fix: exclude static assets from middleware matcher #510

Open
peppescg wants to merge 2 commits into main from fix/exclude-static-assets-from-middleware

@peppescg (Collaborator) commented May 6, 2026

Summary

  • The proxy middleware intercepted requests to public static files (e.g. /bg-pattern.png on the sign-in page), causing a broken image icon in the top-left corner
  • Extends the middleware matcher regex to skip common image extensions (.svg, .png, .jpg, .jpeg, .gif, .webp)
  • Backport of stacklok/stacklok-enterprise-platform#746

Test plan

  • Start dev server (pnpm dev) and navigate to /signin
  • Verify bg-pattern.png loads correctly (no broken image icon)
  • Verify toolhive-logo.svg renders on both mobile and desktop layouts
  • Verify authenticated routes still go through the middleware

🤖 Generated with Claude Code

The proxy middleware intercepted requests to public static files
(e.g. /bg-pattern.png on the signin page), causing a broken image
icon. Extend the matcher regex to skip common image extensions.

Backport of stacklok/stacklok-enterprise-platform#746.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 6, 2026 10:11
@github-actions github-actions Bot added the size/XS Extra small PR: < 100 lines changed label May 6, 2026
@peppescg peppescg self-assigned this May 6, 2026

Copilot AI left a comment

Pull request overview

This PR updates the Next.js middleware matcher to prevent the proxy middleware from running on public image assets, fixing broken static images on routes like /signin (e.g. /bg-pattern.png).

Changes:

  • Extend the middleware matcher negative-lookahead to exclude common image extensions (svg, png, jpg, jpeg, gif, webp).
  • Escape favicon.ico in the matcher regex for literal matching.
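
A scripted form of the test plan's matcher checks, as an added example that is not code from this PR or the project. The two matcher strings are constructed from the PR description (the actual diff is not shown on this page), the route list is hypothetical apart from /signin and the two asset names, and a plain anchored RegExp stands in for Next.js's own matcher compilation.

```javascript
// Constructed matcher sources; the PR's real regex is not shown on the page.
// BEFORE excludes only framework paths, AFTER adds the image extensions the PR lists.
const BEFORE = "/((?!_next/static|_next/image|favicon\\.ico).*)";
const AFTER =
  "/((?!_next/static|_next/image|favicon\\.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)";

// Assumption: anchoring the source and using it as a plain RegExp approximates
// how the framework applies a matcher to the request pathname.
function middlewareRuns(matcherSource, pathname) {
  return new RegExp(`^${matcherSource}$`).test(pathname);
}

// Hypothetical inventory. Only /signin, /bg-pattern.png and /toolhive-logo.svg
// come from the PR text; the rest are constructed sample paths.
const PUBLIC_ASSETS = ["/bg-pattern.png", "/toolhive-logo.svg", "/favicon.ico"];
const PROTECTED_ROUTES = [
  "/",
  "/signin",
  "/catalog",
  "/catalog/server-1",
  "/settings/profile.png", // page route whose last segment looks like an image
];

// Reports every path whose middleware coverage differs from what is expected:
// protected routes the matcher skips, and public assets it still intercepts.
function auditMatcher(matcherSource) {
  return {
    skippedButProtected: PROTECTED_ROUTES.filter(
      (p) => !middlewareRuns(matcherSource, p)
    ),
    interceptedAssets: PUBLIC_ASSETS.filter((p) =>
      middlewareRuns(matcherSource, p)
    ),
  };
}

console.log("before:", auditMatcher(BEFORE));
console.log("after: ", auditMatcher(AFTER));
```

The hypothetical /settings/profile.png lands in skippedButProtected for the extended matcher because the extension exclusion applies to any pathname, not only to files served from public/.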

Transitive dep ip-address@10.1.0 (via @modelcontextprotocol/sdk →
express-rate-limit) has a medium severity vulnerability. Override
to >=10.1.1 resolves the Grype and pnpm audit failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added size/XS Extra small PR: < 100 lines changed and removed size/XS Extra small PR: < 100 lines changed labels May 6, 2026