Changelog

Team Owners on the credit-based Pro plan can now create and assign labels to organize projects across their team, a capability previously limited to Enterprise.

Use labels to group projects by environment, purpose, or team—for example, staging, marketing, or production—then filter and find projects faster from your team’s project list.

Learn more in Organize projects in the Netlify documentation.

You can now use as many environment variables as your Serverless Functions need. The 4KB total size limit on environment variables no longer applies to functions running on the current Netlify Functions runtime.

This limit was a common source of friction. Teams with several API keys, connection strings, or feature flags could quietly bump into the cap and see their functions fail to deploy or run, often with confusing errors. With the limit gone, you no longer have to ration space or work around the ceiling for the configuration your functions legitimately need.

The limit still applies to functions running in Lambda compatibility mode. If your functions are using Lambda compatibility mode and you want to remove the size limit entirely, consider upgrading to the current Netlify Functions runtime.

Learn more about environment variables in Netlify Functions in our documentation.

Netlify is now listed in the Cursor marketplace, so you can connect your AI-assisted coding environment directly to Netlify without leaving your editor.

Whether you’re spinning up a new project or iterating on an existing site, having Netlify available from within Cursor means fewer context switches between building and deploying.

Find it at cursor.com/marketplace/netlify.

Update — June 13, 2026

Anthropic has suspended access to Claude Fable 5. Requests to claude-fable-5 through Netlify AI Gateway will fail until access is restored.

Anthropic’s Claude Fable 5 model is now available through Netlify’s AI Gateway with zero configuration required.

Use the Anthropic SDK directly in your Netlify Functions without managing API keys or authentication. The AI Gateway handles everything automatically. Here’s an example using the Claude Fable 5 model:

import Anthropic from '@anthropic-ai/sdk';

export default async () => {
    const anthropic = new Anthropic();

    const response = await anthropic.messages.create({
        model: 'claude-fable-5',
        max_tokens: 4096,
        messages: [
            {
                role: 'user',
                content: 'How can AI improve my cybersecurity?'
            }
        ]
    });

    return new Response(JSON.stringify(response), {
        headers: { 'Content-Type': 'application/json' }
    });
};

Claude Fable 5 is available for all Function types. You get automatic access to Netlify’s caching, rate limiting, and authentication infrastructure.

Learn more in the AI Gateway documentation.

Angular v22 was released today and it is supported on Netlify on day one.

To upgrade, follow the Angular upgrade steps and update @netlify/angular-runtime to v4.0.0 or later.

Notable changes

• Minimum Node.js version: Angular v22 requires Node.js 22.12.0 or later. Make sure your Netlify site is configured to use a supported Node.js version.
• allowedHosts config: Angular v21.x (specifically, @angular/ssr) introduced an allowedHosts option in the AngularAppEngine configuration, giving you explicit control over which hosts are permitted to connect. Angular 22 started returning a HTTP 400 for requests with other host headers. @netlify/angular-runtime handles adding the most common URLs for a Netlify deploy to the allowedHosts config automatically allowing developers to use Netlify’s branch and deploy previews without the HTTP 400 error.
• Forwarded headers support withtrustProxyHeaders: A new trustProxyHeaders option lets Angular applications behind a reverse proxy correctly read forwarded headers such as X-Forwarded-For and X-Forwarded-Proto. @netlify/angular-runtime handles adding the required headers automatically.

Learn more:

• Angular v22 Release
• Angular on Netlify
• Angular Runtime

The React Router team has disclosed seven security vulnerabilities. Here’s what Netlify customers need to know.

Vulnerabilities

Impact on Netlify

GHSA-8x6r-g9mw-2r78 and GHSA-rxv8-25v2-qmq8 (denial of service)

These are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.

GHSA-8646-j5j9-6r62 (XSS in unstable RSC)

This vulnerability affects apps using the experimental unstable_* RSC APIs where an attacker can control a redirect target. Only apps using these unstable APIs are affected.

Regardless of hosting provider, affected apps passing untrusted input into RSC redirect calls may be vulnerable.

GHSA-49rj-9fvp-4h2h (RCE when chained)

This vulnerability is not directly exploitable against React Router alone. Reaching the vulnerable code path requires the application to first be independently vulnerable to a prototype pollution attack.

GHSA-2j2x-hqr9-3h42 (open redirect)

Apps that redirect users to attacker-supplied URLs with the intent to restrict them to the same origin may inadvertently allow protocol-relative redirects to external origins.

Regardless of hosting provider, all affected apps passing untrusted input to redirect() may be vulnerable.

GHSA-f22v-gfqf-p8f3 (stored XSS in prerendering)

This vulnerability affects apps using the prerendering feature (prerender: [...] in react-router.config.ts). If any redirect target baked into a prerendered build originates from external or attacker-controlled data, the static artifact remains affected until a fresh build is run with a patched version.

Regardless of hosting provider, all affected apps using prerendering with externally sourced redirect targets may be vulnerable.

GHSA-84g9-w2xq-vcv6 (CSRF bypass for PUT/PATCH/DELETE)

The CSRF origin check introduced in React Router 7.12.0 only applied to POST requests on the document-request path, leaving PUT, PATCH, and DELETE unchecked. In practice, exploitation additionally requires the app to have explicitly opened CORS for those methods and to be issuing session cookies with SameSite=None.

Regardless of hosting provider, this only poses a meaningful risk in apps with permissive cross-origin configurations.

What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

• react-router 7.15.1 or later
• @react-router/dev 7.13.2 or later (if using prerendering)

If your app uses prerendering, trigger a fresh build after upgrading to regenerate any affected static assets.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.

Anthropic’s Claude Opus 4.8 model is now available through Netlify’s AI Gateway and Agent Runners with zero configuration required.

Use the Anthropic SDK directly in your Netlify Functions without managing API keys or authentication. The AI Gateway handles everything automatically. Here’s an example using the Claude Opus 4.8 model:

import Anthropic from '@anthropic-ai/sdk';

export default async () => {
    const anthropic = new Anthropic();

    const response = await anthropic.messages.create({
        model: 'claude-opus-4-8',
        max_tokens: 4096,
        messages: [
            {
                role: 'user',
                content: 'How can AI improve my coding?'
            }
        ]
    });

    return new Response(JSON.stringify(response), {
        headers: { 'Content-Type': 'application/json' }
    });
};

Claude Opus 4.8 is available for all Function types and Agent Runners. You get automatic access to Netlify’s caching, rate limiting, and authentication infrastructure.

Learn more in the AI Gateway documentation and Agent Runners documentation.

The following versions of Node.js have reached their official end of life: Node.js v18 on April 30, 2025 Node.js v20 on April 30, 2026 Now it’s time to say goodbye to Node.js versions 18 and 20 in our build plugins. This change will allow us to use…

Google’s Gemini 3.5 Flash model is now available through Netlify’s Agent Runners with zero configuration required.

Learn more in the Agent Runners documentation.