Next.js 16 arrived in October 2025 with Turbopack as the default bundler, a new caching model, architectural changes to Middleware, and a trimmed bundle. It also shipped with a critical security patch that every team on an older version should know about. Here is what changed and what it means in practice.

Turbopack Is Now the Default

Turbopack, the Rust-based bundler Vercel has been developing since 2022, is now the default in Next.js 16. Local development start times are significantly faster, hot module replacement is near-instant, and cold builds on CI have improved across the board.

For most projects the switch is transparent. Turbopack is compatible with the same configuration and loaders. Teams that had been running the old webpack-based pipeline on large codebases will notice the biggest difference. If you are starting a new project, you are getting Turbopack automatically.

use cache Replaces the Old Data Caching Model

Next.js introduced a new use cache directive that replaces the previous approach to data caching in the App Router. The old model had multiple overlapping caching layers that were difficult to reason about and frequently caused confusion about when data was fresh and when it was stale.

The new directive is more explicit. You add use cache at the top of a function to opt it into caching, and you control the behaviour with cache tags and revalidation. It is closer to how most developers think about caching: you declare what should be cached and how long it is valid, and the framework handles the rest.

Middleware Replaced by proxy.ts

The Middleware API in Next.js has been replaced by proxy.ts, which provides a clearer boundary for network-level logic. The old Middleware ran in the Edge runtime and was often used for things it was not well suited to: authentication, redirects, header manipulation, and A/B testing all tangled together.

The new proxy.ts file makes the network layer explicit. It runs before requests hit your application and is designed specifically for routing logic, not application logic. The separation makes it easier to understand what runs where, which matters when debugging performance or caching issues.

Bundle Size Down ~20MB

The Next.js core bundle has been trimmed by approximately 20MB. This matters most for cold start performance in serverless and Edge deployments. Smaller bundles mean faster Lambda function initialisation, lower memory usage, and reduced deployment artifact sizes. For teams paying per-request on serverless infrastructure, it can translate directly to cost savings.

The Critical RSC Vulnerability You Need to Know About

Next.js 16 shipped a patch for a critical security vulnerability in React Server Components with a CVSS score of 10.0. The vulnerability allowed attackers to bypass authentication middleware under certain conditions by sending crafted requests to RSC endpoints.

If you are running Next.js 13, 14, or 15 and using the App Router with Middleware-based authentication, you need to update. The patch is backported to earlier versions, but the fix is most complete in 16. This is not a theoretical risk. Staying on older versions with known critical vulnerabilities is not a reasonable position for a production application.

Is It Worth Upgrading Now?

For new projects: yes, start on 16. For existing projects: the security patch alone is reason enough. The Turbopack and caching improvements are valuable, and the migration path from Next.js 15 is straightforward.

If you are building a product on Next.js and want a team that understands the framework deeply, Cystall ships MVPs on modern stacks and keeps them up to date after launch.