Changelog

Netlify CLI 21.4.1 has a cleaner look, simplified workflows, and a new command.

Install the latest version:

npm install netlify-cli -g
# or
yarn global add netlify-cli

Onboard to Netlify projects with netlify clone command

Pull an existing Netlify project locally from its repo with one command:

netlify clone <repository-url>

Clones the repo and links it to the right Netlify site–ideal for onboarding or switching projects.

Builds are included with netlify deploy

The deploy command now runs a build step by default, eliminating separate build commands.

Instead of netlify build && netlify deploy or netlify deploy --build, simply run:

netlify deploy

To deploy without building, use netlify deploy --no-build.

Smarter manual setup

netlify init now auto-detects your framework and suggests the right build settings. It’ll even help you create a netlify.toml if you don’t have one.

Better updates and onboarding

Additional improvements include:

• Better update notifications with links to release notes
• Improved onboarding guidance with clearer next steps and resource links
• Reorganized help command with better documentation references

The Next.js team recently disclosed CVE-2025-32421, a low-severity vulnerability allowing for CDN cache poisoning in some scenarios.

The engineering team at Netlify has confirmed that all Next.js sites on Netlify are not vulnerable. The vulnerability requires use of a CDN that may cache responses without explicit Cache-Control headers, but Netlify’s CDN never does so.

As a general security precaution, we recommend upgrading to the latest versions of the Next.js framework and allowing automatic updates of the OpenNext Netlify Next.js adapter.

Discover the new Netlify Cache API beta. Built on web standards, it lets developers cache fetch requests in serverless and edge functions. Works seamlessly with any framework (or without one) for faster, more resilient apps.

The following versions of Node.js have reached their official end of life. Node.js v14 on February 16, 2023 Node.js v16 on August 9, 2023 It is also worth noting that the following version is also about to reach its end of life date. Node.js v18 on…

We are aware of recently disclosed vulnerabilities affecting React Router and Remix:

1. CVE 2025-31137 (React Router 7 and Remix): Spoof request path allowing certain access control bypasses
2. CVE-2025-43864 (React Router 7 only): Cache poisoning leading to unusable responses
3. CVE-2025-43865 (React Router 7 only): Cache poisoning with arbitrary data

Impact on Netlify sites:

• CVE 2025-31137: Sites on Netlify are not vulnerable, because the Netlify CDN cache varies on the query string by default, and Remix and React Router sites on Netlify do not use the impacted Express package.
• CVE-2025-43864: Sites on Netlify using React Router 7.2.0 to 7.5.1 were vulnerable until 04/27 3:00 UTC. However, exploitation requires all of the following conditions for a given URL to be poisonable:
  • The site must not be using React Router’s SPA mode.
  • The page or loader must be explicitly setting caching headers.
  • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).
• CVE-2025-43865: Sites on Netlify using React Router 7.0.0 to 7.5.1 were vulnerable until 04/27 3:00 UTC. However, exploitation requires all of the following conditions for a given URL to be poisonable:
  • The page or loader must be explicitly setting caching headers.
  • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).

We strongly recommend upgrading to the latest versions of React Router (7.5.2).

Given these specific requirements, the number of vulnerable Netlify sites is low. However, out of an abundance of caution, our engineering team is actively rolling out a mitigation to further protect against these vulnerabilities. We will continue to monitor the situation and will provide updates as our work progresses.

Update: As of 2025-04-27 3:00 AM UTC, a mitigation has been rolled out to the Netlify CDN for all vulnerable sites.

Our “Why did it fail?” feature now integrates better with your chosen AI-powered development workflows. When our AI shares its diagnosis and proposed solution, the “Copy analysis for use in AI tools” button will copy to clipboard:

• The relevant error log lines from your deploy
• Diagnosis of the problem
• The proposed solution

This is ready to paste into your AI tool of choice, unlocking a closer feedback loop to speed up bug resolution and get your deploy up and running error-free!

Build, deploy, and host Model Context Protocol (MCP) servers on Netlify today. This emerging protocol lets you expose tools, resources, and prompts to AI agents via the open MCP standard. This helps streamline creating good agent experiences and bringing powerful context-aware capabilities to the AI applications your end users are relying upon.

Read the “Building MCPs with Netlify” developer guide by Sean Roberts to get started.

Netlify now makes it even easier to deploy zipped site builds with improved support for multipart/form-data. The updated deploy flow encourages developers to include a title field — a descriptive message similar to a git commit — explaining the purpose of the deploy. This title appears in the Netlify UI, helping teams track changes, review builds faster, and maintain better deploy hygiene.

Zip it, tag it, ship it 🚀 Get started with this developer guide.

When using the Netlify context files in Cursor or Windsurf, whenever the agents generate code with Netlify Forms, they will add the honeypot field to make your forms more secure by default.

See context files