Next.js 16 Patterns Review
Comprehensive review for Next.js 16 compliance covering security vulnerabilities, caching patterns, breaking changes, and migration readiness.
Review Process
For comprehensive security review patterns, use the reviewing-security skill from the review plugin. For dependency auditing, use the reviewing-dependencies skill from the review plugin.
1. Security Audit
CVE-2025-29927 - Server Action Authentication
Check all Server Actions for proper authentication:
# Find all Server Actions
grep -r "use server" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx"
For each Server Action verify:
- • Authentication check at function start
- • Authorization validation before data access
- • No reliance on client-side validation only
- • Proper error handling without leaking sensitive data
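The four checks above, shown as an added example (not code from the original page or from Next.js): a Server Action with no checks beside a hardened version. getSession and posts are hypothetical stand-ins for the app's session lookup and data layer, passed in so the code runs outside Next.js.

```javascript
// In a real app this file begins with the 'use server' directive and each
// action is exported. getSession and posts are hypothetical (assumptions).

// BEFORE: no checks. Hiding the delete button in the UI is not access control,
// because the action can be invoked by any client that can reach the app.
function makeUnsafeDeletePost({ posts }) {
  return async function deletePost(formData) {
    await posts.remove(formData.get('postId'));
    return { ok: true };
  };
}

// AFTER: the four checks from the list, in order.
function makeDeletePost({ getSession, posts }) {
  return async function deletePost(formData) {
    // 1. Authenticate first, before reading input or touching data.
    const session = await getSession();
    if (!session) return { ok: false, error: 'Not signed in' };

    // 2. Validate on the server; a client-side form check proves nothing.
    const postId = formData.get('postId');
    if (typeof postId !== 'string' || !/^[\w-]{1,64}$/.test(postId)) {
      return { ok: false, error: 'Invalid request' };
    }
    try {
      // 3. Authorize against the record itself before the mutation.
      const post = await posts.find(postId);
      if (!post || post.ownerId !== session.userId) {
        // Same answer for "missing" and "not yours": no existence oracle.
        return { ok: false, error: 'Not found' };
      }
      await posts.remove(postId);
      return { ok: true };
    } catch (err) {
      // 4. Full detail goes to the server log, a generic message to the caller.
      console.error('deletePost failed:', err);
      return { ok: false, error: 'Something went wrong' };
    }
  };
}
```

When reviewing, the order matters as much as the presence of each check: an ownership lookup placed after the mutation, or a catch block that returns err.message, fails the list even though every element appears in the function.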
Middleware Security
# Find middleware files
find . -name "middleware.ts" -o -name "middleware.js"
Verify:
- • Authentication logic present in middleware
- • Protected routes defined in config.matcher
- • No authentication logic removed in Next.js 16 migration
- • Proper redirect handling for unauthorized access
Server Component Data Access
# Find async Server Components
grep -r "export default async function" app/
Check each Server Component:
- • Session validation before data queries
- • User context verified before personalized data
- • No direct database queries without auth checks
- • Proper error boundaries for auth failures
2. Caching Patterns
use cache Adoption
# Find fetch calls that should use cache
grep -r "fetch(" --include="*.ts" --include="*.tsx"
# Find functions that should be cached
grep -r "export async function" --include="*.ts"
Verify:
- • use cache directive for cacheable functions
- • Proper cache tags with cacheTag() for revalidation
- • Cache lifecycle control with cacheLife()
- • No unstable_cache in new code
- • fetch() caching replaced with use cache
Cache Lifecycle Configuration
Check for proper cache profiles:
- • cacheLife('seconds') for rapidly changing data
- • cacheLife('minutes') for moderate update frequency
- • cacheLife('hours') for stable content
- • cacheLife('days') for rarely changing data
- • cacheLife('weeks') for static content
- • Custom profiles defined in next.config.js if needed
Revalidation Strategy
# Find revalidation calls
grep -r "revalidateTag\|revalidatePath" --include="*.ts" --include="*.tsx"
Verify:
- • revalidateTag() matches cacheTag() definitions
- • revalidatePath() used for page-level invalidation
- • No orphaned cache tags
- • Proper error handling in revalidation
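One way to automate the tag cross-check, as an added example rather than tooling from the original page: it collects string-literal tags from cacheTag() and revalidateTag() calls and reports the mismatches in both directions. The file contents are constructed samples, and calls with dynamic tags are only flagged for manual review.

```javascript
// Collect string-literal tags passed to name(...). A call with any argument that
// is not a plain quoted string (template literal, variable) is marked dynamic.
function tagsFromCalls(src, name, firstArgOnly) {
  const tags = [];
  let dynamic = false;
  const call = new RegExp('\\b' + name + '\\s*\\(([^)]*)\\)', 'g');
  for (const m of src.matchAll(call)) {
    let args = m[1].split(',').map((a) => a.trim()).filter(Boolean);
    if (firstArgOnly) args = args.slice(0, 1);
    for (const arg of args) {
      const lit = /^(['"])([^'"]+)\1$/.exec(arg);
      if (lit) tags.push(lit[2]);
      else dynamic = true;
    }
  }
  return { tags, dynamic };
}

// files: object mapping a path to that file's source text.
function auditCacheTags(files) {
  const defined = new Set();
  const revalidated = new Set();
  const manualReview = [];
  for (const [path, src] of Object.entries(files)) {
    const d = tagsFromCalls(src, 'cacheTag', false);
    // Only the first argument of revalidateTag() is a tag.
    const r = tagsFromCalls(src, 'revalidateTag', true);
    d.tags.forEach((t) => defined.add(t));
    r.tags.forEach((t) => revalidated.add(t));
    if (d.dynamic || r.dynamic) manualReview.push(path);
  }
  return {
    // Revalidated but never attached to cached data: the call invalidates nothing.
    neverDefined: [...revalidated].filter((t) => !defined.has(t)).sort(),
    // Orphaned: data is cached under the tag but nothing invalidates it by tag.
    neverRevalidated: [...defined].filter((t) => !revalidated.has(t)).sort(),
    manualReview,
  };
}

// Constructed sample sources; paths and tag names are illustrative.
const SAMPLE_FILES = {
  'lib/products.ts': "async function list() { 'use cache'; cacheTag('products', 'catalog'); }",
  'lib/user.ts': "async function user(id) { 'use cache'; cacheTag(`user-${id}`); }",
  'app/actions.ts': "async function save() { revalidateTag('product', 'max'); revalidateTag('catalog', 'max'); }",
};
```

On the sample, the misspelled 'product' is reported as never defined and 'products' as never revalidated, which is the stale-data case the checklist is guarding against.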
3. Breaking Changes
Async Request APIs
# Find synchronous API usage
grep -r "cookies()\|headers()\|params\|searchParams" --include="*.ts" --include="*.tsx"
Check for required async usage:
- • await cookies() in Server Components/Actions
- • await headers() in Server Components/Actions
- • await params in page/layout/route components
- • await searchParams in page components
- • React.use() wrapper in Client Components if needed
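The grep above matches every mention of these names, including correctly awaited ones. The following added example (a heuristic written for this review, not an official codemod or lint rule) reports only uses that are not directly awaited; the sample page is constructed, and cases such as Promise.all([cookies()]) still need a manual look.

```javascript
// Heuristic patterns constructed for this example; not an official lint rule.
// NOT_AWAITED rejects "await cookies()" and "await props.params".
const NOT_AWAITED = '(?<!await\\s+[\\w.]*)';
const CALL = new RegExp(
  NOT_AWAITED + '(?<!\\.)\\b(cookies|headers)\\s*\\(\\s*\\)', 'g');
// Property access or bare assignment of the props: params.slug, "= params;".
const PROP = new RegExp(
  NOT_AWAITED + '\\b(params|searchParams)\\b(?=\\s*(?:\\.(?!then\\b)|;|$))', 'g');

function findSyncRequestApis(source) {
  const findings = [];
  source.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (/^(\/\/|\/\*|\*|import\b)/.test(line)) return; // skip comments, imports
    for (const re of [CALL, PROP]) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: i + 1, api: m[1], text: line });
      }
    }
  });
  return findings;
}

// Constructed sample page (illustrative, not from a real project).
const SAMPLE_PAGE = [
  "import { cookies, headers } from 'next/headers';",
  '',
  'export default async function Page({ params, searchParams }) {',
  "  const token = cookies().get('session');        // sync call",
  '  const h = await headers();',
  '  const { slug } = await params;',
  '  const q = searchParams.q;                      // sync property access',
  "  const theme = (await cookies()).get('theme');",
  '  return null;',
  '}',
].join('\n');
```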
Middleware to Proxy Migration
# Check for removed middleware patterns
grep -r "NextResponse.rewrite\|NextResponse.redirect" middleware.ts
Verify migration:
- • Simple rewrites moved to next.config.js redirects/rewrites
- • Complex logic converted to Middleware Proxies
- • Authentication logic preserved
- • Header manipulation handled correctly
Route Handler Changes
# Find route handlers
find app -name "route.ts" -o -name "route.js"
Check each route handler:
- • Dynamic functions require dynamic = 'force-dynamic'
- • No synchronous cookies()/headers() calls
- • Proper TypeScript types for request/params
- • Error handling updated for new patterns
generateStaticParams Changes
# Find static param generation
grep -r "generateStaticParams" --include="*.ts" --include="*.tsx"
Verify:
- • Returns array of param objects (not nested)
- • Works with new async params
- • Proper TypeScript types
- • No deprecated patterns
4. Migration Verification
Dependency Updates
Check package.json:
- • next: ^16.0.0 or higher
- • react: ^19.0.0 or higher
- • react-dom: ^19.0.0 or higher
- • @types/react: ^19.0.0 (if using TypeScript)
- • @types/react-dom: ^19.0.0 (if using TypeScript)
Configuration Updates
Check next.config.js:
- • experimental.dynamicIO enabled if using dynamic APIs
- • staleTimes configured if controlling client-side cache
- • Custom cacheLife profiles defined if needed
- • TypeScript config updated for async params
Build Validation
Run and verify:
npm run build
- • No deprecation warnings
- • No type errors
- • No runtime errors in build
- • Static generation works correctly
- • Dynamic routes render properly
Runtime Testing
- • Authentication flows work correctly
- • Protected routes require login
- • Server Actions validate permissions
- • Cache invalidation triggers updates
- • Dynamic content updates appropriately
- • Static content serves from cache
Violation Severity
Critical
- • Missing authentication in Server Actions (CVE-2025-29927)
- • Synchronous cookies()/headers() calls
- • Security middleware removed or broken
High
- • Missing cache directives on expensive operations
- • Incorrect async params usage
- • Broken revalidation strategy
Medium
- • Using deprecated unstable_cache
- • Middleware patterns that should be proxies
- • Missing cache lifecycle configuration
Nitpick
- • Suboptimal cache profiles
- • Missing cache tags for fine-grained invalidation
- • Legacy fetch caching patterns
Best Practices
- • Run security audit first - Critical vulnerabilities take priority
- • Group related violations - Fix all async API issues together
- • Test incrementally - Verify each category before moving on
- • Document decisions - Record why certain patterns were chosen
- • Update documentation - Keep project docs current with Next.js 16 patterns