vinext 0.1.1 → 0.1.3

package/dist/server/prod-server.js

@@ -8,17 +8,14 @@ import { isUnknownRecord } from "../utils/record.js";
 import { resolveRequestHost, resolveRequestProtocol, trustProxy, trustedHosts } from "./proxy-trust.js";
 import { DEFAULT_DEVICE_SIZES, DEFAULT_IMAGE_SIZES, isImageOptimizationPath, isSafeImageContentType, parseImageParams } from "./image-optimization.js";
 import { installSocketErrorBackstop } from "./socket-error-backstop.js";
-import { ASSET_PREFIX_URL_DIR, assetPrefixPathname, isAbsoluteAssetPrefix, resolveAssetsDir } from "../utils/asset-prefix.js";
+import { ASSET_PREFIX_URL_DIR, assetPrefixPathname, isAbsoluteAssetPrefix } from "../utils/asset-prefix.js";
 import { CONTENT_TYPES, StaticFileCache, etagFromFilenameHash } from "./static-file-cache.js";
 import { buildNextDataNotFoundResponse, isNextDataPathname, parseNextDataPathname } from "./pages-data-route.js";
 import { collectInlineCssManifest } from "../build/inline-css.js";
 import { mergeHeaders } from "./worker-utils.js";
-import { runPagesRequest } from "./pages-request-pipeline.js";
-import { manifestFileWithBase } from "../utils/manifest-paths.js";
+import { runPagesRequest, wrapMiddlewareWithBasePath } from "./pages-request-pipeline.js";
 import { readTrustedPrerenderRouteParamsFromHeaders, serializePrerenderRouteParamsHeader } from "./prerender-route-params.js";
-import { computeLazyChunks } from "../utils/lazy-chunks.js";
-import { findClientEntryFile, findPagesClientEntryFile, readClientBuildManifest } from "../utils/client-build-manifest.js";
-import { findClientEntryFileFromVinextManifest, findPagesClientEntryFileFromVinextManifest, readClientEntryManifest } from "../utils/client-entry-manifest.js";
+import { computeClientRuntimeMetadata } from "../utils/client-runtime-metadata.js";
 import { readPrerenderSecret } from "../build/server-manifest.js";
 import { seedMemoryCacheFromPrerender } from "./seed-cache.js";
 import fs from "node:fs";
@@ -48,6 +45,68 @@ import { Readable, pipeline } from "node:stream";
 * - dist/server/index.js — RSC entry (default export: handler(Request) → Response)
 * - dist/server/ssr/index.js — SSR entry (imported by RSC entry at runtime)
 */
+/**
+* mtime of the build each bare (query-less) server-entry URL was first
+* imported from in this process. Node's ESM cache pins a bare URL to that
+* build forever, so rebuilds to the same path must be detected and loaded
+* through a cache-busted URL instead.
+*/
+const bareServerEntryMtimes = /* @__PURE__ */ new Map();
+/**
+* Import a built server entry module (App Router RSC entry or Pages Router
+* server entry) by absolute file path.
+*
+* The first import of a given path uses the plain file:// URL with NO query
+* string. This is load-bearing: code-split builds emit lazy chunks that
+* import the entry back by bare specifier (default Vite builds on both
+* supported majors — Rollup on Vite 7 and Rolldown on Vite 8 — hoist modules
+* shared between the entry's static graph and lazy route chunks into the
+* entry chunk, which the chunks then import as e.g. "../../index.js").
+* Node keys its ESM cache on the full URL including the query string, so if
+* the server imported the entry as `index.js?t=<mtime>`, a chunk's bare
+* back-import would evaluate the entire server bundle a second time and
+* module-level singletons (db pools, service registries) would silently
+* diverge between the two copies. See
+* https://github.com/cloudflare/vinext/issues/1923.
+*
+* A `?t=<mtime>` query string is appended only when the same path is
+* imported again after a rebuild (different mtime) — e.g. test suites that
+* rebuild a fixture to the same output path within one process — where the
+* bare URL's cache entry would return the stale previous build. Note this
+* rebuild branch trades the single-instance guarantee back: chunks that
+* import the entry by bare path still resolve to the FIRST build's cache
+* entry, so freshness and single-instance only hold together on the first
+* import of a path. Production processes import each entry path exactly
+* once and always get both.
+*
+* The entry is imported via its canonical real path: the bundler
+* canonicalizes module ids with fs.realpathSync.native, so chunks evaluate
+* under realpath-based URLs and their relative imports resolve to realpath
+* URLs too. Importing the entry through a symlinked path (macOS /var/...
+* tmpdirs, symlinked deploy directories) would otherwise create a second
+* instance keyed on the symlinked URL.
+*
+* Exported for direct unit testing of the URL choice.
+*/
+function resolveServerEntryImportUrl(entryPath) {
+	let canonicalEntryPath;
+	try {
+		canonicalEntryPath = fs.realpathSync.native(entryPath);
+	} catch {
+		canonicalEntryPath = entryPath;
+	}
+	const href = pathToFileURL(canonicalEntryPath).href;
+	const mtime = fs.statSync(canonicalEntryPath).mtimeMs;
+	const bareMtime = bareServerEntryMtimes.get(href);
+	if (bareMtime === void 0 || bareMtime === mtime) {
+		bareServerEntryMtimes.set(href, mtime);
+		return href;
+	}
+	return `${href}?t=${mtime}`;
+}
+async function importServerEntryModule(entryPath) {
+	return import(resolveServerEntryImportUrl(entryPath));
+}
 /** Convert a Node.js IncomingMessage into a ReadableStream for Web Request body. */
 function readNodeStream(req) {
 	return new ReadableStream({ start(controller) {
@@ -142,6 +201,7 @@ function toWebHeaders(headersRecord) {
 }
 function appendWebHeader(headers, key, value) {
 	if (value === void 0) return;
+	if (key.startsWith(":")) return;
 	if (Array.isArray(value)) {
 		for (const item of value) headers.append(key, item);
 		return;
@@ -158,8 +218,14 @@ const NO_BODY_RESPONSE_STATUSES = new Set([
 	205,
 	304
 ]);
-function omitHeadersCaseInsensitive(headersRecord, names) {
-	const targets = new Set(names.map((name) => name.toLowerCase()));
+const OMIT_BODY_HEADERS = new Set(["content-length", "content-type"]);
+const OMIT_STATIC_RESPONSE_HEADERS = new Set([
+	VINEXT_STATIC_FILE_HEADER,
+	"content-encoding",
+	"content-length",
+	"content-type"
+]);
+function omitHeadersCaseInsensitive(headersRecord, targets) {
 	const filtered = {};
 	for (const [key, value] of Object.entries(headersRecord)) {
 		if (targets.has(key.toLowerCase())) continue;
@@ -172,6 +238,15 @@ function matchesIfNoneMatchHeader(ifNoneMatch, etag) {
 	if (ifNoneMatch === "*") return true;
 	return ifNoneMatch.split(",").map((value) => value.trim()).some((value) => value === etag);
 }
+function installClientBuildManifestGlobals(clientDir, assetBase, assetPrefix) {
+	const metadata = computeClientRuntimeMetadata({
+		clientDir,
+		assetBase,
+		assetPrefix
+	});
+	globalThis.__VINEXT_LAZY_CHUNKS__ = metadata.lazyChunks;
+	globalThis.__VINEXT_DYNAMIC_PRELOADS__ = metadata.dynamicPreloads;
+}
 function isNoBodyResponseStatus(status) {
 	return NO_BODY_RESPONSE_STATUSES.has(status);
 }
@@ -212,7 +287,7 @@ function sendCompressed(req, res, body, contentType, statusCode, extraHeaders =
 	const buf = typeof body === "string" ? Buffer.from(body) : body;
 	const baseType = contentType.split(";")[0].trim();
 	const encoding = compress ? negotiateEncoding(req) : null;
-	const headersWithoutBodyHeaders = omitHeadersCaseInsensitive(extraHeaders, ["content-length", "content-type"]);
+	const headersWithoutBodyHeaders = omitHeadersCaseInsensitive(extraHeaders, OMIT_BODY_HEADERS);
 	const writeHead = (headers) => {
 		if (statusText) res.writeHead(statusCode, statusText, headers);
 		else res.writeHead(statusCode, headers);
@@ -619,19 +694,15 @@ function readSsrManifest(clientDir) {
 function installPagesClientAssetGlobals(options) {
 	const ssrManifest = readSsrManifest(options.clientDir);
 	globalThis.__VINEXT_SSR_MANIFEST__ = Object.keys(ssrManifest).length > 0 ? ssrManifest : void 0;
-	const buildManifest = readClientBuildManifest(path.join(options.clientDir, ".vite", "manifest.json"));
-	const clientEntryManifest = readClientEntryManifest(options.clientDir);
-	const entryOptions = {
+	const metadata = computeClientRuntimeMetadata({
 		clientDir: options.clientDir,
-		assetsSubdir: options.assetsSubdir,
 		assetBase: options.assetBase,
-		...buildManifest ? { buildManifest } : {}
-	};
-	globalThis.__VINEXT_CLIENT_ENTRY__ = options.clientEntryLookup === "pages-client-entry" ? findPagesClientEntryFileFromVinextManifest(clientEntryManifest, options.assetBase) ?? findPagesClientEntryFile(entryOptions) : findClientEntryFileFromVinextManifest(clientEntryManifest, options.assetBase) ?? findClientEntryFile(entryOptions);
-	if (buildManifest) {
-		const lazyChunks = computeLazyChunks(buildManifest).map((file) => manifestFileWithBase(file, options.assetBase));
-		globalThis.__VINEXT_LAZY_CHUNKS__ = lazyChunks.length > 0 ? lazyChunks : void 0;
-	} else globalThis.__VINEXT_LAZY_CHUNKS__ = void 0;
+		assetPrefix: options.assetPrefix,
+		includeClientEntry: options.clientEntryLookup === "pages-client-entry" ? "pages-client-entry" : true
+	});
+	globalThis.__VINEXT_CLIENT_ENTRY__ = metadata.clientEntryFile;
+	globalThis.__VINEXT_LAZY_CHUNKS__ = metadata.lazyChunks;
+	globalThis.__VINEXT_DYNAMIC_PRELOADS__ = metadata.dynamicPreloads;
 	return ssrManifest;
 }
 /**
@@ -659,8 +730,7 @@ async function startAppRouterServer(options) {
 		imageConfig = JSON.parse(fs.readFileSync(imageConfigPath, "utf-8"));
 	} catch {}
 	const prerenderSecret = readPrerenderSecret(path.dirname(rscEntryPath));
-	const rscMtime = fs.statSync(rscEntryPath).mtimeMs;
-	const rscModule = await import(`${pathToFileURL(rscEntryPath).href}?t=${rscMtime}`);
+	const rscModule = await importServerEntryModule(rscEntryPath);
 	const rscHandler = resolveAppRouterHandler(rscModule.default);
 	const appRouterAssetPrefix = typeof rscModule.__assetPrefix === "string" ? rscModule.__assetPrefix : "";
 	const appRouterBasePath = typeof rscModule.__basePath === "string" ? rscModule.__basePath : "";
@@ -671,10 +741,11 @@ async function startAppRouterServer(options) {
 	const appAssetBase = appRouterBasePath ? `${appRouterBasePath}/` : "/";
 	if (appRouterHasPagesDir) installPagesClientAssetGlobals({
 		clientDir,
-		assetsSubdir: resolveAssetsDir(appRouterAssetPrefix),
+		assetPrefix: appRouterAssetPrefix,
 		assetBase: appAssetBase,
 		clientEntryLookup: "pages-client-entry"
 	});
+	else installClientBuildManifestGlobals(clientDir, appAssetBase, appRouterAssetPrefix);
 	const seededRoutes = await resolveAppRouterPrerenderSeeder(rscModule)(path.dirname(rscEntryPath));
 	if (seededRoutes > 0) console.log(`[vinext] Seeded ${seededRoutes} pre-rendered route${seededRoutes !== 1 ? "s" : ""} into memory cache`);
 	const staticCache = await StaticFileCache.create(clientDir);
@@ -713,7 +784,7 @@ async function startAppRouterServer(options) {
 			}
 		}
 		if (isImageOptimizationPath(pathname)) {
-			const params = parseImageParams(new URL(rawUrl, "http://localhost"), [...DEFAULT_DEVICE_SIZES, ...DEFAULT_IMAGE_SIZES]);
+			const params = parseImageParams(new URL(rawUrl, "http://localhost"), [...imageConfig?.deviceSizes ?? DEFAULT_DEVICE_SIZES, ...imageConfig?.imageSizes ?? DEFAULT_IMAGE_SIZES], imageConfig?.qualities);
 			if (!params) {
 				res.writeHead(400);
 				res.end("Bad Request");
@@ -745,12 +816,7 @@ async function startAppRouterServer(options) {
 				} catch {
 					staticFilePath = staticFileSignal;
 				}
-				const staticResponseHeaders = omitHeadersCaseInsensitive(mergeResponseHeaders({}, response), [
-					VINEXT_STATIC_FILE_HEADER,
-					"content-encoding",
-					"content-length",
-					"content-type"
-				]);
+				const staticResponseHeaders = omitHeadersCaseInsensitive(mergeResponseHeaders({}, response), OMIT_STATIC_RESPONSE_HEADERS);
 				const served = await tryServeStatic(req, res, clientDir, staticFilePath, compress, staticCache, staticResponseHeaders, response.status);
 				cancelResponseBody(response);
 				if (served) return;
@@ -804,8 +870,7 @@ function readPagesServerEntryPageRoutes(value) {
 */
 async function startPagesRouterServer(options) {
 	const { port, host, clientDir, serverEntryPath, compress, purpose } = options;
-	const serverMtime = fs.statSync(serverEntryPath).mtimeMs;
-	const serverEntry = await import(`${pathToFileURL(serverEntryPath).href}?t=${serverMtime}`);
+	const serverEntry = await importServerEntryModule(serverEntryPath);
 	const { renderPage, handleApiRoute: handleApi, runMiddleware, vinextConfig, buildId: pagesBuildId } = serverEntry;
 	const matchPageRoute = typeof serverEntry.matchPageRoute === "function" ? serverEntry.matchPageRoute : void 0;
 	const pageRoutes = readPagesServerEntryPageRoutes(serverEntry.pageRoutes);
@@ -827,12 +892,13 @@ async function startPagesRouterServer(options) {
 	const pagesImageConfig = vinextConfig?.images ? {
 		dangerouslyAllowSVG: vinextConfig.images.dangerouslyAllowSVG,
 		dangerouslyAllowLocalIP: vinextConfig.images.dangerouslyAllowLocalIP,
+		qualities: vinextConfig.images.qualities,
 		contentDispositionType: vinextConfig.images.contentDispositionType,
 		contentSecurityPolicy: vinextConfig.images.contentSecurityPolicy
 	} : void 0;
 	const ssrManifest = installPagesClientAssetGlobals({
 		clientDir,
-		assetsSubdir: resolveAssetsDir(assetPrefix),
+		assetPrefix,
 		assetBase,
 		clientEntryLookup: "any-client-entry"
 	});
@@ -896,7 +962,7 @@ async function startPagesRouterServer(options) {
 			return;
 		}
 		if (isImageOptimizationPath(pathname) || isImageOptimizationPath(staticLookupPath)) {
-			const params = parseImageParams(new URL(rawUrl, "http://localhost"), allowedImageWidths);
+			const params = parseImageParams(new URL(rawUrl, "http://localhost"), allowedImageWidths, pagesImageConfig?.qualities);
 			if (!params) {
 				res.writeHead(400);
 				res.end("Bad Request");
@@ -927,6 +993,7 @@ async function startPagesRouterServer(options) {
 				}
 			}
 			let isDataReq = false;
+			const originalRenderUrl = url;
 			if (isNextDataPathname(pathname)) {
 				const dataMatch = pagesBuildId ? parseNextDataPathname(pathname, pagesBuildId) : null;
 				if (!dataMatch) {
@@ -963,8 +1030,11 @@ async function startPagesRouterServer(options) {
 				ctx: void 0,
 				rawSearch: rawQs,
 				matchPageRoute: matchPageRoute ?? null,
-				runMiddleware: typeof runMiddleware === "function" ? runMiddleware : null,
-				renderPage: typeof renderPage === "function" ? (request, resolvedUrl, options, stagedHeaders) => renderPage(request, resolvedUrl, ssrManifest, void 0, stagedHeaders, options) : null,
+				runMiddleware: typeof runMiddleware === "function" ? wrapMiddlewareWithBasePath(runMiddleware, basePath, hadBasePath) : null,
+				renderPage: typeof renderPage === "function" ? (request, resolvedUrl, options, stagedHeaders) => renderPage(request, resolvedUrl, ssrManifest, void 0, stagedHeaders, {
+					...options,
+					originalUrl: originalRenderUrl
+				}) : null,
 				handleApi: typeof handleApi === "function" ? (request, apiUrl) => handleApi(request, apiUrl, createNodeExecutionContext()) : null,
 				serveStaticFile: async (requestPathname, stagedHeaders) => {
 					if (requestPathname === "/" || requestPathname.startsWith("/api/") || requestPathname.startsWith(`/_next/static/`)) return false;
@@ -1018,4 +1088,4 @@ async function startPagesRouterServer(options) {
 	};
 }
 //#endregion
-export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveRequestHost as resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
+export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, importServerEntryModule, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveRequestHost as resolveHost, resolveServerEntryImportUrl, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };

package/dist/server/request-pipeline.d.ts

@@ -76,7 +76,8 @@ type ApplyConfigHeadersOptions = {
    * (basePath: true) rule for backward compatibility — callers that need to
    * support `basePath: false` headers must pass this in.
    */
-  basePathState?: BasePathMatchState;
+  basePathState?: BasePathMatchState; /** Existing framework-generated headers that matching config rules may replace. */
+  overwriteExisting?: ReadonlySet<string>;
 };
 type StaticFileSignalContext = {
   headers: Headers | null;
@@ -157,19 +158,6 @@ declare function validateCsrfOrigin(request: Request, allowedOrigins?: string[])
  */
 declare function validateServerActionPayload(body: string | FormData): Promise<Response | null>;
 declare function isOriginAllowed(origin: string, allowed: string[]): boolean;
-/**
- * Validate an image optimization URL parameter.
- *
- * Ensures the URL is a relative path that doesn't escape the origin:
- * - Must start with "/" but not "//"
- * - Backslashes are normalized (browsers treat `\` as `/`)
- * - Origin validation as defense-in-depth
- *
- * @param rawUrl - The raw `url` query parameter value
- * @param requestUrl - The full request URL for origin comparison
- * @returns An error Response if validation fails, or the normalized image URL
- */
-declare function validateImageUrl(rawUrl: string | null, requestUrl: string): Response | string;
 /**
  * Strip internal `x-middleware-*` headers from a Headers object.
  *
@@ -219,4 +207,4 @@ declare function cloneRequestWithHeaders(request: Request, headers: Headers): Re
  */
 declare function cloneRequestWithUrl(request: Request, url: string): Request;
 //#endregion
-export { HeaderRecord, INTERNAL_HEADERS, VINEXT_INTERNAL_HEADERS, applyConfigHeadersToHeaderRecord, applyConfigHeadersToResponse, cloneRequestWithHeaders, cloneRequestWithUrl, createStaticFileSignal, filterInternalHeaders, guardProtocolRelativeUrl, hasBasePath, isOpenRedirectShaped, isOriginAllowed, normalizeTrailingSlash, normalizeTrailingSlashPathname, processMiddlewareHeaders, resolvePublicFileRoute, stripBasePath, validateCsrfOrigin, validateImageUrl, validateServerActionPayload };
+export { HeaderRecord, INTERNAL_HEADERS, VINEXT_INTERNAL_HEADERS, applyConfigHeadersToHeaderRecord, applyConfigHeadersToResponse, cloneRequestWithHeaders, cloneRequestWithUrl, createStaticFileSignal, filterInternalHeaders, guardProtocolRelativeUrl, hasBasePath, isOpenRedirectShaped, isOriginAllowed, normalizeTrailingSlash, normalizeTrailingSlashPathname, processMiddlewareHeaders, resolvePublicFileRoute, stripBasePath, validateCsrfOrigin, validateServerActionPayload };

package/dist/server/request-pipeline.js

@@ -122,7 +122,7 @@ function applyConfigHeadersToResponse(responseHeaders, options) {
 	for (const header of matched) {
 		const lowerName = header.key.toLowerCase();
 		if (lowerName === "vary" || lowerName === "set-cookie") responseHeaders.append(header.key, header.value);
-		else if (!responseHeaders.has(lowerName)) responseHeaders.set(header.key, header.value);
+		else if (options.overwriteExisting?.has(lowerName) || !responseHeaders.has(lowerName)) responseHeaders.set(header.key, header.value);
 	}
 }
 /**
@@ -197,9 +197,10 @@ function normalizeTrailingSlash(pathname, basePath, trailingSlash, search) {
 	if (isOpenRedirectShaped(pathname)) return notFoundResponse();
 	const normalizedPathname = normalizeTrailingSlashPathname(pathname, trailingSlash);
 	if (normalizedPathname === null) return null;
+	const encodedPathname = normalizedPathname.replace(/[^A-Za-z0-9\-._~!$&'()*+,;=:@/%]/gu, encodeURIComponent);
 	return new Response(null, {
 		status: 308,
-		headers: { Location: basePath + normalizedPathname + search }
+		headers: { Location: basePath + encodedPathname + search }
 	});
 }
 /**
@@ -246,45 +247,74 @@ function validateCsrfOrigin(request, allowedOrigins = []) {
 * Regular user form fields are ignored entirely.
 */
 async function validateServerActionPayload(body) {
-	const containerRefRe = /"\$([QWi])(\d+)"/g;
+	const maxNumericFields = 4096;
+	const maxContainerReferences = 16384;
+	const maxContainerDepth = 1024;
+	const containerRefRe = /"\$([QWi])([0-9a-f]+)(?=[:"])/gi;
 	const fieldRefs = /* @__PURE__ */ new Map();
+	let referenceCount = 0;
+	const invalidPayloadResponse = () => new Response("Invalid server action payload", {
+		status: 400,
+		headers: { "Content-Type": "text/plain" }
+	});
 	const collectRefs = (fieldKey, text) => {
+		if (fieldRefs.has(fieldKey)) return true;
+		if (fieldRefs.size >= maxNumericFields) return false;
 		const refs = /* @__PURE__ */ new Set();
 		let match;
 		containerRefRe.lastIndex = 0;
-		while ((match = containerRefRe.exec(text)) !== null) refs.add(match[2]);
+		while ((match = containerRefRe.exec(text)) !== null) {
+			const previousSize = refs.size;
+			refs.add(String(Number.parseInt(match[2], 16)));
+			if (refs.size !== previousSize && ++referenceCount > maxContainerReferences) return false;
+		}
 		fieldRefs.set(fieldKey, refs);
+		return true;
 	};
-	if (typeof body === "string") collectRefs("0", body);
-	else for (const [key, value] of body.entries()) {
+	if (typeof body === "string") {
+		if (!collectRefs("0", body)) return invalidPayloadResponse();
+	} else for (const [key, value] of body.entries()) {
 		if (!/^\d+$/.test(key)) continue;
 		if (typeof value === "string") {
-			collectRefs(key, value);
+			if (!collectRefs(key, value)) return invalidPayloadResponse();
 			continue;
 		}
-		if (typeof value?.text === "function") collectRefs(key, await value.text());
+		if (typeof value?.text === "function") {
+			if (!collectRefs(key, await value.text())) return invalidPayloadResponse();
+		}
 	}
 	if (fieldRefs.size === 0) return null;
 	const knownFields = new Set(fieldRefs.keys());
-	for (const refs of fieldRefs.values()) for (const ref of refs) if (!knownFields.has(ref)) return new Response("Invalid server action payload", {
-		status: 400,
-		headers: { "Content-Type": "text/plain" }
-	});
-	const visited = /* @__PURE__ */ new Set();
-	const stack = /* @__PURE__ */ new Set();
-	const hasCycle = (node) => {
-		if (stack.has(node)) return true;
-		if (visited.has(node)) return false;
-		visited.add(node);
-		stack.add(node);
-		for (const ref of fieldRefs.get(node) ?? []) if (hasCycle(ref)) return true;
-		stack.delete(node);
-		return false;
-	};
-	for (const node of fieldRefs.keys()) if (hasCycle(node)) return new Response("Invalid server action payload", {
-		status: 400,
-		headers: { "Content-Type": "text/plain" }
-	});
+	for (const refs of fieldRefs.values()) for (const ref of refs) if (!knownFields.has(ref)) return invalidPayloadResponse();
+	const state = /* @__PURE__ */ new Map();
+	for (const root of fieldRefs.keys()) {
+		if (state.has(root)) continue;
+		const stack = [{
+			node: root,
+			refs: [...fieldRefs.get(root) ?? []],
+			nextRef: 0
+		}];
+		state.set(root, "visiting");
+		while (stack.length > 0) {
+			if (stack.length > maxContainerDepth) return invalidPayloadResponse();
+			const frame = stack[stack.length - 1];
+			const ref = frame.refs[frame.nextRef++];
+			if (ref === void 0) {
+				state.set(frame.node, "visited");
+				stack.pop();
+				continue;
+			}
+			const refState = state.get(ref);
+			if (refState === "visiting") return invalidPayloadResponse();
+			if (refState === "visited") continue;
+			state.set(ref, "visiting");
+			stack.push({
+				node: ref,
+				refs: [...fieldRefs.get(ref) ?? []],
+				nextRef: 0
+			});
+		}
+	}
 	return null;
 }
 /**
@@ -329,25 +359,6 @@ function isOriginAllowed(origin, allowed) {
 	return false;
 }
 /**
-* Validate an image optimization URL parameter.
-*
-* Ensures the URL is a relative path that doesn't escape the origin:
-* - Must start with "/" but not "//"
-* - Backslashes are normalized (browsers treat `\` as `/`)
-* - Origin validation as defense-in-depth
-*
-* @param rawUrl - The raw `url` query parameter value
-* @param requestUrl - The full request URL for origin comparison
-* @returns An error Response if validation fails, or the normalized image URL
-*/
-function validateImageUrl(rawUrl, requestUrl) {
-	const imgUrl = rawUrl?.replaceAll("\\", "/") ?? null;
-	if (!imgUrl || !imgUrl.startsWith("/") || imgUrl.startsWith("//")) return new Response(!rawUrl ? "Missing url parameter" : "Only relative URLs allowed", { status: 400 });
-	const url = new URL(requestUrl);
-	if (new URL(imgUrl, url.origin).origin !== url.origin) return new Response("Only relative URLs allowed", { status: 400 });
-	return imgUrl;
-}
-/**
 * Strip internal `x-middleware-*` headers from a Headers object.
 *
 * Middleware uses `x-middleware-*` headers as internal signals (e.g.
@@ -465,4 +476,4 @@ function cloneRequestWithUrl(request, url) {
 	return cloned;
 }
 //#endregion
-export { INTERNAL_HEADERS, VINEXT_INTERNAL_HEADERS, applyConfigHeadersToHeaderRecord, applyConfigHeadersToResponse, cloneRequestWithHeaders, cloneRequestWithUrl, createStaticFileSignal, filterInternalHeaders, guardProtocolRelativeUrl, hasBasePath, isOpenRedirectShaped, isOriginAllowed, normalizeTrailingSlash, normalizeTrailingSlashPathname, processMiddlewareHeaders, resolvePublicFileRoute, stripBasePath, validateCsrfOrigin, validateImageUrl, validateServerActionPayload };
+export { INTERNAL_HEADERS, VINEXT_INTERNAL_HEADERS, applyConfigHeadersToHeaderRecord, applyConfigHeadersToResponse, cloneRequestWithHeaders, cloneRequestWithUrl, createStaticFileSignal, filterInternalHeaders, guardProtocolRelativeUrl, hasBasePath, isOpenRedirectShaped, isOriginAllowed, normalizeTrailingSlash, normalizeTrailingSlashPathname, processMiddlewareHeaders, resolvePublicFileRoute, stripBasePath, validateCsrfOrigin, validateServerActionPayload };

package/dist/server/rsc-stream-hints.d.ts

@@ -1,6 +1,10 @@
 //#region src/server/rsc-stream-hints.d.ts
 declare function normalizeReactFlightPreloadHints(stream: ReadableStream<Uint8Array>): ReadableStream<Uint8Array>;
 type RscRawRenderer = (model: unknown, options?: unknown) => ReadableStream<Uint8Array>;
+type RscRawPrerenderer = (model: unknown, options?: unknown) => Promise<{
+  prelude: ReadableStream<Uint8Array>;
+}>;
 declare function createRscRenderer(render: RscRawRenderer): RscRawRenderer;
+declare function createRscPrerenderer(prerender: RscRawPrerenderer): RscRawPrerenderer;
 //#endregion
-export { createRscRenderer, normalizeReactFlightPreloadHints };
+export { RscRawPrerenderer, RscRawRenderer, createRscPrerenderer, createRscRenderer, normalizeReactFlightPreloadHints };

package/dist/server/rsc-stream-hints.js

@@ -32,5 +32,10 @@ function normalizeReactFlightPreloadHints(stream) {
 function createRscRenderer(render) {
 	return (model, options) => normalizeReactFlightPreloadHints(render(model, options));
 }
+function createRscPrerenderer(prerender) {
+	return async (model, options) => {
+		return { prelude: normalizeReactFlightPreloadHints((await prerender(model, options)).prelude) };
+	};
+}
 //#endregion
-export { createRscRenderer, normalizeReactFlightPreloadHints };
+export { createRscPrerenderer, createRscRenderer, normalizeReactFlightPreloadHints };

package/dist/server/seed-cache.js

@@ -1,8 +1,8 @@
-import { normalizePathnameForRouteMatch } from "../routing/utils.js";
-import { normalizePath } from "./normalize-path.js";
 import { isrCacheKey, isrSetPrerenderedAppPage } from "./isr-cache.js";
 import { buildAppPageCacheTags } from "./app-page-cache.js";
 import { getOutputPath, getRscOutputPath } from "../utils/prerender-output-paths.js";
+import { addPregeneratedConcretePath, clearPregeneratedConcretePaths, normalizePregeneratedPathname } from "./pregenerated-concrete-paths.js";
+import { getRenderedAppRoutes, isFallbackShellArtifactPath, readPrerenderManifest } from "./prerender-manifest.js";
 import fs from "node:fs";
 import path from "node:path";
 //#region src/server/seed-cache.ts
@@ -46,26 +46,21 @@ import path from "node:path";
 * @returns The number of routes seeded (0 if no manifest or no renderable routes).
 */
 async function seedMemoryCacheFromPrerender(serverDir, options) {
-	const manifestPath = path.join(serverDir, "vinext-prerender.json");
-	if (!fs.existsSync(manifestPath)) return 0;
-	let manifest;
-	try {
-		manifest = JSON.parse(fs.readFileSync(manifestPath, "utf-8"));
-	} catch (err) {
-		console.warn("[vinext] Failed to parse vinext-prerender.json, skipping cache seeding:", err);
-		return 0;
-	}
+	clearPregeneratedConcretePaths();
+	const manifest = readPrerenderManifest(path.join(serverDir, "vinext-prerender.json"));
+	if (!manifest) return 0;
 	const { buildId, routes } = manifest;
 	if (!buildId || !Array.isArray(routes)) return 0;
 	const trailingSlash = manifest.trailingSlash ?? false;
 	const prerenderDir = path.join(serverDir, "prerendered-routes");
 	const writeAppPageEntry = options?.writeAppPageEntry ?? createDefaultAppPageEntryWriter();
 	let seeded = 0;
-	for (const route of routes) {
-		if (route.status !== "rendered") continue;
-		if (route.router !== "app") continue;
+	const appRoutes = getRenderedAppRoutes(routes);
+	for (const route of appRoutes) {
+		const concretePathname = route.path ?? route.route;
+		if (!isFallbackShellArtifactPath(concretePathname, route)) addPregeneratedConcretePath(route.route, concretePathname);
 		const artifactPathname = route.path ?? route.route;
-		const cachePathname = normalizePrerenderCachePathname(artifactPathname);
+		const cachePathname = normalizePregeneratedPathname(artifactPathname);
 		const baseKey = isrCacheKey("app", cachePathname, buildId);
 		const htmlKey = options?.buildAppPageHtmlKey?.(cachePathname) ?? baseKey + ":html";
 		const rscKey = options?.buildAppPageRscKey?.(cachePathname) ?? baseKey + ":rsc";
@@ -79,9 +74,6 @@ async function seedMemoryCacheFromPrerender(serverDir, options) {
 	}
 	return seeded;
 }
-function normalizePrerenderCachePathname(pathname) {
-	return normalizePath(normalizePathnameForRouteMatch(pathname));
-}
 function createDefaultAppPageEntryWriter() {
 	return (key, data, metadata) => isrSetPrerenderedAppPage(key, data, metadata);
 }

package/dist/shims/app-router-scroll-state.d.ts

@@ -3,11 +3,13 @@ type AppRouterScrollIntent = Readonly<{
   commitId: number | null;
   hash: string | null;
   id: number;
+  targetHoistedInHead: boolean;
 }>;
 declare function beginAppRouterScrollIntent(hash: string | null): AppRouterScrollIntent;
 declare function clearAppRouterScrollIntent(): void;
 declare function getPendingAppRouterScrollIntent(): AppRouterScrollIntent | null;
 declare function claimAppRouterScrollIntentForCommit(expected: AppRouterScrollIntent | null | undefined, commitId: number): void;
+declare function markAppRouterScrollIntentHeadHoisted(expected: AppRouterScrollIntent | null | undefined, commitId: number): void;
 declare function consumeAppRouterScrollIntent(expected: AppRouterScrollIntent | null | undefined, commitId?: number): AppRouterScrollIntent | null;
 //#endregion
-export { AppRouterScrollIntent, beginAppRouterScrollIntent, claimAppRouterScrollIntentForCommit, clearAppRouterScrollIntent, consumeAppRouterScrollIntent, getPendingAppRouterScrollIntent };
+export { AppRouterScrollIntent, beginAppRouterScrollIntent, claimAppRouterScrollIntentForCommit, clearAppRouterScrollIntent, consumeAppRouterScrollIntent, getPendingAppRouterScrollIntent, markAppRouterScrollIntentHeadHoisted };

package/dist/shims/app-router-scroll-state.js

@@ -14,7 +14,8 @@ function beginAppRouterScrollIntent(hash) {
 	const intent = {
 		commitId: null,
 		hash,
-		id: store.nextId
+		id: store.nextId,
+		targetHoistedInHead: false
 	};
 	store.pending = intent;
 	return intent;
@@ -35,6 +36,17 @@ function claimAppRouterScrollIntentForCommit(expected, commitId) {
 		commitId
 	};
 }
+function markAppRouterScrollIntentHeadHoisted(expected, commitId) {
+	const store = getScrollIntentStore();
+	const intent = store.pending;
+	if (expected === null || expected === void 0 || intent === null) return;
+	if (intent.id !== expected.id) return;
+	if (intent.commitId !== commitId) return;
+	store.pending = {
+		...intent,
+		targetHoistedInHead: true
+	};
+}
 function consumeAppRouterScrollIntent(expected, commitId) {
 	if (expected === null || expected === void 0) return null;
 	const store = getScrollIntentStore();
@@ -46,4 +58,4 @@ function consumeAppRouterScrollIntent(expected, commitId) {
 	return intent;
 }
 //#endregion
-export { beginAppRouterScrollIntent, claimAppRouterScrollIntentForCommit, clearAppRouterScrollIntent, consumeAppRouterScrollIntent, getPendingAppRouterScrollIntent };
+export { beginAppRouterScrollIntent, claimAppRouterScrollIntentForCommit, clearAppRouterScrollIntent, consumeAppRouterScrollIntent, getPendingAppRouterScrollIntent, markAppRouterScrollIntentHeadHoisted };

package/dist/shims/app-router-scroll.d.ts

@@ -5,9 +5,12 @@ declare class AppRouterScrollTargetInner extends React$1.Component<{
   children: React$1.ReactNode;
   commitId: number | null;
 }> {
+  scheduledCommitId: number | null;
+  schedulePotentialScroll: () => void;
   handlePotentialScroll: () => void;
   componentDidMount(): void;
   componentDidUpdate(): void;
+  componentWillUnmount(): void;
   render(): React$1.ReactNode;
 }
 declare function AppRouterScrollCommitProvider({