Skip to content

docs: strengthen Next.js parity verification in agent guidelines#604

Merged
southpolesteve merged 1 commit intomainfrom
docs/strengthen-nextjs-parity-checks
Mar 20, 2026
Merged

docs: strengthen Next.js parity verification in agent guidelines#604
southpolesteve merged 1 commit intomainfrom
docs/strengthen-nextjs-parity-checks

Conversation

@southpolesteve
Copy link
Copy Markdown
Collaborator

@southpolesteve southpolesteve commented Mar 20, 2026

Summary

Strengthens the AGENTS.md guidelines to prevent shipping fixes that diverge from Next.js behavior.

Motivation

During recent security remediation work, we repeatedly shipped fixes that didn't match Next.js behavior:

  • Changed config header has/missing evaluation to use post-middleware context, when Next.js evaluates them pre-middleware (headers run before middleware)
  • Added javascript: URI blocking to router.push(), when Next.js intentionally does not block these (developer responsibility, documented in their docs)
  • Added query params to ISR route handler cache keys, when Next.js handles this differently (dynamic detection skips caching entirely)

In each case, the fix was written and PRed before discovering the divergence. The verification step happened too late.

Changes

  • Local Next.js clone (.nextjs-ref/, gitignored): instructions for cloning and searching the Next.js repo locally with ripgrep, much faster and more reliable than gh search code
  • Mandatory verification for bug fixes: 4-step checklist (search tests, search issues/PRs, search source, document findings) added to the Fixing Bugs section
  • Document what Next.js does: require linking to Next.js tests/issues/docs when creating PRs or closing issues
  • Explicit permission to diverge: if vinext should differ from Next.js, that's OK, but it must be deliberate and documented

@southpolesteve
docs: strengthen Next.js parity verification in agent guidelines
56b1649 
Add mandatory Next.js behavior verification for all bug fixes and
security work, not just feature development. We repeatedly shipped
fixes that diverged from Next.js because this step was skipped
(config header execution order, javascript: URI blocking, ISR cache
key semantics).

Changes:
- Add local Next.js clone instructions (.nextjs-ref, gitignored)
  for fast ripgrep searches of source and test suite
- Add 4-step verification checklist to Fixing Bugs section
- Require documenting what Next.js does in PRs and issue closures
- Update Looking at Next.js Source with clone instructions
- Add .nextjs-ref/ to .gitignore
@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Mar 20, 2026

Open in StackBlitz

npm i https://pkg.pr.new/vinext@604

commit: 56b1649

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 20, 2026

Example Preview Production Original
app-router-cloudflare preview production
pages-router-cloudflare preview production
app-router-playground preview production original
realworld-api-rest preview production
nextra-docs-template preview production
benchmarks preview production
hackernews preview production original

@southpolesteve southpolesteve enabled auto-merge (squash) March 20, 2026 02:02
@southpolesteve southpolesteve merged commit 3af644f into main Mar 20, 2026
25 checks passed
@southpolesteve southpolesteve deleted the docs/strengthen-nextjs-parity-checks branch March 20, 2026 02:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@southpolesteve