Skip to content

feat(nextjs): Add routeManifestInjection option to exclude routes from client bundle #18798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
logaretm merged 6 commits into from
Jan 14, 2026
Merged

feat(nextjs): Add routeManifestInjection option to exclude routes from client bundle #18798

logaretm merged 6 commits into from
Jan 14, 2026
+267 −18

Conversation

@logaretm
Copy link
Collaborator

@logaretm logaretm commented Jan 13, 2026
edited
Loading

Added a new routeManifestInjection configuration option that allows users to exclude specific routes from the route manifest injected into the client bundle. This addresses concerns about sensitive or unreleased route patterns being exposed in the client-side code.

This also deprecated disableManifestInjection option since it would be possible to have conflicting options present which wouldn't be a great DX.

Users can disable it entirely by passing false, otherwise they can use an object with an exclude property. The property can be an array of string/regex values, or a predicate function.

The value typings prevent disabling the manifest and excluding it at the same time, also deprecation annotations and build-time warnings should point users towards the new option.

// Disable route manifest injection entirely
withSentryConfig(nextConfig, {
  routeManifestInjection: false
})

// Exclude specific routes
withSentryConfig(nextConfig, {
  routeManifestInjection: {
    exclude: [
      '/admin',           // Exact match
      /^\/internal\//,    // Regex: routes starting with /internal/
      /\/secret-/,        // Regex: routes containing /secret-
    ]
  }
})

// Exclude using a function
withSentryConfig(nextConfig, {
  routeManifestInjection: {
    exclude: (route) => route.includes('hidden')
  }
})

closes #18713

@logaretm logaretm requested a review from chargome January 13, 2026 14:38
@logaretm logaretm self-assigned this Jan 13, 2026
Copilot AI review requested due to automatic review settings January 13, 2026 14:38
@linear
Copy link

linear bot commented Jan 13, 2026

JS-1414 Explore alternatives to client injected route manifest

Copilot AI reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a new routeManifestInjection configuration option that provides fine-grained control over which routes are included in the route manifest injected into the client bundle, addressing security concerns about exposing sensitive route patterns. The PR also deprecates the existing disableManifestInjection option in favor of the more flexible new option.

Changes:

  • Added routeManifestInjection option supporting false, object with exclude array/function, providing exact string matching, regex patterns, and predicate function filtering
  • Deprecated disableManifestInjection option with a console warning
  • Implemented route filtering logic in maybeCreateRouteManifest to apply exclusion rules to static routes, dynamic routes, and ISR routes

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
packages/nextjs/src/config/types.ts Added new routeManifestInjection type definition with documentation and examples, deprecated disableManifestInjection
packages/nextjs/src/config/withSentryConfig/getFinalConfigObjectUtils.ts Implemented deprecation warning, option precedence handling, and route filtering logic based on exclude patterns
packages/nextjs/test/config/manifest/excludeRoutesFromManifest.test.ts Added comprehensive unit tests for route exclusion filtering with string, regex, function, and edge case scenarios

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

cursor[bot]
cursor bot reviewed Jan 13, 2026
View reviewed changes
sentry[bot]
sentry bot reviewed Jan 13, 2026
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026
edited
Loading

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 9,490 - 8,871 +7%
GET With Sentry 1,750 18% 1,677 +4%
GET With Sentry (error only) 6,287 66% 6,180 +2%
POST Baseline 1,208 - 1,199 +1%
POST With Sentry 594 49% 581 +2%
POST With Sentry (error only) 1,059 88% 1,042 +2%
MYSQL Baseline 3,358 - 3,287 +2%
MYSQL With Sentry 446 13% 495 -10%
MYSQL With Sentry (error only) 2,747 82% 2,686 +2%

View base workflow run

chargome
chargome approved these changes Jan 14, 2026
View reviewed changes
Copy link
Member

@chargome chargome left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks good, just left a comment but feel free to ignore.
Thanks for shipping this!

packages/nextjs/src/config/withSentryConfig/getFinalConfigObjectUtils.ts Outdated

return excludeFilter.some(pattern => {
if (typeof pattern === 'string') {
return route === pattern;
Copy link
Member

@chargome chargome Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want exact matching here? Easy to mess up with trailing slashes etc – maybe an includes would be more suitable?

Copy link
Collaborator Author

@logaretm logaretm Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I initially thought that strings should be precise, but then found a isMatchingPattern utility that uses includes for this case.

So for consistency I will use that util, and users can do precise matching with fully qualified URLs or Regexs anyways. Thanks for calling it out!

packages/nextjs/src/config/types.ts
/**
* Disables automatic injection of the route manifest into the client bundle.
*
* @deprecated Use `routeManifestInjection: false` instead.
Copy link
Member

@chargome chargome Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a todo(v11) comment for removal pls. We should add a tracking issue for v11 for removing all the deprecated types then

Copy link
Collaborator Author

@logaretm logaretm Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, I will also add it for the other deprecated stuff.

@logaretm
Copy link
Collaborator Author

logaretm commented Jan 14, 2026

Merging since remix hydro tests are flakey atm

@logaretm logaretm enabled auto-merge (squash) January 14, 2026 11:50
@logaretm logaretm disabled auto-merge January 14, 2026 11:50
@JPeer264 JPeer264 force-pushed the awad/js-1414-explore-alternatives-to-client-injected-route-manifest branch from 8db1794 to fba9871 Compare January 14, 2026 13:32
@logaretm logaretm merged commit 5da93d8 into develop Jan 14, 2026
68 checks passed
@logaretm logaretm deleted the awad/js-1414-explore-alternatives-to-client-injected-route-manifest branch January 14, 2026 14:04
@github-actions github-actions bot mentioned this pull request Jan 14, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

Copilot code review Copilot Copilot left review comments

@cursor cursor[bot] cursor[bot] left review comments

@chargome chargome chargome approved these changes

Assignees

@logaretm logaretm

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Explore alternatives to client injected route manifest

3 participants

@logaretm @chargome