEvC;gBACA,IAAI,gBAAgBZ,KAAK;oBACvBA,IAAIM,UAAU,GAAG;gBACnB;gBACAN,IAAIO,GAAG,CAAC;gBACRC,IAAAA,aAAQ,EACN,CAAC,kCAAkC,EAAEI,gBAAgB,2JAA2J,CAAC;gBAEnN,OAAO;YACT;QACF;IACF;IAEA,OAAO;AACT"}
+{"version":3,"sources":["../../../../src/server/lib/router-utils/block-cross-site.ts"],"sourcesContent":["import type { Duplex } from 'stream'\nimport type { IncomingMessage, ServerResponse } from 'webpack-dev-server'\nimport { parseUrl } from '../../../lib/url'\nimport net from 'net'\nimport { warnOnce } from '../../../build/output/log'\nimport { isCsrfOriginAllowed } from '../../app-render/csrf-protection'\n\nexport const blockCrossSite = (\n  req: IncomingMessage,\n  res: ServerResponse | Duplex,\n  allowedOrigins: string[],\n  activePort: string\n): boolean => {\n  // only process _next URLs\n  if (!req.url?.includes('/_next')) {\n    return false\n  }\n  // block non-cors request from cross-site e.g. script tag on\n  // different host\n  if (\n    req.headers['sec-fetch-mode'] === 'no-cors' &&\n    req.headers['sec-fetch-site'] === 'cross-site'\n  ) {\n    if ('statusCode' in res) {\n      res.statusCode = 403\n    }\n    res.end('Unauthorized')\n    warnOnce(\n      `Blocked cross-origin request to /_next/*. Cross-site requests are blocked in \"no-cors\" mode.`\n    )\n    return true\n  }\n\n  // ensure websocket requests from allowed origin\n  const rawOrigin = req.headers['origin']\n\n  if (rawOrigin) {\n    const parsedOrigin = parseUrl(rawOrigin)\n\n    if (parsedOrigin) {\n      const originLowerCase = parsedOrigin.hostname.toLowerCase()\n      const isMatchingPort = parsedOrigin.port === activePort\n      const isIpRequest =\n        net.isIPv4(originLowerCase) || net.isIPv6(originLowerCase)\n\n      if (\n        // allow requests if direct IP and matching port and\n        // allow if any of the allowed origins match\n        !(isIpRequest && isMatchingPort) &&\n        !isCsrfOriginAllowed(originLowerCase, allowedOrigins)\n      ) {\n        if ('statusCode' in res) {\n          res.statusCode = 403\n        }\n        res.end('Unauthorized')\n        warnOnce(\n          `Blocked cross-origin request from ${originLowerCase}. To allow this, configure \"allowedDevOrigins\" in next.config\\nRead more: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins`\n        )\n        return true\n      }\n    }\n  }\n\n  return false\n}\n"],"names":["blockCrossSite","req","res","allowedOrigins","activePort","url","includes","headers","statusCode","end","warnOnce","rawOrigin","parsedOrigin","parseUrl","originLowerCase","hostname","toLowerCase","isMatchingPort","port","isIpRequest","net","isIPv4","isIPv6","isCsrfOriginAllowed"],"mappings":";;;;+BAOaA;;;eAAAA;;;qBALY;4DACT;qBACS;gCACW;;;;;;AAE7B,MAAMA,iBAAiB,CAC5BC,KACAC,KACAC,gBACAC;QAGKH;IADL,0BAA0B;IAC1B,IAAI,GAACA,WAAAA,IAAII,GAAG,qBAAPJ,SAASK,QAAQ,CAAC,YAAW;QAChC,OAAO;IACT;IACA,4DAA4D;IAC5D,iBAAiB;IACjB,IACEL,IAAIM,OAAO,CAAC,iBAAiB,KAAK,aAClCN,IAAIM,OAAO,CAAC,iBAAiB,KAAK,cAClC;QACA,IAAI,gBAAgBL,KAAK;YACvBA,IAAIM,UAAU,GAAG;QACnB;QACAN,IAAIO,GAAG,CAAC;QACRC,IAAAA,aAAQ,EACN,CAAC,4FAA4F,CAAC;QAEhG,OAAO;IACT;IAEA,gDAAgD;IAChD,MAAMC,YAAYV,IAAIM,OAAO,CAAC,SAAS;IAEvC,IAAII,WAAW;QACb,MAAMC,eAAeC,IAAAA,aAAQ,EAACF;QAE9B,IAAIC,cAAc;YAChB,MAAME,kBAAkBF,aAAaG,QAAQ,CAACC,WAAW;YACzD,MAAMC,iBAAiBL,aAAaM,IAAI,KAAKd;YAC7C,MAAMe,cACJC,YAAG,CAACC,MAAM,CAACP,oBAAoBM,YAAG,CAACE,MAAM,CAACR;YAE5C,IACE,oDAAoD;YACpD,4CAA4C;YAC5C,CAAEK,CAAAA,eAAeF,cAAa,KAC9B,CAACM,IAAAA,mCAAmB,EAACT,iBAAiBX,iBACtC;gBACA,IAAI,gBAAgBD,KAAK;oBACvBA,IAAIM,UAAU,GAAG;gBACnB;gBACAN,IAAIO,GAAG,CAAC;gBACRC,IAAAA,aAAQ,EACN,CAAC,kCAAkC,EAAEI,gBAAgB,2JAA2J,CAAC;gBAEnN,OAAO;YACT;QACF;IACF;IAEA,OAAO;AACT"}

package/dist/server/lib/start-server.js

@@ -111,7 +111,7 @@ async function getRequestHandlers({ dir, port, isDev, onDevServerCleanup, server
 async function startServer(serverOptions) {
     const { dir, isDev, hostname, minimalMode, allowRetry, keepAliveTimeout, selfSignedCertificate } = serverOptions;
     let { port } = serverOptions;
-    process.title = `next-server (v${"15.3.0-canary.3"})`;
+    process.title = `next-server (v${"15.3.0-canary.5"})`;
     let handlersReady = ()=>{};
     let handlersError = ()=>{};
     let handlersPromise = new Promise((resolve, reject)=>{

package/dist/shared/lib/canary-only.js

@@ -22,7 +22,7 @@ _export(exports, {
 });
 function isStableBuild() {
     var _process_env___NEXT_VERSION;
-    return !((_process_env___NEXT_VERSION = "15.3.0-canary.3") == null ? void 0 : _process_env___NEXT_VERSION.includes('canary')) && !process.env.__NEXT_TEST_MODE && !process.env.NEXT_PRIVATE_LOCAL_DEV;
+    return !((_process_env___NEXT_VERSION = "15.3.0-canary.5") == null ? void 0 : _process_env___NEXT_VERSION.includes('canary')) && !process.env.__NEXT_TEST_MODE && !process.env.NEXT_PRIVATE_LOCAL_DEV;
 }
 class CanaryOnlyError extends Error {
     constructor(arg){

package/dist/telemetry/anonymous-meta.js

@@ -81,7 +81,7 @@ function getAnonymousMeta() {
         isWsl: _iswsl.default,
         isCI: _ciinfo.isCI,
         ciName: _ciinfo.isCI && _ciinfo.name || null,
-        nextVersion: "15.3.0-canary.3"
+        nextVersion: "15.3.0-canary.5"
     };
     return traits;
 }

package/dist/telemetry/events/session-stopped.js

@@ -11,11 +11,11 @@ Object.defineProperty(exports, "eventCliSessionStopped", {
 const EVENT_VERSION = 'NEXT_CLI_SESSION_STOPPED';
 function eventCliSessionStopped(event) {
     // This should be an invariant, if it fails our build tooling is broken.
-    if (typeof "15.3.0-canary.3" !== 'string') {
+    if (typeof "15.3.0-canary.5" !== 'string') {
         return [];
     }
     const payload = {
-        nextVersion: "15.3.0-canary.3",
+        nextVersion: "15.3.0-canary.5",
         nodeVersion: process.version,
         cliCommand: event.cliCommand,
         durationMilliseconds: event.durationMilliseconds,

package/dist/telemetry/events/version.js

@@ -36,12 +36,12 @@ function hasBabelConfig(dir) {
 function eventCliSession(dir, nextConfig, event) {
     var _nextConfig_experimental_staleTimes, _nextConfig_experimental_staleTimes1, _nextConfig_experimental_reactCompiler, _nextConfig_experimental_reactCompiler1;
     // This should be an invariant, if it fails our build tooling is broken.
-    if (typeof "15.3.0-canary.3" !== 'string') {
+    if (typeof "15.3.0-canary.5" !== 'string') {
         return [];
     }
     const { images, i18n } = nextConfig || {};
     const payload = {
-        nextVersion: "15.3.0-canary.3",
+        nextVersion: "15.3.0-canary.5",
         nodeVersion: process.version,
         cliCommand: event.cliCommand,
         isSrcDir: event.isSrcDir,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "next",
-  "version": "15.3.0-canary.3",
+  "version": "15.3.0-canary.5",
   "description": "The React Framework",
   "main": "./dist/server/next.js",
   "license": "MIT",
@@ -100,7 +100,7 @@
     ]
   },
   "dependencies": {
-    "@next/env": "15.3.0-canary.3",
+    "@next/env": "15.3.0-canary.5",
     "@swc/counter": "0.1.3",
     "@swc/helpers": "0.5.15",
     "busboy": "1.6.0",
@@ -132,14 +132,14 @@
   },
   "optionalDependencies": {
     "sharp": "^0.33.5",
-    "@next/swc-darwin-arm64": "15.3.0-canary.3",
-    "@next/swc-darwin-x64": "15.3.0-canary.3",
-    "@next/swc-linux-arm64-gnu": "15.3.0-canary.3",
-    "@next/swc-linux-arm64-musl": "15.3.0-canary.3",
-    "@next/swc-linux-x64-gnu": "15.3.0-canary.3",
-    "@next/swc-linux-x64-musl": "15.3.0-canary.3",
-    "@next/swc-win32-arm64-msvc": "15.3.0-canary.3",
-    "@next/swc-win32-x64-msvc": "15.3.0-canary.3"
+    "@next/swc-darwin-arm64": "15.3.0-canary.5",
+    "@next/swc-darwin-x64": "15.3.0-canary.5",
+    "@next/swc-linux-arm64-gnu": "15.3.0-canary.5",
+    "@next/swc-linux-arm64-musl": "15.3.0-canary.5",
+    "@next/swc-linux-x64-gnu": "15.3.0-canary.5",
+    "@next/swc-linux-x64-musl": "15.3.0-canary.5",
+    "@next/swc-win32-arm64-msvc": "15.3.0-canary.5",
+    "@next/swc-win32-x64-msvc": "15.3.0-canary.5"
   },
   "devDependencies": {
     "@ampproject/toolbox-optimizer": "2.8.3",
@@ -172,11 +172,11 @@
     "@jest/types": "29.5.0",
     "@mswjs/interceptors": "0.23.0",
     "@napi-rs/triples": "1.2.0",
-    "@next/font": "15.3.0-canary.3",
-    "@next/polyfill-module": "15.3.0-canary.3",
-    "@next/polyfill-nomodule": "15.3.0-canary.3",
-    "@next/react-refresh-utils": "15.3.0-canary.3",
-    "@next/swc": "15.3.0-canary.3",
+    "@next/font": "15.3.0-canary.5",
+    "@next/polyfill-module": "15.3.0-canary.5",
+    "@next/polyfill-nomodule": "15.3.0-canary.5",
+    "@next/react-refresh-utils": "15.3.0-canary.5",
+    "@next/swc": "15.3.0-canary.5",
     "@opentelemetry/api": "1.6.0",
     "@playwright/test": "1.41.2",
     "@storybook/addon-a11y": "8.6.0",