Fix nightly build: invalidate Docker Next.js cache on dependency changes

[gilluminate]

Ticket: N/A (hotfix for nightly build breakage)

Description Of Changes

The nightly build started serving a blank page after #7956 (webpack → Turbopack switch) merged. The browser console showed Uncaught SyntaxError: Unexpected token '<' on JS chunk requests — the backend's catch-all route was returning index.html instead of the chunk file because the chunk hashes in the HTML didn't match what was on disk.

Root cause: The Docker build uses --mount=type=cache for .next/cache and node_modules/.cache. After the bundler switch, stale webpack cache artifacts persisted across builds, producing an inconsistent output where HTML referenced chunk hashes that Turbopack never emitted.

Fix: Hash package-lock.json at build time and store it in the cache mount. On subsequent builds, if the hash differs (dependency upgrade, bundler change, etc.), the cache is cleared before the Next.js build runs. This covers .next/cache for both admin-ui and privacy-center, and node_modules/.cache (Turbo/eslint).

Also retroactively marks #7907 (Next.js 14→16) and #7956 (Turbopack switch) changelog entries as high-risk.

Code Changes

• Dockerfile — added package-lock.json hash check before each Next.js build step; clears .next/cache and node_modules/.cache when the hash changes
• changelog/7907-upgrade-nextjs-14-to-16.yaml — added high-risk label
• changelog/7956-drop-palette-sass-export.yaml — fixed truncated description, added high-risk label

Steps to Confirm

1. Build the built_frontend Docker stage:

   docker buildx build --target built_frontend --progress=plain -f Dockerfile .

   Expected: build succeeds, logs show Invalidating Next.js cache (lock hash changed to: ...) on first run

2. Rebuild without changing package-lock.json:

   docker buildx build --target built_frontend --progress=plain -f Dockerfile .

   Expected: layer is cached (fast), or if forced to re-run, logs show Next.js cache valid (lock hash: ...)

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • No UX review needed
• Followup issues:
  • No followup issues
• Database migrations:
  • No migrations
• Documentation:
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored		Apr 22, 2026 4:09pm
fides-privacy-center	Ignored		Apr 22, 2026 4:09pm

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.96%. Comparing base (2350cce) to head (2304d11).
⚠️ Report is 1 commits behind head on main.

❌ Your project status has failed because the head coverage (84.96%) is below the target coverage (85.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8000      +/-   ##
==========================================
- Coverage   84.97%   84.96%   -0.01%     
==========================================
  Files         631      631              
  Lines       41238    41238              
  Branches     4787     4787              
==========================================
- Hits        35040    35039       -1     
  Misses       5113     5113              
- Partials     1085     1086       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.