meta: bump @opennextjs/cloudflare from 1.17.1 to 1.17.3 #8796

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/opennextjs/cloudflare-1.17.3

@dependabot dependabot bot commented on behalf of github Apr 1, 2026

Bumps @opennextjs/cloudflare from 1.17.1 to 1.17.3.

Release notes

Sourced from @​opennextjs/cloudflare's releases.

@​opennextjs/cloudflare@​1.17.3

Patch Changes

  • #1160 161e726 Thanks @​matthewvolk! - fix(patches): include prefetch-hints.json in loadManifest build-time inlining

    Next.js 16.2.0 introduced prefetch-hints.json as a new server manifest loaded unconditionally by NextNodeServer.getPrefetchHints(). The file exists in the build output but wasn't matched by the glob pattern *-manifest.json, causing the patched loadManifest() to throw at runtime.

@​opennextjs/cloudflare@​1.17.2

Patch Changes

  • #1151 a143282 Thanks @​nathanschram! - fix: handle known optional manifests gracefully in loadManifest/evalManifest patches

    Next.js loads certain manifests with handleMissing: true (returning {} when the file doesn't exist). The adapter's build-time glob scan doesn't find these files when they're conditionally generated, so the patched function threw at runtime, crashing dynamic routes with 500.

    Instead of a blanket catch-all, handle only the specific optional manifests from Next.js route-module.ts:

    • react-loadable-manifest (Turbopack per-route, not all routes have dynamic imports)
    • subresource-integrity-manifest (only when experimental.sri configured)
    • server-reference-manifest (App Router only)
    • dynamic-css-manifest (Pages Router + Webpack only)
    • fallback-build-manifest (only for /_error page)
    • prefetch-hints (new in Next.js 16.2)
    • _client-reference-manifest.js (optional for static metadata routes, evalManifest)

    Manifest matching strips .json before comparison since some Next.js constants omit the extension (SUBRESOURCE_INTEGRITY_MANIFEST, DYNAMIC_CSS_MANIFEST, etc.).

    Unknown manifests still throw to surface genuine errors.

    Fixes #1141.

Changelog

Sourced from @​opennextjs/cloudflare's changelog.

1.17.3

Patch Changes

  • #1160 161e726 Thanks @​matthewvolk! - fix(patches): include prefetch-hints.json in loadManifest build-time inlining

    Next.js 16.2.0 introduced prefetch-hints.json as a new server manifest loaded unconditionally by NextNodeServer.getPrefetchHints(). The file exists in the build output but wasn't matched by the glob pattern *-manifest.json, causing the patched loadManifest() to throw at runtime.

1.17.2

Patch Changes

  • #1151 a143282 Thanks @​nathanschram! - fix: handle known optional manifests gracefully in loadManifest/evalManifest patches

    Next.js loads certain manifests with handleMissing: true (returning {} when the file doesn't exist). The adapter's build-time glob scan doesn't find these files when they're conditionally generated, so the patched function threw at runtime, crashing dynamic routes with 500.

    Instead of a blanket catch-all, handle only the specific optional manifests from Next.js route-module.ts:

    • react-loadable-manifest (Turbopack per-route, not all routes have dynamic imports)
    • subresource-integrity-manifest (only when experimental.sri configured)
    • server-reference-manifest (App Router only)
    • dynamic-css-manifest (Pages Router + Webpack only)
    • fallback-build-manifest (only for /_error page)
    • prefetch-hints (new in Next.js 16.2)
    • _client-reference-manifest.js (optional for static metadata routes, evalManifest)

    Manifest matching strips .json before comparison since some Next.js constants omit the extension (SUBRESOURCE_INTEGRITY_MANIFEST, DYNAMIC_CSS_MANIFEST, etc.).

    Unknown manifests still throw to surface genuine errors.

    Fixes #1141.

Commits
  • 6fdc1e2 Version Packages (#1162)
  • 161e726 fix(patches): include prefetch-hints.json in loadManifest glob for Next.js 16...
  • 7ccf5ea Version Packages (#1161)
  • a143282 fix(patches): return empty object for unhandled manifests in loadManifest (#1...
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added labels Apr 1, 2026: auto-merge (Ready to automatically merge after being open for 48 hours), dependencies (Pull requests that update a dependency file), github_actions:pull-request (Trigger Pull Request Checks), javascript (Pull requests that update javascript code)
@dependabot dependabot bot requested review from a team as code owners April 1, 2026 22:07
@dependabot dependabot bot added labels Apr 1, 2026: github_actions:pull-request (Trigger Pull Request Checks), dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code), auto-merge (Ready to automatically merge after being open for 48 hours)
vercel bot commented Apr 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| nodejs-org | Ready | Preview | Apr 4, 2026 0:53am |

github-actions bot commented Apr 1, 2026

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/nodejs-website @nodejs/web-infra

Please review the changes when you have a chance. Thank you! 🙏

codecov bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.25%. Comparing base (c52de6f) to head (d36bcac).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8796      +/-   ##
==========================================
+ Coverage   74.23%   74.25%   +0.01%     
==========================================
  Files         105      105              
  Lines        8870     8870              
  Branches      328      328              
==========================================
+ Hits         6585     6586       +1     
+ Misses       2283     2282       -1     
  Partials        2        2              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-actions bot commented Apr 1, 2026

📦 Build Size Comparison

Summary

| Metric | Value |
| --- | --- |
| Old Total Size | 3.51 MB |
| New Total Size | 3.51 MB |
| Delta | 0 B (0.00%) |

Changes

➕ Added Assets (1)

| Name | Size |
| --- | --- |
| .next/static/chunks/81df285e0e7634c9.js | 197.56 KB |

➖ Removed Assets (1)

| Name | Size |
| --- | --- |
| .next/static/chunks/4622a98ebec3ad79.js | 197.56 KB |

@avivkeller avivkeller added this pull request to the merge queue Apr 4, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Apr 4, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/opennextjs/cloudflare-1.17.3 branch from 1a78394 to 6cd0935 Compare April 4, 2026 12:49
cursor bot commented Apr 4, 2026

PR Summary

Low Risk
Primarily a dependency/lockfile update for the Cloudflare Next.js adapter; risk is limited to potential runtime/deploy behavior changes in the Cloudflare build pipeline due to the adapter and its transitive AWS/Smithy bumps.

Overview
Updates the site’s Cloudflare deployment adapter by bumping @opennextjs/cloudflare from 1.17.1 to 1.18.0.

Refreshes pnpm-lock.yaml accordingly, pulling in newer transitive versions (notably @aws-sdk/*, @smithy/*, fast-xml-parser, and @types/node).

Reviewed by Cursor Bugbot for commit d36bcac. Bugbot is set up for automated code reviews on this repo. Configure here.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 6cd0935. Configure here.

"@next/eslint-plugin-next": "16.1.7",
"@node-core/remark-lint": "workspace:*",
"@opennextjs/cloudflare": "^1.17.1",
"@opennextjs/cloudflare": "^1.18.0",
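
Review bot: the changed `@opennextjs/cloudflare` line ends at `^1.18.0`, but the commit trailer declares `dependency-version: 1.17.3` with `update-type: version-update:semver-patch`, and the release notes in the description cover only 1.17.2 and 1.17.3. Because this PR carries the auto-merge label, either set the specifier back to `^1.17.3` or retitle the PR and attach the 1.18.0 changelog, so that the minor release and the transitive lockfile changes it pulls in are reviewed before merge.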
Version bumped to 1.18.0 instead of stated 1.17.3

Medium Severity

The PR title and description state this bumps @opennextjs/cloudflare from 1.17.1 to 1.17.3 (a patch update), but the specifier was actually changed to ^1.18.0 and the lockfile resolves version 1.18.0 — a minor version bump. This installs a different version than what was reviewed and approved, potentially introducing unintended changes beyond the two patch fixes described in the PR.


Bumps [@opennextjs/cloudflare](https://github.com/opennextjs/opennextjs-cloudflare/tree/HEAD/packages/cloudflare) from 1.17.1 to 1.17.3.
- [Release notes](https://github.com/opennextjs/opennextjs-cloudflare/releases)
- [Changelog](https://github.com/opennextjs/opennextjs-cloudflare/blob/main/packages/cloudflare/CHANGELOG.md)
- [Commits](https://github.com/opennextjs/opennextjs-cloudflare/commits/@opennextjs/cloudflare@1.17.3/packages/cloudflare)

---
updated-dependencies:
- dependency-name: "@opennextjs/cloudflare"
  dependency-version: 1.17.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/opennextjs/cloudflare-1.17.3 branch from 48071c2 to d36bcac Compare April 4, 2026 12:52
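
The mismatch flagged in the review above can be checked mechanically before an auto-merge window closes. This is an added example, not code from this PR, Dependabot or the repository; `parseTrailer`, `parseSpec`, `bumpLevel` and `checkBump` are hypothetical helpers, and the inputs are constructed from values shown in this thread.

```javascript
// Added example: compare Dependabot's commit metadata with the specifier
// actually written to package.json. Inputs are constructed from this thread.
const commitMessage = `Bumps @opennextjs/cloudflare from 1.17.1 to 1.17.3.

---
updated-dependencies:
- dependency-name: "@opennextjs/cloudflare"
  dependency-version: 1.17.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...
`;
const oldSpec = "^1.17.1"; // package.json before the change
const newSpec = "^1.18.0"; // package.json after the change

// Parse the updated-dependencies trailer into one object per dependency.
function parseTrailer(msg) {
  const deps = [];
  for (const line of msg.split("\n")) {
    const m = /^(?:- |  )([a-z-]+):\s*"?([^"]+?)"?\s*$/.exec(line);
    if (!m) continue;
    if (m[1] === "dependency-name") deps.push({ name: m[2] });
    else if (deps.length) deps[deps.length - 1][m[1]] = m[2];
  }
  return deps;
}

// Strip a leading ^ or ~ and split into [major, minor, patch].
const parseSpec = (v) => v.replace(/^[\^~]/, "").split(".").map(Number);

// Name the first semver component that differs between two specifiers.
function bumpLevel(from, to) {
  const a = parseSpec(from), b = parseSpec(to);
  const i = a.findIndex((n, k) => n !== b[k]);
  return ["major", "minor", "patch"][i] ?? "none";
}

// List mismatches between the declared metadata and the manifest change.
function checkBump(dep, from, to) {
  const findings = [];
  const declared = dep["update-type"].split("semver-")[1];
  const actual = bumpLevel(from, to);
  if (parseSpec(to).join(".") !== dep["dependency-version"])
    findings.push(`specifier ${to} does not match declared version ${dep["dependency-version"]}`);
  if (actual !== declared)
    findings.push(`change is a ${actual} bump, metadata declares ${declared}`);
  return findings;
}
console.log(checkBump(parseTrailer(commitMessage)[0], oldSpec, newSpec));
```

A non-empty result is a reason to hold the PR out of auto-merge until the description matches what will be installed.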