Summary

Next.js 11.1 focuses on build and runtime performance, a security patch for an open-redirect, experimental ES Modules support, early adoption of the Rust-based SWC toolchain, faster pre-render data fetching, source map optimizations, ESLint rule improvements, and multiple next/image enhancements. Engineers should upgrade to get immediate security and performance benefits.

Key Points

• Security
  • Patch for an open-redirect involving pages/_error.js. Upgrade recommended; Vercel-hosted apps were not affected.
• ES Modules (experimental)
  • Enable importing ESM npm packages with experimental.esmExternals: true in next.config.js. This will be the default in Next.js 12.
• Rust-based SWC (tooling)
  • SWC replaces Babel/Terser for faster transforms and minification. Early tests show ~2x faster builds and large reductions in per-file transform and minify times.
• Faster data fetching
  • HTTP keep-alive is enabled by default for fetch() during pre-rendering, improving build-time fetching (≈2x). Disable per-call via a custom Agent or globally with httpAgentOptions in next.config.js.
• Source maps
  • Production browser source maps now cost ~70% less time and ~67% less memory. Enabling productionBrowserSourceMaps: true increases build time by ~11% (much improved vs prior).
• ESLint improvements
  • New default accessibility rules and linting for common typos in getStaticProps, getStaticPaths, and getServerSideProps to catch mistakes earlier.
• next/image improvements
  • Optional sharp install for faster uncached optimization; WebAssembly optimizer remains default (smaller install, M1/ARM support). Lazy generation of placeholder="blur" during dev, skip lazy-loading for previously loaded images, support for custom loaders with next export, onLoadingComplete event, and images.minimumCacheTTL config.

Actionable steps

• Upgrade: npm i next@latest
• Try ESM externals: add experimental: { esmExternals: true } to next.config.js and report issues.
• If you rely on external fetch behavior, verify pre-rendering fetch calls with keep-alive, and opt out with httpAgentOptions or per-request Agent.

References

• Read the public CVE and release notes for detailed migration and security guidance.