• @formatjs/svelte-intl: add runtime package, CLI extraction, and docs for .svelte files (#6122) (fc35630) - by @longlho

• @formatjs/cli-lib: add AbortSignal support to extract() and compile() (#6131) (19fd7e0), closes #6067 - by @longlho

• @formatjs/cli-lib: add AbortSignal support to extract() and compile() (#6131) (19fd7e0), closes #6067 - by @longlho
• @formatjs/svelte-intl: add runtime package, CLI extraction, and docs for .svelte files (#6122) (fc35630) - by @longlho

• @formatjs/cli-lib: add AbortSignal support to extract() and compile() (#6131) (19fd7e0), closes #6067 - by @longlho

Release 2026-03-16 23:09

• add @tanstack/intent AI agent skills for Router and Start (#6866) (940151cbed) by @tannerlinsley

• write static server function cache to correct output directory with Nitro (#6940) (d6371529b5) by @tannerlinsley

• @tanstack/react-router@1.167.4
• @tanstack/react-start@1.166.15
• @tanstack/react-start-client@1.166.13
• @tanstack/react-start-server@1.166.13
• @tanstack/router-cli@1.166.12
• @tanstack/router-core@1.167.4
• @tanstack/router-generator@1.166.12
• @tanstack/router-plugin@1.166.13
• @tanstack/router-vite-plugin@1.166.13
• @tanstack/solid-router@1.167.4
• @tanstack/solid-start@1.166.15
• @tanstack/solid-start-client@1.166.12
• @tanstack/solid-start-server@1.166.12
• @tanstack/start-client-core@1.166.12
• @tanstack/start-plugin-core@1.166.15
• @tanstack/start-server-core@1.166.12
• @tanstack/start-static-server-functions@1.166.14
• @tanstack/start-storage-context@1.166.12
• @tanstack/virtual-file-routes@1.161.7
• @tanstack/vue-router@1.167.4
• @tanstack/vue-start@1.166.15
• @tanstack/vue-start-client@1.166.12
• @tanstack/vue-start-server@1.166.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Huge thanks to @ztanner for helping!

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Huge thanks to @unstubbable, @styfle, @eps1lon, and @ztanner for helping!

• Changes v3.48.0...v3.49.0 (373 commits)
• Iterator.range updated following the actual spec version
  • Throw a RangeError on NaN start / end / step
  • Allow null as optionOrStep
• Improved accuracy of Math.{ asinh, atanh } polyfills with big and small values
• Improved accuracy of Number.prototype.toExponential polyfills with big and small values
• Improved performance of atob, btoa, Uint8Array.fromHex, Uint8Array.prototype.setFromHex, and Uint8Array.prototype.toHex, #1503, #1464, #1510, thanks @johnzhou721
• Minor performance optimization polyfills of methods from Map upsert proposal
• Polyfills of methods from Map upsert proposal from the pure version made generic to make it work with polyfilled and native collections
• Wrap Symbol.for in Symbol.prototype.description polyfill for correct handling of empty string descriptions
• Fixed a modern Safari bug in Array.prototype.includes with sparse arrays and fromIndex
• Fixed one more case (Iterator.prototype.take) of a V8 ~ Chromium < 126 bug
• Forced replacement of Iterator.{ concat, zip, zipKeyed } in the pure version for ensuring proper wrapped Iterator instances as the result
• Fixed proxying .return() on exhausted iterator from some methods of iterator helpers polyfill to the underlying iterator
• Fixed double .return() calling in case of throwing error in this method in the internal iterate helper that affected some polyfills
• Fixed closing iterator on IteratorValue errors in the internal iterate helper that affected some polyfills
• Fixed iterator closing in Array.from polyfill on failure to create array property
• Fixed order of arguments validation in Array.fromAsync polyfill
• Fixed a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync polyfill
• Fixed order of arguments validation in Array.prototype.flat polyfill
• Fixed handling strings as iterables in Iterator.{ zip, zipKeyed } polyfills
• Fixed some cases of iterators closing in Iterator.{ zip, zipKeyed } polyfills
• Fixed validation of iterators .next() results an objects in Iterator.{ zip, zipKeyed } polyfills
• Fixed a lack of early error in Iterator.concat polyfill on primitive as an iterator
• Fixed buffer mutation exposure in Iterator.prototype.windows polyfill
• Fixed iterator closing in Set.prototype.{ isDisjointFrom, isSupersetOf } polyfill
• Fixed (updated following the final spec) one more case Set.prototype.difference polyfill with updating this
• Fixed DataView.prototype.setFloat16 polyfill in (0, 1) range
• Fixed order of arguments validation in String.prototype.{ padStart, padEnd } polyfills
• Fixed order of arguments validation in String.prototype.{ startsWith, endsWith } polyfills
• Fixed some cases of Infinity handling in String.prototype.substr polyfill
• Fixed String.prototype.repeat polyfill with a counter exceeding 2 ** 32
• Fixed some cases of chars case in escape polyfill
• Fixed named backreferences in RegExp NCG polyfill
• Fixed some cases of RegExp NCG polyfill in combination with other types of groups
• Fixed some cases of RegExp NCG polyfill in combination with dotAll
• Fixed String.prototype.replace with sticky polyfill, #810, #1514
• Fixed RegExp sticky polyfill with alternation
• Fixed handling of some line terminators in case of multiline + sticky mode in RegExp polyfill
• Fixed .input slicing on result object with RegExp sticky mode polyfill
• Fixed handling of empty groups with global and unicode modes in polyfills
• Fixed URLSearchParam.prototype.delete polyfill with duplicate key-value pairs
• Fixed possible removal of unnecessary entries in URLSearchParam.prototype.delete polyfill with second argument
• Fixed an error in some cases of non-special URLs without a path in the URL polyfill
• Fixed some percent encode cases / character sets in the URL polyfill
• Fixed parsing of non-IPv4 hosts ends in a number in the URL polyfill
• Fixed some cases of '' and null host handling in the URL polyfill
• Fixed host parsing with hostname = host:port in the URL polyfill
• Fixed host inheritance in some cases of file scheme in the URL polyfill
• Fixed block of protocol change for file with empty host in the URL polyfill
• Fixed invalid code points handling in UTF-8 decode in the URLSearchParams polyfill
• Fixed some cases of serialization in URL polyfill (/. prefix for non-special URLs with null host and path starting with empty segment)
• Fixed URL polyfill .origin getter with blob scheme
• Fixed a lack of error in URLSearchParams.prototype.set polyfill on calling only with 1 argument
• Fixed handling invalid UTF-8 continuation bytes in URLSearchParams polyfill
• Fixed incomplete sequences with out-of-range continuation bytes handling in URLSearchParams polyfill
• Fixed allowing unexpected symbols in scheme in the URL polyfill
• Fixed repeated ToPropertyKey calling in Reflect.{ get, set, deleteProperty } polyfills
• Fixed Reflect.set polyfill with some descriptors cases
• Fixed Reflect.set polyfill with some non-extensible receiver cases
• Fixed the order of Reflect.construct polyfill arguments validation (observable only in the error message)
• Fixed a lack of error in Reflect.defineProperty polyfill with malformed descriptor
• Fixed a lack of error in JSON.parse polyfill on unterminated object and array literals
• Fixed a lack of error in JSON.parse polyfill on numbers with ., but without a fraction part
• Fixed a lack of error on \u{} in String.dedent polyfill
• Fixed some cases of hex escaping in the end of string in String.dedent polyfill
• Fixed %AsyncFromSyncIteratorPrototype% to make it a little stricter
• Fixed counter in some cases of some AsyncIterator methods
• Fixed order of async iterators closing
• Fixed iterator closing in AsyncIterator.prototype.flatMap polyfill
• Fixed iterator closing in AsyncIterator.prototype.map polyfill on error in underlying iterator .next()
• Fixed iterator closing in AsyncIterator.prototype.take polyfill with return: null
• Fixed validation .return() result as object in AsyncIterator.prototype.take polyfill
• Fixed a lack of error in structuredClone polyfill on attempt to transfer multiple objects, some of which are non-transferable
• Fixed resizable ArrayBuffer transferring where newByteLength exceeds the original maxByteLength
• Fixed possible loss of symbol enumerability in Object.defineProperty in Symbol polyfill
• Fixed return value of Object.defineProperty in Symbol polyfill in Android ~ 2
• Fixed order of %TypedArray%.from arguments validation
• Fixed a lack of error on passing an ArrayBuffer and a negative length to the %TypedArray% and DataView constructors polyfills
• Fixed some cases of @@toStringTag on %TypedArray% polyfill
• Fixed some cases of ToUint8Clamp conversion
• Fixed NaN handling in Date.prototype.setYear polyfill
• Fixed false positive on a WeakMap validation in the pure version
• Fixed some minor { Map, Set }.prototype.forEach moments in the pure version
• Fixed possible error in Array.isTemplateObject polyfill on frozen array
• Fixed semantics of Observable.from with multiple subscriptions of the obsolete ECMAScript Observable proposal polyfill
• Fixed handling of ending zeroes in the fraction part in Number.fromString polyfill
• Fixed esmodules: intersect option of core-js-compat
• Fixed a lack of reactnative alias in core-js-compat types
• Fixed a minor logical bug in the debugging output of core-js-builder
• Fixed ignorance of the obsolete blacklist option of core-js-builder - it should be removed only in the next major release
• In case of bugs in String.prototype.{ match, matchAll, replace, split } in modern engines, add s, d and v flag support to polyfills of those methods
• Just in case, added an extra input string validation to the polyfill of obsolete Number.fromString proposals
• Simplified iOS detection
• Many minor stylistic fixes and optimizations
• Compat data improvements:
  • Math.sumPrecise marked as shipped in V8 ~ Chrome 147
  • Iterator.concat marked as shipped in V8 ~ Chrome 146
  • Iterator.concat marked as shipped in Safari 26.4
  • Because of a bug, Array.prototype.includes marked as not supported in modern Safari
  • Fixed compat data for parseInt and parseFloat
  • Added Deno 2.6.7, 2.7.0 and 2.7.2 compat data mapping
  • Added Electron 42 compat data mapping
  • Added Opera for Android 95 and 96 compat data mapping
  • Added Oculus Quest Browser 42 compat data mapping

• 6f3e7f5: fix possible crash on drag + transformer (Anton Lavrevov)
• 4fd2712: update CHANGELOG with new version (Anton Lavrevov)
• 167c30f: build for 10.2.3 (Anton Lavrevov)
• a537685: update cdn link (Anton Lavrevov)

• Occlusion Query: allow queries to be performed for a specific render pass - by Popov72 (#18106)

• Feat/inspector add alphaCutOff - by Jeggery (#18104)

• glTF loading: Fix loading base64 data uri - [Bug Fix] by Popov72 (#18102)

• Edge Detection post-process: Fix crash in WebGPU - [Bug Fix] by Popov72 (#18109)