Proposal: Integrate server-only as a first-class utility in next core

[abhishekmardiya]

Goals

Zero-Config Security: Eliminate the requirement to manually install server-only as a separate peer dependency for every project.

Improved Discoverability: Make server-side enforcement part of the standard next API (e.g., next/server-only), making it easier for new developers to find.

Package Consistency: Reduce the "fragmentation" of having to manage a tiny, single-purpose external package for a core Next.js architectural concept.

Non-Goals

No response

Background

Currently, the server-only package is a fundamental part of the Next.js security story. It ensures that sensitive code—such as database queries or internal business logic—never accidentally leaks into Client Components.

While the documentation recommends it, it currently exists as a separate dependency that developers must remember to npm install.

Proposal

I propose that Next.js should export a built-in server-only marker directly from the next package. This would streamline the setup process and ensure that security best practices are baked directly into the framework.

[icyJoseph]

• https://nextjs.org/docs/app/getting-started/server-and-client-components#preventing-environment-poisoning

In Next.js, installing server-only or client-only is optional. However, if your linting rules flag extraneous dependencies, you may install them to avoid issues.

Next.js handles server-only and client-only imports internally to provide clearer error messages when a module is used in the wrong environment. The contents of these packages from NPM are not used by Next.js.

It is already automatically interpreted by the framework. Next.js does some additional checks to make sure you get better errors when a module ends up in the wrong module graph.

[icyJoseph]

We could perhaps re order those sections, and add a cross-reference "Good to know" kind of thing, in data-security.

[abhishekmardiya]

Thanks for the clarification.

I agree that the Data Security and Preventing Environment Poisoning docs should be aligned to provide clearer guidance. I can try submitting a PR to address this.

[icyJoseph]

I turned this into a Help item and marked as answered, as people might find it through other means.