🍿 Stop Putting Auth in Middleware (and a surprise for you)


Hey Reader,

Middleware got renamed to Proxy in Next.js 16. Same functionality. Better name.

What is Proxy? Every request to your app has to go somewhere - a page, an API route, a file. Proxy gets to look at it first and decide what happens: send the user somewhere else, serve different content silently, or just let it through as-is.

Think of it as a traffic controller 🚦 sitting in front of your routes.

So, why should you stop putting auth in Proxy?

It feels like the perfect place but it isn't. Developers started throwing auth and session logic into middleware. That's not what it's for. "Middleware" kept getting confused with Express middleware too. That's exactly why it got renamed.

So where should you do it? Next to the data access layer, i.e. where you fetch the data or wherever you need it.

Here's how proxy should be,

But there is another very important reason too

In March 2025, a CVE disclosed that Next.js uses an internal header called x-middleware-subrequest to prevent infinite loops. The problem? An attacker could spoof it and Next.js would skip all middleware checks entirely.

That's also why auth should NOT live in Proxy.
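To make the reasoning above concrete, here is an added example (not from the newsletter and not Next.js code): a simplified TypeScript model of a request pipeline in which Proxy is skipped whenever the internal header is present. The toy router, the session header, the token and the invoice data are all constructed for illustration.

```typescript
// Simplified model, not Next.js code. All names and data are constructed.
type HeaderMap = Record<string, string>;
interface Req { path: string; headers: HeaderMap }
interface Res { status: number; body: string }
interface Session { userId: string }

const SESSIONS: Record<string, Session> = { "tok-alice": { userId: "alice" } };
const INVOICES: Record<string, string> = { alice: "Invoice #1 for alice" };

function sessionFrom(req: Req): Session | null {
  const token = req.headers["session"];
  return token && Object.prototype.hasOwnProperty.call(SESSIONS, token) ? SESSIONS[token] : null;
}

// Auth placed in Proxy: the pattern the newsletter warns against.
function proxyWithAuth(req: Req): Res | null {
  if (req.path.indexOf("/dashboard") === 0 && !sessionFrom(req)) {
    return { status: 307, body: "redirect:/login" };
  }
  return null; // no early response: let the request through
}

// Data access that trusts Proxy to have run and checks nothing itself.
function invoiceUnguarded(_req: Req): Res {
  return { status: 200, body: INVOICES["alice"] };
}

// Data access that verifies the session itself, right next to the data.
function invoiceGuarded(req: Req): Res {
  const session = sessionFrom(req);
  if (!session) return { status: 401, body: "unauthorized" };
  return { status: 200, body: INVOICES[session.userId] };
}

// Toy router. Assumption: a request carrying the internal header skips Proxy,
// standing in for the behaviour the March 2025 CVE described.
function handle(req: Req, route: (r: Req) => Res): Res {
  const skipProxy = "x-middleware-subrequest" in req.headers;
  return (skipProxy ? null : proxyWithAuth(req)) || route(req);
}

function demo(): number[] {
  const path = "/dashboard/invoice";
  const anon: Req = { path, headers: {} };
  const spoofed: Req = { path, headers: { "x-middleware-subrequest": "constructed" } };
  const alice: Req = { path, headers: { session: "tok-alice" } };
  return [handle(anon, invoiceUnguarded), handle(spoofed, invoiceUnguarded),
          handle(spoofed, invoiceGuarded), handle(alice, invoiceGuarded)].map(r => r.status);
}
```

demo() returns the statuses 307, 200, 401, 200: the Proxy-only check stops the anonymous request but vanishes when Proxy is skipped, while the check beside the data still answers 401.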

💡 Takeaway

→ Use Proxy for redirects, rewrites, headers, A/B tests

→ Move auth into Server Components, Route Handlers, or Server Actions

🚀 Latest Frontend News

LIBRARY UPDATES

Astro 6.0 is out and it is basically catching up to Next.js's feature set (native font optimization, route caching, CSP, better SSR), but users have to explicitly choose which features to enable

A React framework built for Cloudflare is now out of beta and fully stable

TanStack AI Open Router lets you hit GPT-5, Claude, Gemini, Llama, DeepSeek and more, all through one API

A new CLI tool by TanStack that helps library maintainers generate and ship Agent Skills alongside their npm packages

shadcn/cli v4 is out - this is a HUGE update. Previously, changing fonts, colors, icons, or component library meant manually updating multiple files. Now a single --preset flag with a short string like AKG33FG restyles your entire design system.

TypeScript 6.0 is now available as a release candidate, go try it (with caution) before it officially ships

Prisma ORM 7.5.0 just shipped with nested transaction rollbacks via save-points, raw SQL in Studio, and a lot more.

GREAT READ

Slim lets you share your local dev server with a public URL, no tunneling headaches

How does a fast Rust bundler for JS/TS handle chunking and dependency graphs for faster builds and bundles?

Next.js installs will soon include version-matched docs, giving agents context on new and recently updated APIs.

AI

Claude Code just killed a bunch of startups as it now has built-in code review - it can analyze pull requests, flag issues, and suggest improvements before you merge

Ask Side Questions while your main task keeps running in Claude Code?, /a new tool by Claude Code

Remember the hype around Cloudflare's Next.js alternative? Well, there are multiple critical security flaws



See you next week!

Ankita Kulkarni
