cloudflare / vinext

fix: validate image optimization content types and width bounds (#101)
- Add Content-Security-Policy and X-Content-Type-Options headers to image responses
- Validate Content-Type allowlist (reject SVG, HTML, non-image types)
- Bound width parameter to configured deviceSizes/imageSizes with 3840px max
- Add deviceSizes and imageSizes to NextConfig type
- Apply to all image paths: Workers, Node.js prod server (App + Pages Router)
- Fix benchmarks limit param NaN handling
Steve Faulkner committed on Feb 26, 2026, 05:08 AM
Showing 8 changed files +386 additions -27 deletions
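
The checks listed in the commit message, sketched as an added example; this is not code from this commit or from vinext. All function names, the sample config, the raster-type allowlist, the CSP value and the exact-match width rule are assumptions; only the 3840px cap, the two header names and the rejection of SVG/HTML come from the message.

```javascript
// Added example with hypothetical names; not vinext's implementation.
const ABSOLUTE_MAX_WIDTH = 3840; // cap named in the commit message

// Constructed sample config; 4096 is included to show the cap overriding config.
const sampleConfig = { deviceSizes: [640, 1080, 1920, 3840, 4096], imageSizes: [64, 256] };

// Assumed allowlist of raster types. SVG and HTML are deliberately absent:
// both can carry script if the response is rendered as a document.
const ALLOWED_TYPES = new Set(["image/jpeg", "image/png", "image/webp", "image/avif", "image/gif"]);

function allowedWidths(config) {
  return [...config.deviceSizes, ...config.imageSizes]
    .filter((w) => Number.isInteger(w) && w > 0 && w <= ABSOLUTE_MAX_WIDTH);
}

// Returns the validated width, or null when the request must be rejected.
function parseWidth(raw, config) {
  // Strict digits only: rejects "", "-1", "1e3", "640px" and anything over 4 digits.
  if (typeof raw !== "string" || !/^[1-9]\d{0,3}$/.test(raw)) return null;
  const w = Number(raw);
  return allowedWidths(config).includes(w) ? w : null;
}

// Strips parameters and case before comparing against the allowlist.
function isAllowedContentType(header) {
  if (typeof header !== "string") return false;
  const mediaType = header.split(";")[0].trim().toLowerCase();
  return ALLOWED_TYPES.has(mediaType);
}

// The CSP value here is an assumed restrictive policy, not the one in the commit.
function imageSecurityHeaders() {
  return {
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "X-Content-Type-Options": "nosniff",
  };
}

// Decision for one request: width from the query string, type from the upstream response.
function checkImageRequest(rawWidth, upstreamContentType, config) {
  const width = parseWidth(rawWidth, config);
  if (width === null) return { status: 400, reason: "invalid width" };
  if (!isAllowedContentType(upstreamContentType)) {
    return { status: 400, reason: "content type not allowed" };
  }
  return { status: 200, width, headers: imageSecurityHeaders() };
}
```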