---
title: "Changelog | Netlify"
description: "Stay updated with the latest features, fixes, and improvements. Realize the speed, agility and performance of a scalable, composable web architecture with Netlify. Explore the composable web platform now!"
source: "https://www.netlify.com/changelog/page/8/"
last_updated: "2026-07-02T18:11:23.000Z"
---
# Changelog

All Tags Agent-runners AI Ai-gateway Angular Astro AX Build CLI Database Design Devtools Domains E-commerce Extensions Forms Framework Functions Logs Next.js Nuxt.js Remix SDK Security Updates Workflow  [Subscribe to feed](https://www.netlify.com/changelog/feed.xml)

-   [
    
    ## Agent Runners improvements
    
    ](/changelog/2026-01-29-agent-runners-improvements/)
    
    January 29, 2026
    
    -   [agent runners](/changelog/tag/agent-runners/)
    
    Here are some Agent Runners improvements that all people with [Credit-based pricing plans](https://docs.netlify.com/manage/accounts-and-billing/billing/billing-for-credit-based-plans/credit-based-pricing-plans/) can enjoy:
    
    ### Shareable agent run links
    
    You can now link directly to an agent run to share it with your team or bookmark for later review.
    
    ![Screenshot showing the copy link button in the Agent Runners interface](/images/changelog/copy-link-to-run.png)
    
    ### Agent Runners available no matter how you deploy
    
    Agent Runners now supports static projects without build steps. Previously, projects without a build step couldn’t use Agent Runners.
    
    ### Improved diff view performance
    
    By default, the diff view now loads only the first 50 changed files with an option to load more. This improves performance for large projects.
    
    ## Feedback welcome
    
    Keep sharing your product feedback about Agent Runners in the feedback form at the bottom of our [Agent Runners docs page](https://docs.netlify.com/build/build-with-ai/agent-runners/overview/).
    
    And don’t forget that while you can run multiple agent runs and do other work while they run, you can also [play a Netlify game](https://www.netlify.com/changelog/2026-01-08-agent-runner-games/) while you wait for the agent to finish.
    
    [Permalink to Agent Runners improvements Permalink](/changelog/2026-01-29-agent-runners-improvements/)
    
-   [
    
    ## Security Update: DoS vulnerability in Next.js and React Server Components
    
    ](/changelog/2026-01-26-react-nextjs-dos-vulnerability/)
    
    January 26, 2026
    
    -   [security](/changelog/tag/security/)
    -   [next.js](/changelog/tag/next-js/)
    
    A denial-of-service (DoS) vulnerability ([CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864), CVSS 7.5) has been disclosed affecting React Server Components (RSCs), a feature used by Next.js and other React metaframeworks. A malicious payload can cause memory exhaustion or excessive CPU consumption. Next.js has also disclosed two unrelated medium-severity CVEs ([CVE-2025-59471](https://www.cve.org/CVERecord?id=CVE-2025-59471), [CVE-2025-59472](https://www.cve.org/CVERecord?id=CVE-2025-59472)) patched in the same releases. Here’s what Netlify customers need to know.
    
    ## Impact on Netlify
    
    Nominally, this is a server-side DoS vulnerability. However, **on Netlify this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    ## Affected frameworks
    
    All RSC frameworks are affected:
    
    -   **Next.js** (see version table below)
    -   React Router 7 (if using RSC preview)
    -   Waku
    -   `@parcel/rsc`
    -   `@vitejs/plugin-rsc`
    
    Astro, Gatsby, and Remix are not affected.
    
    ### React affected versions
    
    See the [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for full details.
    
    Affected versions
    
    Fixed in
    
    19.0.0–19.0.3
    
    19.0.4
    
    19.1.0–19.1.4
    
    19.1.5
    
    19.2.0–19.2.3
    
    19.2.4
    
    ### Next.js affected versions
    
    See the [Next.js advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf) for full details.
    
    Affected versions
    
    Fixed in
    
    13.3.0+
    
    EOL - no fix
    
    14.x
    
    EOL - no fix
    
    15.0.0–15.0.7
    
    15.0.8
    
    15.1.0–15.1.10
    
    15.1.11
    
    15.2.0–15.2.8
    
    15.2.9
    
    15.3.0–15.3.8
    
    15.3.9
    
    15.4.0–15.4.10
    
    15.4.11
    
    15.5.0–15.5.9
    
    15.5.10
    
    15.x canaries
    
    15.6.0-canary.61
    
    16.0.0–16.0.10
    
    16.0.11
    
    16.1.0–16.1.4
    
    16.1.5
    
    16.x canaries
    
    16.2.0-canary.9
    
    ## What should I do?
    
    If any of your projects are using an affected version, we recommend upgrading as soon as possible to a patched release.
    
    For Next.js 13.x and 14.x users: patches are not planned for these versions. Consider upgrading to Next.js 15.x or 16.x.
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    ## Resources
    
    -   [React CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864)
    -   [React blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
    -   [Next.js security advisory](https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf)
    
    [Permalink to Security Update: DoS vulnerability in Next.js and React Server Components Permalink](/changelog/2026-01-26-react-nextjs-dos-vulnerability/)
    
-   [
    
    ## Security Update: Multiple vulnerabilities in React Router and Remix
    
    ](/changelog/2026-01-15-react-router-remix-security-vulnerabilities/)
    
    January 19, 2026
    
    -   [security](/changelog/tag/security/)
    -   [remix](/changelog/tag/remix/)
    
    The React Router team has disclosed six security vulnerabilities affecting React Router and Remix. Here’s what Netlify customers need to know.
    
    ## Vulnerabilities
    
    Vulnerability
    
    Remix versions
    
    React Router versions & modes
    
    [CVE-2025-61686](https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw) - Path traversal
    
    ≤2.17.1
    
    7.0.0–7.9.3  
    All modes
    
    [CVE-2025-68470](https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m) - Open redirect
    
    \-
    
    6.0.0–6.30.1, 7.0.0–7.9.5  
    All modes
    
    [CVE-2026-22030](https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh) - CSRF
    
    ≤2.17.2
    
    7.0.0–7.11.0  
    Framework only
    
    [CVE-2025-59057](https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8) - Meta XSS
    
    1.15.0–2.17.0
    
    7.0.0–7.8.2  
    Framework only
    
    [CVE-2026-22029](https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx) - Redirect XSS
    
    ≤2.17.3
    
    6.0.0–6.30.2, 7.0.0–7.11.0  
    Framework, Data
    
    [CVE-2026-21884](https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7) - ScrollRestoration XSS
    
    ≤2.17.2
    
    7.0.0–7.11.0  
    Framework only
    
    ## Impact on Netlify
    
    ### CVE-2025-61686 (path traversal)
    
    This vulnerability affects `@react-router/node`, `@remix-run/node`, and `@remix-run/deno`. These packages are not used on Netlify, therefore **Netlify projects are not affected**.
    
    ### CVE-2025-68470 (open redirect)
    
    Apps with unsafe uses of React Router navigation APIs may be hijacked to redirect to arbitrary origins.
    
    **Regardless of hosting provider, all apps constructing paths from untrusted user input may be vulnerable.**
    
    ### CVE-2026-22030 (CSRF)
    
    Actions and experimental RSC Server Functions can be triggered by cross-origin form submissions, allowing an attacker to execute actions on behalf of authenticated users.
    
    **Regardless of hosting provider, all apps may be vulnerable.**
    
    ### CVE-2025-59057, CVE-2026-22029, and CVE-2026-21884 (XSS)
    
    These are cross-site scripting (XSS) vulnerabilities. For example, in CVE-2026-22029 actions and experimental RSC Server Functions performing a redirect to a path constructed from untrusted user input may be hijacked to execute arbitrary JavaScript in the browser.
    
    **Regardless of hosting provider, all apps passing untrusted data into certain APIs may be vulnerable.** (The Remix team has left this intentionally vague.)
    
    ## What should I do?
    
    If any of your projects are using any affected version listed above, we strongly recommend upgrading as soon as possible to patched releases:
    
    -   `react-router` 7.12.0 or later (for React Router 7.x)
    -   `react-router` 6.30.2 or later (for React Router 6.x)
    -   `@remix-run/react` 2.17.4 or later
    -   `@remix-run/server-runtime` 2.17.4 or later
    
    Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).
    
    [Permalink to Security Update: Multiple vulnerabilities in React Router and Remix Permalink](/changelog/2026-01-15-react-router-remix-security-vulnerabilities/)
    
-   [
    
    ## Security Update: DoS vulnerability in Node.js
    
    ](/changelog/2026-01-16-nodejs-async-hooks-dos-vulnerability/)
    
    January 16, 2026
    
    -   [security](/changelog/tag/security/)
    -   [functions](/changelog/tag/functions/)
    
    The Node.js team has released a [security update addressing a denial-of-service vulnerability](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks) affecting applications that use `async_hooks` (including in dependencies). Here’s what Netlify customers need to know.
    
    ## Vulnerability
    
    When `async_hooks` are enabled on certain versions of Node.js, a stack overflow causes the Node.js process to exit immediately rather than throw a catchable error. This bypasses `try-catch` blocks and uncaught exception handlers entirely.
    
    A malicious actor could send a crafted payload to crash a server.
    
    Note that many common tools and frameworks use `async_hooks` under the hood, notably APM and tracing tools (e.g. DataDog, NewRelic, OpenTelemetry) as well as Next.js App Router and other React Server Components implementations. You can find [more details on that here](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks#important-react-and-nextjs-impact-by-version).
    
    ## Impact on Netlify
    
    This is a server-side denial-of-service (DoS) vulnerability. **On Netlify, this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your cold starts and your function costs.
    
    Note that Node.js used during your project’s _build_ is not impacted at all.
    
    ## What should I do?
    
    If you have [opted your Netlify Functions into Node.js 18](https://docs.netlify.com/build/functions/optional-configuration/?fn-language=js&data-tab=TypeScript#nodejs-version-for-runtime), we **recommend upgrading to Node.js 20 or later**. Node.js 18 reached end-of-life in April 2025 and thus will not be patched.
    
    Otherwise, there is **no action for you to take**. Although this CVE’s impact to Netlify sites is limited, deployed Netlify Functions will be updated to patched Node.js versions automatically on a rolling basis.
    
    For completeness, please note that [the Node.js version used during your project’s _build_](https://docs.netlify.com/build/configure-builds/manage-dependencies/#nodejs-and-javascript) is not relevant to this CVE. There is no action for you to take and this will not be automatically patched.
    
    ## Resources
    
    -   [Node.js security release announcement](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks)
    -   [Netlify Functions Node.js version configuration](https://docs.netlify.com/build/functions/optional-configuration/?fn-language=js&data-tab=TypeScript#nodejs-version-for-runtime)
    
    [Permalink to Security Update: DoS vulnerability in Node.js Permalink](/changelog/2026-01-16-nodejs-async-hooks-dos-vulnerability/)
    
-   [
    
    ## Security Update: Multiple vulnerabilities in SvelteKit
    
    ](/changelog/2026-01-15-sveltekit-security-vulnerabilities/)
    
    January 15, 2026
    
    -   [security](/changelog/tag/security/)
    -   [framework](/changelog/tag/framework/)
    
    The Svelte team has disclosed [five CVEs affecting the Svelte and SvelteKit ecosystem](https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem). Here’s what Netlify customers need to know.
    
    ## Vulnerabilities
    
    -   [**CVE-2026-22775**](https://www.cve.org/CVERecord?id=CVE-2026-22775): Memory/CPU exhaustion in `devalue` (5.1.0–5.6.1)
    -   [**CVE-2026-22774**](https://www.cve.org/CVERecord?id=CVE-2026-22774): Memory exhaustion in `devalue` (5.3.0–5.6.1)
    -   [**CVE-2026-22803**](https://www.cve.org/CVERecord?id=CVE-2026-22803): Server crash in `@sveltejs/kit` (2.49.0–2.49.4)
    -   [**CVE-2025-67647**](https://www.cve.org/CVERecord?id=CVE-2025-67647): Server crash and SSRF in `@sveltejs/kit` (2.44.0–2.49.4) and `@sveltejs/adapter-node` (2.19.0–2.49.4)
    -   [**CVE-2025-15265**](https://www.cve.org/CVERecord?id=CVE-2025-15265): XSS in `svelte` (5.46.0–5.46.3)
    
    ## Impact on Netlify
    
    ### CVE-2026-22775, CVE-2026-22774, and CVE-2026-22803
    
    These are server-side denial-of-service (DoS) vulnerabilities. **On Netlify, these have minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.
    
    In addition, note that only sites using the experimental [Remote Functions](https://svelte.dev/docs/kit/remote-functions) feature are affected.
    
    ### CVE-2025-67647
    
    As above, this DoS vulnerability involves intentionally “crashing” a server. **On Netlify, this has minimal impact.**
    
    The SSRF vulnerability affects a `@sveltejs/adapter-node`, which is not used by apps deployed to Netlify.
    
    ### CVE-2025-15265
    
    This is a client-side cross-site scripting (XSS) vulnerability. **Regardless of hosting provider, all apps using the experimental `hydratable` with unsanitized user-controlled keys are vulnerable**.
    
    ## What should I do?
    
    Although the impact to Netlify sites is limited in this case, we always strongly recommend upgrading as soon as possible to patched releases:
    
    -   `devalue` 5.6.2 or later
    -   `@sveltejs/kit` 2.49.5 or later
    -   `@sveltejs/adapter-node` 5.5.1 or later
    -   `svelte` 5.46.4 or later
    
    ## Resources
    
    -   [Svelte team disclosure](https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem)
    
    [Permalink to Security Update: Multiple vulnerabilities in SvelteKit Permalink](/changelog/2026-01-15-sveltekit-security-vulnerabilities/)
    
-   [
    
    ## GPT-5.2-Codex Now Available in AI Gateway and Agent Runners
    
    ](/changelog/gpt-5-2-codex-ai-gateway/)
    
    January 14, 2026
    
    -   [ai gateway](/changelog/tag/ai-gateway/)
    -   [agent runners](/changelog/tag/agent-runners/)
    
    OpenAI’s GPT-5.2-Codex model is now available through Netlify’s AI Gateway and Agent Runners with zero configuration required.
    
    Use the OpenAI SDK directly in your Netlify Functions without managing API keys or authentication. The AI Gateway handles everything automatically. Here’s an example using the GPT-5.2-Codex model:
    
    ```
    import OpenAI from 'openai';
    export default async () => {    const openai = new OpenAI();
        const response = await openai.responses.create({        model: 'gpt-5.2-codex',        input: 'How does AI work?'    });
        return new Response(JSON.stringify(response), {        headers: { 'Content-Type': 'application/json' }    });};
    ```
    
    GPT-5.2-Codex is available across Background Functions, Scheduled Functions, and Agent Runners. You get automatic access to Netlify’s caching, rate limiting, and authentication infrastructure.
    
    Learn more in the [AI Gateway documentation](https://docs.netlify.com/build/ai-gateway/overview/) and [Agent Runners documentation](https://docs.netlify.com/build/build-with-ai/agent-runners/overview/).
    
    [Permalink to GPT-5.2-Codex Now Available in AI Gateway and Agent Runners Permalink](/changelog/gpt-5-2-codex-ai-gateway/)
    
-   [
    
    ## Play Games While Agent Runners Do the Work
    
    ](/changelog/2026-01-08-agent-runner-games/)
    
    January 8, 2026
    
    -   [agent runners](/changelog/tag/agent-runners/)
    
    While Agent Runners take care of tasks on your site, you can now play games right in the UI. We’ve brought the same beloved build-time games to the Agent Runner page, so you can flip tiles, plan snake, install other games, or even create your own while your agent runs in the background.
    
    A little delight, now everywhere you wait.
    
    ![Play a game while you wait modal showing a Match the Pairs game on the Agent Runner page](/images/changelog/netlify-agent-runners-games.webp)
    
    Learn more about the [Netlify Entertainment System](https://www.netlify.com/blog/netlify-entertainment-system/).
    
    [Permalink to Play Games While Agent Runners Do the Work Permalink](/changelog/2026-01-08-agent-runner-games/)
    
-   [
    
    ## Prerender.io support available as new extension
    
    ](/changelog/2026-01-08-prerenderio-support-updates/)
    
    January 8, 2026
    
    -   [extensions](/changelog/tag/extensions/)
    
    The third-party Prerender.io service for advanced prerendering is now available as an extension for all Netlify customers.
    
    Previously, you needed a Netlify Pro plan or higher to set up Prerender.io with Netlify’s legacy in-app prerendering feature.
    
    Prerender.io offers advanced configuration options and the Prerender.io dashboard. Learn more about the [Prerender.io extension](https://app.netlify.com/extensions/prerenderio) from the extension details page.
    
    If you previously set up Prerender.io using Netlify’s legacy in-app prerendering feature, you need to update your configuration to continue using it this year. [Learn more](#configuration-updates-required-for-existing-users) about your next steps and how to check if you need to update your configuration.
    
    To check if your project still needs prerendering, see our [prerendering needs checker](https://docs.netlify.com/build/post-processing/prerendering/#check-prerendering-needs) documentation.
    
    ## Configuration updates required for existing users
    
    If you have a Netlify Pro plan and you set up the Prerender.io service with Netlify’s legacy prerendering feature (most likely before January 6, 2026), you’ll need to update your configuration to continue using it this year.
    
    To check if your project is using Netlify’s legacy in-app prerendering feature, go to **Project configuration > Build & deploy > Post processing > Prerendering** from your Netlify project dashboard to see if the legacy prerendering feature is enabled.
    
    Updates are required because Prerender.io no longer relies on Netlify’s legacy in-app prerendering feature, which is being deprecated and will stop working later this year.
    
    Follow our [migration steps](https://answers.netlify.com/t/legacy-prerendering-migration-guide/158938) to update your configuration before these key dates:
    
    Date
    
    Impacted plans
    
    February 17, 2026
    
    The feature will be disabled for customers on Personal or Pro plans (legacy or credit-based)
    
    March 17, 2026
    
    The feature will be disabled for Enterprise and all other specialized plans.
    
    Learn more about this migration process in this [migration post](https://answers.netlify.com/t/legacy-prerendering-migration-guide/158938).
    
    You can also reach out to [Netlify Support](https://www.netlify.com/support/) for help.
    
    [Permalink to Prerender.io support available as new extension Permalink](/changelog/2026-01-08-prerenderio-support-updates/)
    
-   [
    
    ## Gemini 3 Flash Preview now available in AI Gateway
    
    ](/changelog/gemini-3-flash-preview-ai-gateway/)
    
    December 17, 2025
    
    -   [ai gateway](/changelog/tag/ai-gateway/)
    
    Google’s Gemini 3 Flash Preview is now available through AI Gateway. You can call this model from Netlify Functions without configuring API keys; the AI Gateway provides the connection to Google for you.
    
    Example usage in a Function:
    
    ```
    import { GoogleGenAI } from '@google/genai';
    export default async (request: Request, context: Context) => {  const ai = new GoogleGenAI({});
      const response = await ai.models.generateContent({    model: 'gemini-3-flash-preview',    contents: 'How does AI work?'  });
      return new Response(JSON.stringify({ answer: response.text }), {    headers: { 'Content-Type': 'application/json' }  });};
    ```
    
    This model works across any function type and is compatible with other Netlify primitives such as caching and rate limiting, giving you control over request behavior across your site.
    
    See the [AI Gateway documentation](https://docs.netlify.com/build/ai-gateway/overview/) for details.
    
    [Permalink to Gemini 3 Flash Preview now available in AI Gateway Permalink](/changelog/gemini-3-flash-preview-ai-gateway/)
    

[Previous page](/changelog/page/7) [Next page](/changelog/page/9)