[test] Harden temporary test fixture installs against supply chain attacks #92565

Closed. eps1lon wants to merge 2 commits into canary from sebbie/04-09-_test_pnpm_fuckery

@eps1lon eps1lon commented Apr 9, 2026

We set minimumReleaseAge in our monorepo but that's already secured against unintentional upgrades to compromised packages with a lockfile. However, test fixture installs are open since they don't have a lockfile.

We now propagate minimumReleaseAge, minimumReleaseAgeExclude, and blockExoticSubdeps. This doesn't apply to tests using other package managers with a custom installCommand.

@nextjs-bot nextjs-bot added created-by: Next.js team PRs by the Next.js team. tests labels Apr 9, 2026
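
The propagation described in the PR description above, as an added sketch that is not the code from this pull request: it plans a lockfile-less fixture install by copying the three pnpm settings, reports a custom non-pnpm `installCommand` as unprotected, and declines to write when the fixture ships its own `pnpm-workspace.yaml` (the CI log on this page reports two such files). Function names and sample values are hypothetical.

```javascript
// Added example: hypothetical helper names, not the Next.js test harness.
const PROPAGATED = ['minimumReleaseAge', 'minimumReleaseAgeExclude', 'blockExoticSubdeps']

// Copy only the supply-chain settings out of the monorepo's parsed pnpm config.
function pickSupplyChainSettings(rootConfig) {
  return Object.fromEntries(
    PROPAGATED.filter((k) => rootConfig[k] !== undefined).map((k) => [k, rootConfig[k]])
  )
}

// Render the settings as pnpm-workspace.yaml text (JSON scalars are valid YAML).
function renderWorkspaceYaml(settings) {
  const lines = []
  for (const [key, value] of Object.entries(settings)) {
    if (Array.isArray(value)) {
      lines.push(`${key}:`, ...value.map((item) => `  - ${JSON.stringify(item)}`))
    } else {
      lines.push(`${key}: ${JSON.stringify(value)}`)
    }
  }
  return lines.join('\n') + '\n'
}

// Decide what to write into a temporary install directory that has no lockfile.
// fixtureFiles: paths, relative to the install directory, that the fixture ships.
function planFixtureInstall({ rootConfig, fixtureFiles, installCommand }) {
  // Another package manager behind a custom installCommand never reads pnpm settings.
  if (installCommand && !/^\s*pnpm(\s|$)/.test(installCommand)) {
    return { status: 'unprotected', reason: 'custom installCommand is not pnpm' }
  }
  // Writing next to a fixture-owned workspace file leaves two workspace markers
  // in the install tree, so report it instead of writing.
  const existing = fixtureFiles.filter((f) => f.split('/').pop() === 'pnpm-workspace.yaml')
  if (existing.length > 0) {
    return { status: 'conflict', reason: 'fixture ships its own pnpm-workspace.yaml', existing }
  }
  return {
    status: 'write',
    path: 'pnpm-workspace.yaml',
    content: renderWorkspaceYaml(pickSupplyChainSettings(rootConfig)),
  }
}

// Constructed sample of a parsed monorepo config; pnpm reads the age in minutes.
const sampleRootConfig = {
  packages: ['packages/*'], minimumReleaseAge: 1440,
  minimumReleaseAgeExclude: ['next'], blockExoticSubdeps: true,
}
```

A `conflict` or `unprotected` result marks a fixture whose install still resolves the newest published versions, which is the gap the description calls out.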
@nextjs-bot (Contributor)

Failing test suites

Commit: 7d733ba | About building and testing Next.js

pnpm test-dev test/e2e/app-dir/pnpm-workspace-root/pnpm-workspace-root.test.ts (job)

  • pnpm-workspace-root > should not have multiple lockfiles warning when pnpm-workspace.yaml is present (DD)

● pnpm-workspace-root › should not have multiple lockfiles warning when pnpm-workspace.yaml is present

expect(received).not.toMatch(expected)

Expected pattern: not /We detected multiple lockfiles/
Received string:      "▲ Next.js 16.2.1-canary.29 (Turbopack)
- Local:         http://localhost:37269
- Network:       http://176.9.53.148:37269
✓ Ready in 482ms
Creating turbopack project {
  dir: '/tmp/next-install-87d3c747792220c63717b085d03be79a7f2ab46a63281c32ed56d7c7d4ad490d/test',
  testMode: true
}

  We detected TypeScript in your project and created a tsconfig.json file for you.
⚠ Warning: Next.js inferred your workspace root, but it may not be correct.
 We detected multiple lockfiles and selected the directory of /tmp/next-install-87d3c747792220c63717b085d03be79a7f2ab46a63281c32ed56d7c7d4ad490d/pnpm-workspace.yaml as the root directory.
 To silence this warning, set `turbopack.root` in your Next.js config, or consider removing one of the lockfiles if it's not needed.
   See https://nextjs.org/docs/app/api-reference/config/next-config-js/turbopack#root-directory for more information.
 Detected additional lockfiles: 
   * /tmp/next-install-87d3c747792220c63717b085d03be79a7f2ab46a63281c32ed56d7c7d4ad490d/test/pnpm-workspace.yaml

- Experiments (use with caution):
  ✓ strictRouteTypes (enabled by `__NEXT_EXPERIMENTAL_STRICT_ROUTE_TYPES`)

 GET / 200 in 2.1s (next.js: 1921ms, application-code: 190ms)
"

  64 |     // and we shouldn't see the "multiple lockfiles" warning since pnpm-workspace.yaml
  65 |     // is prioritized and acts as the definitive workspace root marker
> 66 |     expect(next.cliOutput).not.toMatch(/We detected multiple lockfiles/)
     |                                ^
  67 |   })
  68 | })
  69 |

  at Object.toMatch (e2e/app-dir/pnpm-workspace-root/pnpm-workspace-root.test.ts:66:32)

eps1lon commented Apr 9, 2026

A lot of work to make this work with tests having a custom monorepo-ish setup. I won't spend more time on this.

@eps1lon eps1lon closed this Apr 9, 2026
@nextjs-bot (Contributor)

Stats from current PR

✅ No significant changes detected

📊 All Metrics
📖 Metrics Glossary

Dev Server Metrics:

  • Listen = TCP port starts accepting connections
  • First Request = HTTP server returns successful response
  • Cold = Fresh build (no cache)
  • Warm = With cached build artifacts

Build Metrics:

  • Fresh = Clean build (no .next directory)
  • Cached = With existing .next directory

Change Thresholds:

  • Time: Changes < 50ms AND < 10%, OR < 2% are insignificant
  • Size: Changes < 1KB AND < 1% are insignificant
  • All other changes are flagged to catch regressions

⚡ Dev Server

Metric Canary PR Change Trend
Cold (Listen) 455ms 456ms ▁█▅▅▅
Cold (Ready in log) 441ms 446ms ▁▂▅▇▄
Cold (First Request) 1.129s 1.119s ▆▁▁▂▂
Warm (Listen) 456ms 457ms █▁██▁
Warm (Ready in log) 446ms 446ms ▂▂▇█▁
Warm (First Request) 343ms 344ms ▃▄▇█▄
📦 Dev Server (Webpack) (Legacy)

📦 Dev Server (Webpack)

Metric Canary PR Change Trend
Cold (Listen) 455ms 456ms ▁▁▅▁▅
Cold (Ready in log) 442ms 442ms ▁▃▆▂▂
Cold (First Request) 1.946s 1.961s ▇▇▇▆▁
Warm (Listen) 456ms 456ms ▁▁▁▁▁
Warm (Ready in log) 442ms 442ms ▁▂▅▁▂
Warm (First Request) 1.969s 1.955s ▆▇█▆▁

⚡ Production Builds

Metric Canary PR Change Trend
Fresh Build 3.960s 3.934s ▇▆██▁
Cached Build 3.928s 3.881s ▄███▄
📦 Production Builds (Webpack) (Legacy)

📦 Production Builds (Webpack)

Metric Canary PR Change Trend
Fresh Build 14.619s 14.734s ▁▂▅▂▂
Cached Build 14.747s 14.919s ▁▂▇▃▄
node_modules Size 491 MB 491 MB █████
📦 Bundle Sizes

⚡ Turbopack

Client

Main Bundles
Canary PR Change
Total 464 kB 464 kB ⚠️ +156 B

Server

Middleware
Canary PR Change
middleware-b..fest.js gzip 718 B 718 B
Total 718 B 718 B
Build Details
Build Manifests
Canary PR Change
_buildManifest.js gzip 434 B 431 B
Total 434 B 431 B ✅ -3 B

📦 Webpack

Client

Main Bundles
Canary PR Change
1011-HASH.js gzip 5.58 kB N/A -
2168.HASH.js gzip 169 B N/A -
2225-HASH.js gzip 4.64 kB N/A -
61a8f394-HASH.js gzip 62.8 kB N/A -
850-HASH.js gzip 60.6 kB N/A -
framework-HASH.js gzip 59.7 kB 59.7 kB
main-app-HASH.js gzip 254 B 252 B
main-HASH.js gzip 39.2 kB 39.6 kB
webpack-HASH.js gzip 1.68 kB 1.68 kB
36c7d9a6-HASH.js gzip N/A 62.8 kB -
3967-HASH.js gzip N/A 4.63 kB -
5025-HASH.js gzip N/A 5.58 kB -
634-HASH.js gzip N/A 60.9 kB -
7586.HASH.js gzip N/A 170 B -
Total 235 kB 235 kB ⚠️ +607 B
Polyfills
Canary PR Change
polyfills-HASH.js gzip 39.4 kB 39.4 kB
Total 39.4 kB 39.4 kB
Pages
Canary PR Change
_app-HASH.js gzip 194 B 194 B
_error-HASH.js gzip 182 B 181 B
css-HASH.js gzip 334 B 333 B
dynamic-HASH.js gzip 1.8 kB 1.81 kB
edge-ssr-HASH.js gzip 255 B 254 B
head-HASH.js gzip 352 B 352 B
hooks-HASH.js gzip 384 B 384 B
image-HASH.js gzip 580 B 581 B
index-HASH.js gzip 259 B 259 B
link-HASH.js gzip 2.52 kB 2.52 kB
routerDirect..HASH.js gzip 320 B 317 B
script-HASH.js gzip 386 B 386 B
withRouter-HASH.js gzip 315 B 315 B
1afbb74e6ecf..834.css gzip 106 B 106 B
Total 7.98 kB 7.99 kB ⚠️ +4 B

Server

Edge SSR
Canary PR Change
edge-ssr.js gzip 125 kB 126 kB
page.js gzip 272 kB 273 kB
Total 398 kB 399 kB ⚠️ +1.13 kB
Middleware
Canary PR Change
middleware-b..fest.js gzip 615 B 617 B
middleware-r..fest.js gzip 156 B 156 B
middleware.js gzip 44.4 kB 44.2 kB
edge-runtime..pack.js gzip 842 B 842 B
Total 46 kB 45.8 kB ✅ -168 B
Build Details
Build Manifests
Canary PR Change
_buildManifest.js gzip 719 B 718 B
Total 719 B 718 B ✅ -1 B
Build Cache
Canary PR Change
0.pack gzip 4.37 MB 4.38 MB
index.pack gzip 116 kB 114 kB 🟢 1.38 kB (-1%)
index.pack.old gzip 114 kB 113 kB
Total 4.6 MB 4.6 MB ⚠️ +56 B

🔄 Shared (bundler-independent)

Runtimes
Canary PR Change
app-page-exp...dev.js gzip 345 kB 345 kB
app-page-exp..prod.js gzip 191 kB 191 kB
app-page-tur...dev.js gzip 345 kB 345 kB
app-page-tur..prod.js gzip 191 kB 191 kB
app-page-tur...dev.js gzip 341 kB 341 kB
app-page-tur..prod.js gzip 189 kB 189 kB
app-page.run...dev.js gzip 342 kB 342 kB
app-page.run..prod.js gzip 189 kB 189 kB
app-route-ex...dev.js gzip 76.9 kB 76.9 kB
app-route-ex..prod.js gzip 52.5 kB 52.5 kB
app-route-tu...dev.js gzip 76.9 kB 76.9 kB
app-route-tu..prod.js gzip 52.5 kB 52.5 kB
app-route-tu...dev.js gzip 76.5 kB 76.5 kB
app-route-tu..prod.js gzip 52.2 kB 52.2 kB
app-route.ru...dev.js gzip 76.5 kB 76.5 kB
app-route.ru..prod.js gzip 52.2 kB 52.2 kB
dist_client_...dev.js gzip 324 B 324 B
dist_client_...dev.js gzip 326 B 326 B
dist_client_...dev.js gzip 318 B 318 B
dist_client_...dev.js gzip 317 B 317 B
pages-api-tu...dev.js gzip 43.9 kB 43.9 kB
pages-api-tu..prod.js gzip 33.4 kB 33.4 kB
pages-api.ru...dev.js gzip 43.8 kB 43.8 kB
pages-api.ru..prod.js gzip 33.4 kB 33.4 kB
pages-turbo....dev.js gzip 53.2 kB 53.2 kB
pages-turbo...prod.js gzip 39 kB 39 kB
pages.runtim...dev.js gzip 53.2 kB 53.2 kB
pages.runtim..prod.js gzip 39 kB 39 kB
server.runti..prod.js gzip 62.8 kB 62.8 kB
Total 3.05 MB 3.05 MB ⚠️ +3 B
📎 Tarball URL
https://vercel-packages.vercel.app/next/commits/ac442d8e240ce6f3dd6d7edeeed00840236b68bc/next

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Apr 24, 2026